Prior to 2008, it was not uncommon for a bank to assign its risk oversight responsibilities to the audit committee of its board of directors, or in some cases, to even divide those tasks between a number of other committees. Since then, a number of policies and guidelines have been enacted (including, notably, the Basel Committee for Banking Supervision’s Corporate Governance Principles for Banks in July 2015) that set new standards and procedures with respect to how financial institutions are to monitor and moderate risk.

PricewaterhouseCoopers recently completed a study entitled Board Governance: Higher Expectations, but Better Practices?, which considers the policies and practices of the ten largest banks in the United States, focusing on boards of directors that have undergone significant changes including structural and functional transformation. The study finds that the impetus for these changes has largely been: (1) the need to comply with new or increasingly stringent regulatory requirements (that began and continue to emerge in the post-2008 environment); and (2) the recognition that better internal risk governance policies can empower boards to monitor—and if necessary, challenge—management on key operational decisions.

The study found that since 2008, all ten of the largest banks in the United States have created dedicated audit committees, compared to only twenty percent in 2008, prior to the financial crisis.

Although the formation of risk committees is now a requirement, the banks have supplemented the regulatory frameworks imposed by the U.S. Federal Reserve’s Enhanced Prudential Standards with additional in-house policies. For example, nine of the ten largest banks require a minimum number of directors to sit on the risk committee, despite the fact that the Federal Reserve has not set any such requirement. Increased committee sizes typically signal an increased desire for direct engagement in a specific area. In addition, 60% of the subject banks have self-imposed a rule that the risk committee be entirely independent, regardless of the fact that the Federal Reserve only requires that there be at least one independent director. Other refinements over the regulated standards include having at least one director with directly relevant risk management experience and including former regulators on the risk committee.

There are, however, areas where banks still fall short. Significantly, roughly one-third of the ten largest banks do not require their respective risk governance policies to be approved by the risk committee and roughly one-fifth do not require either the board of directors or the risk committee to approve risk appetite standards. In addition, only half of the banks require the chief risk officer to report to the risk committee. Issues such as these can raise the concern that these committees are devoid of actual influence on institutional direction and daily operations.

The study makes a number of recommendations. Banks should: (1) enshrine regulatory expectations in risk committee charters; (2) augment their boards with additional independent directors with relevant experience; (3) ramp up risk-related board training sessions; (4) establish internal standards for risk issue escalation, ownership and resolution; and (5) increase the risk committee’s engagement with  the chief risk officer. In order to prevent another big short, financial institutions must give greater attention to the risks they are willing to take on, and a large part of that is through empowering the risk committee in such a way so as to most effectively carry out its mandate.

Stay connected with Special Situations Law and subscribe to the blog today.