Bank board risk governance

by Val Srinivas, Urval Goradia, Lincy Therattil, Dennis Dillon
    05 February 2015

    Bank board risk governance: Driving performance through enhanced risk oversight

    06 February 2015
    • Val Srinivas United States
    • Urval Goradia United States
    • Lincy Therattil United States
    • Dennis Dillon

    Boards of directors at large banks may have built a strong risk oversight foundation, but many still have work to do in adopting leading practices.

    A look at board risk committee charters of large banks

    In recent quarters, two groups of large US banks showed substantially different operating results. The average return on average assets (ROAA) in one group was 57 percent higher. Otherwise—in terms of average total assets and other characteristics—the two groups were roughly similar.

    One key difference between the two groups was that the board risk committee charters of the higher-performing banks documented the need for a risk expert.1

    Of course, correlation doesn’t mean causation, and because it is only in recent times that the more rigorous risk governance practices have been introduced, it will be a while before one can examine the long-term relationship between robust risk governance and financial performance. Requiring a risk expert on the board risk committee is just a strong sign of a bank’s commitment to risk management and governance, which, in theory, can exert a positive influence on performance.

    Many banks seem to have taken this lesson to heart. Efforts to strengthen risk management and instill appropriate policies and a “risk intelligent” culture throughout the organization have become top priorities for many banks. Major failures in risk management and oversight, some carrying heavy costs, show the stakes are high. Board risk committees, as the highest level of risk oversight, and crucial promoters of the “tone at the top,” are increasingly focused on this transformation.

    Regulatory expectations in the area of risk management are only adding to the pressures flowing from other regulations. In particular, in the United States, the Federal Reserve’s enhanced prudential standards (EPS) require bank holding companies (BHCs) to have additional risk governance standards in place as of January 1, 2015—a key driver of recent efforts (see Appendix C for more specifics). Similar rules issued by other agencies, such as the Office of the Comptroller of the Currency (OCC)’s heightened standards, also set new expectations for duties, membership, and other practices, increasing the onus on bank boards. And the Federal Reserve’s Comprehensive Capital Analysis and Review (CCAR) program has spurred enhanced focus on governance over banks’ risk and capital management programs.

    Internationally, the European Union’s Capital Requirement Directive IV is likely having a similar impact on bank boards’ risk governance practices.2 Another driver is the recently revised set of principles on bank corporate governance issued by the Basel Committee on Banking Supervision, which also encourages greater board-level risk oversight.3

    In meeting these new standards, banks will need to show not only technical compliance with policy and process requirements, but also, increasingly, that their board risk committees are capable of presenting effective challenges to management decisions as part of their oversight duties. This is also stipulated by the OCC’s heightened standards.

    In other words, these regulations have increased both director responsibility and potential liability. The impact of this increased responsibility may have had some unintended consequences, as shown in a study by Per Ardua Associates in which 80 percent of financial sector nonexecutive directors surveyed said the risk committee is the most challenging.4 Three possible explanations of the survey’s responses are the broad range of board risk committees’ responsibilities, risk committees’ forward-looking nature, and the technical nature of regulatory compliance.5

    Two previous studies by the Deloitte Center for Financial Services6, in 2009 and 2011, reviewed the board risk committee charters of large US and foreign banks to understand risk oversight practices at these institutions, and suggested steps boards can consider taking to strengthen risk governance.7 This new study shares the same goal and updates our research, building on both these previous studies and Deloitte’s large body of published work on board risk governance.

    The main difference now is that many governance practices highlighted in our 2009 study have since then been codified into rules that banks have to, or will soon have to, follow. The new rules, several of which originate from legislative mandates, enable us to both make more informed evaluations of the current state of risk oversight and provide some insight into the challenges banks face as they strive to comply with these new regulatory mandates.

    A caveat

    As in our previous studies, we use board risk committee charters of BHCs to infer banks’ practices in this area. Board risk committee charters are key guiding documents on board-level risk oversight, and a clear way to demonstrate commitment to oversight and communicate management and board responsibilities. Charters may also be seen as important tools to inform other stakeholders, such as counterparties, investors, and regulators, about institutions’ board risk governance policies.

    We acknowledge that charters might not fully reflect all the actions, policies, and activities that board risk committees in these institutions actually follow. Likewise, there might be items in the charters that are not implemented in practice. As such, we suggest that our results be interpreted in that light. However, we believe that comprehensive, clear, and accurate risk committee charter documentation is an essential foundation of strong board-level oversight.

    Key findings: Where have banks made the most changes?

