Author: Arron Thompson
Improving Bank Board Governance The bank board member’s guide to risk management oversight

Deloitte Center for Financial Services


Contents

Foreword 3
Executive summary 4
Introduction: Large banks rise to the challenges 6
The nature and practice of risk oversight 7
Risk committee versus audit committee charters 9
Risk committee charters 10
The regulatory picture becomes clearer 11
Key comparative findings 13
Detailed 2011 findings: U.S. versus non-U.S. banks 15
Detailed points of comparison – 2009 versus 2011 16
How to enhance risk oversight 18
Appendix A: Selected details on sources used in developing the risk charter characteristics 21
Appendix B: Summary of bank committee charters 23
Appendix C: The Risk Intelligent Enterprise™ framework 27
Contacts 29


Foreword

Board risk oversight at banks has continued to evolve over the last several years. Regulators and industry bodies are taking a more active interest in how boards approach risk governance. In fact, they have been providing pointed guidance on how the board may strengthen its risk governance, including the Federal Reserve’s recently issued notice of proposed rulemaking (NPR) on enhanced prudential supervision, which includes requirements for stronger risk governance. Boards are responding by increasingly forming risk committees and implementing new governance structures to secure greater visibility into how risks are managed across their enterprises.

To shed some light on board risk oversight practices, Deloitte conducted a study of 34 bank board risk committee charters, the results of which are presented in this report. Our findings identified certain characteristics boards should consider in order to sharpen their focus and strengthen their risk governance. We hope you find the contents of this report useful when assessing and enhancing your risk oversight practices.

Regards,

A. Scott Baret Global Leader, Enterprise Risk Services - Financial Services Industry Partner, Governance, Regulatory & Risk Strategies Deloitte & Touche LLP Tel: +1 212 436 5456 [email protected]

Edward Hida Global Leader, Risk & Capital Management Partner, Governance, Regulatory & Risk Strategies Deloitte & Touche LLP Tel: +1 212 436 4854 [email protected]

As used in this document, “Deloitte” means Deloitte & Touche LLP and Deloitte Services LP, which are separate subsidiaries of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.


Executive summary

Deloitte reviewed the board committee charters of 34 large banks1 and bank holding companies to identify whether those charters specify certain board risk oversight practices. In general, risk oversight entails the board reviewing and scrutinizing management’s risk-related programs and activities. This 2011 study follows a similar study of board risk charters that Deloitte performed in 2009. The goal was to update boards on risk oversight practices at large banks and to suggest steps a board can take to strengthen its risk governance.

Board risk committee charters may be an important source of information on risk oversight practices. A board risk committee charter indicates the existence of a board risk committee, itself an indicator of a level of risk oversight that could be difficult to attain without such a committee. The importance of a risk committee and risk committee charter is acknowledged in the Federal Reserve's notice of proposed rulemaking (NPR) on enhanced prudential supervision, which will require U.S. bank holding companies with greater than $50 billion in assets, publicly traded bank holding companies with greater than $10 billion in assets, and non-bank financial companies designated as systemically important to establish a board risk committee with a formal written charter approved by the company's board of directors. Also, without a board risk committee and related charter, risk oversight practices may be more opaque to stakeholders and to management (unless clearly defined in the audit committee charter).

The goal of this study is to update boards on risk oversight practices at large banks and to suggest steps a board can take to strengthen its risk governance. Board committee charters generally define the role and responsibilities of the committee and its relationship to the board, to other committees, and to management. Board risk committee charters aim to define the risk committee’s role in risk governance, define the elements of risk governance, and disclose the board’s involvement in and approach to risk oversight. Examples include areas such as the risk committee’s responsibilities, its relationship to the chief risk officer (CRO) and to the management risk committee, and its role regarding the organization’s risk appetite. As public documents, board committee charters can be used to communicate with investors and other stakeholders. In our study of bank board risk committee charters, Deloitte examined:

• The role of the board in risk oversight, how the board executes that role, and the governance process
• The board’s defined responsibilities for risk oversight and how it addresses those responsibilities
• Responsibility for oversight of the management risk committee (as opposed to the board)
• Responsibility for establishing the criteria for management’s reporting on risk to the board
• Documentation of board member risk management qualifications


In the past three years, regulatory change has accelerated, industry groups have continued to issue standards, pressures on boards to exercise enhanced oversight of risk management have increased, and economic conditions have remained challenging. Against this backdrop, as compared to our 2009 study, our 2011 study expanded the number of banks' charters reviewed to account for large domestic and international banks under the regulatory spotlight, and examined a significantly larger number of oversight items to account for recent regulatory changes. The following developments, among others, prompted this more detailed study:

• The Wall Street Reform and Consumer Protection Act (Dodd-Frank), which was passed in July 2010 with provisions that call for increased board involvement in risk governance in financial institutions2
• Amended Securities and Exchange Commission (SEC) rules for risk-related proxy disclosures, effective in early 2010, with requirements for increased disclosure of board-level risk oversight practices in publicly held companies3
• The Basel Committee guidelines for risk governance, which provide risk governance expectations4
• The Walker Review recommendations, released in 2009 and winning adoption within and beyond the United Kingdom, where they originated5

Deloitte’s 2011 study of board committee charters suggests that boards at the 34 U.S. and internationally based banks studied are generally intensifying their risk oversight efforts (see sidebar). Deloitte Touche Tohmatsu Limited (DTTL) also found strong evidence of enhanced risk governance activity at large banks in our most recent Global Risk Management Survey.6 In addition, Deloitte has over the past several years seen increasing board member interest in risk oversight, with a special emphasis on how boards can best meet their risk oversight responsibilities. Boards and board committees appear concerned about their roles in key oversight aspects. They want to clearly identify areas in which they are responsible for approval decisions; areas where others (usually senior executives) are responsible for approval decisions that they, as board members, must oversee, further approve, or simply be aware of; and how these roles, responsibilities, and decisions should be defined. Board risk committee charters are a mechanism for defining oversight, improving role clarity, and specifying risk-related responsibilities.

Key findings

Deloitte’s 2011 study of board risk committee charters suggests that boards at the 34 U.S. and internationally based banks studied are generally intensifying their risk oversight efforts. Key findings in our study include the following:

• Seventy-nine (79) percent of the bank charters show that separate board risk committees have been established
• Seventy-one (71) percent of the charters note that banks specify that their board risk committees establish, communicate, and monitor the risk tolerance/appetite or risk profile of the organization
• Sixty-five (65) percent of the charters note that board risk committees oversee current risk exposures and future risk strategy pertaining to specific risk categories
• Seventy-nine (79) percent of the charters suggest that board risk committees oversee management’s implementation of their risk management strategy
• Seventy-six (76) percent of the charters indicate that boards receive formal and informal communication from the bank’s risk management function and the CRO

These findings, based on the review of bank charters, suggest that boards at large banks are broadening the scope of their charters and including more specific components in them to enhance their risk oversight practices. However, Deloitte’s study of large banks’ board risk committee charters also reveals that some may have yet to adopt a number of risk oversight practices that regulators and industry groups are promulgating, and that could benefit organizations and their stakeholders, thus leaving areas for improvement.


Introduction: Large banks rise to the challenges

Deloitte’s study of board risk committee charters found increasing evidence of risk oversight practices on the part of large banks’ boards. This stands to reason given the recent financial crisis and regulatory developments, particularly the Dodd-Frank Act in the United States. (Implicit in Deloitte’s study is the fact that boards of banks, given the nature of their institutions’ business, face fiduciary duties, regulatory requirements, industry expectations, and risk oversight challenges that may differ from those in other types of commercial enterprises. As a result, bank risk oversight capabilities are likely to be more evolved than those in other industries.) The findings detailed in this report indicate that boards at major banks are intensifying their risk oversight efforts. This appears to be consistent with the results of DTTL’s most recent Global Risk Management Survey, which surveyed banks and other financial institutions regarding their risk management and governance practices (see below).

