Should your board form a standing risk committee — and how will you know that the time is right?
Federal law requires all depository institutions to establish a standing board-level risk committee once they reach $50 billion in assets. The requirement dates back to the passage of the Dodd-Frank Act in 2010; the original asset threshold was set at $10 billion but raised to $50 billion when some of Dodd-Frank’s provisions were relaxed in 2018.
Not every bank waits until it reaches $50 billion to form a risk committee. Many boards make that decision when their bank is much smaller, generally in reaction to its growing size and complexity. In my experience, smaller banks tend to handle risk oversight through their audit committee. But as a bank grows by expanding geographically, adding new business lines or diversifying its loan portfolio — and sometimes doing all of these things at once — its risk profile changes. There is simply more to keep track of — more that can go wrong — and it becomes appropriate to assign the job of risk oversight to a dedicated committee.
In my opinion, once a bank becomes large and complex enough that risk oversight shouldn’t be juggled with audit committee issues like overseeing the external audit or ensuring the integrity of the bank’s financial statements (if it’s a public company), having a dedicated risk committee becomes a best practice.
“When the materials, when the content, when the conversations get more complex and more involved — that’s when I tend to see audit committees split apart into a pure audit committee and a board risk committee,” says Ryan Luttenton, a partner at the consulting firm Crowe LLP. “It’s when the complexities of the institution become a little more challenging to manage in the context of just one meeting. When you start to push things into consent agendas, and you’re approving things and the list starts to grow and grow, it becomes a question of, are we doing a disservice to the institution by not having more constructive discussions around risk and strategy in a risk committee?”
BankNewport, a $2.3 billion mutual bank subsidiary of OceanPoint Financial Partners, opted to form a risk committee in 2016 when it was just $1.4 billion. According to risk committee chair James Wright, the Newport, Rhode Island-based bank was beginning to expand beyond Aquidneck Island, an island in Narragansett Bay that contains Newport and surrounding towns, to the rest of Rhode Island. The bank was also beginning to expand its lending focus to include commercial real estate, an inherently riskier asset class.
Previously, the BankNewport board had not assigned risk oversight to its audit committee, but instead handled it in a compliance and trust committee. The board ended up reconstituting that committee as a standing risk committee. “I think it was a variety of things that led us to doing that,” says Wright. “Our credit portfolio was shifting from more of a residential focus to more commercial. It wasn’t dramatic, but the balance was starting to shift. We were taking on more of a geographic footprint. It really was time to create a more enterprise-wide, strategically focused risk committee that would look at all risk as connected entities.”
There are seven members on the bank’s risk committee, including the board chair and CEO, and it meets quarterly. Around the same time that it created the committee, BankNewport also hired its first chief risk officer to build out a more comprehensive, enterprise-wide risk management process at the bank level. Wright believes the board’s decision to form a risk committee, combined with stronger risk management practices at the bank level, has greatly improved the quality of its risk oversight. “Now, there’s a more centralized place for everyone to go and say, ‘What are we doing about this? What are our protections? What are our proactive measures we’re taking on these things?’”
Another bank that made a decision to bring a sharper focus to risk governance is Glacier Bancorp, a $21.3 billion asset regional bank in Kalispell, Montana. According to committee chair Annie Goodwin, the bank had approximately $5 billion in assets when it formed a risk oversight committee in 2012. Obviously, this was well under the $10 billion threshold that had been established by Dodd-Frank, but the bank wanted to be ready when it got there.
“Even though we’re not at the $50 billion asset threshold presently … our board has made the decision to maintain the risk oversight committee,” Goodwin says. Nine of Glacier’s 11 directors sit on the committee, and its risk oversight officer reports directly to the committee and provides it with monthly reports.
“The risk oversight committee provides a disciplined structure to ensure that we are conducting enterprise risk management in a comprehensive manner,” says Goodwin. “So many areas of the bank’s functions and operations are encompassed in the oversight of our committee that I don’t think our board could ever go back and not have a risk oversight process again.”
Although bank regulators rarely mandate that banks below the $50 billion threshold form a risk committee, they often begin to have conversations with banks under their supervision about adopting more robust enterprise risk management practices at the bank level when they approach the $5 billion mark, according to Luttenton. “And then, as you get to $8 billion, what I hear from my clients and feedback from some of the regulators is that they kind of come in and do a light touch,” he says. “They start to set some expectations around enterprise risk and things like model risk management and vendor management.” Regulation generally becomes tougher when a bank passes the $10 billion mark, and the regulators want a strong risk management program in place by then.
And if the bank is beefing up its risk management policies and practices at the bank level, it may make sense for the board to focus its risk governance efforts in a dedicated committee.
Goodwin is a former regulator who served as Montana’s Commissioner of Banking and Financial Institutions from 2001 to 2010. She believes that even small community banks can benefit from bringing a more focused approach to risk governance by setting up a dedicated committee.
“For all banks that are sitting on the sidelines with whether or not they should implement an enterprise risk management committee, my advice is to get started soon,” she says. “And even if it’s a very simple process, it’s always easier to implement a program when the bank is small, rather than waiting until it gets much larger in asset size and much more complex in its operations. I think even with a smaller community bank, enterprise risk management can get into the board’s DNA, their way of thinking that prepares them for the future and to help the bank with its long-term success.”
Brian Nappi, a senior manager at Crowe, says directors are often bogged down under the weight of too much information. “If I’m sitting on a risk committee and I have to look at more than nine pages to understand where we are, then we’re not good communicators,” he says. The first page should have four things, Nappi says: the risk appetite statement compared to the bank’s risk profile at the end of every quarter; the top three to five risks facing the bank; management’s response to those risks; and the top two or three emerging risks. The remaining eight pages should contain a variety of risk data if the committee members want to drill down deeper, he adds.
Generally speaking, risk committees should be forward-looking in their focus, while audit committees naturally look backward. This is why handling risk in the audit committee is something of a philosophical disconnect. When a bank forms a risk committee after its audit committee has been handling risk oversight, the audit committee still plays an important role in verifying that the bank’s various risk management policies are being followed.
“The focus for audit committees is on internal controls — which controls are working, and which ones are broken,” says Nappi. “Risk committees, their focus should be on what’s the highest residual risk [facing] the institution, and what [is] management’s response to those risks.”