    Heightened regulatory expectations, increased market complexity, and performance needs have necessitated further advancement in risk management, both across organizations and in the board risk committees overseeing them. Many banks, in particular the larger US institutions, have significantly enhanced their board risk governance since our last study in 2011. Yet the updated available data indicate that some improvements are still works in progress.

    For example:

    • One hundred percent of large US banks (see research methodology) have board risk committees—most of which are fully dedicated to risk, rather than combined with other responsibilities—as well as formal charters. But just 39 percent of these charters document the need for a risk expert on the committee, a role required by the Federal Reserve’s EPS and one that is a major contributor to effective oversight.8
    • All large US banks’ board risk committee charters establish the board risk committee’s oversight of risk management policies and procedures, but only 57 percent explicitly state that the committee possesses authority to approve major risk management policies. This, again, is a requirement of the Federal Reserve’s EPS.
    • Most (86 percent) large US banks’ board risk committee charters establish board committee oversight of management’s implementation of risk strategy, but just 36 percent require the risk committee to oversee processes and systems designed to protect the independence of the risk management function.

    Global systemically important banks (G-SIBs) outside the United States, though not subject to the same regulatory expectations as US banks, appear to have further to go. A small number do not have dedicated board-level risk committees, and many more have not documented their responsibilities in depth. In general, non-US bank board risk committee charters are not as detailed as US bank board risk committee charters. In particular, oversight authority and provisions for the independence of the risk management function among non-US banks find limited mention compared with US peers’ charters.

    Just one of the US banking subsidiaries of foreign institutions in our sample had a publicly available board risk committee charter. The compliance date for the Federal Reserve’s EPS for this group is 2016, a year later than for US banks. Though charters are not explicitly required by regulations, formally codifying board risk oversight responsibilities may help institutions prepare to meet US regulators’ stringent standards. And going beyond compliance, charters can help board risk committees establish and communicate their priorities within their organizations as well as to investors, regulators, and the public.

    Research methodology

    Board risk committee charter analysis

    The Deloitte Center for Financial Services developed a list of 25 criteria applicable to board risk committee charters. These criteria are based on a wide range of regulatory requirements and leading practices9 identified by subject matter specialists, but in particular draw on the requirements of the Federal Reserve’s “Enhanced Prudential Standards for Bank Holding Companies and Foreign Banking Organizations.”10

    In conducting our research we obtained the following documents, where publicly available:

    1. Board risk committee charters of US financial holding companies with assets greater than $50 billion as of March 31, 2014, according to the Federal Financial Institutions Examination Council (FFIEC). Savings and loan holding companies were omitted because they are not subject to the same regulatory risk management requirements as bank-affiliated financial holding companies.
    2. Risk and/or hybrid board risk committee charters, or similar documents, where available in English, of all non-US G-SIBs.11
    3. Board risk committee charters of US nonbanks that have been designated systemically important financial institutions (SIFIs) by the Financial Stability Oversight Council.

    In total, 48 board risk committee charters were reviewed and assessed using the attributes shown in Appendix A to determine whether or not the charter met each criterion. The assessments were performed from August through September 2014 using the latest, publicly available documentation.

    Risk governance and financial performance

    The analysis of the relationship between performance and certain board risk governance criteria is based on the board risk committee charter analysis described above using data from SNL Financial.12 All financial data shown are averages of 2013 and first-half 2014 quarterly results, the period that most closely corresponds with the dates of the board risk charters reviewed. The time period used for the analysis is limited by the availability of relevant data; many of the practices that charters document and that are of concern are responses to recent regulations.

    Due to lack of data, the performance analysis is limited to US institutions. Four US institutions that are part of our charter analysis, but have substantially different business profiles than the banking institutions in our sample, have also been excluded (for example, BHCs that draw a significant proportion of revenues from their payments operations). The excluded institutions do not bias the results directionally—in fact, they are generally consistent with the effects highlighted.

    Why this matters: Connecting risk governance and performance

    As regulatory expectations evolve, banks have little choice but to continue improving their board risk governance practices. But getting it right has to be more than a compliance exercise. Leading institutions will aim for higher standards, whether they are required by regulations or not.

    The improvements banks make may matter on multiple levels. Managing risk in line with strategic objectives is management’s job, yet board risk committees have a critical role to play through their oversight of management risk-taking, and risk management practices’ alignment with firm goals.

    The committee can also make an important contribution to shaping an institution’s broader risk culture—the strength of which is essential for effective enterprise-wide risk management. And, more broadly, improved governance is good business: It may have an impact on business performance.