In addition, Deloitte has identified practices that characterize the Risk Intelligent Enterprise, which we have found to heighten the effectiveness of risk governance and risk management. These practices have also been adopted by some large banks. (For more information on Risk Intelligent board practices, see the Deloitte paper Risk Intelligent Governance: A practical guide for boards.7) That said, our goal in this report is not to dictate criteria, set rigid standards, or limit a board’s flexibility in any way. Rather it is to update boards on risk oversight practices at large banks, for informational, comparison, and benchmarking purposes, and to suggest steps a board can take to strengthen its risk committee’s charter and risk oversight practices. As public documents, risk charters may provide a clear perspective on an institution’s board-level risk-related practices. Before examining the results of our study in detail, it is worth taking a moment to define risk oversight and the role of the risk committee.

Select key findings of DTTL’s Global Risk Management Survey6

In 2011, DTTL released its seventh Global Risk Management Survey, in which 131 financial institutions with a total of more than $17 trillion in assets participated. Key risk oversight related findings of this worldwide study included the following:

• About 90 percent of institutions had a defined risk governance model, and 78 percent reported that their board had approved their risk management policy or enterprise risk management (ERM) framework.
• The board of directors or a designated board risk committee received risk or ERM reports at 97 percent of surveyed institutions.
• A CRO or equivalent was reported at 86 percent of institutions, an increase from 73 percent in 2008 and 65 percent in 2002. Also, the CRO reports to the board and/or the chief executive officer at 85 percent of surveyed institutions.

This survey revealed that boards are taking an active role in understanding risk, reviewing risk policies, and overseeing implementation of risk management strategy.


The nature and practice of risk oversight

Risk oversight — a responsibility of the board — stands apart from risk management — a responsibility of management. A bank board’s risk oversight responsibilities may include:

• Knowing which risks the institution and management are willing and able to assume and which ones are considered unacceptable as stated in the risk appetite (which can be defined as “the maximum allowable loss by type of risk and overall for the enterprise”8).
• Understanding the risk profile — the risks the institution faces in business, product, customer, geography, and other areas — and its potential impact, whether the risks are strategic, financial, operational, political, security, property, or reputational, for example.
• Staying abreast of regulatory requirements and industry expectations, initiating efforts to meet board-level requirements and standards, and ensuring that other requirements and standards are met in the organization.
• Providing input to management on risk issues in light of the risk appetite, risk profile, regulatory requirements, and the strategic goals of the business.
• Determining that the bank has a risk management infrastructure consistent with the complexity of the business, the risks it faces, and all applicable regulatory requirements. This infrastructure includes the people (both the CRO and the broader risk management function), processes, and technology that enable the organization to identify, measure, manage, monitor, and report on risk.

In its role as representative of the shareholders and steward of their assets, the board often selects, evaluates, and compensates the chief executive officer (CEO); establishes the audit, compensation, and other committees (including, for many, a risk committee); provides input to management on strategy and goals; and meets with management regarding issues that affect the organization. Thus, the board can affect the culture of the organization and the tone at the top as well as the approach to risk from both the asset-preservation and value-creation standpoints. Generally speaking, when a board establishes a risk committee, it may have several corresponding positive effects on its oversight of risk management: an inherent increase in board attention and resources devoted to risk oversight; more purposeful interaction with management regarding risk matters; and greater visibility into the organization’s risk management practices, particularly when the CRO and/or the management risk committee report to the board risk committee (see Exhibit 1). The actual role and responsibilities of the board risk committee, as with any board committee, will be defined in its charter.

Exhibit 1: Risk management committee structures – a stylized illustration

[Figure: the Board of Directors (BoD) and its board committees, including the BoD risk management committee, sit at the top; beneath them, in turn, are the executive management risk committee, management risk committees, line of business risk committees, and the business units where risk originates. Each committee operates under its own charter. Risk oversight flows downward from the board; risk information reporting flows upward from the business units.]


The board or its risk committee may shape its risk oversight responsibilities through the following activities:

1. Establish the risk culture of the enterprise: In selecting the CEO and articulating the values of the institution for the senior executives, the board can influence the prioritization of risk management enhancements in everyday decision making and the organization’s approach toward risk and risk management.

2. Promote open discussion regarding risk: Board members may discuss with the CRO, or others within the organization with similar stature and authority for risk management, the risks that are most material and to which the organization is most vulnerable. The board may wish to inquire and challenge management about risks that affect decisions, operations, and processes and, most importantly, risks of and to the strategy. Such discussions should generally be seen as constructive dialogue with management.

3. Provide input on — and approve — the bank’s risk appetite: The board provides appropriate input to management on the risk appetite and approves it. Risk appetite represents the parameters within which the executive team and business managers (the owners of the risk) manage risk at the enterprise and business unit levels.

4. Define the issues that require the board’s attention: The board should define the issues and decisions that management should bring to its attention for informational purposes, review, or board approval. These include risks associated with businesses, investments, partners, transactions, employee incentives, and developments that could substantially affect the bank, with the board clearly defining “substantially.”

5. Monitor risks and risk management capabilities: The board should consider its role in monitoring the risk profile — the types, levels, and concentrations of risk the bank is incurring — and any escalation, concentration, and interrelation of risks. It should also understand the bank’s business, operations, and products well enough to conduct this monitoring. Finally, it should think about how management monitors, mitigates, and manages specific risks and communicates about risk in the organization.

6. Obtain reasonable evidence regarding risk management: It is management’s role to identify and continually assess and manage all risks, and the board’s to ascertain that management has done so. The latter means being confident that management has a) identified the relevant risks that could affect the ability of the business to achieve its strategies and preserve its assets, and b) established a risk management infrastructure — the people, processes, and technology — to identify, measure, monitor, and report on the risks the institution faces. Some boards also obtain external advice and views of the firm’s capabilities regarding these two items.

Board risk committee charters should set the framework for the roles and responsibilities of the risk committee so that these activities are accomplished.

Risk committee versus audit committee charters

The case for separate board risk committees at large banks was strong even before the NPR proposed such committees for certain bank holding companies and for non-bank financial companies that are designated as systemically important. The expertise and time required for risk oversight, and competing demands on both the directors’ and the audit committee’s attention, tend to favor the establishment of separate risk committees. One alternative is to locate risk oversight in the audit committee. There are arguments for doing so, one being that separating risk and audit responsibilities can potentially create overlaps and gaps in oversight responsibility between the risk and audit committees, while combining the two avoids this. However, audit committees are inherently driven by financial reporting requirements and timelines. As a result, they are likely to focus on risks related to the integrity of the financial statements.

A key argument for separating the two holds that the audit committee’s focus on risks associated with financial reporting, the limited time it has to focus on matters unrelated to financial reporting, and a possible lack of sufficient risk expertise may cause it to overlook some risks. By this logic, risk may need to be overseen by the full board or a board risk committee. The NPR requirement renders arguments against separate risk committees moot, at least for U.S. bank holding companies with more than $50 billion in assets and for non-bank financial companies that are designated as systemically important. In effect, the NPR places risk on par with audit and compensation as issues that warrant board committees. When a bank of any size has a separate risk committee, the board should consider whether any potential overlaps and gaps in risk oversight between committees have been identified and addressed.


Risk committee charters

Boards use charters to establish board-level committees and define their responsibilities. Through a risk committee charter, the board establishes risk oversight responsibilities and communicates them to the institution, regulators, and other stakeholders. Creating or updating a risk committee charter enables the board to define, clarify, and assert its risk oversight role. (This can also be done in the audit committee charter, if that committee retains risk-related responsibilities.) A board risk committee charter can also be used by a board to set risk oversight expectations for itself and risk management expectations for the executive management team. For example, the charter can explicitly define responsibilities in the following areas:

• Risk oversight: define the scope and responsibilities of the board risk committee, including the governance process.
• Risk appetite: set forth overall expectations regarding the ways in which the risk appetite of the firm will be defined, understood, monitored, and observed.
• Management risk committee charters: articulate the responsibility of the board to review management’s risk committee charter as well as any amendments to it.
• Risk management policies: identify the key risk management policies that the board will be required to periodically review and/or approve.
• Risk management reporting criteria: define reporting criteria related to monitoring compliance with the established risk management policies, controls, and practices in order to increase transparency in this area and to set thresholds for board involvement in decisions.
• Risk management: establish the board’s expectations of management regarding specific areas of risk management, such as management of market, credit, regulatory, legal, and reputational risks as well as necessary remediation activities.
• Reporting lines: define the relationship between the CRO and the board risk committee and between the board risk committee and the management risk committee, specifically the requirement that risk management have appropriate independence and authority within the organization.

