In the aftermath of the 2008 global financial crisis, bank boards are taking on a much more active role in overseeing enterprise risk management (ERM). Bank directors face greater liability from shareholders and regulators in the form of lawsuits and professional liability claims from the Federal Deposit Insurance Corp., more stringent regulatory and disclosure requirements and higher expectations from key stakeholders. An effective relationship between the chief risk officer and the board is more important than ever.
How should bank directors support the chief risk officer (CRO) and improve the effectiveness of their relationship? Consider these five steps:
- Understand the role of the board in ERM. Bank directors recognize the regulatory requirements and business uncertainties that they face. Recent surveys indicate that risk management has emerged as a top board concern. What is the role of the board in ERM? There are three key responsibilities: (a) establishing an effective governance structure to oversee ERM, (b) approving an ERM policy that includes a risk appetite statement, and (c) establishing assurance and reporting processes to monitor risk management effectiveness. Bank directors who understand their role in ERM can provide effective risk oversight without encroaching on the role of management.
- Appoint more risk professionals to bank boards. Section 165 of the Dodd-Frank Act established new requirements for publicly traded banks with assets over $10 billion, including the establishment of a risk committee of the board that includes at least one risk management expert. The Federal Reserve Board may also begin requiring a risk committee at smaller publicly traded banks. James Lam & Associates reviewed the professional biographies of over 1,200 bank directors at U.S. banks with over $10 billion in assets, and found that only 5 percent have a risk background. We expect that number to more than double in the next few years.
- Ensure an effective risk committee of the board. While appointing risk professionals to their ranks will enhance the board’s capabilities to oversee ERM, there are other best practices for an effective risk committee. These include (a) a well-developed charter that defines the risk oversight responsibilities of the risk committee relative to the full board, the audit committee and other board committees, (b) a set of integrated dashboard reports designed specifically for the board that will highlight major risk exposures and key decision points and (c) a periodic assessment of the effectiveness of the risk committee based on both subjective and objective criteria.
- Enhance the independence of the risk function. What is the reporting relationship between the CRO and the risk committee of the board? If there is a dotted-line relationship, what does that dotted line really mean in terms of direct communication, CRO hiring/firing decisions and CRO performance evaluation? Moreover, what is the expectation of the board with respect to the responsibilities of the CRO? Importantly, is the CRO sufficiently independent and able to raise critical risk issues to the board without concern about job security or compensation? These are some of the key questions that should be addressed.
- Integrate board oversight of strategy and ERM. Monitoring strategy development and execution has long been the purview of boards. As boards become more active in ERM, the integration of strategy and risk oversight is a logical and desirable outcome. Independent research studies from Deloitte Research, The Corporate Executive Board and James Lam & Associates have found that when publicly traded firms suffer a significant decline in market value, approximately 60 percent of the loss events were caused by strategic risks, 30 percent by operational risks and 10 percent by financial risks. While integrated strategy and risk oversight is arguably a key role for the board, this process is still in its early stage of development.
In the current business and regulatory environment, establishing an effective partnership between the board and the CRO is more important than ever. Given that the CRO is responsible for implementing the ERM program, and the board is responsible for overseeing its effectiveness, the partnership between the two should be an ideal match.