    Our analysis, though pertaining to a relatively short timeframe, supports this intuitive connection. Several board risk governance criteria we analyzed, including the risk expert requirement, show positive relationships with performance (as measured by ROAA, figure 1).13 The same patterns hold for similar measures, such as return on average equity.

    Figure 1. Profitability and board risk governance, 2013-1H2014

    These relationships extend to other performance metrics as well, if not universally. Notably, nonperforming loan ratios show a similar pattern as ROAA (figure 2).

    Figure 2. Loan quality and board risk governance, 2013-1H2014

    To be clear: These connections don’t mean that inserting these items in banks’ risk committee charters would lead to improved performance. But considered a sign of the institutions’ overall commitment to risk governance, they indicate that a connection may exist between good risk governance and stronger performance.

    Other research lends additional support. A 2012 academic study examining the relationship between risk governance and bank financial performance found that banks in which the chief risk officer (CRO) reported directly to the board exhibited both higher returns on equity and stronger stock returns during the recent economic turmoil, compared with financial institutions where the CRO reported to a management executive.14

    Evolving bank board risk committees: Trends and findings

    These performance links appear to be reinforced by the continuing evidence of risk management lapses, which have, in turn, increased regulatory pressure. More stringent rules mandate new attention to structure, membership, reporting lines, and independence of bank boards and their risk committees.

    In attending to their board risk governance, banks have started with the fundamentals. Items such as the scope of the committee, its governing documents, and the qualifications for membership may seem mundane, but they are fundamental to board risk committees’ effectiveness. Recognizing this, many firms have paid close attention to these building blocks.

    Our analysis of bank board risk committee charters confirms this impression of strengthened board risk governance (figure 3). As of 2014, 89 percent of the largest US banks in our assessment had established standalone risk committees (100 percent, if committees combining risk responsibility with related areas like compliance are included) as opposed to 74 percent in 2011 and only 53 percent in 2009. Documentation standards have also taken firm root: All US institutions reviewed have established (and made public) formal board risk committee charters—though currently only one of nine large foreign-owned US banks has done so.

    Figure 3. Board risk committee structure and organization

    However, some US banks may consider further adjustments to their board risk committees’ governance structures. For example, some banks’ committees combine risk oversight with other areas like audit or compliance, which might give committees greater breadth, but may also limit the time and focus members can devote to core risk issues.

    Banks should weigh this trade-off between breadth and depth carefully. As a recent Deloitte Touche Tohmatsu Limited study highlights, “Board workloads have increased, as have those of audit committees, which are often tasked with risk oversight.”15 One solution might be to schedule board risk committee meetings such that board members on other committees may participate when needed, as some institutions already do.

    In contrast to the strides made by many US banks, several non-US G-SIBs do not have dedicated board risk committees. As discussed with respect to US bank boards, combining risk responsibilities with audit may hinder committee members’ abilities to oversee both areas. Several other non-US institutions do have independent risk committees, but do not document their operations in publicly disclosed charters or terms of reference, limiting the transparency—and possibly the rigor—of board-level risk governance.

    Membership: Room for improvement in expertise and independence requirements

    As much as the scope of the committee matters, its composition may matter more. Committee members without the right mix of expertise and experience may be challenged by complex risk measures and regulatory issues.16 Board risk committees without sufficient numbers of independent members may run afoul of regulatory mandates. More importantly, these shortcomings might handicap board risk committees’ ability to offer the perspective needed to avoid potentially costly gaps in oversight.

    Looking again to board risk charters for evidence, it appears many US banks have missed the opportunity to document the composition of their risk committees (figure 4). This may be because they have yet to adjust to regulatory mandates and leading practices on membership. Just 39 percent of board risk charters require a committee member to have “experience in identifying, assessing, and managing risk exposures of a large, complex financial firm,” as required by the Federal Reserve’s EPS. But there has been much improvement. In 2011, in the last study we did of board risk committee charters, no banks had this requirement. A smaller percentage of non-US G-SIBs have specifically addressed this issue: Only 15 percent of their charters mention risk expertise.

    Figure 4. Board risk committee membership

    That said, both US banks and non-US G-SIBs appear to have taken steps to strengthen the independence of the committee. Nearly four in five US firms reviewed have documented a requirement for one or more independent directors on the risk committee, as do 60 percent of non-US G-SIBs. In our 2011 study, just 30 percent of US banks documented requiring an independent director.

    Surprisingly, not all US institutions’ board risk charters require the risk committee chair to be independent, another EPS requirement. In fact, just 61 percent of US banks’ board risk charters reviewed do.

