Improving Bank Board Governance
The bank board member’s guide
to risk management oversight
Deloitte Center for Financial Services
Contents
Foreword
Executive summary
Introduction: Large banks rise to the challenges
The nature and practice of risk oversight
Risk committee versus audit committee charters
Risk committee charters
The regulatory picture becomes clearer
Key comparative findings
Detailed 2011 findings: U.S. versus non-U.S. banks
Detailed points of comparison – 2009 versus 2011
How to enhance risk oversight
Appendix A: Selected details on sources used in developing the risk charter characteristics
Appendix B: Summary of bank committee charters
Appendix C: The Risk Intelligent Enterprise™ framework
Contacts
Foreword
Board risk oversight at banks has continued to evolve over the last several years. Regulators and industry bodies are taking
more of an active interest in how boards approach risk governance. In fact, they have been providing pointed guidance
on how the board may strengthen its risk governance, including the Federal Reserve’s recently issued notice of proposed
rulemaking (NPR) on enhanced prudential supervision which includes requirements for stronger risk governance.
Boards are responding by increasingly forming risk committees, and implementing new governance structures to secure
greater visibility into how risks are managed across their enterprise.
To shed some light on board risk oversight practices, Deloitte conducted a study of 34 bank board risk committee
charters, the results of which are presented in this report. Our findings identified certain characteristics boards should
consider to sharpen their focus and strengthen their risk governance.
We hope you find the contents of this report useful when assessing and enhancing your risk oversight practices.
Regards,
A. Scott Baret
Global Leader, Enterprise Risk Services - Financial
Services Industry
Partner, Governance, Regulatory & Risk Strategies
Deloitte & Touche LLP
Tel: +1 212 436 5456
[email protected]
Edward Hida
Global Leader, Risk & Capital Management
Partner, Governance, Regulatory & Risk Strategies
Deloitte & Touche LLP
Tel: +1 212 436 4854
[email protected]
As used in this document, “Deloitte” means Deloitte & Touche LLP and Deloitte Services LP, which are separate subsidiaries of Deloitte LLP.
Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services
may not be available to attest clients under the rules and regulations of public accounting.
Improving Bank Board Governance The bank board member's guide to risk management oversight
Executive summary
Deloitte reviewed the board committee charters of 34
large banks1 and bank holding companies to identify
whether those charters specify certain board risk oversight
practices. In general, risk oversight entails the board
reviewing and scrutinizing management’s risk-related
programs and activities.
This 2011 study follows a similar study of board risk
charters, which Deloitte performed in 2009. The goal was
to update boards on risk oversight practices at large banks,
and to suggest steps a board can take to strengthen its
risk governance.
Board risk committee charters may be an important source
of information on risk oversight practices. A board risk
committee charter indicates the existence of a board risk
committee, itself an indicator of a level of risk oversight
that could be difficult to attain without such a committee.
The importance of a risk committee and risk committee
charter is acknowledged in the Federal Reserve's notice
of proposed rule-making (NPR) on enhanced prudential
supervision which will require: U.S. bank holding
companies with greater than $50 billion in assets;
those with greater than $10 billion in assets and who
are publicly-traded; and non-bank financial companies
designated as systemically important to establish a board
risk committee with a formal written charter approved by
the company's board of directors.
Also, without a board risk committee and related
charter, risk oversight practices may be more opaque to
stakeholders and to management (unless clearly defined in
the audit committee charter).
Board committee charters generally define the role and
responsibilities of the committee, and its relationship to the
board, to other committees, and to management. Board
risk committee charters aim to define the risk committee’s
role in risk governance, define the elements of risk
governance, and disclose the board’s involvement in and
approach to risk oversight. Examples include areas such
as the risk committee’s responsibilities, its relationship to
the chief risk officer (CRO) and to the management
risk committee, and its role regarding the organization’s
risk appetite. As public documents, board committee
charters can be used to communicate with investors and
other stakeholders.
In our study of bank board risk committee charters,
Deloitte examined:
• The role of the board in risk oversight, how the board executes that role and the governance process
• The board’s defined responsibilities for risk oversight and how it addresses those responsibilities
• Responsibility for oversight of the management risk committee (as opposed to board)
• Responsibility for establishing the criteria for management’s reporting on risk to the board
• Documentation of board member risk management qualifications
In the past three years, regulatory change has accelerated,
industry groups have continued to issue standards,
pressures on boards to exercise enhanced oversight of risk
management have increased, and economic conditions
have remained challenging. Against this backdrop, as
compared to our 2009 study, our 2011 study expanded the
number of banks' charters reviewed to account for large
domestic and international banks under the regulatory
spotlight and examined a significantly larger number of
oversight items, to account for recent regulatory changes.
The following developments, among others, prompted this
more detailed study:
• The Wall Street Reform and Consumer Protection Act (Dodd-Frank), which was passed in July 2010 with provisions that call for increased board involvement in risk governance in financial institutions2
• Amended Securities and Exchange Commission (SEC) rules for risk-related proxy disclosures, effective in early 2010, with requirements for increased disclosure of board-level risk oversight practices in publicly held companies3
• The Basel Committee guidelines for risk governance, which provide risk governance expectations4
• The Walker Review recommendations, released in 2009 and winning adoption within and beyond the United Kingdom, where they originated5
Deloitte’s 2011 study of board committee charters suggests that boards at the 34 U.S. and internationally based banks studied are generally intensifying their risk oversight efforts (see sidebar). Deloitte Touche Tohmatsu Limited (DTTL) also found strong evidence of enhanced risk governance activity at large banks in our most recent Global Risk Management Survey.6 In addition, Deloitte has over the past several years seen increasing board member interest in risk oversight, with a special emphasis on how boards can best meet their risk oversight responsibilities. Boards and board committees appear concerned about their roles in key oversight aspects. They want to clearly identify areas in which they are responsible for approval decisions; where others (usually, senior executives) are responsible for approval decisions that they must as board members oversee, further approve, or simply be aware of; and how these roles, responsibilities, and decisions should be defined. Board risk committee charters are a mechanism for defining oversight, improving role clarity and specifying risk-related responsibilities.

Key findings
Key findings in our study include the following:
• Seventy-nine (79) percent of the bank charters show that separate board risk committees have been established
• Seventy-one (71) percent of the charters note that banks specify that their board risk committees establish, communicate, and monitor the risk tolerance/appetite or risk profile of the organization
• Sixty-five (65) percent of the charters note that board risk committees oversee current risk exposures and future risk strategy pertaining to specific risk categories
• Seventy-nine (79) percent of the charters suggest that board risk committees oversee management’s implementation of their risk management strategy
• Seventy-six (76) percent of the charters indicate that boards receive formal and informal communication from the bank’s risk management function and the CRO
These findings — based on the review of bank charters — suggest that boards at large banks are broadening the scope and including more specific components in their charters to enhance their risk oversight practices. However, Deloitte’s study of large banks’ board risk committee charters also reveals that some may have yet to adopt a number of risk oversight practices that regulators and industry groups are promulgating — and that could benefit organizations and their stakeholders — thus leaving areas for improvement.
Introduction: Large banks rise to the challenges
Deloitte’s study of board risk committee charters found
increasing evidence of risk oversight practices on the
part of large banks’ boards. This stands to reason given
the recent financial crisis and regulatory developments,
particularly the Dodd-Frank Act in the United States.
(Implicit in Deloitte’s study is the fact that boards of
banks, given the nature of their institutions’ business,
face fiduciary duties, regulatory requirements, industry
expectations, and risk oversight challenges that may
be different than those in other types of commercial
enterprises. As a result, bank risk oversight capabilities
may likely be more evolved than those in other industries.)
The findings detailed in this report indicate that boards at
major banks are intensifying their risk oversight efforts. This
appears to be consistent with the results of DTTL’s most
recent Global Risk Management Survey, which surveyed
banks and other financial institutions regarding their risk
management and governance practices (see below).