As in our 2009 study, the difference in the level of detail and specificity of language in risk committee versus audit committee charters is substantial. We expected this, as it reflects the continuing gap between financial governance and risk governance. Yet those differences appear to be narrowing, particularly in financial institutions. For example, the NPR calls for a board-level risk committee at bank holding companies with more than $50 billion in assets, at publicly traded bank holding companies with more than $10 billion in assets, and at non-bank financial companies that are designated as systemically important; for an independent director to lead the committee; and for "at least one member of a company's risk committee to have risk management expertise that is commensurate with the company's capital structure, risk profile, complexity, activities, size, and other appropriate risk-related factors".9 This resembles the way in which the Sarbanes-Oxley Act (SOX) of 2002 expanded the role of board audit committees and called for identifying financial experts on the board’s audit committee. Deloitte expects risk management, governance, and reporting to continue to evolve as enterprises respond to challenges, regulatory requirements, and industry expectations.

It is about relationships: Board and management risk committees

The board risk committee is, of course, distinct from the management risk committee. In the past three years, some boards decided that they needed a board risk committee and that the CRO and the management risk committee should report to it. This represents a shift, in that management risk committees typically report to an executive management committee, which is responsible for all management committees (which might include a finance committee, compensation committee, and others). The management risk committee may report to either the board risk committee or to the executive management committee. In practice, however, it may report to both, which can create dual reporting lines and potential complications that should be acknowledged and addressed. The point is that the board (and management) should consider how to structure the reporting relationships among these committees, based on the culture and needs of the organization and the effectiveness and efficiency of each option, and define the reporting relationships in the charter.

The regulatory picture becomes clearer

In the past two years, financial institution regulations have multiplied, as have principles and practices emanating from industry groups such as the Basel Committee on Banking Supervision and sources such as The Walker Review. The following developments in particular have prompted banks to strengthen risk management and oversight. We used guidance from regulatory bodies and industry groups to determine certain characteristics to review in the risk charters (see Exhibit 3). In developing these 16 characteristics, we reviewed relevant past and current guidance issued by regulatory bodies and industry groups, including:

• The Dodd-Frank Act: The rules under which Dodd-Frank will be implemented are works in progress. Yet it is clear that improved risk governance is an intent of the act.
• Amended rules on risk disclosures in proxy statements: In December 2009, the SEC issued new requirements regarding risk disclosures in proxy statements.10 These amended rules, which went into effect in 2010, were aimed at enhancing disclosure to investors and other stakeholders regarding the board’s role in risk oversight.
• Federal Reserve/Office of the Comptroller of the Currency (OCC): The Federal Reserve and the OCC have issued regulatory guidance applicable to board risk oversight at U.S. banks. Specifically, these include Federal Reserve Division of Banking Supervision and Regulation SR 95-51 (SUP), November 1995, and The Role of a National Bank Director – The Director’s Book, issued by the Comptroller of the Currency Administrator of National Banks, March 1997.11

Study methodology From the sources detailed in Appendix A, Deloitte developed a list of 16 characteristics applicable to board risk committee charters. We obtained the risk and audit committee charters from the 27 largest publicly held U.S. banks. These are publicly traded companies and are therefore required to have audit committees and publicly available committee charters. The charters of an additional seven large non-U.S.-based banks selected mainly on the basis of size and location were also obtained. We read each institution’s board risk committee charter and, when appropriate, audit committee charter using the characteristics shown in Exhibit 3 to determine whether or not the practice was addressed. This provided a method for determining the risk oversight practices of the bank, as stated in the board risk committee charter.

• Basel Committee guidance: The Bank for International Settlements’ (BIS) Basel Committee on Banking Supervision has recently issued detailed principles for enhancing corporate governance at banks.12 This guidance is quite specific regarding the board’s and its risk committee’s roles in oversight.
• The Walker Review: The review of corporate governance in the United Kingdom prepared by Sir David Walker and released in November 2009 also contained very specific recommendations on risk.


Exhibit 2: Enhanced prudential standards and early remediation requirements for covered companies (NPR, section 252.126), which sets forth the following key provisions regarding the risk committee:13

The NPR will require U.S. banks and bank holding companies with greater than $50 billion in assets, publicly traded bank holding companies with greater than $10 billion in assets, and non-bank financial companies designated as systemically important to establish a board risk committee with a formal written charter approved by the company's board of directors.

For U.S. bank holding companies with more than $50 billion in assets and non-bank financial companies designated as systemically important, the NPR will require appointment of a CRO, who should have appropriate expertise in developing and applying risk management practices and procedures, measuring and identifying risks, and monitoring and testing risk controls commensurate with the size and complexity of the organization.

Under the proposed rules, the risk committee will have specific responsibilities that include, but are not limited to, oversight and approval of an enterprise risk management framework commensurate with the complexity of the company, including:

1. Risk limitations appropriate to each business line of the company;
2. Appropriate policies and procedures relating to risk management governance, risk management practices, and risk control infrastructure for the enterprise as a whole;
3. Processes and systems for identifying and reporting risks and risk-management deficiencies, including emerging risks, on an enterprise-wide basis;
4. Monitoring of compliance with the company’s risk limit structure and policies and procedures relating to risk management governance, practices, and risk controls across the enterprise;
5. Effective and timely implementation of corrective actions to address risk management deficiencies;
6. Specification of management’s and employees’ authority and independence to carry out risk management responsibilities; and
7. Integration of risk management and control objectives in management goals and the company’s compensation structure.


Key comparative findings

To indicate the general trends in board risk oversight at large banks over the past three years, we compared key findings from Deloitte’s 2011 and 2009 studies. The banks included in both studies overlap significantly, and both consist of large banks and bank holding companies. The key findings in our studies of board committee charters for the characteristics (see Exhibit 3) examined in both 2011 and 2009 are the following:

• Board risk committees have been established by 79 percent of the banks studied in 2011, up from 53 percent in 2009 (characteristic #1).
• Board risk committees are establishing, communicating, and monitoring the risk appetite, tolerance, or risk profile in 71 percent of the banks in 2011, up 50 percent from 2009 (characteristic #2).
• Board risk committees oversee the risk exposures and future risk strategy for key risk categories (e.g., credit, market, operational, compliance, reputational, and other risks) in 65 percent of the banks, up very significantly from 20 percent in 2009 (characteristic #5).
• Board risk committees approve and review charters of existing management risk committees in 26 percent of the banks, up from 20 percent in 2009 (characteristic #7).

Overall, these findings indicate that the boards at major banks have expanded their risk oversight efforts (see Exhibit 3 for all 2011 findings, which are discussed below). The increase in bank charters reporting that they have board risk committees and that the committees approve risk appetite and review risk exposures is particularly significant. These two conditions — having a board risk committee and having it provide input into and approval of the risk appetite — can contribute to enhanced risk oversight.

None of the bank charters required a risk management expert on the board (characteristic #16; see Exhibit 3) in either 2011 or 2009. This is not to say that no such expert is present on the board or committee. Committee charters do not cover every practice the committee employs; however, it may be useful if the charter clarified whether or not this is a requirement. Characteristics #1, 2, 5, 7, and 16 were covered in both the 2011 and 2009 studies of committee charters. The other 11 characteristics (also shown in Exhibit 3) were covered only in the 2011 study. Therefore, 2011 and 2009 comparisons are possible only for those five characteristics.


