At the end of December, the U.S. Federal Reserve gave the banking industry a holiday “gift”—proposed rules implementing provisions of the Dodd-Frank Act, with the goal of preventing failure of systemically important institutions. The proposal includes provisions that could have a profound effect on how boards and managements deal with risk. 

The rules apply generally to bank holding companies with consolidated assets of $50 billion or more, as well as non-bank firms designated as systemically important (insurance companies and hedge funds, for example). While they don't apply to foreign banks unless a U.S.-based subsidiary itself reaches the $50 billion threshold, the Fed will be issuing more rules for foreign banks in the coming months.

The proposed rules are far-reaching, including requirements for risk-based capital and leverage, liquidity, stress tests, single-counter-party credit limits, debt-to-equity limits, and early remediation. Banks will need to comply within one year after the rules are issued in final form, with even shorter deadlines for compliance with some elements, such as stress testing.

The plan includes requirements for risk management and risk committees, and some of those items—as well as the proposed rules for stress testing—will apply to smaller firms with consolidated assets of $10 billion. Obviously, reading the fine print is important for all who may be subject to these proposals.

Contributors to the Financial Crisis

The Fed says companies that were under distress or failed during the financial crisis had major risk-management deficiencies. It highlighted findings of the Senior Supervisors Group, a joint effort on the part of 12 supervisory agencies—including the Comptroller of the Currency, the Securities and Exchange Commission, and the Federal Reserve here in the United States, the Financial Services Authority in Britain, and several others from nations around the globe—to evaluate vulnerabilities in the global financial system. Among the findings:

Line and senior risk managers did not jointly act to address risks on an enterprise-wide basis;

Line managers made decisions in isolation which increased rather than mitigated risk; and

Treasury functions were not aligned with risk-management processes.

On the other hand, the SSG identified effective senior management oversight and engagement as positively distinguishing companies' performance during the crisis:

Senior managers at successful companies were actively involved in risk management, determining the company's overall risk preferences and creating appropriate incentives and controls;

Senior managers had access to adaptive management information systems to identify and assess risks based on a range of dynamic measures and assumptions; and

Boards of directors were actively involved in determining the company's risk tolerance, which curbed excessive risk taking.

The SSG also stated in its report that firms are more likely to maintain risks consistent with the board and senior management's tolerance for risk where they establish risk-management committees.

The Requirements

In addition to the rules for the largest banks and financial institutions, the proposal would require banks with more than $10 billion in total assets to establish a board risk committee to “document and oversee, on an enterprise-wide basis, the risk-management practices of the company's worldwide operations.” That committee would be chaired by an independent director, and at least one member needs to have risk-management expertise commensurate with the company's size, complexity, and other risk-related factors.

Further, its members are expected to understand risk-management principles and practices relevant to the company, with experience “developing and applying risk-management practices and procedures, measuring and identifying risks, and monitoring and testing risk controls with respect to their organizations.” And there are rules for a committee charter, meetings, and documentation.

Responsibilities for the committee are spelled out. It will need to document and oversee enterprise risk management, and review and approve an appropriate risk-management framework commensurate with the company's size and other factors. The framework must include risk limits appropriate to each line of business; policies and procedures for risk-management governance, practices, and control infrastructure; processes for identifying and reporting risks, including emerging risks; monitoring compliance with risk limits and procedures; effective and timely corrective actions; specification of management's authority and independence to carry out risk-management responsibilities; and integration of risk-management and control objectives in management goals and the company's compensation structure.

The larger covered companies need to do more, with two important additional requirements:

Appoint a chief risk officer in charge of implementing and maintaining the risk-management framework and practices approved by the risk committee. The rules specify the CRO's responsibilities, which include direct oversight of the allocation of delegated risk limits, monitoring, and testing, all on an enterprise-wide basis. The rules also set forth qualifications for the CRO, require that the position report to both the risk committee and the CEO, and address compensation, with a focus on incentivizing the CRO to provide an objective view of risks.

The risk committee will need to report directly to the full board and not as part of another committee, and regularly review the CRO's reports.

Assessing the Rules

In looking at the proposal, one may challenge the need for a separate risk committee at the board level. Indeed, many governance experts believe risk is such an important matter that it must remain in the bailiwick of the full board, rather than be delegated to a sub-group.

I generally tend to agree, but in the case of large financial institutions the risks are more complex and require greater technical skill and experienced judgment. When looking at large banks with exposure to the likes of liquidity, credit, market, counter-party, geopolitical, operations, and other risks, and the inter-connectivity of risks within and outside the organization, a sharp focus on risk at the most senior levels is critical. So a separate risk committee of independent directors makes good sense—especially to the Fed, with an eye on the financial system as a whole.

The requirements for the committee's membership also make sense, calling for one member with risk-management expertise and others with knowledge of risk management. And they match up with rules established for audit committees years ago. I do have a couple of concerns, however:

With expanding requirements for board members to have specific expertise—such as with the audit committee and now risk committee—there are fewer board seats available for directors with knowledge and experience in other areas that may be critical to corporate success. These may include technology, global markets, marketing, the industry, and others, as well as broad-based CEOs and others who can provide the experience and judgment to help guide the organization where the strategic plan is designed to take it. And increasing the size of bank boards back to where they were years ago isn't a good idea either. Hopefully boards will be able to maintain their current size with the right spectrum of skills and experience while also meeting these specific requirements.

The federalization of governance standards. We've already seen this in connection with audit committees, where rules established by the federal government push their way past state requirements, when Delaware traditionally has led the way. Among the problems created are multiple levels of governance authority and regulation that can add cost and sometimes conflict with one another. 

We're seeing movement towards board committees becoming regulated entities unto themselves, with specified rules and requirements. But the full board should take responsibility for the entirety of governing a corporation. That is, a board may delegate work to its various committees, but it shouldn't abdicate that responsibility. Committees work at the direction of the full board, and the board as a whole needs to be comfortable with analyses and decisions individual committees reach.

One approach that can work well is to have the chair or other member of board committees with inter-related responsibilities, such as audit and compensation, serve as members of the risk committee. Alternatively, those individuals could sit in on certain risk committee meetings, and of course the risk committee needs to report and discuss issues and direction with the full board.

The proposal has some good elements as well. One of the better ideas is a rule for companies to establish a risk-management framework—although I prefer to call it a risk-management “process” or “architecture” and leave “framework” for things like COSO's Enterprise Risk Management—Integrated Framework, which sets forth what ERM is and how it can best work. But clearly the Fed's requirements hit important points, including risk limits, management's role, infrastructure, and focus on emerging risks. And having a CRO with the stated responsibilities, but who isn't ultimately responsible for risk management, is right on point.

The Fed's proposal put forth a number of questions on specific elements of the rules for those wishing to comment. Certainly organizations subject to the rules will want to consider those questions as well as other issues and provide input to the rulemaking process. With that input and perhaps some tweaking, covered organizations and the financial system as a whole should be on a stronger foundation going forward. The Federal Reserve is accepting comments on the proposal until March 31.