Thursday, September 12, 2013

Bank Board Oversight: The Case for a Separate Risk Committee

FROM http://deloitte.wsj.com

Risk oversight by bank boards of directors continues to evolve, driven largely by proposed requirements, mandates and guidance issued by regulators and industry bodies, most notably, the Dodd-Frank Wall Street Reform and Consumer Protection Act and the Federal Reserve’s notice of proposed rulemaking (NPR) on enhanced prudential supervision (EPS).

Organizations that fall under the Federal Reserve’s EPS mandate will be required to establish a standalone risk committee that operates under a formal written charter approved by the company’s board of directors. They include banks with greater than $50 billion in assets, banks with greater than $10 billion in revenues that are publicly traded and any non-bank financial company designated as systemically important. “In effect, the NPR places risk on par with audit and compensation as issues that warrant board committees,” says Scott Baret, Deloitte & Touche LLP’s global leader of Enterprise Risk Services for the Financial Services Industry practice.

For the boards at smaller banks, however, the decision of whether or not to form a separate risk committee remains under discussion; some have chosen to house the risk oversight function within the audit committee rather than establish another board committee. Supporters of a dual-function committee say it can help avoid potential overlap and gaps in oversight responsibility between separate risk and audit committees. But others argue such a move adds to the burdens of already heavily tasked audit committees, and that the knowledge, experience and time required for risk oversight tend to favor the establishment of a standalone risk committee.

“Audit committees inherently are driven by financial reporting requirements and timelines, and as a result they likely focus on risks related to the integrity of the financial statements,” says Edward Hida, who serves as global leader for Deloitte & Touche LLP’s Risk & Capital Management practice within the Financial Services Industry practice. “It also is possible that audit committees may lack sufficient risk management experience that could cause committee members to overlook some risks,” he adds.

Clarifying the Board’s Risk Oversight Responsibilities

On a fundamental level, risk oversight is a responsibility of the board and stands apart from risk management, which is the responsibility of management. But the board’s risk oversight role can have substantial positive impact on the organization in ways felt across the enterprise. “Generally, when a board establishes a risk committee, it may have several corresponding positive effects on increasing its oversight for risk management,” says Mr. Baret, who also is a member of Deloitte’s Governance, Regulatory & Risk Strategies practice. “Such benefits could include an inherent increase in board attention and resources aimed at risk oversight, more purposeful interaction with management regarding risk matters and an increase in visibility into the organization’s risk management practices, particularly when the CRO and the management risk committee report to the board risk committee.”

For a board risk committee to be effective, its oversight responsibilities should be clearly defined. One way to establish the responsibilities of a risk committee is to use the board charter to define the parameters of the group’s work. Boards that want to establish a risk committee, or existing committees that want to benchmark their responsibilities, can consider the following guidelines:

1. Establish the risk culture of the enterprise. In selecting the CEO and articulating the values of the institution for the senior executives, the board can influence the priorities of risk management enhancements in everyday decision-making and the organization’s approach toward risk and risk management.

2. Promote open discussion regarding risk. Board members may discuss with the CRO, or others within the organization with similar stature and authority for risk management, the threats that are material and to which the organization is most vulnerable. The board may wish to inquire and challenge management about risks that affect decisions, operations, processes, and most importantly, risks of and to the strategy.

3. Provide input on—and approve—the bank’s risk appetite. Risk appetite represents the parameters within which the executive team and business managers (the owners of the risk) manage risk at the enterprise and business unit levels. The board committee should be involved in discussion on risk appetite on a regular basis.

4. Define the issues that require the board’s attention. The board can define the issues and decisions that management should bring to its attention for either informational purposes, review or board approval. These include risks associated with businesses, investments, partners, transactions, employee incentives and developments that could substantially affect the bank, with the board clearly defining “substantially.”

5. Monitor risks and risk management capabilities. The board should consider its role in monitoring the risk profile—the types, levels and concentrations of risk the bank is incurring—and any escalation, concentration of risks and their interrelation. The board should also understand the bank’s business, operations and products well enough to conduct this monitoring. Finally, it should think about how management monitors, mitigates and manages specific risks and communicates about risk in the organization.

6. Obtain reasonable evidence regarding risk management. It is management’s role to identify and continually assess and manage all risks, while the board should be focused on ascertaining whether management has done so. The latter means being confident that management has completed two important tasks: Identifying the relevant risks that could affect the ability of the business to achieve its strategies and preserve its assets, and establishing a risk management infrastructure—the people, processes and technology—to identify, measure, monitor and report on the risks the institution faces. Board risk committee charters should set the framework for the roles and responsibilities of the risk committee so that these activities are accomplished.