    Fortunately, in actual practice, US institutions usually meet both regulatory requirements and leading practices regarding independence. All US board risk committees in our sample had an independent chair, and many committees consisted entirely of independent directors.17 Not including these actual practices in the board risk committee charter is a clear missed opportunity to demonstrate commitment to the committee’s independence.

    Increased responsibilities and scope of oversight

    To respond to their expanded responsibilities, board risk committees have seen an increase in the depth and breadth of their oversight authority. The heft of new requirements and notable performance difficulties have drawn focus to this issue. This is particularly noted in banks’ efforts to meet the “effective challenge” standard expected by US regulators. (In brief, the “effective challenge” standard requires risk management practices to be critically examined by oversight bodies with sufficient competence, power, and incentives to generate change.18)

    The impact of increased expectations is gradually becoming visible in board risk charters. One hundred percent of US banks’ board risk committee charters and 75 percent of non-US G-SIBs’ charters now require the board risk committee to oversee policies and procedures establishing risk management governance and risk-control infrastructure (figure 5).

    Figure 5. Board risk committee responsibilities

    This is also evident in the breadth of risks covered by the committee. Nearly 80 percent of US banks’ board risk charters make committees responsible for oversight of exposure to a set of risk categories including not only credit risk, market risk, and operational risk, but also liquidity risk, reputational risk, and capital management. In 2011, just 63 percent covered this broad set. Clearly, firms have strengthened the board risk committee’s authority. At a minimum, they have documented practices that meet a higher standard.

    However, only 57 percent of US banks’ board risk charters place the responsibility to approve the firm’s broad risk management policies with the board risk committee. This fact indicates that the board risk committees in nearly half the firms reviewed may be missing a key oversight mechanism. Still, US firms are significantly further ahead of their non-US counterparts in this respect: Only 10 percent of non-US G-SIBs have such stated approval authority.

    Risk oversight also seems to be rather reactive. Only one in five US bank risk committee charters (a) specify that alerts on emerging risks should be provided to the board risk committee and (b) authorize the committee’s oversight of timely and effective remediation by management. Non-US G-SIBs show similarly muted resolution, with only 15 percent of their charters mentioning the communication of emerging risks and oversight of remediation. In other words, this is an area where there appears to be room for improvement.

    This comprehensive oversight can give committee members greater understanding of the interplay of risks to which the firm is exposed, while giving them the focus needed to make sure they address emerging issues promptly.

    Resources to support board risk committees’ activities

    Of course, effective oversight authority and responsibility require adequate support and resources. Here, US banks have made substantial gains, boosting training programs for board members and increasing authority to retain outside experts. Charters indicate that almost all domestic board risk committees have unfettered access to internal and external experts (figure 6). And 71 percent have the option to meet in executive session, either with key officers of the company or without management present. On both these dimensions, US firms score better than they did in 2011, and better than non-US G-SIBs: Only 33 percent of US board risk committee charters provided for executive sessions in 2011 and only five percent of non-US G-SIBs do so currently.

    Figure 6. Board risk committee resources and support

    Role in promoting independence of the risk management function

    Authority and expertise matter little if a firm’s risk culture and risk management functions are weak. While senior executives are responsible for providing for and ensuring the capability of the risk management function, the board should require and support management in its efforts to develop and maintain an independent, well-resourced risk management function. Perhaps more importantly, as the organization’s ultimate risk oversight authority, the board risk committee is responsible for promoting a strong risk culture.

    Board risk committee charters indicate that many institutions take this responsibility seriously, but our study finds that US banks may need to make progress before they can sufficiently satisfy regulatory expectations—or at least better document the steps they have already taken. Most board risk charters of domestic banks either directly or indirectly establish management’s responsibility for managing risk and the risk committee’s oversight of this responsibility (figures 7 and 8). However, just above a third explicitly highlight the committee’s role in requiring and fostering the independence of the risk management function.

    Figure 7. Board risk committee’s role in protecting independence of CRO and risk management function

    Figure 8. Board risk committee reporting lines

    Organizational reporting—both in terms of reporting lines and timing of formal reports—is a potential weak link in adequately supporting the risk management function. The board risk charter analysis indicates that establishing norms and safeguarding communication may be challenging banks. Only 36 percent of US firms’ board risk charters explicitly require the CRO to report on risk management to the committee on at least a quarterly basis. Similarly, just 36 percent of board risk charters state that the CRO reports directly to both the risk committee and the bank’s CEO. Both of these are governance expectations of the EPS.

    Two other findings further identify places where banks can improve. First, only 32 percent of US banks’ board risk charters have language indicating that the board risk committee actively supports the role of CRO such that the CRO has the independence and authority to fulfill his or her responsibilities. For example, the charter may specify that the board risk committees may review the CRO’s hiring, compensation and incentive structure, and dismissal; may verify his or her freedom of action; and may take similar steps. This is a modest improvement from the 15 percent recorded in 2011, but could be higher and better documented.

