Recent Trends in Risk Committee Practices for Financial Institutions

RISK MANAGEMENT

By Ze'-ev Eiger and Elizabeth Schauber

Ze'-ev Eiger is a partner in the Capital Markets Group in the New York office of Morrison & Foerster LLP. Mr. Eiger's practice focuses on securities and other corporate transactions for both foreign and domestic companies. Elizabeth Schauber is an associate in the Capital Markets Group in the New York office of Morrison & Foerster LLP.

The years following the 2008 financial crisis have brought about increased regulatory focus on the oversight of risk management of large financial institutions. Regulatory agencies have noted the importance of strong corporate governance and risk management as one element of strengthening the banking industry and preventing another large-scale financial crisis.

Post-financial crisis regulations and standards require that a banking organization’s board of directors, or a risk committee thereof (depending on the size, type and complexity of the institution in question), be responsible for overseeing the risk management of the enterprise. The members of the risk committee are tasked with broad oversight responsibilities designed to ensure that management effectively appreciates and manages the risks of the enterprise. Members of the risk committee are not, however, responsible for implementing and managing the day-to-day risks of the business.

Risk Committee Requirements for Financial Institutions

On March 27, 2014, pursuant to the Dodd-Frank Act, the Board of Governors of the Federal Reserve System (Federal Reserve) promulgated Enhanced Prudential Standards (EPS) for large U.S. bank holding companies (BHCs) and foreign banking organizations (FBOs). The EPS rules require that publicly traded BHCs with total consolidated assets of $10 billion or more establish enterprise-wide risk committees. BHCs with total consolidated assets of $50 billion or more—considered large BHCs—must establish a distinct risk committee to oversee the risk management of the enterprise. Such risk committees may not be part of a joint committee of the board of directors that oversees another aspect of the business. Similarly, FBOs with combined U.S. assets of $50 billion or more must establish a U.S. risk committee, designed to ensure that the entity understands and properly manages the risks of the U.S. entity. Although the EPS rules specifically encompass FBOs, this article will focus primarily on the risk committee characteristics of BHCs.

The requirement to establish a risk committee and the related governance thereof are paramount to the EPS rules and the Federal Reserve’s focus on creating a stronger financial system. In establishing the risk committee, the EPS rules require that the risk committee include at least one risk management expert who has experience managing risk commensurate with the size and complexity of the institution. The rules also require that large BHCs (those with total consolidated assets of at least $50 billion) maintain distinct risk committees that are not part of a joint committee of the board of directors. In the largest and most complex institutions, the members of the risk committee focus specifically on risk management and the oversight of enterprise-wide risk. Additionally, pursuant to the EPS rules, the risk committee must have a formal written charter approved by the board of directors.

The EPS requirements for mid-size BHCs (those with total consolidated assets between $10 billion and $50 billion) are similar to the EPS requirements for large BHCs, with the exception of the distinct risk committee requirement. The EPS rules permit the risk committee of mid-size BHCs to be part of a joint committee of the board of directors, rather than requiring the organization to establish a stand-alone risk committee. As is the case for risk committees of large BHCs, the risk committee of a mid-size BHC must have at least one member with the requisite experience in risk management. Again mirroring the rules for large BHCs, the EPS rules for mid-size BHCs also require that the risk committee have a formal charter approved by the board of directors.

The Office of the Comptroller of the Currency (OCC) has also addressed risk management of large banking organizations following the financial crisis. On September 11, 2014, the OCC established heightened standards for the risk management of certain large banks, with a focus on promoting the safety and soundness of the institutions. The OCC’s standards emphasize independent risk management and require banks to establish a framework that manages and controls the bank’s risk-taking. The board of directors, or the risk committee thereof, is responsible for approving the framework.

