progress post walker the evolution of board audit … post walker the evolution of board audit and...
TRANSCRIPT
Progress post WalkerThe evolution of Board Audit and Risk Committees in financial services
Pre-crisis state of play
Drivers for change post-crisis
Emerging role of the Board Risk Committee post-crisis
Current state of play
Identified areas for continued focus
Analysis: graphs and commentary
Contacts
h
IntroductionThe financial crisis highlighted imbalances between the increasing growth and complexity of the
financial services industry and fundamental failures in governance and risk management, raising
important questions and calling for changes across the market.
A key response to these challenges was Sir David Walker’s ‘A review of corporate governance in UK
banks and other financial entities’ (the Walker Report) published in 2009, which recommended,
amongst other items, the establishment of a separate Board Risk Committee (BRC) as a means of
addressing the overload of Non-Executive Directors (NEDs) on Audit Committees (AC) and the need for
a closely-related but separate capability to focus on risk in future strategy.
Over four years on from the Walker Report, this analysis looks at how firms are responding to the
challenges and fulfilling the increased expectations, with particular focus on the AC versus the BRC.
We present our findings from a data-driven exercise, looking at publicly disclosed information published
in 2012 from 25 listed banks and other financial institutions (BOFIs).
2
IntroductionProgress post WalkerThe evolution of Board Audit and Risk Committees in financial services
Introduction
Drivers for change post-crisis
Emerging role of the Board Risk Committee post-crisis
Current state of play
Identified areas for continued focus
Analysis: graphs and commentary
Contacts
h
Pre-crisis state of play
3
Pre-crisis state of play Lack of focus on risk management at Board sub-committee level
There was a lack of detailed understanding of all areas of the business by many NEDs, in some cases exacerbated by insufficient breadth and depth of skill at Board level to effectively manage all the risks of the business
Combined Audit & Risk Committee was the norm
CombinedCommittee
UnderstandingTime
Commitment
Access to Board
Backward-lookingAudit & Risk activity was largely backward-looking with management information (MI) often poorly presented making effective forward-looking risk management challenging
NED time commitment was often limited to Committee meeting
pre-reading and attendance
There was a poor level of access to the Board for risk
management functions and a lack of clarity around
reporting lines
Progress post WalkerThe evolution of Board Audit and Risk Committees in financial services
Introduction
Pre-crisis state of play
Emerging role of the Board Risk Committee post-crisis
Current state of play
Identified areas for continued focus
Analysis: graphs and commentary
Contacts
h
Drivers for change post-crisis
Improved Board risk oversight, with clearer risk ownership and a more direct relationship between senior risk
management and the appropriate Board committees.
Material behavioural changes across the business, with enhanced risk consciousness and culture to be
embedded throughout an organisation.
A more forward-looking focus on risk management.
More diversity in the skill set and experience, and an increase in time commitment
from NEDs to meet their responsibilities.
A much stronger focus on the risk consequences of remuneration.
4
Drivers for change post-crisis Underlying the structural recommendations from Walker, there was a need for:
Progress post WalkerThe evolution of Board Audit and Risk Committees in financial services
Introduction
Pre-crisis state of play
Drivers for change post-crisis
Current state of play
Identified areas for continued focus
Analysis: graphs and commentary
Contacts
h
Emerging role of the Board Risk Committee post-crisis
5
Emerging role of the Board Risk Committee post-crisis Separate Board Risk Committees and Audit Committees are now the norm
The split of responsibilities between the two committees is increasingly well defined.
Nearly all ACs oversee Internal Audit (IA) and most BRCs oversee risk management functions.
We are seeing a number of practical steps being taken to ensure the alignment of both
Committees and reduce the risk of gaps or overlap:
• Cross membership is normal practice;
• Meeting synchronisation or joint meetings;
• Agenda agreement and delineation; and
• Minute and report sharing.
Progress post WalkerThe evolution of Board Audit and Risk Committees in financial services
Introduction
Pre-crisis state of play
Drivers for change post-crisis
Emerging role of the Board Risk Committee post-crisis
Identified areas for continued focus
Analysis: graphs and commentary
Contacts
h
Current state of play
6
Current state of play Structural developments since 2009
Diagram does not include dependencies and overseas territories, etc.Diagram does not include dependencies and overseas territories, etc.Diagram does not include dependencies and overseas territories, etc.Diagram does not include dependencies and overseas territories, etc.Diagram does not include dependencies and overseas territories, etc.Diagram does not include dependencies and overseas territories, etc.Diagram does not include dependencies and overseas territories, etc.Diagram does not include dependencies and overseas territories, etc.Diagram does not include dependencies and overseas territories, etc.Diagram does not include dependencies and overseas territories, etc.Diagram does not include dependencies and overseas territories, etc.Diagram does not include dependencies and overseas territories, etc.