    Second, only 11 percent of US banks’ board risk committee charters document the ability of the CRO or other risk officers to communicate on an unscheduled basis with the committee. The OCC’s heightened standards require the chief risk executive within each bank to be positioned a level directly below the CEO, and mandate that the chief risk executive have unrestricted access to the board and its committees. As banks make moves to comply or document compliance with these rules, further advances are expected on both counts.

    The progress in this area has also been modest for the global banks included in the study. A notable difference relative to their US counterparts was a lack of direct or indirect assignment of risk management responsibility to senior management. That said, one of the few areas global banks scored relatively higher was in the risk management function’s access to the committee via unscheduled interactions.

    Role in driving risk awareness and culture

    Setting the right "tone at the top" is critical for firms’ efforts to improve risk management. But the lack of board-level documentation supporting the alignment of risk with incentive structures shows a missed opportunity to reinforce this tone. Our board risk committee charter analysis suggests that only 43 percent of US banks have mandated integration of risk management concerns into compensation, a regulatory requirement and one that is essential to strengthening the firm-wide risk culture.

    Overcoming challenges in board risk governance

    Now that the EPS standards are in effect for US BHCs with total assets above $50 billion, firms should eschew the temptation to just meet the letter of the law and focus instead on implementing leading practices to enhance risk governance standards.

    By aiming high, these banks face numerous challenges (figure 9). However, they can overcome these hurdles with a combination of disciplined attention to standards and rigorous assessment of their committees’ performance.

    Figure 9. Overcoming implementation challenges

    Challenge 1: Enhancing authority

    Making sure board risk committees have sufficient authority and objectivity should be a top priority, but setting the right boundaries can be difficult in practice.

    “Board education is the biggest challenge.” —CRO of a G-SIB

    The analysis of board risk charters, especially those of US banks, suggests that boards have strengthened risk committee powers. However, this authority may need further extension. One such area is the ability to oversee all risk types, including emerging risks such as cyber risk, to enable the committee to develop an integrated and comprehensive view of the firm’s overall risk exposure.

    Overcoming the challenge: The risk committee should have, under the purview of the board, responsibility and authority to review and approve risk management policy for all risk types. Liaising with other committees for a better understanding of the firm’s wider activities is helpful, even necessary, but the risk committee should be the ultimate overseer of risk policy.

    An important factor in objectivity is the presence of independent directors—the Federal Reserve’s EPS requires the committee chair to be independent, while the OCC’s heightened standards require two independent members. Given the importance of risk governance and the beneficial role of independent members, risk committees should seek more independent directors, and may even consider mandating a majority in their governing documents.

    Operational burden on US BHCs of foreign banks

    Many large foreign banking organizations operating in the US will need to establish intermediate holding companies (IHCs) over their US banking and non-banking subsidiaries, as part of the new EPS requirements. Essentially, these foreign banks will now need to manage their US operations as if they were standalone US BHCs. To transition to this new structure, foreign banks face a number of difficult tasks. They will likely need to rationalize existing entities, establish new ones, and reallocate or raise new capital to fulfill new requirements.

    In particular, many foreign banking organizations will have to create new capabilities to manage risk and capital at the IHC level. The upgrades entailed as these functions are separated from the parent company will need to be designed carefully to meet the complex array of new regulatory and business needs.

    Overcoming the challenge: Banks should start early to meet the new compliance requirements. Fortunately, foreign banks can take some advantage of the slightly lengthened schedules (EPS compliance by 2016, for example) to learn leading practices from domestic organizations.

    Challenge 2: Building risk expertise

    Banks’ risk exposures have grown exceedingly complex, making them steadily more difficult to understand for everyone, including experts. Accordingly, board risk committees need to continuously build the expertise needed to fully understand the nature, extent, and potential impact of the risks that banks face.

    Firms have found qualified directors with a financial background and experience in managing the risks of large complex financial firms to be a limited talent pool. Additionally, many current directors may lack the technical knowledge or recent professional experience necessary to interpret quantitative risk data. This may handicap their ability to form an independent view of risk and increases reliance on management’s assessment.

    Overcoming the challenge: Committee composition should include at least one or two risk management experts—directors who satisfy regulatory expertise requirements. Other directors should have the requisite background to understand the bank’s operating environment, risk policy, and regulatory expectations.

    In addition, these directors should also be educated about the key quantitative parameters that the firm uses to monitor risk and the tolerance limits of those parameters, and the committee should have the authority to retain external risk and industry experts to supplement this knowledge when needed.

