The “Bored” Risk Committee? - Oliver Wyman

AUTHORS: Mark Abrahamson, Partner; Michelle Daisley, Partner; Lisa Quest, Partner; Hesse McKechnie, Engagement Manager

THE “BORED” RISK COMMITTEE? LESS TICKING BOXES, MORE MEANINGFUL OVERSIGHT


Post on 22-Apr-2022



Board Risk Committees (BRCs) provide mission-critical oversight of Financial Institutions, advising the Board on taking and mitigating the risks that will ultimately determine the survival and success of the organisation.

In 2011, Oliver Wyman published a paper setting out eight “New Year’s Resolutions” for the BRC. At that time many firms had only recently established a dedicated Risk Committee for the Board, and fewer than one in three firms surveyed had BRC members who could list financial services risk management experience on their CVs. Most BRCs are now much better equipped to understand and control the risks being taken; the depth of experience of BRC members is typically much better.

Yet more often than not, BRC meetings are exhausting, jam-packed marathons of reviewing lengthy reports and ticking regulatory boxes, as institutions struggle to meet ever more expansive governance requirements and regulations, mindful that Supervisors are increasingly focusing their attention on the quality of Board oversight (such as s166 reviews in the UK, JST visits for SSM firms).

Non-Executive Directors (NEDs) must wade through voluminous technical reports, painfully aware of the potential for fines and bad headlines should breaches, failures, losses or misdemeanours occur on their watch. But time spent on regulatory compliance comes at the expense of meaningful strategic discussions around risk / return trade-offs. Discussions about the best way to measure and manage risk get buried in the details. Even the most effective BRCs struggle with:

• Engaging sufficiently early when key decisions are made to ensure meaningful influence and impact

• Synthesising and tailoring voluminous technical reports, keeping a big picture perspective whilst recognising that the devil may be in the detail

• Managing the issues that cross-cut multiple committees, reducing accountability and slowing down decision-making

• Ambiguity around parent and subsidiary Board governance and accountability

• Poor visibility of key operational risks, such as execution of major change programmes

We suggest four ways in which institutions can better leverage the expertise and experience of the BRC:

1 Get specific on what the BRC is responsible for

2 Engage the BRC early on for major decisions

3 Give the BRC the expert and operational support it needs

4 Build a proactive relationship with the Supervisor

Copyright © 2018 Oliver Wyman


1. GET SPECIFIC ON WHAT THE BRC IS RESPONSIBLE FOR

BRC terms of reference are often not up to the job. They are, understandably, written to be inclusive and cover the widest possible set of responsibilities, but consequently there are often overlaps across different committees, in particular the Audit Committee. Valuable time is lost covering the same ground twice. Worse is the potential for issues to fall between mandates, with no coverage at all.

Examples of ambiguity abound. Both the Board Risk and Audit Committees may look at regulatory compliance, taking a different perspective on the same issue, but duplicating some tasks in the process. BRCs frequently fail to coordinate with Remuneration Committees on risk-adjusted compensation measures. Institutions that have Board-level Financial Crime and Conduct Committees could often manage the accountabilities between these committees better.

Cross-committee membership and informal relationships can mitigate some but not all of these issues. Organisations need to specify and document roles with regard to all risks, controls and processes. Ownership should be defined consistently with the institution’s own risk taxonomy and the three lines of defence, while recognising that not all issues will slot neatly into this matrix.

Done well, this helps BRC Chairs to plan their annual workloads and meeting agendas and, when a risk event does occur, makes it easier to manage and to communicate externally about the mitigation actions being taken.

Particular attention is needed when dealing with subsidiaries. Historically, communication between parent and subsidiary companies has been the sole responsibility of management. Subsidiary BRCs were accountable to their own local Boards with informal communication lines to the Parent BRC, at best. Poor subsidiary oversight has been linked to several high-profile governance scandals in recent years.

Parent BRCs need to better understand how subsidiaries and material branches contribute to the overall group risk profile and appetite by risk category. There should also be clear and documented communication and escalation processes from the Chairs of subsidiary BRCs to the Chair of the Group BRC.


2. ENGAGE THE BRC EARLY ON FOR MAJOR DECISIONS

Too many critical decisions, such as risk appetite and business planning, are rushed through the BRC at the last minute. BRCs need to be involved earlier to be able to meaningfully discuss options and challenge management.

Many institutions have found it useful to develop annual rolling calendars, calibrated with internal processes and external reporting requirements. This improves engagement with the BRC as requests for information and analysis can complement rather than add to management’s ongoing work. The rolling calendar can be linked to the BRC terms of reference.

For a regular annual process, such as setting Risk Appetite, the points of interaction with the BRC (what information it needs, key decision points, consultation discussions) should be set out for the months leading up to the formal sign-off of both risk limits and strategic plans. For example, an annual risk limit review cycle should do more than validate a limited number of year-on-year changes proposed by management. To satisfy the expectation that the committee makes an independent assessment of risk, it must periodically review the complete set of limits to ensure that they still conform to the institution’s risk appetite. This requires examination over multiple meetings and actions in between meetings. The rolling calendar should make explicit the expectation of the BRC vis-à-vis the Risk function at each stage in the process.


HEIGHTENED SUPERVISORY EXPECTATIONS EXTEND BEYOND BANKING AND INSURANCE

The profile of the BRC has been elevated across the financial services industry. For example, central counterparties (CCPs) subject to the European Market Infrastructure Regulation (EMIR) face new, more stringent requirements covering the BRC’s membership and oversight responsibilities.

