How a Board Can Credibly Challenge Management on Risk
Brought to you by KPMG LLP
If you were asked, as a community bank director, how well your board challenges your executive team about the effectiveness of its risk management program (an area of increasing regulatory focus), how would you grade your board? Would it be closer to a C than an A? Worse? Better?
It is a situation that raises a few questions: What steps can, and should, a director take to assess management’s risk and compliance management capabilities? How can a board implement processes that enhance its risk oversight capabilities, and how will those processes evolve and mature as the bank grows and the strategic and competitive landscape changes? Does the board need a separate risk committee? If the board is not required by regulation to have a risk committee, how well is the board discharging its risk oversight responsibilities (possibly delegated to the audit committee)?
Our experience with community banks indicates that, with the risk environment quickly evolving, directors can benefit from risk management training focused on the board’s role in ensuring the adequacy and effectiveness of the bank’s risk management functions and activities. We say that not as criticism but instead as an indication of the difficulty in keeping up with the pace of industry change.
What may be most important, though, is the recognition at banks that risk management is not just a program, but rather, is an ongoing process that must become embedded in the way management runs the bank and the board conducts its stewardship and oversight responsibilities.
With those observations as a backdrop, community bank board members may want to consider the following to identify potential improvement opportunities in board governance, oversight and risk management capabilities:
- If the bank has less than $10 billion in assets, and thus is not required by the Dodd-Frank Act to establish a separate risk committee, is risk management afforded the appropriate degree of focus and attention?
- What is the complexity of the bank’s operating model and the pace of change within the organization, the markets it serves, the types of credit offered, liquidity risks, interest-rate exposure, and its ability to respond to technological changes and cybersecurity threats?
- Is the management of risks being overseen by the full board, spread across various committees, or delegated to the audit committee? Have roles and responsibilities for risk oversight been clearly defined and communicated, including among the various board members and committees? If the audit committee is responsible, do the members have the capacity, and skills, to provide effective oversight of the variety of risks facing the bank, or should a dedicated risk committee be established?
Regardless of whether or not a separate risk committee exists, the full board is ultimately responsible for understanding the bank’s key risks and credibly challenging management’s assessment and response to those risks. Here are several considerations for boards as they evaluate their risk oversight. Keep in mind the issue of scalability. As the bank grows, the processes and reporting associated with each risk oversight activity will become more robust and formalized:
- Do our board members (particularly directors on audit or risk committees) know our bank’s top enterprise risks—those that threaten our bank’s strategy, business model, or existence?
- Does our bank have a formal risk management process? Do directors know how management identifies and manages risks, both existing and emerging, and if there is a process of accountability? Does the board have comfort that management has the proper talent to manage today’s risks?
- Does the bank have a formal risk appetite statement? If not, how does the board oversee that management is not taking risks outside of the bank’s stated risk tolerance? Is there a protocol to escalate a risk issue directly to the board? Is there evidence that management recognizes the critical need to communicate risk issues to board members in a timely manner? Is there a process for the board to evaluate the impact of compensation on management’s risk-taking?
- As the bank takes on new initiatives or offers new products and services, does the board understand the process to evaluate the risks prior to decisions being made? Is there a clear threshold for when items need to be brought to the board before finalizing a decision?
- In examining management’s reporting process, are directors concerned whether they are getting relevant data? Are they getting so much detail that it cannot be absorbed? Are they getting data at such a high level that it’s impossible to evaluate risk?
- Does the board recognize that risk management done well adds competitive advantage and value by addressing gaps in operations? Viewing risk management solely as a compliance function increases the chances of wasting time and money.
- Is the board ensuring that, in dealing with the regulators, the bank is “getting credit” for the risk management activities it is doing well by being able to describe the programs that have been instituted—or actions taken—that will enable the bank to “harvest value” from its enterprise risk management process?
- Finally, given the importance of “tone at the top,” are directors satisfied that the proper culture of “doing the right thing” exists across the organization?