1. Number of BOFIs with a separate BRC
We analysed 25 annual reports published in 2012
(25 BOFIs: 18 FTSE 100, 7 FTSE 250)
Click on each section for findings
9. Disclosure of risk appetite responsibilities
8. Split of responsibilities
7. Compliance, Risk and Internal Audit reporting
lines
2. Average number of members
5. Cross membership
6. Relevant experience
3. Average number of
meetings per annum
4. Composition of BRC
Progress post WalkerThe evolution of Board Audit and Risk Committees in financial services
Introduction
Pre-crisis state of play
Drivers for change post-crisis
Emerging role of the Board Risk Committee post-crisis
Current state of play
Analysis: graphs and commentary
Contacts
h
Identified areas for continued focus
7
Identified areas for continued focus BOFIs have responded strongly since 2009, but challenges remain
Strengthening the risk and compliance experience of
BRC members.
Ensuring NEDs remain independent and don’t stray
into a quasi-management role as their involvement grows.
Greater prominence of compliance at Board sub-committee level.
Equipping BRCs with good quality, concise management
information that highlights the key assumptions, sensitivities
and big bets; rather than volumes of data.
Embedding risk appetite throughout the organisation.
The need for real and lasting change in the risk culture of
the institution, with increasing emphasis on the significance
of conduct risk.
Progress post WalkerThe evolution of Board Audit and Risk Committees in financial services
Introduction
Pre-crisis state of play
Drivers for change post-crisis
Emerging role of the Board Risk Committee post-crisis
Current state of play
Identified areas for continued focus
Contacts
h
9
6 5
234
87
1
Analysis: graphs and commentary
When comparing the number of banks with separate BRCs in 2009 to 2011 we identified:
•BRCs are now the norm.
•17 out of 25 had separate BRCs in 2011, of which six already had BRCs prior to the Walker Report.
• Of the eight BOFIs that retained a combined Audit and Risk Committee there were several Asset Managers reflecting a more intensive focus on enhancing governance in banks and perhaps also the narrower range of financial risks material to asset managers versus banks and insurers.
8
Analysis 1. Number of BOFIs with a separate BRC
6
2009 2011
Yes
No
1917
8
Click foranalysis
Back to Current state of play
Progress post WalkerThe evolution of Board Audit and Risk Committees in financial services
Introduction
Pre-crisis state of play
Drivers for change post-crisis
Emerging role of the Board Risk Committee post-crisis
Current state of play
Identified areas for continued focus
Contacts
h
Analysis: graphs and commentary
19
6 5
234
87
9
Analysis 2. Average number of members
We analysed the average number of members on each of the two committees in 2009 versus 2011 and observed the following:
• The slightly higher number of members on BRCs compared to ACs is likely attributable to organisations wanting to bring a breadth of skills to the BRC as well as ensuring overlap with the AC and Remuneration Committee.
2009
2011
4 4
5BRC
AC
5
Click foranalysis
Back to Current state of play
Progress post WalkerThe evolution of Board Audit and Risk Committees in financial services
Introduction
Pre-crisis state of play
Drivers for change post-crisis
Emerging role of the Board Risk Committee post-crisis
Current state of play
Identified areas for continued focus
Contacts
h
9
6 5
2
487
1
3
Analysis: graphs and commentary
10
Analysis 3. Average number of meetings per annum
We analysed the average number of meetings from 2009 to 2011 and observed the following:
• Whilst both committees met on average six times in 2011, the average number of BRC meetings has steadily risen since 2009 reflecting the changing environment and need for additional discussion.
0 2 4 6 8
2011
2010
AC
BRC
5
2009
Click foranalysis
Back to Current state of play
Progress post WalkerThe evolution of Board Audit and Risk Committees in financial services
Introduction
Pre-crisis state of play
Drivers for change post-crisis
Emerging role of the Board Risk Committee post-crisis
Current state of play
Identified areas for continued focus
Contacts
h
9
6 5
287
1
34
Analysis: graphs and commentary
11
We analysed the composition of BRCs in terms of Non-Executive and Executive membership and observed the following:
•BRCs occasionally have a mix of NEDs and Executive Directors (EDs).
•Whilst the majority of BRCs are composed of solely NEDs, five firms, including three insurers, have a mixed committee composition.
• The EDs tend to be Chief Financial Officers and on occasion, Chief Executives or Chief Operating Officers.
• The mixed composition potentially reflects the depth of knowledge and skills deemed by some boards to be necessary effectively to define and embed risk appetite and a risk intelligent culture whilst still demonstrating an external, independent challenge.
