A New Mandate for Risk Management

Early last spring, after three straight years of annual losses, a newly revamped risk committee sat down to business at $26-billion-asset First Horizon National Corp.

Under the new CEO, D. Bryan Jordan, the Memphis-based bank had been working hard to recover from a costly misadventure in home mortgage and residential development lending. Now, the board decided to make some changes, too. It replaced the credit policy and management committee with an executive and risk committee, which expanded the board’s focus to all aspects of risk, not just credit and compliance risk. New executive vice president and chief risk officer Yousef Valine was now creating quarterly reports that showed how risks interacted with each other, including fiduciary trust and the loan portfolio. He also was giving each board member, not just risk committee members, eight-to-10-page executive summaries of the entire organization’s risks.

First Horizon was not going to make the same mistakes twice.

“Risk management is just a part of good management,” Valine says.

The collapse of some of the nation’s largest financial institutions a few years ago is forcing directors at banks of all sizes to get more actively engaged in the risk management function. The federal government also is forcing their hand: Dodd-Frank legislation will require board level risk committees for bank holding companies with more than $10 billion in assets.

Non-bank publicly traded financial companies also will need them, if regulators designate them as “systemically important.” However, some bank consultants predict even smaller banks may be forced to start risk committees.

So what is the best way to set up and operate a risk committee efficiently? How can directors control the committee and make sure they’re getting the right information from management, rather than a data download sure to bury them in a pile of numbers? How do they ensure, in short, they’re doing their jobs?

“We certainly see (the adoption of risk committees) as a best practice,” says Nichole Jordan, the New York-based banking and securities leader for audit, tax and advisory firm Grant Thornton.

Jordan says regulators will start asking smaller banks, those under $10 billion in assets, to have risk committees, too.

Jordan adds that she already knows of such banks beginning the work of creating the committees, although she declined to name them.

The language of Dodd-Frank lets the Federal Reserve decide whether to start requiring risk committees for the boards of banks under $10 billion. If nothing else, regulators are pressuring smaller banks to rethink how they view risk.

“The crisis has highlighted the need for better risk practices,” says Luther Klein, an executive in Accenture’s financial services group. “Risk management has been greatly elevated in the marketplace.”

The risk committee mandate began its journey into law in the office of Sen. Charles Schumer, D-New York, who in May 2009 introduced the Shareholder Bill of Rights Act in the Senate.

Schumer’s proposal, which included a “say on pay” requirement for shareholders of publicly traded companies and a risk committee for every public company, never made it into law. But those two elements did make it into Dodd-Frank, although the risk committee rule was paired down so it only applied to large financial companies.

“There were a whole lot of provisions the legislators realized wouldn’t make sense for smaller institutions,” says Steve Verdier, executive vice president for congressional relations at the Independent Community Bankers Association.

Schumer’s office, which didn’t return phone calls for this story, sent out a press release when introducing his Bill of Rights legislation, saying: “Today, the oversight of how companies manage their risks is most often a responsibility of the audit committee, which has enough responsibilities already without also having to focus on risk. By creating separate risk committees, boards will never again be able to say they did not understand the risks that the firms they oversee were taking.”

The Federal Reserve has a lot of leeway in making the risk committee rules, and plans to elicit public comment between April and June of this year on a proposal. Final rules on the new risk committees are due by July 21, 2012, if all goes on schedule. Big bank boards would need risk committees by October 21, 2012.

The law has few specifics on what must be included: at least one expert in risk must be on the committee, defined as someone with “experience in identifying, assessing and managing risk exposures of large, complex firms.”

There were 62 publicly traded bank and thrift holding companies with more than $10 billion in assets as of the fourth quarter of last year, meaning roughly that amount will be impacted by the new law, according to a Crowe Horwath analysis of SNL Financial data.

