Board's role in risk management evolving

Bank boards of all sizes, but especially those of larger banks, have watched their responsibilities and regulators’ expectations expand like dough mixed with fast-rising yeast.

In the wake of the Sarbanes-Oxley Act and the Dodd-Frank Act, and regulators’ independent actions over the years, bank directorship became a bigger, tougher job. Fingers get pointed directly at boards more readily—witness Sen. Elizabeth Warren’s periodic calls for sacking Wells Fargo directors.

Even as the Federal Reserve has proposed “punching down” the bloated dough of modern bank governance, the boards’ risk management role continues to expand. That won’t change, but the line of delineation between board and management appears to be on the verge of change.

Time for a reset?

In August, the Fed published “Proposed Guidance On Supervisory Expectation For Boards Of Directors.” The pending proposal (the comment period closed in October) reflects the Fed’s desire to dial things back somewhat. In an August speech, Gov. Jerome Powell, later nominated to become Fed chairman, spoke about it: “The new approach distinguishes the board from senior management so that we can spotlight our expectations of effective boards.” 

“They felt the role of boards was starting to blur,” says Stephen Fromhart of the Deloitte Center for Financial Services.

“This backing off by the Fed, making management accountable and challenging boards to make sure management is accountable, sets the right dynamic,” says Scott Baret, Deloitte vice-chairman and leader of the firm’s U.S. banking and securities practice. The Fed essentially said where expectations on boards have been pushed “wasn’t a beneficial change.”

(Certain parts of the proposal cover only boards of institutions over $50 billion that are under Fed supervision, while others include any bank holding company or bank board under the Fed’s supervision.)

As the Fed was publishing its proposal, Deloitte was working on the latest version of a periodic study it does of the risk committee charters of very large (over $50 billion) banks in the United States as well as U.S. nonbanks classified as SIFIs (systemically important financial institution) and non-U.S. G-SIBs (global systemically important banks). In the final report, What’s Next For Bank Board Risk Governance?, issued recently, Baret and Ed Hida, Deloitte’s leader for global risk and capital management, write: 

“Board members have frequently found themselves being drawn ‘into the weeds’ of risk management issues, and are sometimes left with inadequate time to guide and challenge management on broader strategic issues. The Fed’s proposal, therefore, heralds a fundamental rethinking of the way boards prioritize their focus. Its delineation of board and management responsibilities also creates an environment in which senior executives and business line leaders can be unambiguously held accountable for their management responsibilities.”

The report says the Fed’s proposal characterizes the board role as “effective challenge.” Overall, the firm says its research found much progress in how institutions and their risk units oversee risk, “which should leave them prepared to step up to the challenge.”

Reviewing risk charters

The Deloitte review of risk charters used five key points from the Fed’s proposal as a structure for reviewing the state of the art.

One change that Baret anticipates is an elaboration in board minutes of how directors meet their risk management duties. “To have ‘effective challenge,’ and ‘critical challenge,’” says Baret (the latter term is drawn from guidance from the Comptroller’s Office), “you have to have independence.” This will be illustrated by reporting lines, the language of committee charters, and minutes. Baret also expects further emphasis on board evaluations of risk oversight.

Here is a summary of the results of the Deloitte Center for Financial Services’ review of risk committee charters:

1. Setting risk policies, overseeing risk management and governance, and setting risk strategy and tolerance.

Clearly, risk management can’t be left on autopilot. Course corrections must be made. The Deloitte analysis found that 87% of U.S. banks require the risk committee to review and approve risk management policies and framework. The study found that 83% of banks require oversight of capital and liquidity management by the committee as well. Both measures were substantially ahead of levels seen in the firm’s 2014 study (57% and 75%, respectively). While the rise among U.S. firms came after release of the Fed’s “enhanced prudential standards,” the report notes that the non-U.S. firms’ charters studied also showed much progress in these areas.

2. Actively managing information flow, resources, capabilities, and committee discussions.

The report found that more than most (over eight in ten) charters require regular reports from chief risk officers (CRO). This is something stipulated by the Fed’s enhanced guidelines. Many charters also give the committee authority to meet in executive session—without management’s presence—or with only risk management executives present.

Importantly, the report reviewed provisions in charters for intercommittee communication on risk—risk crosses traditional committee boundaries. Coordinating data flow between risk and audit committees has become pretty standard, rising to 77% of charters versus 63% in 2014. But a weak spot is coordination with compensation committees—only 30% of charters call for that.

“This potential lack of coordination may hinder the risk committee’s ability to effectively oversee management’s implementation of strategy, which may be influenced by the nature and structure of compensation incentives set for management,” the report states.

Baret says the “onus is on the board members to get the information they need to be able to provide effective challenge.”

3. Holding senior management accountable for overall risk management and emerging risks.

In spite of the overflow of regulatory expectations, study authors found that the key traditional role of boards—representing shareholders—has not been forgotten. “Our risk committee charter reviews showed that committees (under the remit of the overall board) appear to be prioritizing this management accountability aspect of oversight,” the report states.

Still lacking, in charters at least, is “issue radar”—attention to emerging risks. While the percentage of committee charters mentioning cyberrisk grew over 2014, only about half the charters mention this specifically (47% versus 25% in 2014). Two other issues receiving even less mention: third-party risk (13%)—a major concern of regulators and a key issue as partnerships with fintech firms beckon—and the risk of unethical employee conduct (7%). “Both issues have led to billions in fines for many large banks across the world,” the report states.

4. Supporting CRO independence and stature, and independence of risk management and compliance functions.

“A comfortable majority of charters now note that CROs report to both the CEO and the board risk committee,” the report notes. “. . . However there appears to still be significant room for improvement regarding the board’s role in elevating the stature and independence of the CRO, which the Fed’s proposal also explicitly endorses.”

In addition, the report notes with some surprise that only 43% of U.S. risk committee charters address the need to maintain the independence of the bank’s risk management function. And 27% of charters require the risk committee to produce a “state of risk culture” report.

For U.S. banks, the report says, the Fed’s recent board effectiveness proposal guidance should bolster elements of its enhanced standards concerning documentation by risk committees of their support for independent risk management and compliance. Two steps the report suggests to make this commitment evident: providing direct, unrestricted access by risk management employees to the risk committee, and putting representatives of the independent risk management function on senior management level committees.

5. Maintaining a capable board risk committee composition and structure.

The report notes that a combination of regulatory requirements and attention to best practices has led to nearly every company covered—and 100% of U.S. banks reviewed—establishing a risk committee. The Fed’s enhanced standards set up the requirement for a risk expert on large banks’ risk committees—something addressed in 80% of U.S. committee charters. By contrast, only about one in five of the foreign institutions studied included any such requirement.

What about small banks?

Will there be “trickle down” to smaller banks of what the review found in large institution committee charters? This remains to be seen. Typically, “public institutions are held to higher standards,” says Fromhart. But in a blog earlier this year, community banking columnist and attorney Jeff Gerrish, a former FDIC official, urged community banks to keep an eye on the Fed’s final expectations for large banks. “I expect these will become ‘best practices’ for community bank boards,” he wrote.