The board’s role in managing risk has certainly been in the spotlight in the years following the financial crisis, with the regulatory bar raised regarding risk governance. While publicly traded institutions with more than $10 billion in assets are specifically required to establish separate risk committees of the board, many smaller banks are doing so as well. In March, Bank Director’s 2014 Risk Practices Survey found that more than half of institutions with between $1 billion and $5 billion in assets and 76 percent of those with between $5 billion and $10 billion in assets now govern risk within a separate committee. Data for institutions with less than $1 billion in assets was not collected.
When does a bank need a separate board-level risk committee? Despite the rising popularity of risk committees, many community banks have not taken this approach, but instead govern risk in the audit committee or as an entire board.
Regardless of size, banks with a more complex risk profile have a greater need to govern risk within a separate board-level committee. Not only does a more complex organization intrinsically have a more complex risk profile, its audit committee will be more heavily tasked, leaving less time to devote to risk management matters. In that situation, “the best case scenario is to have two separate committees,” says Jennifer Burke, partner at accounting and consulting firm Crowe Horwath LLP.
Jim McAlpin, partner at Bryan Cave LLP, believes it best to separate risk and audit responsibilities if the bank has qualified directors for both committees. “Not all boards have qualified directors for this,” he says. “Unless you have adequate capability on the board, it’s not helpful to have both committees.”
The ability of the board to place appropriate members on a risk committee is important, and having those skills mirror those of the bank’s audit committee may not be the best approach. The risk analysis process focuses on more than just financial risk and requires directors who can anticipate a variety of problems that could be faced by the institution. “It’s good to have directors with a compliance or risk background that are used to thinking outside of the box. The most beneficial aspect of the risk committee is anticipation,” he says. “The board can charge management to focus on areas where risks appear to be developing.”
He sees more banks bringing in new directors with these skills, and there is no shortage of qualified candidates. That said, larger institutions can better attract directors from outside the community and recruit for these skills, so risk and compliance expertise may not be found on the boards of smaller, less complex banks. “So far, the regulators understand this,” says McAlpin.
Generally, the more complex an organization is, the more likely the regulators will be to urge the establishment of a stand-alone risk committee. McAlpin recommends that a board look at how many different business lines the bank has, particularly in consumer-facing areas like mortgage lending. Over the past two years, scrutiny by the regulators on consumer compliance has grown significantly, he says, resulting in greater risk to the bank regarding these issues. Further risk analysis may also be required if the bank is involved in business lines that regulators deem to be unique or cutting edge.
The maturity of the bank’s risk management program could also dictate whether the bank is ready to establish a separate risk committee.
Crowe Horwath Partner Mike Percy says that a more mature and developed enterprise risk management (ERM) program will allow the board to better assess and monitor risk. Without the robust set of information provided through a mature ERM program, a risk committee won’t have much to contribute. “If you lead with [the risk committee] before the processes are mature, I think it just frustrates” board members, he says.
But McAlpin can see how a risk committee could precede development of an ERM program or the hiring of a chief risk officer. “The risk committee could be the body to take the steps of driving the hire of risk personnel or implementation of ERM,” he says.
A bigger bank is, typically, a more complex one, so banks with plans to grow, whether through organic means or by acquisition, may consider beefing up their approach to risk governance. Percy says that some regulators, notably the Office of the Comptroller of the Currency, consider risk committees to be a best practice for institutions approaching $10 billion in assets.
Burke says that a bank’s growth strategy should be considered when a board makes a decision to have a risk committee, and for those with a more aggressive growth plan a risk committee is a best practice. “You’re making changes, you’re growing [and] your strategy is different from what it’s been in the past,” says Burke.
Growth typically results in additional personnel, business lines and assets, particularly as the result of a merger, which could lessen the certainty that the board knows everything it needs to know, says McAlpin.
“An acquisition strategy is just an additional complexity,” adds Percy. Banks with an eye to grow, particularly those above $1 billion in assets, need the infrastructure in place to support a larger organization, which could include a chief risk officer, an ERM program and a board-level risk committee.
“This side of the banking crisis, the attention to risk is greater than it was,” says Percy. Whether governed within a separate risk committee, combined with audit responsibilities or addressed as a full board, the board, along with senior management, is responsible for setting the tone for risk governance.
The Financial Stability Board, an international regulatory agency based in Basel, Switzerland, released guidance in April (“Guidance on Supervisory Interaction with Financial Institutions on Risk Culture”) that details the elements of a sound risk culture within a financial institution. Though primarily intended for an audience of large, systemically important institutions, this report provides some basic tenets that can be applied to institutions of all sizes. A key element of a sound risk culture that is perhaps the most applicable to bank directors is the establishment of an “effective system of controls commensurate with the scale and complexity of the financial institution.”
In addition to a mature ERM program, this system of controls would include proper oversight by the board. McAlpin recommends that boards work with senior management to determine what areas of risk require the board’s focus. Independent analysis should play a role in these decisions. “If the board relies only on senior management, that’s a big mistake,” he says.