In addition, Deloitte has identified practices that
characterize the Risk Intelligent Enterprise, which we have
found to heighten the effectiveness of risk governance
and risk management. These practices have also been
adopted by some large banks. (For more information on
Risk Intelligent board practices, see the Deloitte paper
Risk Intelligent Governance: A practical guide for
boards.7) That said, our goal in this report is not to dictate
criteria, set rigid standards, or limit a board’s flexibility in
any way. Rather it is to update boards on risk oversight
practices at large banks, for informational, comparison,
and benchmarking purposes, and to suggest steps a board
can take to strengthen its risk committee’s charter and risk
oversight practices.
As public documents, risk charters may provide a clear
perspective on an institution’s board-level risk-related
practices. Before examining the results of our study in
detail, it is worth taking a moment to define risk oversight
and the role of the risk committee.
Select key findings of DTTL’s Global Risk Management Survey6
In 2011, DTTL released its seventh Global Risk Management Survey, in which 131 financial institutions with a total
of more than $17 trillion in assets participated. Key risk oversight related findings of this worldwide study included the
following:
• About 90 percent of institutions had a defined risk governance model, and 78 percent reported that their board had approved their risk management policy or enterprise risk management (ERM) framework.
• The board of directors or a designated board risk committee received risk or ERM reports at 97 percent of surveyed institutions.
• A CRO or equivalent was reported at 86 percent of institutions, an increase from 73 percent in 2008 and 65 percent in 2002. Also, the CRO reports to the board and/or the chief executive officer at 85 percent of surveyed institutions.
This survey revealed that boards are taking an active role in understanding risk, reviewing risk policies, and overseeing
implementation of risk management strategy.
The nature and practice of risk oversight
Risk oversight — a responsibility of the board — stands
apart from risk management — a responsibility of
management. A bank board’s risk oversight responsibilities
may include:
• Knowing which risks the institution and management are willing and able to assume and which ones are considered unacceptable as stated in the risk appetite (which can be defined as “the maximum allowable loss by type of risk and overall for the enterprise”8).
• Understanding the risk profile — the risks the institution faces in business, product, customer, geography, and other areas — and its potential impact, whether the risks are strategic, financial, operational, political, security, property, or reputational, for example.
• Staying abreast of regulatory requirements and industry expectations and initiating efforts to meet board-level requirements and standards, and ensuring that other requirements and standards are met in the organization.
• Providing input to management on risk issues in light of the risk appetite, risk profile, regulatory requirements, and the strategic goals of the business.
• Determining that the bank has a risk management infrastructure consistent with the complexity of the business and the risks it faces, and all applicable regulatory requirements. This infrastructure includes the people (both the CRO and the broader risk management function), processes, and technology that enable the organization to identify, measure, manage, monitor, and report on risk.
In its role as representative of the shareholders and steward of their assets, often the board selects, evaluates, and compensates the chief executive officer (CEO); establishes the audit, compensation, and other committees (including, for many, a risk committee); provides input to management on strategy and goals; and meets with management regarding issues that affect the organization. Thus, the board can affect the culture of the organization and the tone at the top as well as the approach to risk from both the asset-preservation and value-creation standpoints.
Generally speaking, when a board establishes a risk committee, it may have several corresponding positive effects on increasing its oversight for risk management, such as an inherent increase in board attention and resources providing risk oversight; it may interact more purposefully with management regarding risk matters; and it may increase its visibility into the organization’s risk management practices, particularly when the CRO and/or the management risk committee report to the board risk committee (see Exhibit 1). The actual role and responsibilities of the board risk committee, as with any board committee, will be defined in its charter.
Exhibit 1: Risk management committee structures – a stylized illustration
[Figure. From top to bottom: Boards of Directors (BoD), with the BoD risk management committee among the board committees; the executive management risk committee; the management risk committees; the line of business risk committees; and the business units, where risk originates. Each committee has its own charter. Risk oversight flows down from the board; risk information reporting flows up from the business units.]
The board or its risk committee may shape its risk oversight
responsibilities through the following activities:
1. Establish the risk culture of the enterprise: In
selecting the CEO and articulating the values of
the institution for the senior executives, the board
can influence the prioritization of risk management
enhancements in everyday decision making and
the organization’s approach toward risk and risk
management.
2. Promote open discussion regarding risk: Board
members may discuss with the CRO, or others within
the organization with similar stature and authority
for risk management, the risks that are most material
and to which the organization is most vulnerable. The
board may wish to inquire and challenge management
about risks that affect decisions, operations, processes
and most importantly risks of and to the strategy. Such
discussions should generally be seen as constructive
dialog with management.
3. Provide input on — and approve — the bank’s risk
appetite: The board provides appropriate input to
management on the risk appetite and approves it. Risk
appetite represents the parameters within which the
executive team and business managers (the owners
of the risk) manage risk at the enterprise and business
unit levels.
4. Define the issues that require the board’s attention:
The board should define the issues and decisions that
management should bring to its attention for either
informational purposes, review or board approval.
These include risks associated with businesses,
investments, partners, transactions, employee incentives
and developments that could substantially affect the
bank, with the board clearly defining “substantially.”
5. Monitor risks and risk management capabilities:
The board should consider its role in monitoring the
risk profile — the types, levels, and concentrations
of risk the bank is incurring — and any escalation,
concentration of, and interrelation of risks. It should
also understand the bank’s business, operations and
products well enough to conduct this monitoring.
Finally, it should think about how management
monitors, mitigates, and manages specific risks and
communicates about risk in the organization.
6. Obtain reasonable evidence regarding risk
management: It is management’s role to identify
and continually assess and manage all risks, and the
board’s to ascertain that management has done so. The
latter means being confident that management has a)
identified the relevant risks that could affect the ability
of the business to achieve its strategies and preserve
its assets, and b) established a risk management
infrastructure — the people, processes, and technology
— to identify, measure, monitor, and report on the risks
the institution faces. Some boards also obtain external
advice and views of the firm’s capabilities regarding
these two items.
Board risk committee charters should set the framework
for the roles and responsibilities of the risk committee so
that these activities are accomplished.
Risk committee versus audit committee charters
The case for separate board risk committees at large
banks was strong, even before the NPR proposed such
committees for certain bank holding companies and
non-bank financial companies who are designated as
systemically important. The expertise and time required
for risk oversight, and competing demands on both the
director’s and the audit committee’s attention, tend to
favor the establishment of separate risk committees.
One alternative is to locate risk oversight in the audit
committee. There are arguments for doing so, one
being that separating risk and audit responsibilities
can potentially create overlap and gaps in oversight
responsibility between the risk and audit committees, while
combining the two avoids this. However, audit committees
inherently are driven by financial reporting requirements
and timelines. As a result, they likely focus on risks related
to the integrity of the financial statements.
A key argument for separating the two holds that the
audit committee’s focus on risks associated with financial
reporting, the limited time it has to focus on matters
unrelated to financial reporting, and a possible lack of
sufficient risk expertise may potentially cause it to overlook
some risks. By this logic, risk may need to be overseen by
the full board or a board risk committee.
The NPR requirement renders arguments against separate
risk committees moot, at least for U.S. bank holding
companies with more than $50 billion in assets and for
non-bank financial companies who are designated as
systemically important. In effect, the NPR places risk on par
with audit and compensation as issues that warrant board
committees. When a bank of any size has a separate risk committee, the board should consider whether any potential risk oversight overlaps and gaps between committees have been identified and addressed.
Risk committee charters
Boards use charters to establish board-level committees
and define their responsibilities. Through a risk committee
charter, the board establishes risk oversight responsibilities
and communicates them to the institution, regulators, and
other stakeholders. Creating or updating a risk committee
charter enables the board to define, clarify, and assert
its risk oversight role. (This can also be done in the audit
committee charter, if that committee retains risk-related
responsibilities.)
