progress post walker the evolution of board audit … post walker the evolution of board audit and...

Progress post WalkerThe evolution of Board Audit and Risk Committees in financial services

Pre-crisis state of play

Drivers for change post-crisis

Emerging role of the Board Risk Committee post-crisis

Current state of play

Identified areas for continued focus

Analysis: graphs and commentary

Contacts

h

IntroductionThe financial crisis highlighted imbalances between the increasing growth and complexity of the

financial services industry and fundamental failures in governance and risk management, raising

important questions and calling for changes across the market.

A key response to these challenges was Sir David Walker’s ‘A review of corporate governance in UK

banks and other financial entities’ (the Walker Report) published in 2009, which recommended,

amongst other items, the establishment of a separate Board Risk Committee (BRC) as a means of

addressing the overload of Non-Executive Directors (NEDs) on Audit Committees (AC) and the need for

a closely-related but separate capability to focus on risk in future strategy.

Over four years on from the Walker Report, this analysis looks at how firms are responding to the

challenges and fulfilling the increased expectations, with particular focus on the AC versus the BRC.

We present our findings from a data-driven exercise, looking at publicly disclosed information published

in 2012 from 25 listed banks and other financial institutions (BOFIs).

2

IntroductionProgress post WalkerThe evolution of Board Audit and Risk Committees in financial services

http://webarchive.nationalarchives.gov.uk/+/http:/www.hm-treasury.gov.uk/d/walker_review_261109.pdf

http://webarchive.nationalarchives.gov.uk/+/http:/www.hm-treasury.gov.uk/d/walker_review_261109.pdf

Introduction






Contacts

h


3

Pre-crisis state of play Lack of focus on risk management at Board sub-committee level

There was a lack of detailed understanding of all areas of the business by many NEDs, in some cases exacerbated by insufficient breadth and depth of skill at Board level to effectively manage all the risks of the business

Combined Audit & Risk Committee was the norm

CombinedCommittee

UnderstandingTime

Commitment

Access to Board

Backward-lookingAudit & Risk activity was largely backward-looking with management information (MI) often poorly presented making effective forward-looking risk management challenging

NED time commitment was often limited to Committee meeting

pre-reading and attendance

There was a poor level of access to the Board for risk

management functions and a lack of clarity around

reporting lines


Introduction






Contacts

h


Improved Board risk oversight, with clearer risk ownership and a more direct relationship between senior risk

management and the appropriate Board committees.

Material behavioural changes across the business, with enhanced risk consciousness and culture to be

embedded throughout an organisation.

A more forward-looking focus on risk management.

More diversity in the skill set and experience, and an increase in time commitment

from NEDs to meet their responsibilities.

A much stronger focus on the risk consequences of remuneration.

4

Drivers for change post-crisis Underlying the structural recommendations from Walker, there was a need for:


Introduction






Contacts

h


5

Emerging role of the Board Risk Committee post-crisis Separate Board Risk Committees and Audit Committees are now the norm

The split of responsibilities between the two committees is increasingly well defined.

Nearly all ACs oversee Internal Audit (IA) and most BRCs oversee risk management functions.

We are seeing a number of practical steps being taken to ensure the alignment of both

Committees and reduce the risk of gaps or overlap:

• Cross membership is normal practice;

• Meeting synchronisation or joint meetings;

• Agenda agreement and delineation; and

• Minute and report sharing.


Introduction






Contacts

h


6

Current state of play Structural developments since 2009

Diagram does not include dependencies and overseas territories, etc.Diagram does not include dependencies and overseas territories, etc.Diagram does not include dependencies and overseas territories, etc.Diagram does not include dependencies and overseas territories, etc.Diagram does not include dependencies and overseas territories, etc.Diagram does not include dependencies and overseas territories, etc.Diagram does not include dependencies and overseas territories, etc.Diagram does not include dependencies and overseas territories, etc.Diagram does not include dependencies and overseas territories, etc.Diagram does not include dependencies and overseas territories, etc.Diagram does not include dependencies and overseas territories, etc.Diagram does not include dependencies and overseas territories, etc.

1. Number of BOFIs with a separate BRC

We analysed 25 annual reports published in 2012

(25 BOFIs: 18 FTSE 100, 7 FTSE 250)

Click on each section for findings

9. Disclosure of risk appetite responsibilities

8. Split of responsibilities

7. Compliance, Risk and Internal Audit reporting

lines

2. Average number of members

5. Cross membership

6. Relevant experience

3. Average number of

meetings per annum

4. Composition of BRC


Introduction






Contacts

h


7

Identified areas for continued focus BOFIs have responded strongly since 2009, but challenges remain

Strengthening the risk and compliance experience of

BRC members.

Ensuring NEDs remain independent and don’t stray

into a quasi-management role as their involvement grows.

Greater prominence of compliance at Board sub-committee level.

Equipping BRCs with good quality, concise management

information that highlights the key assumptions, sensitivities

and big bets; rather than volumes of data.

Embedding risk appetite throughout the organisation.