    Case in point: The board risk charter of ING Group explicitly requires members of the risk committee to have relevant business knowledge and adequate understanding of risk management related to the activities of the company and its group entities.19

    Challenge 3: Strengthening risk culture

    Strengthened reporting structures and aligned risk and business incentives can help promote a risk-aware environment. Setting the right tone at the top is the single-most-used cliché when referring to board risk governance. However, extending responsibility and awareness of risk throughout the organization is no easy task.

    Driving a risk culture can be especially difficult for large organizations due to their inherent complexity. On the other hand, with regulators’ eyes focused on large firms with a view to minimizing systemic risk, many smaller firms have yet to begin taking action to revamp their governance structures.

    Overcoming the challenge: Fostering a strong risk culture should be as much of a board risk committee responsibility as that of senior management. Building senior management incentive structures that place a premium on being risk-aware is critical. Otherwise, governance efforts are likely to falter—with potentially serious consequences for performance.

    Similarly, CROs and other senior risk personnel should have the flexibility to approach the committee at any time.

    Cases in point: The board risk committee charters of HSBC20 and HSBC Bank USA,21 HSBC’s US subsidiary, provide the CRO with direct access to the committee chair at all times.

    “The biggest difference between large and small institutions is in embedding risk culture, and the time required to implement it; that is, the ‘tone from the top’ and the level of effort required.” —CRO of a G-SIB

    Moving forward

    As banks continue to revamp their risk management policies and practices, board-level risk governance should be a priority. Without careful attention to regulatory mandates and leading practices, banks may find themselves unprepared to meet these high expectations. Perhaps more importantly, insufficient attention may lead to negative business consequences. And as the data from our new study illustrate, many institutions have not yet shown sufficient focus.

    This paper may help banks consider these crucial next moves. Our criteria and assessments indicate many basic steps toward an increasingly rigorous governance structure. Institutions that have yet to put these standards in place, or fully document them, may wish to use these as a short-term action plan.

    In the longer term, however, the benefits may go beyond compliance. As our analysis indicates, some leading risk governance practices may be connected with improved performance outcomes. And in an environment of continuing uncertainty and an elevated degree of regulatory risk, new investments in improved board risk governance may prove farsighted.

    Appendix A: Full list of criteria assessed and results by type of institution

    | Number | EPS requirement or a leading practice? | Criteria | Large US banks (% “yes”) | Non-US G-SIBs (% “yes”) |
    |---|---|---|---|---|
    | 1 | EPS requirement/leading practice | Does the bank have an independent risk committee, separate from the audit committee, with sufficient authority, stature, independence, and resources, that reports directly to the board? | 89% | 75% |
    | 2 | EPS requirement | Does the board risk committee have a formal, written charter that is approved by the board of directors? | 100% | 50% |
    | 3 | Leading practice | Does the board risk committee’s charter require that the committee sanction, approve, and review charters of management risk committees? | 36% | 10% |
    | 4 | EPS requirement | Does the risk committee charter require the risk committee to include at least one risk management expert with experience in identifying, assessing, and managing risk exposures of large, complex financial firms? | 39% | 10% |
    | 5 | EPS requirement | Does the charter require the risk committee to be chaired by an independent nonexecutive director? | 61% | 25% |
    | 6 | Leading practice | Does the charter note the presence of independent directors (nonexecutive director, senior independent director) on the board risk committee? | 79% | 60% |
    | 7 | Leading practice | Does the charter note that all members of the committee be independent directors? | 54% | 15% |
    | 8 | EPS requirement | Does the charter require the risk committee to oversee policies and procedures establishing risk-management governance, procedures, and risk-control infrastructure for its global operations? | 100% | 75% |
    | 9 | Leading practice | Does the charter note that the board risk committee oversees the risk management framework over individual entities as well as the firm? | 7% | 15% |
    | 10 | EPS requirement | Does the charter require the risk committee to approve and periodically review the risk-management policies of the BHC's global operations and oversee the operation of the BHC's global risk management framework? | 57% | 10% |
    | 11 | EPS requirement/leading practice | Does the charter clarify that the board risk committee oversees senior management’s implementation of risk management strategy? | 86% | 55% |
    | 12 | EPS requirement | Does the charter require the risk committee to identify and report risks (including emerging risks) and risk management deficiencies, and ensuring effective and timely implementation of actions to address them? | 21% | 15% |
    | 13 | EPS requirement | Does the charter establish managerial responsibility for risk management? | 79% | 30% |
    | 14 | EPS requirement | Does the charter provide for the independence of the risk management function? | 36% | 10% |
    | 15 | EPS requirement | Does the charter require the integration of risk management and associated controls with management goals and its compensation structure for its global operations? | 43% | 35% |
    | 16 | Leading practice | Does the charter note that the board risk committee communicates current risk exposures and future risk strategy to the board? | 100% | 75% |
    | 17 | EPS requirement | Does the charter require the risk committee to review and approve the contingency funding plan at least annually, and whenever the company materially revises the plan? | 25% | 0% |
    | 18 | Leading practice | Does the charter indicate that the board risk committee oversees the current risk exposures and future risk strategy, including strategy for capital and liquidity management, as well as for credit, market, operational, compliance, reputational, and other risks of the bank? | 79% | 40% |
    | 19 | EPS requirement | Does the charter require the risk committee to receive and review regular reports on not less than a quarterly basis from the BHC's CRO? | 36% | 0% |
    | 20 | Leading practice | Does the charter suggest that the board risk committee receive unscheduled communication from the bank’s risk management function? | 11% | 25% |
    | 21 | Leading practice | Does the charter require that the board risk committee receive scheduled communication from the bank's risk management function? | 100% | 55% |
    | 22 | EPS requirement | Does the charter state that the CRO reports directly to both the risk committee and CEO of the company? | 36% | 20% |
    | 23 | Leading practice | Does the charter indicate that the board risk committee supports the role of CRO such that the CRO has sufficient stature, authority, and seniority within the organization, and is independent from individual business units? | 32% | 5% |
    | 24 | Leading practice | Does the charter indicate that the board risk committee holds executive sessions? | 71% | 5% |
    | 25 | Leading practice | Does the charter indicate that the board risk committee has access to additional internal and external resources (consultants, internal experts, etc.), without prior approval from management or the board, in fulfilling its duties? | 96% | 40% |