A board risk committee charter can also be used by a
board to set risk oversight expectations for itself and risk
management expectations for the executive management
team. For example, the charter can explicitly define
responsibilities in the following areas:
• Risk oversight: define the scope and responsibilities of the board risk committee including the governance process.
• Risk appetite: set forth overall expectations regarding ways in which the risk appetite of the firm will be defined, understood, monitored, and observed.
• Management risk committee charters: articulate the responsibility of the board to review management’s risk committee charter as well as any amendments to it.
• Risk management policies: identify the key risk management policies that the board will be required to periodically review and/or approve.
• Risk management reporting criteria: define reporting criteria related to monitoring compliance with the established risk management policies, controls and practices in order to increase transparency in this area and to set thresholds for board involvement in decisions.
• Risk management: establish the board’s expectations of management regarding specific areas of risk management, such as management of market, credit, regulatory, legal, and reputational risks as well as necessary remediation activities.
• Reporting lines: define the relationship between the CRO and the board risk committee and between the board risk committee and management risk committee. Specifically, set out the requirements for risk management to have the appropriate independence and authority within the organization.
As in our 2009 study, the difference in the level of detail and specificity of language in risk committee versus audit committee charters is substantial. We expected this, as it reflects the continuing gap between financial governance and risk governance. Yet those differences appear to be narrowing, particularly in financial institutions. For example, the NPR calls for a board-level risk committee at bank holding companies with more than $50 billion in assets, at publicly traded ones with more than $10 billion in assets, and at non-bank financial companies designated as systemically important; for that committee to be led by an independent director; and for "at least one member of a company's risk committee to have risk management expertise that is commensurate with the company's capital structure, risk profile, complexity, activities, size, and other appropriate risk-related factors".9 This resembles the way in
which the Sarbanes-Oxley Act (SOX) of 2002 expanded the
role of board audit committees and called for identifying
financial experts on the board’s audit committee. Deloitte
expects risk management, governance, and reporting to
continue to evolve as enterprises respond to challenges,
regulatory requirements, and industry expectations.
It is about relationships: Board and management risk committees
The board risk committee is, of course, distinct from the management risk committee.
In the past three years, some boards decided that they needed a board risk committee
and that the CRO and the management risk committee should report to it. This
represents a shift in that management risk committees typically report to an executive
management committee, which is responsible for all management committees (which
might include a finance committee, compensation committee, and others).
The management risk committee may report to either the board risk committee or to
the executive management committee. In practice however, it may report to both,
which can create dual reporting lines and potential complications that should be
acknowledged and addressed.
The point is that the board (and management) should consider how to structure the
reporting relationships among these committees, based on the culture and needs of
the organization and the effectiveness and efficiency of each option — and define the
reporting relationships in the charter.
The regulatory picture becomes clearer
In the past two years, financial institution regulations have multiplied — as have principles and practices emanating from industry groups such as the Basel Committee on Banking Supervision and sources such as The Walker Review. The following developments in particular have prompted banks to strengthen risk management and oversight. We used guidance from regulatory bodies and industry groups to determine certain characteristics to review in the risk charters (see Exhibit 3). In developing these 16 characteristics, we reviewed relevant past and current guidance issued by regulatory bodies and industry groups, including:
• The Dodd-Frank Act: The rules under which Dodd-Frank will be implemented are works in progress. Yet it is clear that improved risk governance is an intent of the act.
• Amended rules on risk disclosures in proxy statements: In December 2009, the SEC issued new requirements regarding risk disclosures in proxy statements.10 These amended rules, which went into effect in 2010, were aimed at enhancing disclosure to investors and other stakeholders regarding the board’s role in risk oversight.
• Federal Reserve/Office of the Comptroller of the Currency (OCC): The Federal Reserve and the OCC issued regulatory guidance applicable to board risk oversight at U.S. banks. Specifically, these included Federal Reserve Division of Banking Supervision and Regulation SR 95-51 (SUP), November 1995 and The Role of a National Bank Director – The Director’s Book, issued by the Comptroller of the Currency Administrator of National Banks, March 1997.11
• Basel Committee guidance: The Bank for International Settlements’ (BIS) Basel Committee on Banking Supervision has recently issued detailed principles for enhancing corporate governance at banks.12 This guidance is quite specific regarding the board and its risk committee’s roles in oversight.
• The Walker Review: The review of corporate governance in the United Kingdom prepared by Sir David Walker and released in November 2009 also contained very specific recommendations on risk.

Study methodology
From the sources detailed in Appendix A, Deloitte developed a list of 16 characteristics applicable to board risk committee charters. We obtained the risk and audit committee charters from the 27 largest publicly held U.S. banks. These are publicly traded companies and are therefore required to have audit committees and publicly available committee charters. The charters of an additional seven large non-U.S.-based banks selected mainly on the basis of size and location were also obtained.
We read each institution’s board risk committee charter and, when appropriate, audit committee charter using the characteristics shown in Exhibit 3 to determine whether or not the practice was addressed. This provided a method for determining the risk oversight practices of the bank, as stated in the board risk committee charter.
Exhibit 2: Enhanced prudential standards and early remediation requirements for covered companies, NPR, section 252.126 sets forth the following key provisions regarding the risk committee:13
The NPR will require: U.S. banks and bank holding companies with greater than $50 billion in assets; those with
greater than $10 billion in assets and who are publicly-traded; and non-bank financial companies designated as
systemically important to establish a board risk committee with a formal written charter approved by the company's
board of directors.
For U.S. bank holding companies with more than $50 billion in assets and non-bank financial companies designated
as systemically important, the NPR will require appointment of a CRO, who should have appropriate expertise
in developing and applying risk management practices and procedures, measuring and identifying risks, and
monitoring and testing risk controls commensurate with the size and complexity of the organization.
Under the proposed rules, the risk committee will have specific responsibilities that include, but are not limited to,
oversight and approval of the enterprise risk management framework commensurate with the complexity of the
company including:
1. Risk limitations appropriate to each business line of the company;
2. Appropriate policies and procedures relating to risk management governance, risk management practices, and risk
control infrastructure for the enterprise as a whole;
3. Processes and systems for identifying and reporting risks and risk-management deficiencies, including emerging
risks, on an enterprise-wide basis;
4. Monitoring of compliance with the company’s risk limit structure and policies and procedures relating to risk
management governance, practices, and risk controls across the enterprise;
5. Effective and timely implementation of corrective actions to address risk management deficiencies;
6. Specification of management and employees’ authority and independence to carry out risk management
responsibilities; and
7. Integration of risk management and control objectives in management goals and the company’s
compensation structure.
Key comparative findings
To indicate the general trends in board risk oversight in large banks over the past three years, we compared key findings from Deloitte’s 2011 and 2009 studies. The banks included in both studies overlap significantly and both consist of large banks and bank holding companies.
Characteristics #1, 2, 5, 7, and 16 were covered in both the 2011 and 2009 studies of committee charters. The other 11 characteristics (also shown in Exhibit 3) were covered only in the 2011 study. Therefore, 2011 and 2009 comparisons are possible for only those five characteristics.
The key findings in our studies of board committee charters for the characteristics (see Exhibit 3) examined in both 2011 and 2009 are the following:
• Board risk committees have been established by 79 percent of the banks studied in 2011, up from 53 percent in 2009 (characteristic #1).
• Board risk committees are establishing, communicating, and monitoring the risk appetite, tolerance, or risk profile in 71 percent of the banks in 2011, up 50 percent from 2009 (characteristic #2).
• Board risk committees oversee the risk exposures and future risk strategy for key risk categories (e.g., credit, market, operational, compliance, reputational, and other risks) in 65 percent of the banks, up very significantly from 20 percent in 2009 (characteristic #5).
