Mandi Simpson is a partner at Crowe LLP. She started her career with Crowe in 2004 and has spent her entire career focused on the financial institution industry. From 2016 to 2018, she served as a professional accounting fellow in the office of the chief accountant of the Office of the Comptroller of the Currency (OCC). At the OCC, she spent much of her time on the agency’s CECL initiatives, including liaising with the standard-setters, developing and delivering examiner CECL training and working across the OCC to develop agency and interagency policies and positions. Ms. Simpson leads Crowe’s CECL audit methodology and training initiatives and uses her significant CECL expertise to consult with financial institutions on implementation of the new standard.
Effective Risk Committees: 3 Key Questions for Boards
Bank directors should ask well-informed questions about risk management and governance. Here are some suggestions.
Brought to you by Crowe LLP
In today’s banking environment, an active and effective risk committee can play a crucial role in helping a bank maintain financial stability and achieve its long-term strategic objectives.
Although supervisory requirements for risk committees generally do not become effective for banks and bank holding companies (BHCs) until they exceed $50 billion in assets, most boards come to recognize the need for a qualified, independent risk committee long before they reach that threshold.
As a bank grows and adapts to evolving risks and opportunities, its directors need to address three critical risk management and governance questions:
1. At what point should we establish a board-level risk committee?
2. What responsibilities should be assigned to the committee?
3. What policies, procedures and practices should we implement to help the committee do its work?
Establishing the Risk Committee: Timing Matters
In the earliest stages of a bank’s growth cycle, the board typically relies on its audit committee to oversee risk management. Bank directors must consider a variety of factors in deciding when to assign that oversight function to a dedicated risk management committee.
As banks grow, audit committees often start taking on an ever-expanding and increasingly diverse list of responsibilities, to the point where they can easily be overburdened, especially as the bank’s operational complexities increase. Given the volume and complexity of today’s risks, effective oversight often requires a certain level of specialized understanding and technical expertise. These complications can accelerate the need for an independent risk committee.
To be sure, there are arguments against chartering and empaneling a dedicated risk committee too soon. A separate committee likely will incur some extra costs. There is also a real risk of duplicated effort across the two committees, and a greater chance that critical risk management and strategy discussions and decisions become isolated or siloed from the full board.
As they weigh the costs and risks against the advantages a separate risk committee can bring to the bank’s overall governance, directors should bear in mind that the audit and risk management functions are fundamentally different regarding outlook and orientation. While the audit committee must look back to review the effectiveness of financial reporting, compliance and internal controls, successful risk management is an inherently forward-looking activity, which must envision and anticipate future threats for which strategies, controls and best practices might not yet be developed.
Roles, Responsibilities and Sound Practices
At the highest level, the risk committee is responsible for defining the bank’s overall risk appetite and tolerance levels across broad categories — such as credit risk, market and strategic risk, operational risk, liquidity risk and reputational risk — for ultimate approval by the full board. To address these broad categories, the risk committee is charged with overseeing the development and implementation of the bank’s risk management framework and policies. It also is responsible for identifying and defining key risk indicators in specific areas of risk such as cybersecurity, artificial intelligence, fraud, compliance, mergers and acquisitions and third-party risk management.
The Federal Reserve’s enhanced prudential standards spell out specific risk committee duties and requirements in detail. Although the standards are written for BHCs with more than $50 billion in assets, they can also serve as valuable benchmarks for smaller institutions initially establishing risk committees or periodically reviewing their risk monitoring, reporting and governance structures.
Several points in the standards merit special mention:
- The risk committee must have a formal, written charter approved by the full board, and it must report directly to the full BHC board.
- The risk committee’s sole and exclusive function must be to take responsibility for the BHC’s risk management policies and framework.
- The risk committee must be chaired by an independent director and must include at least one member with experience in identifying, assessing and managing risk exposures of financial firms.
- The risk committee must meet at least quarterly, or more frequently as needed, to receive regular reports from the chief risk officer, who reports directly to both the risk committee and the holding company’s CEO.
No single approach is right for every bank, of course. Boards must enact policies and procedures that are most appropriate for their needs as well as their specific financial and market strategies. Directors should regularly review their bank’s risk management structure and governance and take steps to ensure the risk management committee has the resources and support it needs to adapt to changing circumstances and to continue performing its critical role effectively.