Do Risk Committees and Chief Risk Officers Make Banks Safer?

The Dodd-Frank Act mandates that banks with $10 billion in assets or greater must have a board-level risk committee, and banks with $50 billion or more in assets also must have a chief risk officer. But do these risk control mechanisms, separately or in combination, actually reduce risk in a bank?

Judging by the experience of JPMorgan Chase & Co., which in May of this year sustained a $6 billion trading loss because of a flawed trading strategy run by its London-based chief investment office, the answer would have to be no-because the bank had both a board-level risk committee and a chief risk officer (CRO) at the time of the loss.

In subsequent testimony before the Senate Banking Committee, Chairman and Chief Executive Officer Jamie Dimon said JPMorgan’s senior management had been misinformed by the London-based investment operation (which had its own CRO and risk management structure). “To the extent that we were misinformed, we were misinforming them,” Dimon reportedly said of the committee. “It’s a little unrealistic to expect the risk committee to capture something like this.”

Considering their professional backgrounds, it might have been a little unrealistic to expect the three directors on JPMorgan’s risk committee at the time to have exercised adequate oversight at such a highly complex global bank even under the best of circumstances. One committee member is the president of the American Museum of Natural History in New York, another is CEO of a manufacturing and technology company and a third is the president of a family owned investment company who last worked on Wall Street in 1985. In July the bank appointed a fourth director to the risk committee-Timothy P. Flynn, the recently retired chairman of KPMG International who was elected to the board in May-in an apparent move to strengthen the committee.

Risk committees and CROs are valuable tools that can make banks better at managing risk, but a number of experts agree that a more important consideration is the strength of the underlying risk management process, including how risk is controlled by management, how information is reported up to the board and how the board provides leadership in this critical area. If the process is flawed, or if directors are poorly qualified to provide risk oversight, then having a risk committee and a CRO hardly matters-as the trading debacle at JPMorgan makes clear. “Those things by themselves do very little to convince me that you’re doing an adequate job of overseeing the institution,” says Robert Burns, associate director in the division of risk management supervision at the Federal Deposit Insurance Corp. (FDIC) in Washington, DC.

Or to turn an old adage on its head, the tools of risk management are only as good as the workmen.

The regulators have for several years now been encouraging banks to adopt an enterprise-wide risk management approach, in which a number of risks are monitored beyond such traditional bank exposures as credit and interest rate risk. But the passage of Dodd-Frank was the first time that banks were mandated to meet specific requirements for their risk management programs, although they only applied to banks with $10 billion in assets or greater. The Federal Reserve was tasked with developing new rules that would spell out these requirements, which it proposed in December 2011. The required public comment period ended in March of this year, and as of late September the Fed had yet to issue a final set of rules.

The proposed rules would require banks with $10 billion in assets or greater to establish a risk committee of the board that is chaired by an independent director and includes at least one risk management expert with professional experience “commensurate with the capital structure, risk profile, complexity, activities, size and other appropriate risk-related factors” of the organization. The proposed rules also dictate the specific responsibilities that risk committees must assume, including the setting of risk parameters for each line of business, monitoring management’s compliance with those parameters and the implementation of prompt corrective action to address risk management deficiencies as they are identified.

Banks with assets of $50 billion and above must also have a chief risk officer whose background is commensurate with the overall profile of the institution, and who reports directly to both the risk committee and CEO. Prescribed responsibilities for the CRO would include the establishment of policies and processes for risk oversight, the monitoring of management compliance with risk limits and the management of risk exposures and risk controls.

Although the Dodd-Frank Act has made risk committees and CROs a regulatory requirement for banks of a certain size, a number of the country’s largest institutions have had them for some time, including $117-billion asset Fifth Third Bancorp in Cincinnati. The bank’s risk and compliance committee started out as the compliance committee in August 2002 before adopting its current title in August 2003. Over that period of time, the committee’s focus has expanded beyond just credit and regulatory compliance, which were its initial concerns, to embrace an enterprise-wide risk governance role.

Fifth Third has also had a chief risk officer since 2003. The bank’s current CRO, Paul Reynolds, is an executive vice president and corporate secretary, and has been in that position since October 2011. “At the time this position was established, there weren’t a lot of organizations that had a CRO, so we were pretty early,” he says.

According to Reynolds, the risk committee’s job is to oversee and regularly review the bank’s risk profile while taking a “forward looking” view on areas of emerging risk that might pose a problem in the future. “The committee is really the bank’s eyes and ears around all the various areas of risk,” he explains.