Analysis 4. Composition of BRC
Solely NEDs
Mix of NEDs & EDs
12
5
Click foranalysis
Back to Current state of play
Progress post WalkerThe evolution of Board Audit and Risk Committees in financial services
Introduction
Pre-crisis state of play
Drivers for change post-crisis
Emerging role of the Board Risk Committee post-crisis
Current state of play
Identified areas for continued focus
Contacts
h
9
6
287
1
34
5
Analysis: graphs and commentary
12
Analysis 5. Cross membership
Graph 1 shows the number of members on the AC and of these individuals, how many are also members of other Board Committees. Graph 2 shows the number of members on the BRC and of these, how many individuals also sit on other Board Committees. We observed the following:
• There is a high reliance on cross-membership between AC and BRC members, with three members on average sitting on both committees.
•All 17 firms with separate BRCs have AC and BRC Chairs sitting on the other committee.
0
1
2
3
4
5
6
AC
4
3
Graph 1 Graph 2
AC BRC
2
3
5
3
2
3
BRC
5
Remuneration Committee Nominations Committee
Click foranalysis
Back to Current state of play
Progress post WalkerThe evolution of Board Audit and Risk Committees in financial services
Introduction
Pre-crisis state of play
Drivers for change post-crisis
Emerging role of the Board Risk Committee post-crisis
Current state of play
Identified areas for continued focus
Contacts
h
9 287
1
34
56
Analysis: graphs and commentary
13
Analysis 6. Relevant experience
The below graph shows the percentage of each committee with relevant experience in 2011:
• There is limited in-depth risk and compliance experience (for example, to the extent of a former Chief Risk Officer (CRO) or Head of Compliance (HoC)).
• We would expect to see more specific and direct risk experience to start to emerge on Boards and in BRCs in time as in our view, it is likely that some CROs and HoCs may start to migrate into NED roles over the next three to five years as they retire from their executive roles.
0% 20% 40% 60% 80% 100%
Accounting/Audit/Financial background
FS sector experience
Public sector experience
Other sector experience
Economics background
Legal/Tax/Regulatory background
Actuarial/Risk Management background
BRC
As interpreted from the biographies available in the 2011 Annual Report
7%8%
28%26%
9%8%
46%26%
66%58%
93%81%
49%29%
AC
5
Click foranalysis
Back to Current state of play
Progress post WalkerThe evolution of Board Audit and Risk Committees in financial services
Introduction
Pre-crisis state of play
Drivers for change post-crisis
Emerging role of the Board Risk Committee post-crisis
Current state of play
Identified areas for continued focus
Contacts
h
9 28
1
34
567
Analysis: graphs and commentary
Analysis 7. Compliance, Risk and Internal Audit Reporting lines
We analysed the reporting lines of Heads of Control Functions into the BRC and AC in 2011 and observed the following:
•Nearly all ACs oversee Internal Audit (IA) and most BRCs oversee risk management functions.
•Oversight of compliance is mixed/unclear.
• There are instances where Heads of Internal Audit (HIA) report to both committees.
• Our research also shows a large proportion of CROs and HIAs attending both committee meetings, as opposed to having hard reporting lines. However, BRCs appear to have a more ‘open door’ policy.
• These findings are interesting in light of the recent consultation document by the Chartered Institute of Internal Auditors ‘Effective Internal Audit in the Financial Services Sector’ which recommended, amongst other things, that Internal Audit should be present at both the AC and the BRC, and should have a primary reporting line to the Chairman of the AC.
0% 20% 40% 60% 80% 100%
Head of IA
Chief Risk Officer
Chief Compliance Officer
AC BRC
2BRC
AC
1 1
215
1 115
9
Both BRC member Not disclosed/Unclear
Click foranalysis
Back to Current state of play
Progress post WalkerThe evolution of Board Audit and Risk Committees in financial services
Introduction
Pre-crisis state of play
Drivers for change post-crisis
Emerging role of the Board Risk Committee post-crisis
Current state of play
Identified areas for continued focus
Contacts
h
9 21
34
5678
Analysis: graphs and commentary
Analysis 8. Split of responsibilities
The below graph shows the percentage of each committee with relevant experience in 2011:
• A number of responsibilities have moved to BRCs which previously sat with the AC, and with mixed practice observed for oversight of key regulatory risks and operational risk.
• Oversight of risk management and internal controls (and associated disclosures in the annual report) is jointly conducted, reflecting the overlapping interests of the two committees.