    Appendix B: Additional sample characteristics

    Figure 10. Institutions represented by country

    see endnotes 22 & 23

    Appendix C: Relevant regulatory requirements


    Deloitte’s governance, risk, and compliance services help clients tackle the broad issues of corporate governance, enterprise risk management, and effective corporate compliance. Our governance and oversight services at the board level encompass improving board effectiveness; setting the right tone to make effective decisions; and assessing and implementing ethics programs, training, change management, antifraud programs, and monitoring and reporting.

    Read more about our governance, risk, and compliance services on www.deloitte.com.

    Credits

    Written by: Val Srinivas, Urval Goradia, Lincy Therattil, Dennis Dillon

    Cover image by: Livia Cives

    Acknowledgements

    The Center wishes to thank the following Deloitte professionals for their insights and contributions to this report:

    Bank board governance contacts

    A. Scott Baret

    Partner, global financial services industry leader, enterprise risk services Deloitte & Touche LLP +1 212 436 5456 sbaret@deloitte.com

    Scott Baret is the global leader of Deloitte’s financial services enterprise risk services and a partner in the Governance, Regulatory, and Risk Strategies practice of Deloitte & Touche LLP. Baret has more than 24 years of experience working with Deloitte’s largest domestic and international banking, securities and insurance clients. His client work has focused on transforming organizational approaches to risk management.

    Edward Hida

    Partner, global leader, risk and capital management Deloitte & Touche LLP +1 212 436 4854 ehida@deloitte.com

    Edward Hida is the global leader of Risk & Capital Management and a partner in the Governance, Regulatory & Risk Strategies practice of Deloitte & Touche LLP, where he leads our Risk & Capital services. Hida has substantial experience consulting on a variety of financial risk management and capital markets issues, and has completed a wide range of risk management consulting assignments for US and global financial services organizations.

    Christopher Smith

    Partner Deloitte & Touche LLP +1 617 585 5879 christophsmith@deloitte.com

    Christopher Smith is a partner with Deloitte & Touche LLP’s banking and securities practice, serving banks, broker-dealers, finance organizations, and the Federal Reserve. He has more than 15 years of experience in accounting, internal controls, and risk management, specializing in assessing, designing, and testing business process controls and financial statements for financial services clients with complex infrastructures.