• Board risk committees approve and review charters of existing management risk committees in 26 percent of the banks, up from 20 percent in 2009 (characteristic #7).
• None of the bank charters required a risk management expert on the board (characteristic #16) in either 2011 or 2009. This is not to say that there is not such an expert present on the board or committee. Committee charters do not cover every practice the committee employs; however, it may be useful if the charter clarified whether or not this is a requirement.
Overall, these findings indicate that the boards at major banks have expanded their risk oversight efforts (see Exhibit 3 for all 2011 findings, which are discussed below). The increase in bank charters reporting that they have board risk committees and that the committees approve risk appetite and review risk exposures is particularly significant. These two conditions — having a board risk committee and having it provide input into and approval of the risk appetite — can contribute to enhanced risk oversight.
Exhibit 3: Summary of results (for 27 U.S. and 7 non-U.S. banks)
Percentage of charters answering “yes” to each characteristic, shown as U.S. / Non-U.S. / Total.
1. Does the bank’s board charter indicate there is an established board risk committee separate from the audit committee with sufficient authority, stature, independence, resources, and access to the board? 74% / 100% / 79%
2. Does the charter note that the board risk committee establishes, communicates, and monitors the risk tolerance/appetite or risk return profile of the organization? 63% / 100% / 71%
3. Does the charter note that the board risk committee identifies, assesses, and monitors risks on an ongoing firm-wide and individual-entity basis? 7% / 29% / 12%
4. Does the charter suggest that the board risk committee is responsible for assessment of actual risk appetite over time covering both banking and trading book exposure? 4% / 0% / 3%
5. Does the charter indicate that the board risk committee oversees the current risk exposures and future risk strategy, including strategy for capital and liquidity management, as well as for credit, market, operational, compliance, reputational, and other risks of the bank? 63% / 71% / 65%
6. Does the charter clarify that the board risk committee oversees senior management’s implementation of risk management strategy? 81% / 71% / 79%
7. Does the charter suggest that the board risk committee sanctions, approves, and reviews charters of management risk committees? 33% / 0% / 26%
8. Does the charter note that the board risk committee advises the board on the current risk exposures and future risk strategy? 56% / 86% / 62%
9. Does the charter suggest that the board risk committee receives formal and informal communication from the bank’s risk management function and CRO? 78% / 71% / 76%
10. Does the charter suggest that the CRO reports to and has direct access to the board and its risk committee? 48% / 43% / 47%
11. Does the charter indicate that the board risk committee holds executive sessions? 33% / 14% / 29%
12. Does the charter indicate that the board risk committee supports the role of the CRO such that the CRO has sufficient stature, authority, and seniority within the organization, and is independent from individual business units? 15% / 43% / 21%
13. Does the charter indicate that the board risk committee requires and oversees timely internal communication about risk across the organization? 33% / 43% / 35%
14. Does the charter suggest that the board risk committee has access to external expert advice? 56% / 29% / 50%
15. Does the charter note the presence of independent directors (nonexecutive director, senior independent director) on the board risk committee? 30% / 43% / 32%
16. Does the charter require/designate a risk management expert (in identifying, assessing, and managing risk exposures of large, complex firms) on the board risk committee? 0% / 0% / 0%
Detailed 2011 findings: U.S. versus
non-U.S. banks
Overall, Deloitte sees the study results as signaling that many risk oversight policies among major U.S. and non-U.S. banks are converging. We expect continued convergence as the Basel Committee as well as regulators in North America and the European Union promulgate similar requirements and guidance in response to risks, and as banks respond accordingly.
In fact, the differences that Deloitte found between U.S. and non-U.S. banks’ governance practices identify areas for large banks to consider alternative governance practices.
Comparison of the findings of U.S. and non-U.S. banks can identify qualitative similarities and differences in risk governance practices. The following are those that we found most interesting:
Differences:
• Non-U.S. banks more often designated the role of the board risk committee in establishing, communicating, and monitoring the risk appetite (characteristic #2).
• U.S. banks more often empowered the board to approve management’s risk charters and committees, while according to the charters no foreign banks did (characteristic #7).
• U.S. banks more often provided the risk committee with access to external expert advice (characteristic #14).
• As indicated in the charters, non-U.S. banks more often specified that the risk committee advises the board on risk exposures and risk strategy (characteristic #9) and supports the CRO having sufficient stature, authority, and independence (characteristic #12).
Similarities:
• Most U.S. and all non-U.S. banks had established a board risk committee separate from the audit committee (characteristic #1).
• U.S. and non-U.S. banks were similar in their approaches to risk committee oversight of risk exposures (characteristic #5) and of management’s implementation of risk management strategy (characteristic #6).
• U.S. and non-U.S. banks were similar in receiving risk reporting information from the risk management function (characteristic #8).
• Similar percentages of U.S. and non-U.S. banks have the CRO reporting to the board or its risk committee (characteristic #10).
Detailed points of comparison
– 2009 versus 2011
This section provides detailed analysis on three characteristics (#1, 2, and 5) examined in both 2009 and 2011.
Characteristic #1:
Does the bank’s board charter indicate there is an established board risk committee separate from the audit committee
with sufficient authority, stature, independence, resources, and access to the board? A further look into the board’s
committee structure for the oversight of risk reveals the following.
[Pie charts: board committee structure for the oversight of risk, 2009 (Total = 30 banks) and 2011 (Total = 34 banks). Segments: Separated audit and risk committee (53% in 2009; 79% in 2011), Combined audit and risk committee, Audit committee, Audit plus other committee. The remaining 2009 segments are 27%, 10%, and 10%; the remaining 2011 segments are 12%, 6%, and 3%.]
Key observations:
• The percentage of risk charters that indicate that banks have separate board risk committees increased substantially from 2009 to 2011.
• The number of banks with only an audit committee decreased dramatically, given the shift toward establishing risk oversight committees.
• Anecdotally,14 we have observed that, for some bank boards, there was significant focus on risk management activities in the last several years, and as a result these boards revisited and strengthened their risk oversight strategy and programs.
• The enhanced supervision and prudential standard requirements from the Dodd-Frank Act (for U.S. banks with more than $50 billion in assets, for publicly traded banks with more than $10 billion in assets, and for non-bank financial companies designated as systemically important, to establish a risk committee) will likely further drive risk oversight activities going forward.
Characteristic #2:
Does the charter note that the board risk committee establish, communicate and monitor risk tolerance/appetite or risk
return profile of the organization?
[Pie charts: 2009 (Total = 30 banks): Yes 50%, No 50%. 2011 (Total = 34 banks): Yes 65%, No 35%.]
Key observations:
• There was a substantial increase in the number of charters that indicated that risk committees establish, communicate, and/or monitor the risk appetite or profile, or both.
• All the foreign banks whose charters we reviewed in 2011 suggest that the risk committee establishes, communicates, and/or monitors risk appetite/profile. There has been recent regulatory guidance that may influence risk committee activity going forward. This guidance includes the Basel Committee Guidance on Corporate Governance and, in the UK, The Walker Review.
Characteristic #5:
Does the charter indicate that the board risk committee oversees the current risk exposures and future risk strategy,
including strategy for capital and liquidity management, as well as for credit, market, operational, compliance,
reputational, and other risks of the bank?
[Pie charts: 2009 (Total = 30 banks): Yes 20%, No 80%. 2011 (Total = 34 banks): Yes 65%, No 35%.]
Key observations:
• The number of charters that note that the board risk committees oversee current and future risk exposures and strategy across a full range of risks increased dramatically.
• Key guidance potentially influencing this increase included the Basel Principles on Corporate Governance, which state that banks are “responsible for advising the board on the bank’s overall current and future risk tolerance/appetite and strategy, and for overseeing senior management’s implementation of that strategy.”