Exhibit 3: Summary of results (for 27 U.S. and 7 non-U.S. banks)

| # | Characteristic | U.S. (Yes) | Non-U.S. (Yes) | Total (Yes) |
|---|---|---|---|---|
| 1 | Does the bank's board charter indicate there is an established board risk committee separate from the audit committee with sufficient authority, stature, independence, resources, and access to the board? | 74% | 100% | 79% |
| 2 | Does the charter note that the board risk committee establishes, communicates, and monitors the risk tolerance/appetite or risk-return profile of the organization? | 63% | 100% | 71% |
| 3 | Does the charter note that the board risk committee identifies, assesses, and monitors risks on an ongoing firm-wide and individual-entity basis? | 7% | 29% | 12% |
| 4 | Does the charter suggest that the board risk committee is responsible for assessment of actual risk appetite over time covering both banking and trading book exposure? | 4% | 0% | 3% |
| 5 | Does the charter indicate that the board risk committee oversees the current risk exposures and future risk strategy, including strategy for capital and liquidity management, as well as for credit, market, operational, compliance, reputational, and other risks of the bank? | 63% | 71% | 65% |
| 6 | Does the charter clarify that the board risk committee oversees senior management's implementation of risk management strategy? | 81% | 71% | 79% |
| 7 | Does the charter suggest that the board risk committee sanctions, approves, and reviews charters of management risk committees? | 33% | 0% | 26% |
| 8 | Does the charter suggest that the board risk committee receives formal and informal communication from the bank's risk management function and CRO? | 78% | 71% | 76% |
| 9 | Does the charter note that the board risk committee advises the board on the current risk exposures and future risk strategy? | 56% | 86% | 62% |
| 10 | Does the charter suggest that the CRO reports to and has direct access to the board and its risk committee? | 48% | 43% | 47% |
| 11 | Does the charter indicate that the board risk committee holds executive sessions? | 33% | 14% | 29% |
| 12 | Does the charter indicate that the board risk committee supports the role of the CRO such that the CRO has sufficient stature, authority, and seniority within the organization, and is independent from individual business units? | 15% | 43% | 21% |
| 13 | Does the charter indicate that the board risk committee requires and oversees timely internal communication about risk across the organization? | 33% | 43% | 35% |
| 14 | Does the charter suggest that the board risk committee has access to external expert advice? | 56% | 29% | 50% |
| 15 | Does the charter note the presence of independent directors (nonexecutive director, senior independent director) on the board risk committee? | 30% | 43% | 32% |
| 16 | Does the charter require/designate a risk management expert (in identifying, assessing, and managing risk exposures of large, complex firms) on the board risk committee? | 0% | 0% | 0% |


Detailed 2011 findings: U.S. versus non-U.S. banks

Overall, Deloitte sees the study results as signaling that many risk oversight policies among major U.S. and non-U.S. banks are converging. We expect continued convergence as the Basel Committee, as well as regulators in North America and the European Union, promulgate similar requirements and guidance in response to risks, and as banks respond accordingly. In fact, the differences that Deloitte found between U.S. and non-U.S. banks' governance practices identify areas in which large banks may consider alternative governance practices.

Comparison of the findings for U.S. and non-U.S. banks can identify qualitative similarities and differences in risk governance practices. The following are those that we found most interesting:

Similarities:
• Most U.S. and all non-U.S. banks had established a board risk committee separate from the audit committee (characteristic #1).
• U.S. and non-U.S. banks were similar in their approaches to risk committee oversight of risk exposures (characteristic #5) and of management's implementation of risk management strategy (characteristic #6).
• U.S. and non-U.S. banks were similar in receiving risk reporting information from the risk management function (characteristic #8).
• Similar percentages of U.S. and non-U.S. banks have the CRO reporting to the board or its risk committee (characteristic #10).

Differences:
• Non-U.S. banks more often designated the role of the board risk committee in establishing, communicating, and monitoring the risk appetite (characteristic #2).
• U.S. banks more often empowered the board risk committee to approve management's risk charters and committees, while according to the charters no non-U.S. banks did (characteristic #7).
• U.S. banks more often provided the risk committee with access to external expert advice (characteristic #14).
• As indicated in the charters, non-U.S. banks more often specified that the risk committee advises the board on risk exposures and risk strategy (characteristic #9) and supports the CRO having sufficient stature, authority, and independence (characteristic #12).


Detailed points of comparison – 2009 versus 2011

This section provides detailed analysis on three characteristics (#1, 2, and 5) examined in both 2009 and 2011.

Characteristic #1: Does the bank's board charter indicate there is an established board risk committee separate from the audit committee with sufficient authority, stature, independence, resources, and access to the board?

A further look into the board's committee structure for the oversight of risk reveals the following.

[Pie charts, 2009 (Total = 30 banks) versus 2011 (Total = 34 banks), by committee structure: separated audit and risk committee, combined audit and risk committee, audit committee only, audit plus other committee. Separated audit and risk committee: 53% in 2009, 79% in 2011. The remaining 2009 segments are 27%, 10%, and 10%; the remaining 2011 segments are 12%, 6%, and 3%.]

Key observations:
• The percentage of risk charters that indicate that banks have separate board risk committees increased substantially from 2009 to 2011.
• The number of banks with only an audit committee decreased dramatically, given the shift toward establishing risk oversight committees.
• Anecdotally,14 we have observed that, for some bank boards, there was significant focus on risk management activities in the last several years, and as a result these boards revisited and strengthened their risk oversight strategy and programs.
• The enhanced supervision and prudential standards required under the Dodd-Frank Act (which, for U.S. banks with more than $50 billion in assets, those with more than $10 billion in assets that are publicly traded, and non-bank financial companies designated as systemically important, include establishing a risk committee) will likely further drive risk oversight activities going forward.


Characteristic #2: Does the charter note that the board risk committee establishes, communicates, and monitors the risk tolerance/appetite or risk-return profile of the organization?

[Pie charts: 2009 (Total = 30 banks): Yes 50%, No 50%. 2011 (Total = 34 banks): Yes 65%, No 35%.]

Key observations:
• There was a substantial increase in the number of charters that indicated that risk committees establish, communicate, and/or monitor the risk appetite, the risk profile, or both.
• All the foreign banks whose charters we reviewed in 2011 indicate that the risk committee establishes, communicates, and/or monitors the risk appetite/profile.
• There has been recent regulatory guidance that may influence risk committee activity going forward. This guidance includes the Basel Committee guidance on corporate governance and, in the UK, the Walker Review.

Characteristic #5: Does the charter indicate that the board risk committee oversees the current risk exposures and future risk strategy, including strategy for capital and liquidity management, as well as for credit, market, operational, compliance, reputational, and other risks of the bank?

[Pie charts: 2009 (Total = 30 banks): Yes 20%, No 80%. 2011 (Total = 34 banks): Yes 65%, No 35%.]

Key observations:
• The number of charters that note that the board risk committee oversees current and future risk exposures and strategy across a full range of risks increased dramatically.
• Key guidance potentially influencing this increase included the Basel principles on corporate governance, which state that a board risk committee should be "responsible for advising the board on the bank's overall current and future risk tolerance/appetite and strategy, and for overseeing senior management's implementation of that strategy."


How to enhance risk oversight

The findings of Deloitte's study of board risk committee charters suggest several steps that boards at large banks can take to further enhance risk oversight. The suggestions presented here assume that the organization has a separate board-level risk committee and a risk committee charter. By modifying this charter, the board can enhance risk oversight by using the charter to assert, clarify, broaden, or focus its risk oversight role as necessary.

We have organized our suggestions into strategic and tactical steps, although a few items overlap those categories. These steps include several not directly related to the 16 characteristics Deloitte used in its study (see Exhibit 3), which instead emerged from Deloitte's overall review of the charters, our analysis of the current regulatory environment, and our general experience with board risk committee charters, particularly over the past three years. As you take steps to further enhance risk oversight, you may wish to consider Deloitte's Risk Intelligence Diagnostic and Maturity Model throughout the process (see Appendix C). The strategic steps may help the board to further define and establish risk committee roles and responsibilities, while the tactical steps that follow may assist in enabling the committee to fulfill those roles and responsibilities.