Many banks, though, already have risk committees. In a February 2010 survey of 197 bank audit committee members, Bank Director and Grant Thornton found that 41 percent of banks with more than $500 million in assets had a risk committee. Only 17 percent of smaller banks did.

Susanna Tisa, managing director of Treliant Risk Advisors in Washington, D.C., says that number has probably increased during the last year to more than 50 percent of large banks because “they see they won’t be able to avoid it.”

In fact, some banks even had risk committees predating the financial crisis, says Dawnella Johnson, a partner in the risk consulting group for Crowe Horwath in New York.

Bank of New York Corp. and Mellon Financial Corp., then separate companies, both started separate risk committees in 2002, well before the financial meltdown. The idea came from Thomas Reyni, who was then chief executive officer of The Bank of New York and had been the chief risk officer for the bank previously, so he already had risk management at the top of his agenda.

The Bank of New York Mellon Corp., which has $254 billion in assets, not only survived the financial crisis a few years later, it was one of the top performers in the federal government’s stress tests in early 2009. The bank, which services securities and manages assets for the world’s institutions and wealthy individuals, reported net income of $2.5 billion in 2010.

At least part of that success can be attributed to a long culture of good risk management throughout the organization, says the company’s risk committee chairman, Nicholas Donofrio, who had previously served on the audit committee.

“You can’t expect (the chief risk officer) to do everything,” Donofrio says. “It’s a huge bank. It has trillions of dollars of assets it’s dealing with on a daily basis.”

The seven members of the BNY Mellon board, all of whom are independent, sit either on the audit or the risk committee, but not both. In part to manage the natural redundancy between the two groups, the risk and audit committees start with a two-hour joint session. That means every board member is present to go over the joint issues of the audit and risk committees-for instance, the company’s progress in meeting Basel II international banking capital rules.

Donofrio says his committee “takes control of the agenda” from management to ensure that the concerns and questions of the committee members are what get addressed during the meetings. The company’s CEO and president both sit through much of the committee meetings but they don’t serve on the committee and they don’t vote, says Brian Rogan, vice chairman and chief risk officer. Rogan has his own executive session with the risk committee, and the committee also has its own executive session apart from any member of management.

Rogan says the bank surveys risk committee members annually to see what is working well and not so well, assessing the clarity and value of the information it is giving to committee members. The committee also spends time during each session talking about emerging risks-what could happen in the future and what should be done about it, Rogan says.

The committee meets about eight to 10 times per year with one annual strategy meeting to discuss the company’s appetite for risk and set the organization’s risk tolerance threshold.

“Where are we allocating capital and are we getting our just return?” explains Donofrio. “That’s where the problems (in the financial meltdown) were. You weren’t getting returns so you (went) and (did) stupid things.”

Donofrio also enforces a rule that plain English must be spoken during all meetings, not an easy task when it comes to risk management.

“The bulk of us are not financially savvy people,” says Donofrio, who has an engineering background and is a former executive vice president for IBM. “(Risk managers) can speak whole sentences I don’t understand by combining acronyms.We forbid that.” Donofrio asks managers to submit executive summaries of their presentations to the board in writing before the meetings.

Tutorials outside the committee meetings also help members digest the company’s risk management processes better.

“If we can get to a common language quicker, it’s easier,” he says. “You have to stand guard for that.”

Donofrio also tries to limit the number of people attending risk committee meetings. “We want people to come in, tell us what’s on their mind, and please leave,” he says. “Sometimes these things can become huge groups. You can do your best thinking out loud in a smaller group. If you have to perform before 50 to 100 people (it’s not as easy).”

However, Donofrio likes to get division heads reporting to the committee meetings. He thinks it’s helpful to talk to people in all aspects of the organization, not just risk management.

Talking to multiple people in the organization not only educates the board, but it also keeps a check and balance on the information the board is getting from top management. Donofrio believes the appetite for risk can’t stay with the risk committee alone.