How to enhance risk oversight
The findings of Deloitte’s study of board risk
committee charters suggest several steps that
boards at large banks can take to further
enhance risk oversight.
The suggestions presented here assume that the
organization has a separate board-level risk committee
and a risk committee charter. By modifying this charter,
the board can enhance risk oversight by using the charter
to assert, clarify, broaden, or focus its risk oversight role
as necessary.
We have organized our suggestions into strategic and
tactical steps, although a few items overlap those
categories. These steps include several not directly
related to the 16 characteristics Deloitte used in its study
(see Exhibit 3), which instead emerged from Deloitte’s
overall review of the charters, our analysis of the current
regulatory environment and our general experience with
board risk committee charters, particularly over the past
three years.
As you take steps to further enhance risk oversight you
may wish to consider Deloitte’s Risk Intelligence
Diagnostic and Maturity Model throughout the process
(see Appendix C).
The following steps may help the board to further define
and establish risk committee roles and responsibilities,
while the more tactical steps that follow this section may
assist in enabling the committee to fulfill those roles and
responsibilities.
Strategic action steps:
1. Review the risk committee charter: One good starting point for a board considering ways to enhance risk oversight would be to have its risk committee charter reviewed in light of the 16 characteristics Deloitte used in this study, as well as the seven components of the risk management framework outlined in the NPR and shown in Exhibit 2. These do not aim to be completely comprehensive, since there may be other characteristics that boards want to review, but they can serve as a “report card” and enable a board to determine whether its risk committee charter meets the given criteria. Your bank’s “yes” or “no” on each can also be compared with the percentage Deloitte found in its study. Discussing the results of this exercise as a group can help board or risk committee members to identify differences in their interpretations of the charter, to locate areas that lack clarity, and to start identifying priorities.
2. Focus across the enterprise: The risk committee
charters we reviewed focused on risk mainly at the
consolidated entity (i.e., the holding company level).
Indeed, only 12 percent of charters called for the
board risk committee to “assess, and monitor risks
on an ongoing firm-wide and individual-entity basis”
(characteristic #3). Consistency of risk management
programs and activities in general helps lead to a more
effective aggregation of risk across the enterprise.
3. Approve and monitor the risk appetite: While the charters indicated that all seven non-U.S. banks had the board risk committee establish, communicate, and monitor the risk appetite, tolerance, and/or profile, a smaller proportion, roughly two-thirds (63 percent), of U.S. banks did (characteristic #2). In general, the board risk committee should approve management’s process to set the risk appetite at the enterprise, business-unit, and risk-type levels, and oversee how this is communicated within the organization. At a more tactical level, the board risk committee should also consider monitoring the risk appetite and approving increases (or decreases) to it. While the specifics are up to each board, the charter may need to better define the role and responsibility of the risk committee regarding risk appetite.
4. Consider CRO reporting lines: Only half (48 percent)
of the charters specified that the CRO report to the
board risk committee (characteristic #10). Even fewer
gave the committee authority to hire and compensate
the CRO (which was not among the characteristics).
Having the CRO report to the board risk committee
encourages his or her independence. It may be useful
to think of the CRO as requiring independence and
objectivity similar to that of the chief internal auditor.
Giving consideration to having the CRO report to the
board, and be hired and compensated by the board,
may “encourage the CRO having sufficient stature,
authority, and seniority within the organization
and is totally independent from the business units”
(characteristic #12, which was met in only 21 percent
of the charters).
5. Avoid overlap and gaps among board committees:
Although it was not among Deloitte’s study
characteristics, from the strategic and tactical
standpoints boards may want to assess that risk
committee responsibilities and activities do not
duplicate or burden the audit, compensation, or other
board committees, or create gaps between committees.
Some committee responsibilities and activities could
create such issues, unless the charter of each clearly
demarcates responsibilities, activities, and hand-off
points. Clear guidelines for sharing information,
particularly regarding risks, could also be helpful.
Tactical action steps:
In general, the board’s risk oversight capabilities may be
strengthened when the scope of the charter includes risk
oversight matters, such as communications, monitoring
activities, and other interactions between the board risk
committee and management. Specific provisions regarding
such areas help the board to set explicit expectations of
management and to clarify the mechanisms by which
oversight occurs.
1. Oversee current exposures and future risk strategy:
This is also a risk oversight activity that was noted
in two-thirds (65 percent) of the charters read. (The
related characteristic is #5: the board risk committee
oversees the current risk exposures and future risk
strategy, including for capital and liquidity management
and for credit, market, operational, and other risks.) It is
notable that the number of banks specifying this in their
charters jumped from 20 percent to 65 percent from
2009 to 2011. This finding indicates that more banks
are documenting in their charters that the committee
is overseeing a range of risk exposures, and are thus
asserting this as one of its risk oversight responsibilities.
2. Specify communication about risk with
management and across the enterprise: Charters
vary in the specificity with which they define
communication about risk. For example, 76 percent
indicated that the “committee receives formal
and informal communication from the bank’s risk
management function and CRO” (characteristic #8).
But charters vary in how specifically they define
these communications in terms of methods (e.g.,
formal meetings with management risk committee/
CRO, or informal dialogues with management), form
(e.g., written or oral), and frequency (e.g., quarterly
or annually). Only 29 percent of charters specified
that the board risk committee has a formal meeting,
“executive sessions with senior management,” meaning
a requirement that the committee meet separately
with the CRO. Similarly, about 35 percent of charters
specified that the “board risk committee oversees
timely internal communication about risk across the
organization” (characteristic #13). Management is
responsible for facilitating such communication, and
the board may want evidence that management has
done so — and to set forth its related requirements in
the risk committee charter.
3. Conduct an annual self-assessment: Although not among Deloitte’s study characteristics, the board may wish to consider specifying in the charter an annual self-assessment of the risk committee’s capabilities and performance. Items to evaluate may include the quality of the input the committee has provided to management, the level of two-way communication about risk, risk events, losses, and other measures of risk oversight effectiveness. Based upon our marketplace observations, one current issue that boards are considering is their role in management policy decisions that they, as board members, must be informed of, review, or approve. Given
the importance of a board's role, boards may wish
to consider decision-making roles within their annual
self-assessment. External assistance with this review
can be useful, with an appropriate third party providing
objectivity and expertise that’s difficult to obtain in
a pure self-assessment. On the subject of external
expertise, half of the charters (50 percent) we reviewed
indicated that the board could access external advice,
but none required it (characteristic #14). External
parties can be particularly useful in benchmarking
management’s practices against industry practices
and in updating the board and the risk committee on
current practices and expectations on recent regulatory
and other developments. Stating this in the charter may
elevate its priority.
4. Consider selectively adopting “advanced”
provisions: Some provisions included by few, or even
none, of the banks whose charters we reviewed may
be worth considering. For example, designating a
risk management expert (characteristic #16) might
also be worthwhile, particularly given that the charter
could define the responsibilities of that expert, the
qualifications for the position, and how he or she would
be compensated.
Deloitte offers these suggestions regarding steps a
board or board risk committee may take to clarify and
strengthen its risk committee charter and thus its role in
risk oversight. It is up to each board and committee to
identify steps worth considering. The actual steps may
be prioritized in terms of the needs of the organization
and its stakeholders, cost and time involved and potential
benefits. In addition, these steps should be discussed with
and implemented in conjunction with management.
Based on the board risk committee charters Deloitte
reviewed, most banks appear to have responded to
increasing risk and continuing regulatory developments
by establishing separate risk committees and having them
establish, communicate, and monitor the risk appetite,
tolerance, and/or profile of the organization. Most also
seem to oversee senior management’s implementation
of the risk management strategy. These are welcome
developments, but even large sophisticated banks can
further enhance their risk oversight practices.