Strategic action steps:

1. Review the risk committee charter: One good starting point for a board considering ways to enhance risk oversight would be to have its risk committee charter reviewed in light of the 16 characteristics Deloitte used in this study as well as the seven components of the risk management framework outlined in the NPR and shown in Exhibit 2. While these do not aim to be completely comprehensive, as there may be other characteristics that boards may want to review, they can serve as a "report card" and enable a board to determine whether its risk committee charter meets the given criteria. Your bank's "yes" or "no" on each characteristic can also be compared with the percentage Deloitte found in its study. Discussing the results of this exercise as a group can help board or risk committee members to identify differences in their interpretations of the charter, to locate areas that lack clarity, and to start identifying priorities.

2. Focus across the enterprise: The risk committee charters we reviewed focused on risk mainly at the consolidated entity (i.e., the holding company level). Indeed, only 12 percent of charters called for the board risk committee to "identify, assess, and monitor risks on an ongoing firm-wide and individual-entity basis" (characteristic #3). Consistency of risk management programs and activities across entities generally helps lead to a more effective aggregation of risk across the enterprise.

3. Approve and monitor the risk appetite: While the charters indicated that all seven non-U.S. banks had the board risk committee establish, communicate, and monitor the risk appetite, tolerance, and/or profile, a smaller proportion, roughly two-thirds (63 percent), of U.S. banks did (characteristic #2). In general, the board risk committee should approve management's process to set the risk appetite at the enterprise, business-unit, and risk-type levels, and oversee how this is communicated within the organization. At a more tactical level, the board risk committee should also consider monitoring the risk appetite and approving increases (or decreases) to it. While the specifics are up to each board, the charter may need to better define the role and responsibility of the risk committee regarding risk appetite.

4. Consider CRO reporting lines: Only about half (48 percent) of the charters specified that the CRO reports to the board risk committee (characteristic #10). Even fewer gave the committee authority to hire and compensate the CRO (which was not among the characteristics). Having the CRO report to the board risk committee encourages his or her independence. It may be useful to think of the CRO as requiring independence and objectivity similar to that of the chief internal auditor. Having the CRO report to the board, and be hired and compensated by the board, may help the CRO have "sufficient stature, authority, and seniority within the organization" and be independent from the business units (characteristic #12, which was met in only 21 percent of the charters).

5. Avoid overlap and gaps among board committees: Although it was not among Deloitte's study characteristics, boards may want to confirm, from both the strategic and the tactical standpoint, that risk committee responsibilities and activities do not duplicate or burden the work of the audit, compensation, or other board committees, or create gaps between committees. Some committee responsibilities and activities could create such issues unless the charter of each committee clearly demarcates responsibilities, activities, and hand-off points. Clear guidelines for sharing information, particularly regarding risks, could also be helpful.

Tactical action steps:

In general, the board's risk oversight capabilities may be strengthened when the scope of the charter includes risk oversight matters such as communications, monitoring activities, and other interactions between the board risk committee and management. Specific provisions regarding such areas help the board to set explicit expectations of management and to clarify the mechanisms by which oversight occurs.

1. Oversee current exposures and future risk strategy: This risk oversight activity was noted in about two-thirds (65 percent) of the charters read. (The related characteristic is #5: the board risk committee oversees the current risk exposures and future risk strategy, including for capital and liquidity management and for credit, market, operational, and other risks.) It is notable that the percentage of banks specifying this in their charters jumped from 20 percent to 65 percent from 2009 to 2011. This finding indicates that more banks are documenting in their charters that the committee oversees a range of risk exposures, and are thus asserting this as one of its risk oversight responsibilities.

2. Specify communication about risk with management and across the enterprise: Charters vary in the specificity with which they define communication about risk. For example, 76 percent indicated that the "committee receives formal and informal communication from the bank's risk management function and CRO" (characteristic #8). But charters vary in how specifically they define these communications in terms of method (e.g., formal meetings with the management risk committee or CRO, or informal dialogue with management), form (e.g., written or oral), and frequency (e.g., quarterly or annually). Only 29 percent of charters specified that the board risk committee holds executive sessions (characteristic #11), that is, a requirement that the committee meet separately with the CRO or senior management. Similarly, about 35 percent of charters specified that the "board risk committee oversees timely internal communication about risk across the organization" (characteristic #13). Management is responsible for facilitating such communication, and the board may want evidence that management has done so, and to set forth its related requirements in the risk committee charter.

3. Conduct an annual self-assessment: Although not among Deloitte's study characteristics, the board may wish to consider specifying in the charter an annual self-assessment of the risk committee's capabilities and performance. Items to evaluate may include the quality of the input the committee has provided to management, the level of two-way communication about risk, risk events, losses, and other measures of risk oversight effectiveness. Based upon our marketplace observations, one current issue boards are considering is their role in management policy decisions that they, as board members, must be informed of, review, or approve. Given the importance of the board's role, boards may wish to include decision-making roles within their annual self-assessment. External assistance with this review can be useful, with an appropriate third party providing objectivity and expertise that is difficult to obtain in a pure self-assessment. On the subject of external expertise, half of the charters (50 percent) we reviewed indicated that the board could access external advice, but none required it (characteristic #14). External parties can be particularly useful in benchmarking management's practices against industry practices and in updating the board and the risk committee on current practices and expectations arising from recent regulatory and other developments. Stating this in the charter may elevate its priority.

4. Consider selectively adopting "advanced" provisions: Some provisions included by few, or even none, of the banks whose charters we reviewed may be worth considering. For example, designating a risk management expert on the risk committee (characteristic #16) might be worthwhile, particularly since the charter could define the responsibilities of that expert, the qualifications for the position, and how he or she would be compensated.

Deloitte offers these suggestions regarding steps a board or board risk committee may take to clarify and strengthen its risk committee charter and thus its role in risk oversight. It is up to each board and committee to identify the steps worth considering. The actual steps may be prioritized in terms of the needs of the organization and its stakeholders, the cost and time involved, and the potential benefits. In addition, these steps should be discussed with and implemented in conjunction with management.

Based on the board risk committee charters Deloitte reviewed, most banks appear to have responded to increasing risk and continuing regulatory developments by establishing separate risk committees and having them establish, communicate, and monitor the risk appetite, tolerance, and/or profile of the organization. Most also seem to oversee senior management's implementation of the risk management strategy. These are welcome developments, but even large, sophisticated banks can further enhance their risk oversight practices.

Appendix A:

Selected details on sources used in developing the risk charter characteristics

The Wall Street Reform and Consumer Protection Act (Dodd-Frank)
Dodd-Frank was signed into law in July 2010, with significant impact on U.S. financial institutions. The Federal Reserve is in the process of developing enhanced prudential standards related to risk governance; see Exhibit 2.15

Amended rules on risk disclosures in proxy statements
In December 2009, the Securities and Exchange Commission (SEC) issued new requirements regarding risk disclosures in proxy statements.17 These amended rules, which went into effect in 2010, aimed to enhance disclosure to investors and other stakeholders regarding the board's role in risk oversight. Specifically, the rules:
• Require companies to describe the board's role in risk oversight, including how the company perceives the role of its board and the relationship between the board and management in managing the material risks facing the company
• Give companies the flexibility to describe how the board administers its risk oversight function, such as through the whole board or through a separate risk committee or the audit committee
• Suggest that companies address whether the people supervising day-to-day risk management report directly to the board as a whole or to a board committee, and how the board or committee otherwise receives information from them
The amended rules appear to have already affected risk oversight practices, as found in a 2011 Deloitte study of proxy statements.18

Federal Reserve/Office of the Comptroller of the Currency (OCC)
The Federal Reserve and the OCC issue regulatory guidance applicable to board risk oversight at U.S. banks. The guidelines Deloitte considered in its review of risk charters were as follows:
• Federal Reserve Division of Banking Supervision and Regulation SR 95-51 (SUP), November 1995, instructed bank examiners to assign a formal supervisory rating to the adequacy of an institution's risk management processes. Among other items, the guidelines noted that boards are ultimately responsible for the level of risk, should understand risks, and should provide clear guidance regarding acceptable exposures.19
• The Role of a National Bank Director – The Director's Book, issued by the Comptroller of the Currency, Administrator of National Banks, March 1997,20 stated that the board establishes risk guidelines, exercises risk oversight, should specify the reports it wants and with what frequency, and should understand the risks presented by any proposed new product or service.
Given the dates of this Federal Reserve and OCC guidance, more recent developments such as board risk committees and CROs were not mentioned. However, Deloitte used these sources to identify board risk-oversight responsibilities promulgated by the Federal Reserve and the OCC.