The OCC heightened standards emphasize the crucial role of corporate governance in maintaining well-functioning and safe institutions that have the tools and framework to manage risk and prevent the type of excessive risk-taking that had contributed to the financial crisis. While the OCC’s heightened standards do not set forth enumerated risk committee requirements as detailed as the requirements of the EPS rules, the heightened standards can be used as a starting point for financial institutions considering the responsibilities of their risk committees.

Current Market Standards

According to the EPS rules, depending on the size and nature of the financial institution’s business, the organization’s risk committee must be established as a distinct committee of the board of directors, or it may be combined with another committee of the board of directors. Where the risk committee is a distinct committee, its members focus their efforts specifically on overseeing the risk management of the enterprise to enable the appropriate board-level attention to risk management. Where the risk committee is part of a joint committee of the board, committee members oversee a wider range of elements of the business. For smaller or less complex institutions, the board of directors as a whole may oversee the risk management of the institution, without specifically designating a risk committee.

We reviewed the risk committee charters and corporate governance standards of 17 BHCs (as of September 2016) to understand the role of the risk committee in light of requirements promulgated by the various regulatory agencies. Of those BHCs that we reviewed, 13 (76.5 percent) were large BHCs under the EPS rules, two (11.8 percent) were mid-size BHCs under the EPS rules and two (11.8 percent) were not subject to the EPS rules because they have total consolidated assets under $10 billion. These BHCs also qualified as financial holding companies (FHCs). In our review, we noted the following trends among the BHCs:

  •  12 out of the 17 (70.6 percent) BHCs had a distinct risk committee of the board of directors.
  •  5 out of the 17 (29.4 percent) BHCs did not maintain a distinct risk committee.
      o  Of these 5 BHCs, 4 had a risk committee that was combined with another committee of the board.
      o  Of these 5 BHCs, one did not have a risk committee, but its audit committee took on risk management responsibilities.
      o  None of these 5 BHCs is considered a large BHC under the EPS rules, and, therefore, these BHCs are not required to maintain a stand-alone risk committee.

  •  Of the risk committees that were part of a joint committee of the board of directors, we found that the risk committees were typically combined with:
      o  a compliance committee;
      o  a corporate governance committee;
      o  an executive committee; or
      o  an audit committee.

A joint risk and audit committee was the most prevalent combination among the BHCs reviewed.

  •  All of the BHCs with a distinct risk committee (12) had a formal risk committee charter approved by the board of directors.
      o  Of these 12 BHCs, 8 (66.67 percent) have risk committee charters that specifically require the risk committee to include at least one member with experience in identifying, assessing, and managing risk exposures of large, complex financial firms. For mid-size BHCs, the risk expert must have experience with “large, complex firms,” rather than “large, complex financial firms,” which is required for large BHCs.
      o  Of these 12 BHCs, 2 (16.7 percent) have risk committee charters that do not specifically require the risk committee to include at least one member with experience in identifying, assessing, and managing risk exposures of large, complex financial firms. However, both of these risk committee charters stated that the membership of the risk committee would comply with all applicable regulations, which necessarily includes the EPS requirement to have at least one risk expert as a member of the risk committee.
      o  Of these 12 BHCs, 2 (16.7 percent) have risk committee charters that do not state that (i) the risk committee must include at least one member with experience in identifying, assessing, and managing risk exposures of large, complex financial firms or (ii) the membership of the risk committee must comply with applicable regulations relating to expertise.

Conclusion

Our review has indicated that nearly all of the BHCs that are required to maintain stand-alone risk committees pursuant to the risk committee regulations and the heightened standards promulgated by the Federal Reserve and the OCC, respectively, maintain such stand-alone committees. Of those BHCs that maintain distinct risk committees of the board, all such risk committees have formal charters approved by the board of directors, and most of those charters specifically include the EPS requirement that at least one member of the risk committee have risk management expertise commensurate with the size and complexity of the organization. Our review has also shown that these institutions are amenable to defining the role of corporate governance within their institutions, with an appreciation of strong corporate governance and risk oversight needed to maintain the safety and soundness of the enterprise.

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.