Appendix A:
Selected details on sources used in
developing the risk charter characteristics
The Wall Street Reform and Consumer Protection Act (Dodd-Frank)
Dodd-Frank was signed into law in July 2010, with significant impact on U.S. financial institutions. The Federal Reserve Bank is in the process of developing Enhanced Prudential Standards related to risk governance, see Exhibit 2 on Page 12.15
Amended rules on risk disclosures in proxy statements
In December 2009, the Securities and Exchange Commission (SEC) issued new requirements regarding risk disclosures in proxy statements.17 These amended rules, which went into effect in 2010, aimed to enhance disclosure to investors and other stakeholders regarding the board’s role in risk oversight. Specifically, the rules:
• Require companies to describe the board’s role in risk oversight, including how the company perceives the role of its board and the relationship between the board and management in managing the material risks facing the company
• Give companies the flexibility to describe how the board administers its risk oversight function, such as through the whole board or through a separate risk committee or the audit committee
• Suggest that companies address whether the people supervising day-to-day risk management report directly to the board as a whole or to the board committee, and how the board or committee otherwise receives information from them
The amended rules appear to have already affected risk oversight practices, as found in a 2011 Deloitte study of proxy statements.18
Federal Reserve/Office of the Comptroller of the Currency (OCC)
The Federal Reserve and the OCC issue regulatory guidance applicable to board risk oversight at U.S. banks. The guidelines Deloitte considered in its review of risk charters were as follows:
• Federal Reserve Division of Banking Supervision and Regulation SR 95-51 (SUP), November 1995, instructed bank examiners to assign a formal supervisory rating to the adequacy of an institution’s risk management processes. Among other items, the guidelines noted that boards are ultimately responsible for the level of risk, should understand risks, and provide clear guidance regarding acceptable exposures.19
• The Role of a National Bank Director – The Director’s Book, issued by the Comptroller of the Currency Administrator of National Banks, March 1997,20 stated that the board establishes risk guidelines, exercises risk oversight, should specify the reports it wants and with what frequency, and should understand the risks presented by any proposed new product or service.
Given the dates of this Federal Reserve and OCC guidance, more recent developments such as board risk committees and CROs were not mentioned. However, Deloitte used these sources to identify board risk-oversight responsibilities promulgated by the Federal Reserve and the OCC.
Basel Committee Guidance
The Bank for International Settlements’ (BIS) Basel
Committee on Banking Supervision has issued detailed
principles for enhancing corporate governance at banks.
The guidelines that most affect risk governance include
the following (summarized) principles:
1. The board oversees implementation of the bank’s
strategic objectives, risk strategy, corporate governance,
and senior management.
2. The board should define appropriate governance
practices for its own work and encourage that these
practices are followed and periodically reviewed.
3. Under the board’s direction, senior management should
ensure that the bank’s activities are consistent with the
business strategy, risk tolerance/appetite, and policies
approved by the board.
4. Banks should have effective internal controls and
a risk management function (including a chief risk
officer or equivalent) with sufficient authority, stature,
independence, resources, and access to the board.
5. The bank’s risk management and control infrastructures
should keep pace with any changes to the bank’s risk
profile and external risks.
6. Effective risk management requires robust internal
communication about risk, across the organization
and through reporting to the board and senior
management.
7. The board should monitor the compensation system
to ensure that it operates as intended and that
compensation is aligned with prudent risk taking.
8. The board and senior management should understand
the bank’s operational structure and the risks posed
by any special purpose structures and in any foreign
jurisdictions.
9. Governance should be adequately transparent to
shareholders, depositors, other relevant stakeholders
and market participants.
The study utilized the Basel Committee guidance on board
risk governance as one of the sources of the characteristics
we applied in our review of board risk charters.
The Walker Review
The review of corporate governance in UK banks
known as the Walker Review was prepared by former
Chairman of the Securities and Investment Board (now
the Financial Services Authority), Sir David Walker. The
review was released in November 2009 and contained
39 recommendations on governance of UK banks. The
following five recommendations (nos. 23 to 27) concern
risk governance and risk committees:
• Establish a separate board risk committee responsible for risk oversight and strategy. A FTSE 100 bank or life insurance company should establish a board risk committee separate from the audit committee. The board risk committee should have responsibility for oversight and advice to the board on current risk exposures and future risk strategy and advise the board on risk appetite, tolerance, and strategy.
• Establish an independent enterprise risk function. The board should be served by a CRO who reports to the board risk committee and participates in the enterprise-wide risk management and oversight processes, independent of the business units.
• Make external advice available to the board risk committee. The board risk committee should grasp the potential value added by external input to its work.
• Advise management regarding strategic transactions. In proposed strategic acquisitions or disposals of assets, the board risk committee should advise the board to ensure that due diligence is undertaken. It should focus in particular on risks and the implications for risk appetite and tolerance, drawing on independent external advice where appropriate, before the board decides whether to proceed.
• Ensure proper risk disclosure and risk governance. The board risk committee risk report should be separate in the annual report. It should discuss key risk exposures, risk appetite and tolerance, and how the risk appetite is assessed.
Although the Walker Review was prepared for UK
institutions, its recommendations can be used as a guideline
for many banks. Deloitte therefore used the Walker Review
(as it did the Basel Committee findings) as a source of the
characteristics we applied in our study of board risk charters.
Appendix B:
Summary of bank committee charters
20
Company
Committee
Summary of risk related committee charter elements
A
Enterprise risk committee
The committee is responsible for exercising oversight of senior management’s identification of the
material risks. The committee shall oversee senior management’s establishment of policies and
guidelines articulating risk tolerances as to material categories of risk, the performance and functioning
of the risk management function, and senior management’s establishment of appropriate systems
(including policies, procedures, management committees, and stress testing) that support controls over
market risk, interest rate risk, and liquidity risk.
B
Risk policy committee
The committee is responsible for oversight of the chief executive officer and senior management's
responsibilities to assess and manage the corporation's credit risk, market risk, interest rate risk,
investment risk, liquidity risk, and reputational risk.
C
Risk management and
finance committee
The purpose of the committee is the oversight of the risk management framework, including the
significant policies, procedures and practices used in managing credit, market, operational and certain
other risks. In addition, the committee is responsible for the oversight of the policies and practices
relating to treasury matters, including capital, liquidity and financing, as well as to merger, acquisition,
and divestiture activity.
D
Risk committee
The purpose of the committee is to provide oversight of enterprise-wide risk management framework,
including the strategies, policies, procedures, and systems, established by management to identify,
assess, measure, and manage major risks.
E
Risk committee
The purpose of the committee is to assist the board in its oversight of the management of financial and
operational risks, including market, credit, and liquidity risks.
F
Risk committee
The committee is appointed by the board of directors to assist the board in its oversight of risk
governance structure, risk management, risk assessment guidelines and policies regarding market,
credit, liquidity and funding risk and such other risks as necessary to fulfill the committee's duties and
responsibilities, the risk tolerance, and the performance of the chief risk officer.
G
Risk management
committee
The purpose of the committee is to provide oversight of the risk management function, including
its policies, procedures and practices relating to management of credit risk; financial, liquidity and
market risk; and operational risk. The committee will conduct an annual performance evaluation of the
committee to provide regular reports to the board.
H
Risk committee
The purpose of the committee is to assist the board of directors in fulfilling its oversight responsibilities
with regard to the risk appetite and the risk management and compliance framework and the
governance structure that supports it.
I
Risk committee
The committee provides oversight of enterprise-wide risk structure and the processes established to
identify, measure, monitor, and manage credit risk, market risk (including liquidity risk), and operating
risk (including technology, operational, compliance, and fiduciary risk).
J
Risk and compliance
committee
The purpose of the committee is to assist the board of directors in setting risk appetite and tolerances,
as well as overseeing management’s responsibility to manage the risk profile and implement the risk
program, with emphasis on credit, market, liquidity, operational, and reputational risks from both an
enterprise and a line of business perspective.