Basel Committee Guidance
The Bank for International Settlements' (BIS) Basel Committee on Banking Supervision has issued detailed principles for enhancing corporate governance at banks. The guidelines that most affect risk governance include the following (summarized) principles:
1. The board oversees implementation of the bank's strategic objectives, risk strategy, corporate governance, and senior management.
2. The board should define appropriate governance practices for its own work and ensure that these practices are followed and periodically reviewed.
3. Under the board's direction, senior management should ensure that the bank's activities are consistent with the business strategy, risk tolerance/appetite, and policies approved by the board.
4. Banks should have effective internal controls and a risk management function (including a chief risk officer or equivalent) with sufficient authority, stature, independence, resources, and access to the board.
5. The bank's risk management and control infrastructures should keep pace with any changes to the bank's risk profile and external risks.
6. Effective risk management requires robust internal communication about risk, across the organization and through reporting to the board and senior management.
7. The board should monitor the compensation system to ensure that it operates as intended and that compensation is aligned with prudent risk taking.
8. The board and senior management should understand the bank's operational structure and the risks posed by any special purpose structures and in any foreign jurisdictions.
9. Governance should be adequately transparent to shareholders, depositors, other relevant stakeholders, and market participants.
The study utilized the Basel Committee guidance on board risk governance as one of the sources of the characteristics we applied in our review of board risk charters.

The Walker Review
The review of corporate governance in UK banks known as the Walker Review was prepared by Sir David Walker, former Chairman of the Securities and Investment Board (now the Financial Services Authority). The review was released in November 2009 and contained 39 recommendations on governance of UK banks. The following five recommendations (nos. 23 to 27) concern risk governance and risk committees:
• Establish a separate board risk committee responsible for risk oversight and strategy. A FTSE 100 bank or life insurance company should establish a board risk committee separate from the audit committee. The board risk committee should have responsibility for oversight of, and advice to the board on, current risk exposures and future risk strategy, and should advise the board on risk appetite, tolerance, and strategy.
• Establish an independent enterprise risk function. The board should be served by a CRO who reports to the board risk committee and participates in the enterprise-wide risk management and oversight processes, independent of the business units.
• Make external advice available to the board risk committee. The board risk committee should grasp the potential value added by external input to its work.
• Advise management regarding strategic transactions. In proposed strategic acquisitions or disposals of assets, the board risk committee should advise the board to ensure that due diligence is undertaken. It should focus in particular on risks and the implications for risk appetite and tolerance, drawing on independent external advice where appropriate, before the board decides whether to proceed.
• Ensure proper risk disclosure and risk governance. The board risk committee's risk report should be a separate section of the annual report. It should discuss key risk exposures, risk appetite and tolerance, and how the risk appetite is assessed.
Although the Walker Review was prepared for UK institutions, its recommendations can be used as a guideline for many banks. Deloitte therefore used the Walker Review (as it did the Basel Committee guidance) as a source of the characteristics we applied in our study of board risk charters.

Appendix B:

Summary of bank committee charters

20

Company

Committee

Summary of risk related committee charter elements

A

Enterprise risk committee

The committee is responsible for exercising oversight of senior management’s identification of the material risks. The committee shall oversee senior management’s establishment of policies and guidelines articulating risk tolerances as to material categories of risk, the performance and functioning of the risk management function, and senior management’s establishment of appropriate systems (including policies, procedures, management committees, and stress testing) that support controls over market risk, interest rate risk, and liquidity risk.

B

Risk policy committee

The committee is responsible for oversight of the chief executive officer and senior management's responsibilities to assess and manage the corporation's credit risk, market risk, interest rate risk, investment risk, liquidity risk, and reputational risk.

C

Risk management and finance committee

The purpose of the committee is the oversight of the risk management framework, including the significant policies, procedures and practices used in managing credit, market, operational and certain other risks. In addition, the committee is responsible for the oversight of the policies and practices relating to treasury matters, including capital, liquidity and financing, as well as to merger, acquisition, and divestiture activity.

D

Risk committee

The purpose of the committee is to provide oversight of enterprise-wide risk management framework, including the strategies, policies, procedures, and systems, established by management to identify, assess, measure, and manage major risks.

E

Risk committee

The purpose of the committee is to assist the board in its oversight of the management of financial and operational risks, including market, credit, and liquidity risks.

F

Risk committee

The committee is appointed by the board of directors to assist the board in its oversight of risk governance structure, risk management, risk assessment guidelines and policies regarding market, credit, liquidity and funding risk and such other risks as necessary to fulfill the committee's duties and responsibilities, the risk tolerance, and the performance of the chief risk officer.

G

Risk management committee

The purpose of the committee is to provide oversight of the risk management function, including its policies, procedures and practices relating to management of credit risk; financial, liquidity and market risk; and operational risk. The committee will conduct an annual performance evaluation of the committee to provide regular reports to the board.

H

Risk committee

The purpose of the committee is to assist the board of directors in fulfilling its oversight responsibilities with regard to the risk appetite and the risk management and compliance framework and the governance structure that supports it.

I

Risk committee

The committee provides oversight of enterprise-wide risk structure and the processes established to identify, measure, monitor, and manage credit risk, market risk (including liquidity risk), and operating risk (including technology, operational, compliance, and fiduciary risk).

J

Risk and compliance committee

The purpose of the committee is to assist the board of directors in setting risk appetite and tolerances, as well as overseeing management’s responsibility to manage the risk profile and implement the risk program, with emphasis on credit, market, liquidity, operational, and reputational risks from both an enterprise and a line of business perspective.

K

Executive and risk management committee

The committee is appointed by the board of directors and has the responsibility to exercise all the powers and the authority of the board during the intervals between board meetings, to the extent permitted by applicable law. In addition, except for those matters overseen by other board committees, the committee reports to and assists the board in overseeing executive management’s identification of, planning for, and responding to material risks, including strategic risk, credit risk, operational risk, reputation risk, liquidity risk, market risk, and compliance risk.

Improving Bank Board Governance The bank board member's guide to risk management oversight

23

Company

Committee

Summary of risk related committee charter elements

L

Audit and risk committee

The committee is responsible for assisting the board of directors in its oversight responsibilities relating to the integrity of the financial statements and financial reporting process; internal and external auditing, including the qualifications and independence of the independent registered public accounting firm and the performance of the internal audit services function; the integrity of the systems of internal accounting and financial controls; legal and regulatory compliance; the assessment and management of the risk and capital; and the performance of the other committee functions set forth in the charter.

M

Risk committee

The committee is appointed by the board of directors. This committee is responsible for reviewing and approving the board’s risk appetite parameters to be used by management. This committee’s purpose is to assist the board of directors in its oversight of the risk management governance and processes. Generally, these risks can be categorized in the following classifications – legal risk, reputation risk, liquidity risk, credit risk, market risk, regulatory risk, compliance risk, and operational risk, including emerging risks.

N

Risk and compliance committee

The committee oversees management’s compliance with all of its regulatory obligations arising under applicable banking laws, rules and regulations; management’s development and implementation of an enterprise-wide view of risk capacity, risk appetite and risk tolerances; management’s development and implementation of effective policies, processes and procedures to ensure risks are properly controlled, quantified and within the risk appetite; and management’s application of consistent methodologies for assessing, quantifying, aggregating, monitoring, prioritizing and reporting risk, including the categories of credit risk, market risk, liquidity risk, operational risk, regulatory compliance risk, legal risk, reputation risk and strategic risk.

O

Business risk committee

The purpose of the committee is to assist the board in discharging its oversight duties with respect to the risks inherent in the businesses, in the following categories: credit risk, market and liquidity risk, fiduciary risk, operational risk and the regulatory component of compliance risk; and the process by which risk-based capital requirements are determined, including internal capital adequacy assessment process and promoting a culture that encourages ethical conduct and compliance with applicable rules and standards.