0% 20% 40% 60% 80% 100%
Risk management and internal controls
Annual Report
Operational risk
Financial crime
Regulatory risk/FSA Relationship
IT risk
Risk strategy/risk exposures
Risk profile
Risk appetite
Stress and scenario testing
Risk policies
Strategic/material transactions
Remuneration
Risk culture
Capital and liquidity
Tax
Whistle blowing/complaints
Anti-money laundering 9 1 3 4
14 2 1
6 1 6
15 2
11 6
14 3
11 6
1 213 1
15 2
15 1 1
14 3
14 3
4 13
5 6 6
6 4 4 3
2 6 4 5
4 23 8
17
BRCAC Jointly Not disclosed/Unclear
Click foranalysis
Back to Current state of play
Progress post WalkerThe evolution of Board Audit and Risk Committees in financial services
Introduction
Pre-crisis state of play
Drivers for change post-crisis
Emerging role of the Board Risk Committee post-crisis
Current state of play
Identified areas for continued focus
Contacts
h
21
34
5678
9
Analysis: graphs and commentary
Analysis 9. BOFIs disclosing risk appetite responsibilities
The below graph shows whether and the extent to which BOFIs are disclosing risk appetite responsibilities in 2011. We observed the following:
• There is room for enhancement of risk disclosure with many not externally evidencing that they meet Walker’s requirements on risk appetite.
Key references in the 2009 Walker Report:
A. Paragraph 6.13: “Advise the board on risk appetite and tolerance for future strategy”.
B. Recommendation 23: ”Take account of the current and prospective macro-economic and financial environment drawing on financial stability assessments”.
C. Paragraph 6.13: “Qualitative and quantitative advice to the remuneration committee on risk weightings to be applied to performance objectives incorporated within the incentive structure for the CEO and executive team”.
D. Paragraph 6.9: “View on capital and its prospective adequacy over the cycle in the light of the entity’s overall strategy and the external risk environment”.
E. Paragraph 6.14: “The risk assessment process should involve some quantitative metrics to serve as a way of tracking risk management performance in implementation of the agreed strategy”.
F. Paragraph 6.14: “Review and approval of the parameters used in these measures and the methodology adopted“.
G. Paragraph 6.14: “Setting of a standard for the capability to monitor, in a sufficiently accurate and timely manner, particular large exposures whose relevance, possibly because of some external shock, may become of critical importance”.
H. Recommendation 26: “In respect of a proposed strategic transaction involving acquisition or disposal, it ‘should as a matter of good practice be for the board risk committee to oversee a due diligence appraisal of the proposition, drawing on external advice where appropriate ‘and available, before the board takes a decision whether to proceed”.
0% 50% 100%
A
B
C
D
E
F
G
H 13 1 11
8 161
8 1
11
16
10 2 13
1 10
1213
14
6 6
9 16
11 122
PartialYes Not disclosed
Click foranalysis
Back to Current state of play
Progress post WalkerThe evolution of Board Audit and Risk Committees in financial services
Introduction
Pre-crisis state of play
Drivers for change post-crisis
Emerging role of the Board Risk Committee post-crisis
Current state of play
Identified areas for continued focus
Analysis: graphs and commentary
h
Contacts
Contacts
Kari HalePartnerBanking and Capital Markets+44 20 7303 [email protected]
Natasha de SoysaDirectorInsurance+44 20 7303 7340 [email protected]
Ralph DaalsDirectorInsurance+44 20 7 303 8192 [email protected]
Catherine HodgesDirectorBanking and Capital Markets +44 20 7303 [email protected]
Jagruti PatelManagerInsurance+44 20 7007 8234 [email protected]
Progress post WalkerThe evolution of Board Audit and Risk Committees in financial services
h
14
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited (“DTTL”), a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.co.uk/about for a detailed description of the legal structure of DTTL and its member firms.
Deloitte LLP is the United Kingdom member firm of DTTL.
This publication has been written in general terms and therefore cannot be relied on to cover specific situations; application of the principles set out will depend upon the particular circumstances involved and we recommend that you obtain professional advice before acting or refraining from acting on any of the contents of this publication. Deloitte LLP would be pleased to advise readers on how to apply the principles set out in this publication to their specific circumstances. Deloitte LLP accepts no duty of care or liability for any loss occasioned to any person acting or refraining from action as a result of any material in this publication.
© 2013 Deloitte LLP. All rights reserved.
Deloitte LLP is a limited liability partnership registered in England and Wales with registered number OC303675 and its registered office at 2 New Street Square, London EC4A 3BZ, United Kingdom. Tel: +44 (0) 20 7936 3000 Fax: +44 (0) 20 7583 1198.
Designed and produced by The Creative Studio at Deloitte, London. 26394A
19