The risk committee’s five members are Marsha Williams, a retired chief financial officer with Orbitz Worldwide who serves as the chairman; former U.S. Senator Evan Bayh from Indiana, now an attorney in private practice; Jewell Hoover, a former senior regulator at the Office of the Comptroller of the Currency for 28 years who is now a principal at her own consulting firm, Hoover & Associates; Ulysses Bridgeman, who owns a string of Wendy’s and Chili’s restaurants; and Hendrik Meijer, CEO of the Meijer Inc. grocery chain in Michigan.

“We have a diverse committee and it serves us well,” says Reynolds.

The role of Fifth Third’s CRO is to focus on eight categories of risk-credit, market, operational, compliance, liquidity, legal, reputational and strategic-“and directly or indirectly manage all of these categories,” says Reynolds. He gathers risk-related data from throughout the company, distills it into a set of key risk metrics and provides that to the committee in the form of a monthly dashboard report. He also provides the committee with other informational content that helps its members understand what’s going on in the world, including peer performance data and economic forecasts, attends committee meetings and speaks to Williams regularly. “I probably speak to her every other week or so,” Reynolds says.

KeyCorp, an $87-billion asset regional bank headquartered in Cleveland, has had a board-level risk management committee and a chief risk officer for several years. The bank’s senior executive vice president and CRO, William L. Hartmann, has only been in the job since July but brings a wealth of risk management experience to the position. He joined Key in 2010 as its chief credit officer, and previously spent 29 years at Citigroup in a variety of risk management and capital markets jobs, most recently as the bank’s global head of large corporate risk management.

Hartmann says the risk committee’s primary role is to establish the “risk appetite level” for the bank’s various business lines, expressed in the form of measurable data like non-performing loans or customer service complaints, and “it’s part of my job to translate that appetite into a risk control structure for the company.” That control structure includes a risk reporting process where Hartmann regularly provides the committee with a variety of forward looking metrics that will not only tell the committee what the bank’s risk profile is today-but also where it might be trending in the future. KeyCorp’s risk committee meets six times a year, “so every other month we’re also having face time with the [committee members].”

Although many large banks like Fifth Third and KeyCorp have had risk committees for several years now, they are still a relatively new development throughout the industry, and it’s unlikely that most risk committee members will bring an extensive background in risk management to the task. Christina Speh, the director of consulting services at Wolters Kluwer Financial Services in Minneapolis, says risk committee members do not need to be risk experts since they are not actually managing risk throughout the bank. “That’s the role of the chief risk officer,” she says. “The role of the risk committee is to give management the direction and set the culture. What you need are really smart people who understand the bank’s businesses and the market it is operating in.”

Bert Otto, who is deputy comptroller for the central district at the Office of the Comptroller of the Currency (OCC), agrees that risk committee members do not need to be risk experts per se, although they do need to understand the basic elements of enterprise risk management and also have a thorough understanding of their bank and its market. They also need to be intellectually curious. “You need someone who asks questions,” Otto says. “They need to be aggressive about asking for data. They need to keep asking ‘Why?’”

However, it might be tough to find that perfect “risk management expert” with experience in identifying, assessing and managing the risk exposures of large and complex firms, as Dodd-Frank requires for banks with $10 billion or more in assets. In its proposed rule, the Federal Reserve did not provide a detailed explanation of what kind of person would qualify as a risk management expert, so it will probably take some time before banks know whom to recruit.

Most institutions have long had chief credit officers, since credit risk is an exposure that banks have traditionally paid close attention to. But it has only been in recent years that an emphasis on enterprise risk management has created the need for a senior level executive to oversee risk across the entire organization. It would be unusual to find a banker who was equally versed in, say, credit, operational and regulatory risk, given their divergent characteristics. And that means CROs are likely to come from a number of different places within the bank. Hartmann’s background is in credit risk management and capital markets, while Reynolds is a licensed attorney whose first job at Fifth Third 22 years ago was managing the bank’s legal department. He has also overseen the bank’s regulatory compliance and community affairs activities, and prior to becoming the CRO, was Fifth Third’s chief administrative officer. “I have a very broad background,” he says.

Molly Curl, the bank regulatory national advisory partner at Grant Thornton LLP, and herself a former bank examiner with the OCC, suggests that experienced examiners might actually make excellent chief risk officers because they need to understand everything about the banks under their supervision. “They’re the ones with a global view of the entire bank,” she says.