CCP BRCs need to comprise independent NEDs, clearing members and clients of clearing members, with no single group in the majority (practically interpreted as a minimum of 2 from each group). This means that confidentiality and conflicts of interest need to be carefully managed.

The responsibilities of the BRC include reviewing the internal policy framework (annually), plausible extreme scenarios, the liquidity plan, material changes to models, back testing results and sensitivity testing results. This workload puts extra pressure on the time available for strategic risk discussions and raises the stakes for improving meeting effectiveness.


3. GIVE THE BRC THE EXPERT AND OPERATIONAL SUPPORT IT NEEDS

Even with a fully optimised annual work schedule, BRCs will of course still experience “crunches” as priority issues arise. However, all too often committee members get tied up in a surprisingly high amount of administrative work. For example, considerable committee time can be lost reviewing minutes, usually when the minute-taker is not familiar with risk topics.

The Chief Risk Officer (CRO) plays a critical role in supporting the BRC, and their interactions should extend beyond the formal reporting line typically required by supervisors. The majority of the BRC’s materials will come from or via the CRO’s team. Increasingly, CROs are dedicating their own resources to ensure that committee papers and reports are not only accurate and comprehensive but are also appropriately tailored to a NED audience. The CRO and BRC Chair should have a relationship that extends outside and between formal meetings, allowing them to discuss and escalate urgent matters, as well as provide mutual challenge and support.

To help with the quality assurance of Committee papers, Company Secretariats could also be empowered to be the ‘gatekeepers’ of timeliness, quality and brevity of executive summaries.

External experts, such as academics and industry specialists, can be used selectively. They can provide insights into emerging trends and risks, and the evolution of best risk management practices at other firms, helping committees challenge their institutions’ own “conventional wisdom” and guarding against the dreaded “groupthink”.


4. BUILD A PROACTIVE RELATIONSHIP WITH THE SUPERVISOR

Supervisors are taking a more active interest in NEDs, who should be prepared to engage in frequent formal and informal dialogues. There are now specific suitability requirements for both skills and number of committee memberships in new regulations and guidelines. Most supervisors are asking BRC members to articulate the bank’s risk governance arrangements, including the rationale for specific risk appetite metrics and limits.

Waiting for the supervisor to take the initiative is far from ideal. Such requests are often instigated as a result of a specific concern and put NEDs on the back foot. Instead, proactively maintaining an ongoing dialogue and a constructive relationship with the supervisor helps BRC members to develop a more informal assurance of their governance arrangements. This helps lay the groundwork if things take a turn for the worse.

Doing so requires leadership by the BRC Chair and coordination with management. Leading firms treat the relationship with the supervisor with the same care as they would a major client relationship and create a map of key supervisory relationships at an individual level. This map clarifies the responsibilities of both BRC members and executives in engaging with individual supervisory staff. Moreover, to facilitate this business-as-usual interaction, the Company Secretariat should track and gather feedback on all key interactions.


CONCLUSION

Even though BRCs have come a long way in the last few years, there is still some way to go. BRCs need to be more structured about their priorities. The workload is too great, and the expectations are too high, for there to be any time to waste.

Report Card: Typical Progress against Oliver Wyman’s 2011 “New Year’s Resolutions for the BRC”

RESOLUTION / PROGRESS

1 We will set clear objectives for our BRC

• Objectives around Risk Appetite, remuneration, oversight and disclosures are typically clear

• However, objectives around conduct, culture and scenario planning have not always been articulated

2 We will make sure our BRC is up to the job

• Most BRCs have members who have financial services risk experience

• New regulatory guidance requires upskilling in new topics including data, technology, conduct and culture

3 We will provide our BRC with the right mandate

• Terms of Reference are usually written to be inclusive rather than precise

• Delineation of responsibility with other board committees and management frequently has overlaps and/or gaps

4 Our risk appetite framework will have “bite”

• Risk appetite frameworks have been strengthened in recent years

• Common shortcomings are the lack of integration into important decision making processes

5 The BRC will have adequate information about the risk profile of the institution

• Documentation that is too lengthy, contains too much FYI material and has too little recommendation focus

6 Our BRC will have access to the Risk and Control functions

• CROs typically have a direct reporting line into the BRC

• Most committee members report good access to senior control function staff

7 Our BRC will make effective use of external advice

• Most BRCs report good access to external advice. Some BRCs engage permanent advisors. Mandated self-assessments are frequently undertaken with the assistance of external specialists

8 An independent and effective “second line of defence” will implement the recommendations of the BRC

• Second line control functions have been strengthened over the last few years

Progress scale: Limited / Significant


Copyright © 2018 Oliver Wyman

All rights reserved. This report may not be reproduced or redistributed, in whole or in part, without the written permission of Oliver Wyman and Oliver Wyman accepts no liability whatsoever for the actions of third parties in this respect.

The information and opinions in this report were prepared by Oliver Wyman. This report is not investment advice and should not be relied on for such advice or as a substitute for consultation with professional accountants, tax, legal or financial advisors. Oliver Wyman has made every effort to use reliable, up-to-date and comprehensive information and analysis, but all information is provided without warranty of any kind, express or implied. Oliver Wyman disclaims any responsibility to update the information or conclusions in this report. Oliver Wyman accepts no liability for any loss arising from any action taken or refrained from as a result of information contained in this report or any reports or sources of information referred to herein, or for any consequential, special or similar damages even if advised of the possibility of such damages. The report is not an offer to buy or sell securities or a solicitation of an offer to buy or sell securities. This report may not be sold without the written consent of Oliver Wyman.