    • James Beasley, senior manager, financial services corporate governance, Deloitte LLP
    • Natasha de Soysa, director, head of financial services corporate governance, Deloitte LLP
    • Cheila Fernandez, senior manager, Deloitte & Touche LLP
    • Tom Rollauer, director, Deloitte & Touche LLP
    • Nicole Sandford, partner, Deloitte & Touche LLP
    • Lauren Wallace, lead marketing specialist, Deloitte Services LP
    • David Wright, director, Deloitte & Touche LLP

    Endnotes
      1. This finding, drawn from analysis of our board risk committee charter research (see research methodology below) and SNL Financial’s database, is limited to the set of banks studied during 2013–1H2014 period only. It is possible that there are other factors that contributed to the differences between the two groups of banks, but these were not readily apparent to us from the data.
      2. European Commission, “Capital requirements regulation and directive—CRR/CRD IV,” November 11, 2014.
      3. Basel Committee on Banking Supervision, “Corporate governance principles for banks—consultative document,” October 2014.
      4. Sir Howard Davies, “Audit is no longer the chore the board dreads most,” Financial Times, July 28, 2014; Per Ardua Associates, “Chairman and the CEO—Has the relationship changed?,” May 2014.
      5. Ibid.
      6. As used in this document, “Deloitte” means Deloitte LLP and its subsidiaries. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.
      7. Deloitte Center for Financial Services, Getting bank governance right, 2009; Deloitte Center for Financial Services, Improving bank board governance, 2011.
      8. Totals for large US banks include one foreign-owned US BHC, the only such institution with a publicly available risk committee charter, and two nonbank SIFIs with board risk committee charters.
      9. In this paper, the term “leading practice” refers to risk policies, procedures, controls, and frameworks that are not yet widely adopted in the marketplace, and are indicative of a higher level of risk governance maturity.
      10. Federal Reserve, “Enhanced prudential standards for bank holding companies and foreign banking organizations: Final rule,” March 27, 2014.
      11. G-SIBs identified using the Financial Stability Board’s November 2013 list.
      12. The SNL Financial database, accessed October 2014.
      13. Financial data are drawn from SNL Financial’s database, accessed October 2014.
      14. The study covers more than 300 North American institutions, using 2006 corporate governance data and annual reports from 2007 and 2008 to assess the impact of a large number of corporate governance factors. Vincent Aebi, Gabriele Sabato, and Markus Schmid, “Risk management, corporate governance, and bank performance in the financial crisis,” Journal of Banking and Finance, 36:12 (2012).
      15. Deloitte Touche Tohmatsu Limited, As risks rise, boards respond: A global view of risk committees, May 2014.
      16. For BHCs with assets greater than $50 billion, the Federal Reserve’s EPS define a risk management expert as someone with “experience in identifying, assessing, and managing risk exposures of large, complex financial firms.”
      17. Information available on BoardEx (a database of corporate board members) was used to check for the independence of the committee chair, as well as to check the proportion of independent members, on board risk committees of the US banks in our analysis. The data were current as of October 2014.
      18. Federal Reserve and OCC, “Supervisory guidance on model risk management,” April 4, 2011.
      19. ING Group, “Charter of the risk committee of ING Group N.V.,” last updated February 11, 2014.
      20. HSBC Holdings PLC, “Group risk committee terms of reference,” last updated August 1, 2014.
      21. HSBC Bank USA N.A., “Risk committee charter,” last updated July 25, 2014.
      22. FFIEC, “Holding companies with assets greater than $10 billion,” as of September 30, 2014.
      23. The Banker database, 2013 year-end totals.
      24. Basel Committee on Banking Supervision, “Consultative document: Corporate governance principles for banks,” Bank for International Settlements, October 2014.

    Val Srinivas


    Research Leader, Banking & Capital Markets | Deloitte Services LP

    Val Srinivas is the banking and capital markets research leader at the Deloitte Center for Financial Services. He leads the development of our thought leadership initiatives in the industry, coordinating our various research efforts and helping to differentiate Deloitte in the marketplace. He has more than 20 years of experience in research and marketing strategy.

    • vsrinivas@deloitte.com
    • +1 212 436 3384
    Urval Goradia


    Urval, Deloitte Services LP, is a senior market insights analyst at the Deloitte Center for Financial Services. Urval researches and writes on a broad range of themes in banking and capital markets, including strategy, risk, and regulation, with a specific focus on performance imperatives. Before joining Deloitte, he was a credit analyst covering financial institutions at the Fitch Group. Goradia is a CFA charter holder.

    • ugoradia@deloitte.com
    • +1 212 436 2085
    Lincy Therattil


    Lincy Therattil, of Deloitte Services India Pvt. Ltd., is a manager at the Deloitte Center for Financial Services. Over the last decade, she has been involved in several banking and securities research projects covering a broad range of topics, including strategic and performance issues at retail and commercial banks. Specifically, Therattil is focused on analyzing the impact of technological innovations and risk on the financial marketplace.

    • ltherattil@deloitte.com
    • +91 981 999 4333
