In the wake of the financial crisis, many large financial institutions created new, board-level risk committees to oversee their most critical risk issues. For other industries, the decision to create a risk committee isn’t so simple—and isn’t without some risk-taking itself.

Under Dodd-Frank’s “enhanced prudential standards,” publicly traded bank holding companies with total consolidated assets of $50 billion or more are required to have a risk committee of the board of directors to oversee their risk management framework. Numerous companies also have been required to create such committees as part of settlements with regulatory agencies, and financial regulators in particular have telegraphed their desire to see risk committees become common practice. But that’s about all so far.

“I suspect over time this will trickle down into other industries,” says Tom Rollauer, executive director of the Center for Regulatory Strategies at Deloitte. “I think it will become a leading practice.”

Beyond the financial services sector, companies in heavily regulated industries or high-risk industries—healthcare, pharmaceutical, and energy, for example—may find these committees particularly advantageous. That might not be true for all companies, however, or all industries.

Companies have traditionally housed risk oversight in the audit committee. In the current regulatory environment, however, the audit committee may no longer have the time, resources, or expertise necessary to assess and manage the extensive range of business and operational risks that companies face. “Perhaps a risk committee would help alleviate that rushed agenda of the audit committee and allow for some deeper diligence on risks,” says Warren Stippich, national governance, risk, and compliance leader for Grant Thornton.

For companies contemplating a board risk committee, certain important factors need to be weighed, including the scope of the risk committee’s role and responsibilities. “You have to guard against the risk that a separate risk committee might contribute to confusion over where the responsibilities of one committee end and another begins, leading to possible gaps and overlaps among the board committee structure,” says Jim DeLoach, a managing director at Protiviti.


Because the board should maintain overall risk oversight responsibility, “some might argue that risk oversight should be embedded in board discussions regarding strategy, policy, execution, and reporting, rather than segregated in a risk committee,” DeLoach says. “That’s a viable concern.”

Creating Charters

A charter is one way to put clarity around the risk committee’s specific responsibilities and duties. “There is no one-size-fits-all standard,” DeLoach says. One company’s risk committee charter may differ significantly from another company’s risk committee charter, even within the same industry, he says.

Some companies have a clearly stated objective at the top. The objective of HSBC’s charter states, for example, that “the committee shall be accountable to the board and shall have non-executive responsibility for oversight of, and advice on, high-level risk-related matters and risk governance.”

In many charters, too, the chief risk officer has “a much more prominent role in the organization, reporting into the CEO and having access directly to the board of directors, typically through the risk management committee,” Rollauer says.

BNY Mellon’s charter, for example, states: “The chief risk officer shall report directly to both the committee and the chief executive officer of the corporation. The committee shall receive and review regular reports, at least quarterly, from the chief risk officer.”

The excerpt below describes the composition, meetings, and procedures of BNY Mellon’s risk committee.
The Committee will consist of three or more independent directors. At least one member of the Committee shall have experience in identifying, assessing, and managing risk exposures of large, complex financial firms.
The Committee Chairman shall be a director who:

Is not an officer or employee of the Corporation and has not been an officer or employee of the Corporation during the immediately preceding three year period;

Is not a member of the immediate family of a person who is, or who has been within the last three years, an executive officer of the Corporation; and

Is an independent director under Securities and Exchange Commission standards.
Committee members and the Committee Chairman (a) shall be appointed annually by the Board of Directors on recommendation of the Corporate Governance and Nominating Committee and (b) serve at the pleasure of the Board. The Committee shall report directly to the Board.
Except as limited by law, regulation or the rules of the New York Stock Exchange, the Committee may form subcommittees for any purpose that it deems appropriate and may delegate to such subcommittees or to members of the Corporation's management such power and authority as it deems appropriate, provided, however, that any such subcommittees shall meet all applicable independence requirements and that the Committee shall not delegate to persons other than independent directors any functions that are required — under applicable law, regulation, or stock exchange rule — to be performed by independent directors.
The Committee shall meet as frequently as necessary to fulfill its duties and responsibilities, but not less frequently than quarterly. A meeting of the Committee may be called by its chairman or any two members of the Committee.
The Committee may meet in joint session with the Audit Committee of the Board from time to time to discuss areas of common interest and significant matters including, but not limited to, major investment portfolio issues, frauds, major regulatory enforcement actions, major litigation or whistleblower matters, and systemic technology issues.
The Committee may request any officer or employee of the Corporation, or any special counsel or advisor, to attend a meeting of the Committee or to meet with any members of, or consultant to, the Committee. The agenda for each Committee meeting will provide time during which the Committee can meet separately in executive session with management, the Chief Risk Officer, the Chief Compliance Officer, the independent auditors and as a Committee to discuss any matters the Committee or these groups believe should be discussed.
The Committee shall fully document and maintain records of its proceedings, including risk management decisions. Minutes of its meetings will be approved by the Committee and maintained on behalf of the Committee. The Committee shall report its activities to the Board of Directors on a regular basis and make such recommendations as it deems necessary or appropriate.
Source: BNY Mellon.

“Whatever a risk committee is chartered to do, it should report to and advise the full board with respect to its activities, including making recommendations for issues that should be discussed before the full board,” DeLoach says.

At BNY Mellon, for example, the risk committee charter states that “the committee may meet in joint session with the audit committee of the board from time to time to discuss areas of common interest and significant matters, including—but not limited to—major investment portfolio issues, frauds, major regulatory enforcement actions, major litigation or whistleblower matters, and systemic technology issues.”

The charter can also help overcome implementation challenges by ensuring access to external experts. HSBC’s charter states, for example, that the committee “may invite any director, executive, external auditor, or other person to attend any meeting(s) of the committee as it may from time to time consider desirable to assist the committee in the attainment of its objective.” BNY Mellon’s charter has a similar provision in place.

Appointing Directors

Who sits on the committee is another important consideration. Under Section 165 of the Dodd-Frank Act, for example, financial firms must include at least one “risk management expert” on the board risk committee with experience in identifying, assessing, and managing risk exposures of large, complex firms. “There are a lot of large bank holding companies that have brought on board to their board of directors former bankers or former bank regulators to serve as this risk expert on the risk management committee of the board,” Rollauer says.

The risk management committee also needs to be made up of independent, non-executive directors. HSBC’s charter states, for example, that the committee “shall comprise not less than three independent non-executive directors.”

The board will want to consider the experience and skills of members that are particularly relevant to the specific risk profile of the company. “You want people who bring different perspectives—industry, regulatory, academics, financial, legal, for example,” Stippich says. An industry expert is particularly essential, “because so many risks are industry specific,” he says.

Getting members to serve on an independent risk committee, however, can prove challenging, particularly since the concept of risk committees is still new for many companies. “Especially outside of financial services, there is a little bit of confusion or uncertainty over what exactly is the risk committee responsibility,” Stippich says.

The time commitment may be another obstacle to overcome when recruiting directors. “The term limits may not be desirable because of the need for continuity and the limited pool of candidates that might be suited to sit on one of these committees,” DeLoach says.

That’s another factor the board will want to take into consideration when establishing a board risk committee: How long do you want people to serve? The criteria that you might use to make that decision about the compensation committee or the nominating committee might not be the criteria you’d want to use for a risk committee, because continuity might be important, DeLoach says.

Once a board risk committee is established, that’s only the first step. “It’s a dynamic process. Risk profiles change and economic conditions change,” Rollauer says. “You just have to have a very robust program in place that will adjust with the times.”