Here’s What Bankers Are Asking About Risk Committees
One of the central topics of conversation at this week’s Bank Audit & Risk Committees Conference hosted by Bank Director in Chicago is whether a bank’s board of directors should have a risk committee separate from its audit committee. And for banks that have already established a risk committee, the question is what responsibilities should be delegated to it.
In one respect, the question of whether a bank should establish a risk committee seems easy to answer because it’s clearly delineated in the regulations. Under the original Dodd-Frank Act of 2010, banks with more than $10 billion in assets are required by law to have one, though that threshold was raised to $50 billion in legislation enacted last month designed to ease the burden of the post-financial crisis regulatory regime on smaller banks.
There is a general consensus among attendees at this year’s conference that a bank shouldn’t base its decision to establish a risk committee solely on a size threshold. “Now that we have a risk committee, I don’t know how we did it without one,” said Tom Richovsky, chairman of the audit committee at United Community Banks, a $12.3-billion bank based in Blairsville, Georgia.
Rob Azarow, a partner at Arnold & Porter, says the decision should be informed by two factors in addition to size. The first is the complexity of a bank, with the presumption being that a bank with a more complex business model should establish a risk committee sooner than a bank with a less complex model. The second factor is dollars and cents—namely, whether a bank has the internal resources at its disposal to essentially split its existing audit committee into two.
It’s worth noting as well, as Azarow points out, that even under the new legislation, the Federal Reserve retains the authority to require a bank to implement a risk committee, irrespective of size. Another point to keep in mind is that even for banks not required as a result of their size to establish a risk committee, once established, it is subject to regulatory oversight.
Approximately half the banks at this year’s Bank Audit & Risk Committees Conference have both types of committees—audit and risk—with many of the others still weighing the pros and cons of establishing both.
Deciding whether to have a risk committee is only half the battle; the other half involves deciding exactly what that committee should do. Should it be vested with all risk-related questions, thereby usurping the authority over those questions from other committees? Or should the other committees retain their authority of relevant risks, while the risk committee then plays the role of overseeing an aggregated view of those risks?
This distinction is clearest in the context of the credit committee, for example. One of the fundamental purposes of a credit committee is to gauge credit risk. It isn’t uncommon, for instance, for a bank to require its credit committee to approve especially large loans. Would the risk committee now handle this?
Generally, the answer is no. The role of the risk committee when it comes to credit risk is broader, focused on concentration risk as opposed to the risk associated with individual credits.
Another place this comes up is in the context of technology and information security. While the audit committee would retain the authority to ensure that current laws, regulations and best practices are being abided by, the risk committee would be more focused on looming threats.
Deciding which responsibilities fall under the risk committee as opposed to, say, the audit and credit committees seems to boil down to the question of whether the issue is backward-looking or forward-looking, tactical or strategic. Issues that are forward-looking and strategic should go to the risk committee, with the rest remaining under the jurisdiction of their home committees.
To be clear, conclusions on when and how to charter a risk committee are far from settled. There are rough best practices, but no overarching consensus in terms of bright lines. Even banks that have established separate risk committees with clearly delineated duties are still in a process of adjustment. They’re happy with their decision to do so, but they recognize that this is more of an evolution than a revolution.