Does your board need to set up a separate risk committee to manage all of its bank’s exposures? If your institution is large enough, that question has already been answered for you. The two-year-old Dodd-Frank Act, which was Congress’ answer to the financial crisis of 2008, will soon require that all banks with $10 billion in assets or greater have a board level risk committee, and also that the committee have at least one director with risk management experience.
The new rules on risk committees have been proposed but are currently in a comment period, so it’s unclear when they will take effect or what the final requirements will look like, although it’s a safe bet that all banks north of $10 billion have already begun the process of organizing a risk committee. The more interesting question is what institutions below the $10 billion cut off point should do. The answer would seem to be, “It depends.”
Christina Speh, the director of consulting services at Wolters Kluwer Financial Services, says it’s the job of the board to set the institution’s risk appetite based on its strategic plan, and then make sure that the executive management team stays within the boundaries that the board has laid out. At its simplest, these boundaries are expressed in the form of various metrics—the level of non-performing assets, or service quality complaints, for example—and also as institutional values, such as honesty or customer responsiveness.
When it comes to the risk governance process, Speh says that it’s particularly important that boards be “forward thinking” in their approach—which is perhaps the best argument in favor of having a separate risk committee. “I would say that [risk management] is not really an audit committee function regardless of the size of the institution,” she says. “Audit committees look backward. The role of the risk committee is strategic and forward looking.”
Bert Otto, a Chicago-based deputy comptroller for the Central District at the Office of the Comptroller of the Currency, agrees with Speh that boards need to have a forward thinking perspective when it comes to risk governance. Otto says he asked his staff to identify those institutions that emerged from the 2008 financial crisis in relatively good shape and identify what they had in common. An important characteristic that many of these banks shared was a board that was keenly focused on emerging risks, which enabled them to spot problems at an earlier stage in the downturn than many of their peers.
“The institutions that weathered the storm better than others had that [forward looking] process, whether they had a risk committee or not,” says Otto. That said, Otto believes the presence of a risk committee makes it more likely that a board will be focused on future risks—although he stops short of advocating that all banks should have a risk committee. For Otto, the important considerations are factors like the institution’s business model and product mix. “Vanilla institutions just serving their communities in a small town in rural America, we’re not saying they have to have a risk committee,” he says. Larger, more complex institutions with a more complicated risk profile—even if they are below the $10 billion threshold—might benefit from a having a separate risk committee, Otto adds.
For smaller institutions, more important than whether responsibility falls to the audit committee or a separate risk committee is the perspective that the board brings to the activity of risk governance. “My concern is that if no one is looking at it, [the bank] is going to be late to the dance when something happens,” Otto says.