P

Risk management committee

The committee is appointed by the board of directors and is responsible for assisting the board with strategies, policies, procedures, and practices relating to the assessment and management of credit risk, market risk, liquidity risk, and material operational and other risks, and in each case any significant reputation or strategic risk arising therefrom, in the best interests of the corporation and its shareholders.

Q

Risk review committee

The committee is responsible for assisting the board in fulfilling its oversight responsibilities for the identification and management of risk; adherence to risk management corporate policies; and compliance with risk-related regulatory requirements.

R

Audit and risk committee

The committee is appointed by the board of directors to assist the board in monitoring the integrity of the financial statements and internal controls, compliance with legal and regulatory requirements, the qualifications, independence and performance of the independent auditor, the performance of the internal auditor and chief credit review officer; and the processes by which management assesses and manages risk.


S

Audit and risk committee

The Audit Committee’s responsibilities surrounding risk are to oversee S Corporation’s operational risk management framework and evaluate its effectiveness on an annual basis; to receive and review reports from the Enterprise-Wide Risk Management functions and review the steps management has taken to assess, monitor and control credit, operational, strategic/reputational, compliance/legal, liquidity, market, and interest rate risks; and to receive and review reports from Loan Review, I.T. and Central Operations on relevant risk-related matters, loan reviews, disaster recovery, and self-assessment of systems.

T

Audit and risk committee

The Audit Committee responsibilities surrounding risk are to review reports from management on the Company's enterprise-wide risk management program. Review with management the framework for assessing and managing the risk exposures of the Company, including credit, market, liquidity, and operational risks, and the steps management has taken to monitor and control such risk exposures. Review reports from management on the status of and changes to risk exposures, policies, procedures, and practices. Review adequacy of risk parameters that have been established for each area of enterprise risk. Review and discuss with risk management whether it has the appropriate resources, independence, and authority to fulfill its responsibilities.

U

Enterprise risk committee

The Committee is responsible for reviewing and approving annually the charters for the Enterprise-Wide Risk Management Authorization, the Enterprise-Wide Risk Management Committee, the Enterprise-Wide Risk Management Policy, the Strategic Credit Committee, the Asset Liability Policy Committee, the Asset Liability Management Policy, the Operational Risk Management Committee, and the Enterprise-Wide Compliance Committee.

V

Risk oversight committee

The Committee is responsible for the review and approval of V’s risk governance committee and executive-level risk management committee charters and of the board-level risk policies on a biennial basis. The Committee shall review and approve corporate Key Risk Indicators (KRIs) and the limits established for each KRI; these limits form the basis of the risk limit framework and are intended to help measure the level of risk the organization has assumed. The Committee shall also oversee and review the effectiveness of monitoring compliance with laws and regulations.

W

Risk management committee

The Committee is responsible for ensuring that management has established a risk management framework designed to identify, bring to the Committee’s attention, and appropriately manage, monitor, control, and report on all major risks affecting W, including credit, market, reputation, and operational risks.

X

Credit review committee

The purpose of the Credit Review Committee is to monitor the results of internal and external credit reports and examinations, and to review, evaluate, and recommend changes to policies established by the Board and by management with respect to extensions of credit of any kind and other activities which entail the taking of credit risk.

Y

Risk committee charter

The Risk Committee reports to and assists the Board of Directors in overseeing and reviewing information regarding the Company’s enterprise risk management framework and capital adequacy framework, including the significant policies, procedures, and practices employed to manage credit risk, market risk, and operational risk.

Z

Audit committee

The Audit Committee is appointed by the Board of Directors of Z to assist the Board in monitoring: (a) the integrity of the financial statements of the Corporation; (b) the independent auditor’s qualifications, independence, and performance; (c) the performance of the Corporation’s internal audit function; and (d) the compliance by the Corporation with certain legal and regulatory requirements.

AA

Risk and capital committee

The Committee is responsible for reviewing and discussing with management the Company’s assessment and management of risk, including market, operational, fiduciary, interest rate, liquidity, business and credit risks, and related policies.

BB

Risk committee

The purpose of the Committee is to ensure that management has established policies and procedures relating to compliance with the self-dealing provisions of the Bank Act. Additionally, to oversee risk management of the Bank, ensuring that management has in place policies, processes, and procedures to manage the significant risks to which the Bank is exposed, including compliance with applicable laws and regulations.


CC

Risk committee

The committee is responsible for the various types of risk (operational, technological, financial, legal, and reputational, among others), including off-balance sheet losses and contingencies. Additionally, the committee is responsible for the information and internal control systems that will be used to control and manage such risks, and for setting the risk level the company deems acceptable. The committee is to be aware of, and to authorize, management tools, improvement initiatives, advancement of projects and other activities relating to the control of risks. Additionally, it will assess and monitor the statements made by supervisory authorities and ensure that activities are consistent with the risk tolerance level.

DD

Risk committee

The committee will be responsible for: providing oversight and advice in relation to current and potential future risk exposures and future risk strategy, including determination of risk appetite and tolerance; assisting on such other matters as may be referred to it by the board; acting as the risk committee of the board; promoting a risk awareness culture; and reporting to the board, identifying any matters within its remit in respect of which it considers that action or improvement is needed, and making recommendations as to the steps to be taken. The board risk committee may engage independent counsel and other expert advisers, as it determines necessary, to carry out its duties.

EE

Risk committee

The committee is a committee of the board of directors, from which it derives its authority and to which it regularly reports. The principal purpose of the committee is to review, on behalf of the board, management’s recommendations on risk, in particular: consider and recommend to the board the risk appetite; review, on behalf of the board, the risk profile; satisfy itself on the design and completeness of the internal control and assurance framework relative to the risk profile, including the principal risk categories; and commission, receive and consider reports on key risk issues.

FF

Risk committee

The committee shall be accountable to the board and shall have responsibility for oversight and advice to the board. The committee shall report to the board on: risk appetite, tolerance, and strategy, systems of risk management, internal control, and compliance to identify, measure, aggregate, control, and report risk including the alignment of strategy with the board’s risk appetite; the alignment of reward structures, in relation to the management of risk with the board’s risk appetite; and the maintenance and development of a supportive culture, in relation to the management of risk, appropriately embedded through procedures, training and leadership actions so that all employees are alert to the wider impact on the whole organization of their actions and decisions.

GG

Risk committee

The committee’s primary function is to assist the board of directors in fulfilling its risk management responsibilities as defined by applicable law and regulations as well as the articles of association and internal regulations. It does so by periodically reviewing and assessing the integrity and adequacy of the risk management function, in particular as it relates to market, credit, and liquidity and funding risks (the review and assessment of the adequacy of the management of reputational risks, however, is a joint responsibility of the risk committee and the audit committee); reviewing the adequacy of capital (economic, regulatory, and rating agency) and its allocation to the businesses; reviewing certain risk limits and regular risk reports and making recommendations to the board of directors; and reviewing the policy in respect of corporate responsibility and sustainable development.

HH

Risk committee

The function of the committee is to oversee and support the board in fulfilling its duty to supervise and set appropriate risk management and control principles in the area of risk management and control, including credit, market, country, and operational risks, treasury and capital management, including funding and liquidity, and balance sheet management, including in each case any consequent reputational risk. For these purposes, the committee will receive all relevant information from management and has the authority to meet with regulators/external bodies in consultation with the chief executive officer.


Appendix C:

The Risk Intelligent Enterprise™ framework

A Risk Intelligent Enterprise focuses not solely on risk avoidance, but also on risk-taking as a means to value creation. This approach recognizes the need for an integrated risk management program that embeds capabilities throughout all levels of the organization. The framework shown below depicts a Risk Intelligent organization where:

• Leaders incorporate a broad outlook on risk into strategic decision making
• The board ensures that appropriate risk management controls and procedures are in place
• Systems, processes, and people are in place to act on intelligence in a timely and coordinated manner
• A consistent approach is used across the enterprise to manage all types and classes of risk effectively and efficiently

The Risk Intelligent Enterprise approach offers a practical framework, or roadmap, for enabling directors and management to focus simultaneously on value protection and value creation. Deloitte’s framework and insights are based on nine fundamental principles of a Risk Intelligence program. Effectively, Risk Intelligence takes a dynamic view of all the dimensions of risk, imbuing decision makers with a special skill set that helps build uncommon awareness and flexibility, such as a bias against assumptions, vigilance for rooting out perceptual “blind spots,” and a keen ability to connect trends, people, and entities in ways that expose threats and exploit opportunities, either of which may predictably or unexpectedly materialize.

