Bank Risk Governance Past Practices

Before the financial crisis of 2007-08, many banks did not have a board-level risk committee. Rather, risk oversight received attention from the audit committee or was divided among the existing board committees. Due to the apparent ineffectiveness of the practice, multiple regulatory bodies such as the Office of the Comptroller of the Currency (OCC), Basel Committee for Banking Supervision (BCBS), and Enhanced Prudential Standards (EPS) have all created standards to deal with this issue.

Changes in Board Structure and Its Members

A recent survey of the top ten banks in the industry revealed that all ten of these banks have a risk committee that is charged with risk management oversight. This is a significant change from 2008, when only two of these banks maintained a board-level risk committee. In 2008, half of these banks instead opted to use the audit committee to oversee risk. Banks in the current environment are now required to have risk committees due to regulations. However, bank boards have taken further steps in order to fulfill their role in risk oversight. Nine out of the ten banks surveyed outline a minimum number of directors that must sit on the risk committee, even though no regulation states a need for a minimum. More importantly, 60% of risk committees include fully independent members even though the EPS only requires one independent member. Finally, banks are adding more directors with prior risk experience, either through the industry or through former work as regulators.

Growing Risk Committee Responsibilities and Areas for Improvement

Along with changes in the structure and composition of the committees, the largest banks have also expanded their risk-management-related activities. About 30% of these banks have not required the risk committee to approve the risk governance framework. Another 20% do not require the risk committee to approve the risk appetite statement.

There is also a lack of risk committee involvement with the CRO. Only half of the largest banks have policies that give the risk committee the power to approve CRO appointments. Also, 40% of these banks’ risk committees approve the CRO’s compensation. Finally, only half of the banks surveyed have established a direct line of reporting between the board and the CRO.

What Banks Should Do Going Forward

The following guidelines are minimums:

  • Outline all regulatory expectations in board committee charters so that the board is apprised and mindful of what they need to do.
  • Constantly look for independent board members with risk management experience.
  • Provide periodic board training sessions on risks or activities that significantly impact the risk profile of the organization.
  • Create processes for risk issue escalation, ownership, and resolution.
  • Increase the risk committee’s direct communication and involvement with the CRO with regular reports.