“It starts with the CEO and it has to permeate the entire organization,” he says, adding that banks have to watch out for lower-level rogue employees who claim not to know the rules. “It has to be your culture.”

The Senior Supervisors Group, which includes global financial regulators from 12 agencies in 10 countries, concluded something similar in its 2009 report on the financial crisis when it highlighted “a key weakness in governance stemmed from what several senior managers admitted was a disparity between the risks that their firms took and those that their boards of directors perceived the firms to be taking.”

Aligning the board’s expectation with business reality has become a priority even for much smaller banks.

“It has been three years since the start of the financial crisis,” writes First Horizon National Corp.’s chief risk officer, Yousef Valine, in an article published in February in The Risk Management Association’s magazine, “and it would be a missed opportunity if we continued operating in the same manner without engaging in meaningful soul-searching.”

He says good risk management boils down to answering three questions: Should we do it? Can we do it? Did we do it? To answer these questions, the company prepares a more than 100-page report quarterly to the risk committee of the entire organization’s risk profile. “In some ways, the role of the chief risk officer is to act as a general contractor and make sure the owner of the house knows what the big picture is,” he says. Four independent directors serve on the risk committee as well as the company’s chief executive officer.

The chairman of the audit committee also serves on the risk committee to make sure the two committees don’t duplicate efforts, Valine says.

Risk committees tend to organize themselves in different ways, but clearly the trend now is to take an enterprise-wide view of risk. In the past, consultants were hired every few years to look at risk throughout the company, and now it’s a part of regular board reviews, says Grant Thornton’s Jordan.

Enterprise risk management involves identifying potential future events that could impact the company, managing the organization’s appetite for risk and providing assurance that goals were met. Regulators are pushing for more enterprise risk assessment, even for banks that don’t have risk committees, says Mark Olson, a former Federal Reserve governor and co-chairman of financial consulting firm Treliant Risk Advisors in Washington, D.C. That includes looking at risk throughout the organization, not just credit or liquidity.

For instance, will a glitch in information technology allow the release of thousands of customer social security numbers? Will a group of traders in some obscure subsidiary take down the entire institution, as happened to AIG? Has the organization done worst-case scenario stress testing to see what happens if real estate prices erode even further?
Crowe Horwath’s Johnson says bank regulators are pushing even banks between $1 billion and $5 billion in assets to have an enterprise risk program in place, whether they have a risk committee or not.

Will Callender, manager of the risk management practice First Manhattan Consulting Group in New York, says bank boards and regulators are focusing more within the last few years on strategy or business model risk.

“Now there is a redoubling of effort to say: What are the risks to our strategy?” he says. “What are the competitive risks to our model? What are the pricing risks? Are we pricing at levels we don’t really want? What has to go really well for our strategy to succeed? How much of our success is predicated on a handful of events taking place?”

But sometimes, such questions can lead risk management staff to dump a ton of financial data on risk committees, and they need to control that, Callender cautions. He suggests a member of management, not necessarily the chief risk officer, who can “go through and provide not just the data but also the context and the importance of that information.

Someone needs to say, ‘Here is the issue at hand and what do we need to do about it?’”

Risk committee members also need to understand how the management structure works and how information flows up to the board, Callender adds. Committee members need to understand how the risk is being monitored, who is responsible for doing that, and what triggers something being brought to the attention of the risk committee.

Tisa, the managing director of Treliant, suggests creating a matrix of all the different risks in an organization and setting tolerance thresholds for each one. The thresholds could be turned from numbers or concepts into colors such as green, orange and red.

“You don’t want a matrix that is laborious and that won’t get updated,” she says. “You need a common language of risk to understand and talk about and timely reporting that is easy to do.”

Enterprise risk isn’t a new concept. But it is shaping up to be one of the most important topics for the board’s regular business. The banks that understood it the best are in many cases the ones that are still alive today.

“The financial institutions that underestimated their risk exposure are not around anymore,” says Olson. “That’s how critical it is.” |BD|