[Figure: Deloitte’s point of view: Nine principles of Risk Intelligence. The Risk Intelligent Enterprise™ framework. Only the figure labels survive; they are listed below by tier.]

Risk governance (Oversight; Tone at the top):
• Common definition of risk
• Common risk framework
• Roles & responsibilities
• Transparency for governing bodies

Risk infrastructure and oversight (Executive management responsibility):
• Common risk infrastructure, spanning People, Process and Technology
• Objective assurance and monitoring

Risk ownership:
• Business unit responsibility
• Support of pervasive functions

Risk process: Identify risks; Assess & evaluate risks; Integrate risks; Respond to risks; Design, implement & test controls; Monitor, assure & escalate. Around the cycle: Develop and deploy strategies; Sustain and continuously improve.

Risk categories: Operational; Compliance; Business and strategic; Systemic; Reputational; Credit; Market; Interest rate risk on banking book; Liquidity; Financial.


The Risk Intelligence maturity model In reviewing their charters and defining their approach to risk governance, boards may find it helpful to utilize a Risk Intelligence maturity model. (See below.) This model can supplement the boards’ current efforts to define the desired level of oversight both now and in the future. Deloitte’s Risk Intelligence maturity model has been built based on our nine principles of a Risk Intelligence Enterprise. Below is an illustrative example of our maturity model highlighting risk governance roles and responsibilities.

Risk Intelligence maturity model: risk governance roles and responsibilities

Principle for building a Risk Intelligent enterprise: Key roles, responsibilities, and authorities relating to risk management are clearly delineated within the organization.
Primary owner: Board of Directors
Responsibility: Risk governance
Key duty: Discharge risk management responsibility for oversight

Maturity levels:

1. Unaware: The board has not established the necessary oversight essential for influencing risk management and establishing a culture of risk awareness throughout the enterprise.

2. Fragmented: The board has established oversight, but it is not widely adopted nor well understood. Consequently, the management of risks and the culture of risk awareness exist only separately and unevenly within individual lines of business and not across the enterprise.

3. Top-Down: The board has established oversight and it has been clearly communicated throughout the organization. As a result, management demonstrates a culture of risk awareness, but risk management disciplines have not been embraced broadly or evenly across the enterprise.

4. Systematic: The board has established oversight that is widely understood and adopted, creating a culture of risk awareness and the adoption of risk management disciplines throughout the enterprise.

5. Risk Intelligent: The board has established oversight and is constantly seeking ways to influence the improvement of the culture of risk awareness and the management of risk throughout the enterprise to further the firm’s market leadership.

Contacts

A. Scott Baret
Global Leader, Enterprise Risk Services - Financial Services Industry
Partner, Governance, Regulatory & Risk Strategies
Deloitte & Touche LLP
Tel: +1 212 436 5456
[email protected]

Edward Hida
Global Leader, Risk & Capital Management
Partner, Governance, Regulatory & Risk Strategies
Deloitte & Touche LLP
Tel: +1 212 436 4854
[email protected]

Contributors

Eduarda Cardoso
Consultant
Deloitte & Touche LLP
Tel: +1 212 436 4959
[email protected]

Christopher C. Smith
Senior Manager
Deloitte & Touche LLP
Tel: +1 617 585 5879
[email protected]

Val Srinivas
Head of Research
Deloitte Center for Financial Services
Deloitte Services LP
Tel: +1 212 436 3384
[email protected]


Endnotes

1. Banking organizations with $50 billion or more in consolidated total assets.

2. Dodd-Frank Wall Street Reform and Consumer Protection Act; July 21, 2010; Section 165.

3. Securities and Exchange Commission, 17 CFR Parts 229, 239, 240, 249 and 274 [Release Nos. 33-9089; 34-61175; IC-29092; File No. S7-13-09] RIN 3235-AK28, Proxy Disclosure Enhancements (http://www.sec.gov/rules/final/2009/33-9089.pdf).

4. Principles for enhancing corporate governance, Basel Committee on Banking Supervision, October 2010, Bank for International Settlements.

5. A review of corporate governance in UK banks and other financial industry entities, Final recommendations, November 26, 2009, The Walker review secretariat, London, England.

6. Global Risk Management Survey, seventh edition, Navigating in a changed world, 2011, Deloitte Global Services Limited (http://www.deloitte.com/FSIGlobalRiskSurvey).

7. Risk Intelligent Governance: A Practical Guide for Boards, 2009, Deloitte & Touche LLP (www.deloitte.com/us/riskgovernanceguide).

8. Surviving and Thriving in Uncertainty, by Frederick Funston and Stephen Wagner, John Wiley & Sons, Hoboken, NJ, 2010, p. 265.

9. Dodd-Frank Wall Street Reform and Consumer Protection Act; July 21, 2010; Section 165, Enhanced supervision and prudential standards for nonbank financial companies supervised by the Board of Governors and certain bank holding companies.

10. Securities and Exchange Commission, 17 CFR Parts 229, 239, 240, 249 and 274 [Release Nos. 33-9089; 34-61175; IC-29092; File No. S7-13-09] RIN 3235-AK28, Proxy Disclosure Enhancements.

11. The Role of a National Bank Director – The Director’s Book, Comptroller of the Currency, Administrator of National Banks, March 1997.

12. Principles for enhancing corporate governance, Basel Committee on Banking Supervision, October 2010, Bank for International Settlements.

13. Board of Governors of the Federal Reserve System (Board), Enhanced Prudential Standards and Early Remediation Requirements for Covered Companies; December 20, 2011; Section 252.126.

14. This observation is based on anecdotal observation from our marketplace experiences and is not based on the charter review.

15. Hot Topics: Dodd-Frank Wall Street Reform and Consumer Protection Act—Abstracts and Observations, Special Edition, Deloitte Development LLC, August 2010.

16. “The role of the board in enterprise risk management,” by James Lam, The RMA Journal, Long View Publications, April 2011.

17. Securities and Exchange Commission, 17 CFR Parts 229, 239, 240, 249 and 274 [Release Nos. 33-9089; 34-61175; IC-29092; File No. S7-13-09] RIN 3235-AK28, Proxy Disclosure Enhancements.

18. Risk Intelligent Proxy Disclosures – 2011: Have risk-oversight practices improved?, Deloitte Development LLC, 2011.

19. Board of Governors of the Federal Reserve System, Division of Banking Supervision and Regulation Letter SR 95-51 (SUP), Rating the Adequacy of Risk Management Processes and Internal Controls at State Member Banks and Bank Holding Companies, November 14, 1995.

20. The Role of a National Bank Director – The Director’s Book, Comptroller of the Currency, Administrator of National Banks, March 1997.


Insights. Research. Connections.

Headquartered in New York City, the Deloitte Center for Financial Services provides insight and research to help improve the business performance of banks, private equity, hedge funds, mutual funds, insurance and real estate organizations operating globally. The Center helps financial institutions understand and address emerging opportunities in risk and information technology, regulatory compliance, growth, and cost management. The Center brings a financial services integrated view to Deloitte and its network of member firms, each of which is a legally separate and independent entity that provides audit, consulting, financial advisory, risk management, and tax services to select clients. With access to the deep intellectual capital of 169,000 people worldwide, Deloitte serves more than one-half of the world’s largest companies, as well as large national enterprises, public institutions, locally important clients, and successful, fast-growing global growth companies. To learn more about the Center, its projects and events, please visit us at www.deloitte.com/us/cfs.

This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this publication.

Copyright © 2011 Deloitte Development LLC. All rights reserved.
Deloitte Touche Tohmatsu Limited