The need for real and lasting change in the risk culture of

the institution, with increasing emphasis on the significance

of conduct risk.


Introduction






Contacts

h

9

6 5

234

87

1


When comparing the number of banks with separate BRCs in 2009 to 2011 we identified:

•BRCs are now the norm.

•17 out of 25 had separate BRCs in 2011, of which six already had BRCs prior to the Walker Report.

• Of the eight BOFIs that retained a combined Audit and Risk Committee there were several Asset Managers reflecting a more intensive focus on enhancing governance in banks and perhaps also the narrower range of financial risks material to asset managers versus banks and insurers.

8

Analysis 1. Number of BOFIs with a separate BRC

6

2009 2011

Yes

No

1917

8

Click foranalysis

Back to Current state of play


Introduction






Contacts

h


19

6 5

234

87

9

Analysis 2. Average number of members

We analysed the average number of members on each of the two committees in 2009 versus 2011 and observed the following:

• The slightly higher number of members on BRCs compared to ACs is likely attributable to organisations wanting to bring a breadth of skills to the BRC as well as ensuring overlap with the AC and Remuneration Committee.

2009

2011

4 4

5BRC

AC

5

Click foranalysis



Introduction






Contacts

h

9

6 5

2

487

1

3


10

Analysis 3. Average number of meetings per annum

We analysed the average number of meetings from 2009 to 2011 and observed the following:

• Whilst both committees met on average six times in 2011, the average number of BRC meetings has steadily risen since 2009 reflecting the changing environment and need for additional discussion.

0 2 4 6 8

2011

2010

AC

BRC

5

2009

Click foranalysis



Introduction






Contacts

h

9

6 5

287

1

34


11

We analysed the composition of BRCs in terms of Non-Executive and Executive membership and observed the following:

•BRCs occasionally have a mix of NEDs and Executive Directors (EDs).

•Whilst the majority of BRCs are composed of solely NEDs, five firms, including three insurers, have a mixed committee composition.

• The EDs tend to be Chief Financial Officers and on occasion, Chief Executives or Chief Operating Officers.

• The mixed composition potentially reflects the depth of knowledge and skills deemed by some boards to be necessary effectively to define and embed risk appetite and a risk intelligent culture whilst still demonstrating an external, independent challenge.

Analysis 4. Composition of BRC

Solely NEDs

Mix of NEDs & EDs

12

5

Click foranalysis



Introduction






Contacts

h

9

6

287

1

34

5


12

Analysis 5. Cross membership

Graph 1 shows the number of members on the AC and of these individuals, how many are also members of other Board Committees. Graph 2 shows the number of members on the BRC and of these, how many individuals also sit on other Board Committees. We observed the following:

• There is a high reliance on cross-membership between AC and BRC members, with three members on average sitting on both committees.

•All 17 firms with separate BRCs have AC and BRC Chairs sitting on the other committee.

0

1

2

3

4

5

6

AC

4

3

Graph 1 Graph 2

AC BRC

2

3

5

3

2

3

BRC

5

Remuneration Committee Nominations Committee

Click foranalysis



Introduction






Contacts

h

9 287

1

34

56


13

Analysis 6. Relevant experience

The below graph shows the percentage of each committee with relevant experience in 2011:

• There is limited in-depth risk and compliance experience (for example, to the extent of a former Chief Risk Officer (CRO) or Head of Compliance (HoC)).

• We would expect to see more specific and direct risk experience to start to emerge on Boards and in BRCs in time as in our view, it is likely that some CROs and HoCs may start to migrate into NED roles over the next three to five years as they retire from their executive roles.

0% 20% 40% 60% 80% 100%

Accounting/Audit/Financial background

FS sector experience

Public sector experience

Other sector experience

Economics background

Legal/Tax/Regulatory background

Actuarial/Risk Management background

BRC

As interpreted from the biographies available in the 2011 Annual Report

7%8%

28%26%

9%8%

46%26%

66%58%

93%81%

49%29%

AC

5

Click foranalysis



Introduction






Contacts

h

9 28

1

34

567


Analysis 7. Compliance, Risk and Internal Audit Reporting lines

We analysed the reporting lines of Heads of Control Functions into the BRC and AC in 2011 and observed the following:

•Nearly all ACs oversee Internal Audit (IA) and most BRCs oversee risk management functions.

•Oversight of compliance is mixed/unclear.

• There are instances where Heads of Internal Audit (HIA) report to both committees.

• Our research also shows a large proportion of CROs and HIAs attending both committee meetings, as opposed to having hard reporting lines. However, BRCs appear to have a more ‘open door’ policy.

• These findings are interesting in light of the recent consultation document by the Chartered Institute of Internal Auditors ‘Effective Internal Audit in the Financial Services Sector’ which recommended, amongst other things, that Internal Audit should be present at both the AC and the BRC, and should have a primary reporting line to the Chairman of the AC.