K
Executive and risk
management committee
The committee is appointed by the board of directors and has the responsibility to exercise all the
powers and the authority of the board during the intervals between board meetings, to the extent
permitted by applicable law. In addition, except for those matters overseen by other board committees,
the committee reports to and assists the board in overseeing executive management’s identification
of, planning for, and responding to material risks, including strategic risk, credit risk, operational risk,
reputation risk, liquidity risk, market risk, and compliance risk.
Improving Bank Board Governance The bank board member's guide to risk management oversight
23
Company
Committee
Summary of risk related committee charter elements
L
Audit and risk committee
The committee is responsible for assisting the board of directors in its oversight responsibilities relating
to the integrity of the financial statements and financial reporting process; internal and external
auditing, including the qualifications and independence of the independent registered public accounting
firm and the performance of the internal audit services function; the integrity of the systems of internal
accounting and financial controls; legal and regulatory compliance; the assessment and management of
the risk and capital; and the performance of the other committee functions set forth in the charter.
M
Risk committee
The committee is appointed by the board of directors. This committee is responsible for reviewing and
approving the board’s risk appetite parameters to be used by management. This committee’s purpose
is to assist the board of directors in its oversight of the risk management governance and processes.
Generally, these risks can be categorized in the following classifications – legal risk, reputation risk,
liquidity risk, credit risk, market risk, regulatory risk, compliance risk, and operational risk, including
emerging risks.
N
Risk and compliance committee
The committee oversees management’s compliance with all of its regulatory obligations arising under
applicable banking laws, rules, and regulations; management’s development and implementation of an
enterprise-wide view of risk capacity, risk appetite, and risk tolerances; management’s development and
implementation of effective policies, processes, and procedures to ensure risks are properly controlled,
quantified, and within the risk appetite; and management’s taking of appropriate measures to apply
consistent methodologies for assessing, quantifying, aggregating, monitoring, prioritizing, and reporting
risk, including the categories of credit risk, market risk, liquidity risk, operational risk, regulatory
compliance risk, legal risk, reputation risk, and strategic risk.
O
Business risk committee
The purpose of the committee is to assist the board in discharging its oversight duties with respect to
the risks inherent in the businesses, in the following categories: credit risk, market and liquidity risk,
fiduciary risk, operational risk and the regulatory component of compliance risk; and the process by
which risk-based capital requirements are determined, including internal capital adequacy assessment
process and promoting a culture that encourages ethical conduct and compliance with applicable rules
and standards.
P
Risk management committee
The committee is appointed by the board of directors and is responsible for assisting the board
with strategies, policies, procedures, and practices relating to the assessment and management of
credit risk, market risk, liquidity risk, and material operational and other risks, and in each case any
significant reputation or strategic risk arising therefrom, in the best interests of the corporation and its
shareholders.
Q
Risk review committee
The committee is responsible for assisting the board in fulfilling its oversight responsibilities for
the identification and management of risk; adherence to risk management corporate policies; and
compliance with risk-related regulatory requirements.
R
Audit and risk committee
The committee is appointed by the board of directors to assist the board in monitoring the integrity
of the financial statements and internal controls, compliance with legal and regulatory requirements,
the qualifications, independence and performance of the independent auditor, the performance of the
internal auditor and chief credit review officer; and the processes by which management assesses and
manages risk.
S
Audit and risk committee
The Audit Committee’s responsibilities surrounding risk are to oversee the effectiveness of S Corporation’s
operational risk management framework and evaluate its effectiveness on an annual basis; to receive and
review reports from the Enterprise-Wide Risk Management functions, and review the steps management
has taken to assess, monitor, and control credit, operational, strategic/reputational, compliance/legal,
liquidity, market, and interest rate risks; and to receive and review reports from Loan Review, I.T., and Central
Operations on relevant risk-related matters, loan reviews, disaster recovery, and self-assessment of systems.
T
Audit and risk committee
The Audit Committee’s responsibilities surrounding risk are to review reports from management on the
Company’s enterprise-wide risk management program; review with management the framework for
assessing and managing the risk exposures of the Company, including credit, market, liquidity, and
operational risks, and the steps management has taken to monitor and control such risk exposures;
review reports from management on the status of and changes to risk exposures, policies, procedures,
and practices; review the adequacy of the risk parameters that have been established for each area of
enterprise risk; and review and discuss with risk management whether it has the appropriate resources,
independence, and authority to fulfill its responsibilities.
U
Enterprise risk committee
The Committee is responsible for reviewing and approving annually the charters for the Enterprise-Wide
Risk Management Authorization, Enterprise-Wide Risk Management Committee, Enterprise-Wide
Risk Management Policy, Strategic Credit Committee, Asset Liability Policy Committee, Asset Liability
Management Policy, Operational Risk Management Committee, and Enterprise-Wide Compliance
Committee.
V
Risk oversight committee
The Committee is responsible for the review and approval of V’s risk governance committee and
executive-level risk management committee charters and the board-level risk policies on a biennial basis.
The Committee shall review and approve corporate Key Risk Indicators (KRIs) and the associated limits
established for each KRI; these limits are the basis of the risk limit framework and are intended to help
measure the level of risk that the organization has assumed. The Committee shall also oversee and review
the effectiveness of monitoring compliance with laws and regulations.
W
Risk management committee
The Committee is responsible for ensuring that management has established a risk management
framework designed to identify, bring to the Committee’s attention, and appropriately manage,
monitor, control, and report all major risks affecting W, including credit, market, reputation, and
operational risks.
X
Credit review committee
The purpose of the Credit Review Committee is to monitor the results of internal and external credit
reports and examinations, and to review, evaluate, and recommend changes to policies established by the
Board and by management with respect to extensions of credit of any kind and other activities that
entail the taking of credit risk.
Y
Risk committee charter
The Risk Committee reports to and assists the Board of Directors in overseeing and reviewing
information regarding the Company’s enterprise risk management framework and capital adequacy
framework, including the significant policies, procedures, and practices employed to manage credit risk,
market risk, and operational risk.
Z
Audit committee
The Audit Committee is appointed by the Board of Directors of Z to assist the Board in monitoring: (a)
the integrity of the financial statements of the Corporation; (b) the independent auditor’s qualifications,
independence, and performance; (c) the performance of the Corporation’s internal audit function; and
(d) the compliance by the Corporation with certain legal and regulatory requirements.
AA
Risk and capital committee
The Committee is responsible for reviewing and discussing with management the Company’s
assessment and management of risk, including market, operational, fiduciary, interest rate, liquidity,
business and credit risks, and related policies.
BB
Risk committee
The purpose of the Committee is to ensure that management has established policies and procedures
relating to compliance with the self-dealing provisions of the Bank Act. Additionally, to oversee risk
management of the Bank, ensuring that management has in place policies, processes, and procedures
to manage the significant risks to which the Bank is exposed, including compliance with applicable laws
and regulations.
CC
Risk committee
The committee is responsible for the various types of risk (operational, technological, financial, legal,
and reputational, among others), including off-balance sheet losses and contingencies. Additionally, the
committee is responsible for the information and internal control systems that will be used to control
and manage such risks, and for setting the risk level the company deems acceptable. The committee is to
be aware of, and to authorize, management tools, improvement initiatives, advancement of projects,
and other activities relating to the control of risks. Additionally, it will assess and monitor the statements
made by supervisory authorities and ensure that activities are consistent with the risk tolerance level.
DD
Risk committee
The committee will be responsible for: providing oversight and advice in relation to current and
potential future risk exposures and future risk strategy, including determination of risk appetite and
tolerance; assisting on such other matters as may be referred to it by the board; acting as the risk
committee of the board; promoting a risk awareness culture; and reporting to the board, identifying
any matters within its remit in respect of which it considers that action or improvement is needed,
and making recommendations as to the steps to be taken. The board risk committee may engage
independent counsel and other expert advisers, as it determines necessary, to carry out its duties.