For banks below the $10-billion and $50-billion threshold levels, size and complexity are probably the factors most likely to drive a decision to form a risk committee or hire a CRO. The board of a $5-billion bank with a simple branch banking business model and plain vanilla asset mix might be able to handle risk governance without forming a risk committee. The board at another $5-billion asset bank with a more complex model that includes a number of subsidiaries might find that it needs the extra focus that a risk committee would bring to the process. The FDIC’s Burns says his agency would always look at whether the bank’s risk management processes are adequate for the risks it is taking on regardless of how the oversight process is organized. “From a regulatory perspective, it’s less important that they have a committee with a certain name and more important that they’re able to oversee management,” he says. “Does the bank have the level of expertise to supervise management in light of the risks it is taking on?”

Smaller banks outside of major urban markets might have difficulty attracting enough qualified directors to serve on a risk committee, particularly if they are already having trouble finding good directors to fill out their other committees, and they also might balk at the cost of adding such an expensive commodity as a chief risk officer. And yet in spite of these practical considerations, the federal bank regulators clearly expect the board to provide adequate risk governance regardless of how it organizes itself for that undertaking.

When it comes to risk governance, what the board does is clearly more important than how it does it. Michele Sullivan, a partner at the consulting firm Crowe Horwath LLP, says the board’s most important risk governance role is to determine a risk tolerance level-which is to say, how much risk the bank is willing to assume in each of its principal businesses-and then make sure that tolerance is adequately reflected in the strategic plan. “That in my opinion is the single most important step to take,” Sullivan says.

Still, there are definite advantages to having a risk committee and chief risk officer-and Kevin Blakely, a former CRO for both KeyCorp and Huntington Bancshares Inc. in Columbus, Ohio, and now a senior advisor in Deloitte & Touche LLP’s governance, risk and regulatory strategies practice, is a strong advocate for both.

“How could you not have a risk committee,” says Blakely. He would encourage all banks regardless of their size to form a risk committee because, in his view, it’s the best mechanism to ensure that risks throughout the organization are being adequately managed. “[Risk governance] needs to be getting the level of attention it deserves,” Blakely says.

Most small banks have assigned risk governance to their audit committee, and Blakely and others see that as a potential problem. According to Blakely, audit committees tend to be focused primarily on operational risk and the integrity of the bank’s financial statements if it files regular statements with the Securities and Exchange Commission as a publicly owned company, in addition to all of the committee’s other duties, like overseeing the internal and external auditors. “There have been a lot of expectations placed on the audit committee in the last 10 years that have taken up a lot of its time,” he says. “Having a risk committee allows the board to do a deep dive into all the other areas of risk.”

By their very nature, audit committees tend to be backward looking in their focus, while effective risk governance needs to be forward looking as well. It’s important to understand what your institution’s risk profile is today, but equally important to know where it’s trending in the future. The OCC’s Otto asked his staff to look at banks that weathered the recent financial crisis and identify what set them apart from those that didn’t fare as well. One factor they discovered was that the survivors tended to have a forward looking process that helped them identify problems early and make quick adjustments. “That’s what a risk committee does for you,” Otto says. “Audit looks back to make sure that controls are in place. I’m not sure that the audit committee can also be the risk committee.”

Not surprisingly, perhaps, Blakely is also a strong advocate for the chief risk officer position, which he describes as the “second tier of defense, after the bank’s business line managers, who are the first line of defense.” The CRO’s role is to create a structure throughout the bank that measures and manages risk in compliance with the risk profile, and feeds reliable and timely data up to the committee for its consumption. While human judgment is an important part of managing risk inside a bank, much of that process involves the collection and interpretation of data.

Blakely argues all but the very smallest banks would benefit from having one senior executive who is charge of overseeing risk control throughout the organization, even if that person does not carry the CRO title. For example, the chief credit officer at a small bank could double as the CRO so long as he or she was well versed in the full breadth of the bank’s operations and activities. “I believe that you do need a CRO and if you find one, they’re worth their weight in gold,” says Blakely. “But there’s no perfect structure.”

Thus far, at least, there seems to be few signs that the regulators are pressuring small banks to adopt these more extensive-and expensive-risk control mechanisms such as hiring a chief risk officer. Grant Thornton’s Curl says the issue of risk committees and CROs rarely comes up during regulatory examination at smaller institutions. “The sense that I am getting is that they are not pushing these things,” she says.

For his part, Burns says the FDIC is not pursuing such an aggressive agenda even though “that is an observation that is fairly widespread,” and he is more concerned about process than structure. Otto at the OCC voices essentially the same point of view. “A plain vanilla institution just serving its community in a small town in rural America, we’re not saying they have to have a risk committee,” he says. More importantly is whether the board has a forward looking view of risk. “My concern is that if no one is looking at it, they’re going to be late to the dance when something happens,” he says.