0% 20% 40% 60% 80% 100%

Head of IA

Chief Risk Officer

Chief Compliance Officer

AC BRC

2BRC

AC

1 1

215

1 115

9

Both BRC member Not disclosed/Unclear

Click foranalysis



Introduction






Contacts

h

9 21

34

5678


Analysis 8. Split of responsibilities

The below graph shows the percentage of each committee with relevant experience in 2011:

• A number of responsibilities have moved to BRCs which previously sat with the AC, and with mixed practice observed for oversight of key regulatory risks and operational risk.

• Oversight of risk management and internal controls (and associated disclosures in the annual report) is jointly conducted, reflecting the overlapping interests of the two committees.

0% 20% 40% 60% 80% 100%

Risk management and internal controls

Annual Report

Operational risk

Financial crime

Regulatory risk/FSA Relationship

IT risk

Risk strategy/risk exposures

Risk profile

Risk appetite

Stress and scenario testing

Risk policies

Strategic/material transactions

Remuneration

Risk culture

Capital and liquidity

Tax

Whistle blowing/complaints

Anti-money laundering 9 1 3 4

14 2 1

6 1 6

15 2

11 6

14 3

11 6

1 213 1

15 2

15 1 1

14 3

14 3

4 13

5 6 6

6 4 4 3

2 6 4 5

4 23 8

17

BRCAC Jointly Not disclosed/Unclear

Click foranalysis



Introduction






Contacts

h

21

34

5678

9


Analysis 9. BOFIs disclosing risk appetite responsibilities

The below graph shows whether and the extent to which BOFIs are disclosing risk appetite responsibilities in 2011. We observed the following:

• There is room for enhancement of risk disclosure with many not externally evidencing that they meet Walker’s requirements on risk appetite.

Key references in the 2009 Walker Report:

A. Paragraph 6.13: “Advise the board on risk appetite and tolerance for future strategy”.

B. Recommendation 23: ”Take account of the current and prospective macro-economic and financial environment drawing on financial stability assessments”.

C. Paragraph 6.13: “Qualitative and quantitative advice to the remuneration committee on risk weightings to be applied to performance objectives incorporated within the incentive structure for the CEO and executive team”.

D. Paragraph 6.9: “View on capital and its prospective adequacy over the cycle in the light of the entity’s overall strategy and the external risk environment”.

E. Paragraph 6.14: “The risk assessment process should involve some quantitative metrics to serve as a way of tracking risk management performance in implementation of the agreed strategy”.

F. Paragraph 6.14: “Review and approval of the parameters used in these measures and the methodology adopted“.

G. Paragraph 6.14: “Setting of a standard for the capability to monitor, in a sufficiently accurate and timely manner, particular large exposures whose relevance, possibly because of some external shock, may become of critical importance”.

H. Recommendation 26: “In respect of a proposed strategic transaction involving acquisition or disposal, it ‘should as a matter of good practice be for the board risk committee to oversee a due diligence appraisal of the proposition, drawing on external advice where appropriate ‘and available, before the board takes a decision whether to proceed”.

0% 50% 100%

A

B

C

D

E

F

G

H 13 1 11

8 161

8 1

11

16

10 2 13

1 10

1213

14

6 6

9 16

11 122

PartialYes Not disclosed

Click foranalysis



Introduction







h

Contacts

Contacts

Kari HalePartnerBanking and Capital Markets+44 20 7303 [email protected]

Natasha de SoysaDirectorInsurance+44 20 7303 7340 [email protected]

Ralph DaalsDirectorInsurance+44 20 7 303 8192 [email protected]

Catherine HodgesDirectorBanking and Capital Markets +44 20 7303 [email protected]

Jagruti PatelManagerInsurance+44 20 7007 8234 [email protected]


mailto:kahale%40deloitte.co.uk?subject=

mailto:ndesoysa%40deloitte.co.uk?subject=

mailto:rdaals%40deloitte.co.uk?subject=

mailto:rdaals%40deloitte.co.uk%20?subject=

mailto:jagrpatel%40deloitte.co.uk?subject=

h

14

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited (“DTTL”), a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.co.uk/about for a detailed description of the legal structure of DTTL and its member firms.

Deloitte LLP is the United Kingdom member firm of DTTL.

This publication has been written in general terms and therefore cannot be relied on to cover specific situations; application of the principles set out will depend upon the particular circumstances involved and we recommend that you obtain professional advice before acting or refraining from acting on any of the contents of this publication. Deloitte LLP would be pleased to advise readers on how to apply the principles set out in this publication to their specific circumstances. Deloitte LLP accepts no duty of care or liability for any loss occasioned to any person acting or refraining from action as a result of any material in this publication.

© 2013 Deloitte LLP. All rights reserved.

Deloitte LLP is a limited liability partnership registered in England and Wales with registered number OC303675 and its registered office at 2 New Street Square, London EC4A 3BZ, United Kingdom. Tel: +44 (0) 20 7936 3000 Fax: +44 (0) 20 7583 1198.

Designed and produced by The Creative Studio at Deloitte, London. 26394A

19

progress post walker the evolution of board audit … post walker the evolution of board audit and...

Documents