EE
Risk committee
The committee is a committee of the board of directors, from which it derives its authority and to
which it regularly reports. The principal purpose of the committee is to review, on behalf of the board,
management’s recommendations on risk, in particular: consider and recommend to the board the risk
appetite; review, on behalf of the board, the risk profile; satisfy itself on the design and completeness
of the internal control and assurance framework relative to the risk profile, including the principal risk
categories; and commission, receive and consider reports on key risk issues.
FF
Risk committee
The committee shall be accountable to the board and shall have responsibility for oversight and advice
to the board. The committee shall report to the board on: risk appetite, tolerance, and strategy, systems
of risk management, internal control, and compliance to identify, measure, aggregate, control, and
report risk including the alignment of strategy with the board’s risk appetite; the alignment of reward
structures, in relation to the management of risk with the board’s risk appetite; and the maintenance
and development of a supportive culture, in relation to the management of risk, appropriately
embedded through procedures, training and leadership actions so that all employees are alert to the
wider impact on the whole organization of their actions and decisions.
GG
Risk committee
The committee's primary function is to assist the board of directors in fulfilling its risk management
responsibilities, as defined by applicable law and regulations as well as the articles of association and
internal regulations, by: periodically reviewing and assessing the integrity and adequacy of the risk
management function, in particular as it relates to market, credit, and liquidity and funding risks (the
review and assessment of the adequacy of the management of reputational risks, however, is a joint
responsibility of the risk committee and the audit committee); reviewing the adequacy of capital
(economic, regulatory, and rating agency) and its allocation to the businesses; reviewing certain risk
limits and regular risk reports and making recommendations to the board of directors; and reviewing
the policy in respect of corporate responsibility and sustainable development.
HH
Risk committee
The function of the committee is to oversee and support the board in fulfilling its duty to supervise
and set appropriate risk management and control principles in the area of risk management and
control, including credit, market, country, and operational risks, treasury and capital management,
including funding and liquidity, and balance sheet management, including in each case any consequent
reputational risk. For these purposes, the committee will receive all relevant information from
management and has the authority to meet with regulators/external bodies in consultation with the
chief executive officer.
Appendix C:
The Risk Intelligent Enterprise™ framework
A Risk Intelligent Enterprise focuses not solely on risk avoidance, but also on risk-taking as a means to
value creation. This approach recognizes the need for an integrated risk management program that
embeds capabilities throughout all levels of the organization. The framework shown below depicts a
Risk Intelligent organization where:
• Leaders incorporate a broad outlook on risk into strategic decision making
• The board ensures that appropriate risk management controls and procedures are in place
• Systems, processes, and people are in place to act on intelligence in a timely and coordinated manner
• A consistent approach is used across the enterprise to manage all types and classes of risk effectively
and efficiently
The Risk Intelligent Enterprise approach offers a practical framework, or roadmap, for enabling directors
and management to focus simultaneously on value protection and value creation. Deloitte’s framework
and insights are based on nine fundamental principles of a Risk Intelligence program. Effectively, Risk
Intelligence takes a dynamic view of all the dimensions of risk, imbuing decision makers with a special
skill set that helps build uncommon awareness and flexibility, such as a bias against assumptions,
vigilance for rooting out perceptual “blind spots,” and a keen ability to connect trends, people, and
entities in ways that expose threats and exploit opportunities — either of which may predictably or
unexpectedly materialize.
Deloitte’s point of view: Nine principles of Risk Intelligence
[Figure: The Risk Intelligent Enterprise™ framework]
Risk governance (board oversight; tone at the top; transparency for governing bodies): common
definition of risk; common risk framework; oversight; roles & responsibilities.
Risk infrastructure and oversight (executive management responsibility; support of pervasive
functions): common risk infrastructure; people; process; technology; objective assurance and
monitoring.
Risk ownership (business unit responsibility): risk process – design, implement & test controls;
identify risks; assess & evaluate risks; integrate risks; respond to risks; monitor, assure & escalate.
Cycle labels: develop and deploy strategies; sustain and continuously improve.
Risk categories: operational; compliance; business and strategic; systemic; reputational; financial;
credit; market; interest rate risk on banking book; liquidity.
The Risk Intelligence maturity model
In reviewing their charters and defining their approach to risk governance, boards may find it helpful to use a Risk Intelligence maturity model.
(See below.) This model can supplement the boards’ current efforts to define the desired level of oversight both now and in the future. Deloitte’s Risk
Intelligence maturity model has been built on our nine principles of a Risk Intelligent Enterprise. Below is an illustrative example of our maturity
model highlighting risk governance roles and responsibilities.
Risk Intelligence maturity model – risk governance roles and responsibilities
Principle for building a Risk Intelligent enterprise: Risk governance
Primary owner: Board of Directors
Responsibility: Key roles, responsibilities, and authorities relating to risk management are clearly
delineated within the organization
Key duty: Discharge risk management responsibility for oversight
Maturity levels:
1. Unaware – The board has not established the necessary oversight essential for influencing risk
management and establishing a culture of risk awareness throughout the enterprise.
2. Fragmented – The board has established oversight, but it is not widely adopted nor well understood.
Consequently, the management of risks and the culture of risk awareness only exist separately and
unevenly within individual lines of business and not across the enterprise.
3. Top-Down – The board has established oversight and it has been clearly communicated throughout
the organization. As a result, management demonstrates a culture of risk awareness, but risk
management disciplines have not been embraced broadly or evenly across the enterprise.
4. Systematic – The board has established oversight that is widely understood and adopted, creating a
culture of risk awareness and the adoption of risk management disciplines throughout the enterprise.
5. Risk Intelligent – The board has established oversight and is constantly seeking ways to influence the
improvement of the culture of risk awareness and the management of risk throughout the enterprise
to further the firm's market leadership.
Contacts
A. Scott Baret
Global Leader, Enterprise Risk Services - Financial
Services Industry
Partner, Governance, Regulatory & Risk Strategies
Deloitte & Touche LLP
Tel: +1 212 436 5456
[email protected]
Edward Hida
Global Leader, Risk & Capital Management
Partner, Governance, Regulatory & Risk Strategies
Deloitte & Touche LLP
Tel: +1 212 436 4854
[email protected]
Contributors
Eduarda Cardoso
Consultant
Deloitte & Touche LLP
Tel: +1 212 436 4959
[email protected]
Christopher C. Smith
Senior Manager
Deloitte & Touche LLP
Tel: +1 617 585 5879
[email protected]
Val Srinivas
Head of Research
Deloitte Center for Financial Services
Deloitte Services LP
Tel: +1 212 436 3384
[email protected]
Insights. Research. Connections.
Headquartered in New York City, the Deloitte Center for Financial Services provides insight and
research to help improve the business performance of banks, private equity, hedge funds, mutual
funds, insurance and real estate organizations operating globally. The Center helps financial
institutions understand and address emerging opportunities in risk and information technology,
regulatory compliance, growth, and cost management.
The Center brings a financial services integrated view to Deloitte and its network of member firms, each of which is a legally separate and
independent entity that provides audit, consulting, financial advisory, risk management, and tax services to select clients.
With access to the deep intellectual capital of 169,000 people worldwide, Deloitte serves more than one-half of the world’s largest companies,
as well as large national enterprises, public institutions, locally important clients, and successful, fast-growing global growth companies.
To learn more about the Center, its projects and events, please visit us at www.deloitte.com/us/cfs.
This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial,
investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor
should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may
affect your business, you should consult a qualified professional advisor.
Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this publication.
Copyright © 2011 Deloitte Development LLC. All rights reserved.
Deloitte Touche Tohmatsu Limited