Risk Oversight, Capital and Imperatives for a More Engaged Board
The economic smack-down we have weathered since 2008 has emphasized the importance of the Board of Directors’ responsibility for risk oversight. We have seen an over-reaction to the excesses that precipitated this recession through the passage of Dodd-Frank, the implementation of a number of regulatory “reforms”, and the press reports stressing how banks have gone wrong in serving customers. Since no one appears to be able to distinguish the responsibility for this situation between the typical community bank from investment banks and specialty finance companies (particularly mortgage brokerage firms), the brunt of this over-reaction appears to be falling on the community banking industry.
However, community banks are not completely innocent in this crisis. The sheer number of banks categorized as “problem institutions” – over 800 banks (see the chart below) – indicates that many community bankers dove into the risk pool without understanding the consequences of their actions.
So community bankers have a great deal of work to do. Much of that work involves bankers understanding the risks embedded within their organizations.
In order to address risk oversight, we need to get back to basics.
First: The fundamental purpose of business is to take on prudent risks in order to deliver sustainable performance and long-term value.
The strategic plan must identify not only the critical objectives, but also – explicitly – the risk profile that the bank wishes to assume.
What needs to be done to define these “prudent risks”? Three elements are involved. First, the overall business model – the bank’s definition of its markets and customers, and its products and processes to deliver them – needs to be explicit, and the strategic plan to implement the model must be realistic. Second, the risks imbedded in the business model and strategic plan – the bank’s “Risk Appetite” – must be documented. Third, the amount of acceptable variation of results over time – “Risk Tolerance” – requires definition. Business model and strategy, risk appetite and risk tolerance establish the basis for creating long term value.
Second: The development of the risk oversight function has to start from the “Top of the House” in setting the business strategies and cascade down through the bank.
Starting at the “bottom” by defining all of the detailed risks throughout the bank with the hope that, when summarized, they accumulate to an overall risk profile does not work.
The basic decisions regarding the risk profile of the bank occur in setting the strategic plan. Clear understanding of how the bank makes money starts the conversation. The policy framework and regulatory environment connects plan to operations.
Third: “Risk Management” does not exist; however, “Risk Oversight” is an essential Board and management process.
This statement follows directly from the first two propositions. Risk is implicit in our business model. Executives manage businesses through executing strategic plans with the right structure, people, processes and technologies. They do not “manage” risk; they manage businesses. Risk is, however, measured, mitigated and controlled through the application of strategic and operating business practices.
Fourth: The Board needs to be prepared to assume its duty to provide risk oversight.
Unfortunately, we have seen cases where the last group within a bank to know that the examiners have identified serious issues is the Board of Directors. The exit meeting with the examiners then becomes a very difficult exercise of shock and astonishment on the part of the Board, and frustration on the part of the examiners who expect the Board to be aware of the issues being discussed.
So the Board must be prepared to exercise its responsibilities. Preparation involves two major elements:
- The information about risk including measurements and descriptions of the processes to mitigate and control it must be presented in a manner that is clear, direct and connected to the strategic plan. A test for management’s understanding of the risk profile is whether they can present the concepts, measurements and status in clear English. For example, how many directors really understand the notion of convexity in the analysis of interest rate sensitivity? What about the notions of probability of default and the expected loss of default when thinking about the FAS 5 analysis of the adequacy of the allowance for loan and lease losses? Banking is a sophisticated business, but directors cannot let management hide behind complex words to describe risks that no one – perhaps not even key members of the management team – truly understands.
- Once clear English becomes the standard of communication, the presentation of quantitative information must be simple without being simplistic, relevant to the topic at hand and connected to the strategic plan and business model. Graphical presentations should include level of activity, trend in activity and relevant boundaries of risk. The boundaries of risk can include policy levels adopted in the lending, interest rate risk and liquidity policies.
- A prepared board has members who are skilled and organized to receive, understand and act appropriately given the information presented to them. The skill requirement for board members continues to increase. Board members must have good business sense, financial acumen and enough sophistication to interpret the facts being presented. The difficulty of finding board candidates who possess these skills continues to grow. The pressure on boards to increase their oversight activities will make this problem worse.
- Not only do the board members themselves have to be skilled, but the Board must organize itself to exercise oversight. Options exist: oversight can be conducted by the Board itself; it can assign oversight to the Audit Committee or it can establish – as is the current vogue – a “Directors’ Enterprise Risk Committee” to provide oversight.
- The Audit Committee is an alternative because it has the responsibility – if the bank is publicly held – to oversee the bank’s financial filings and to assure that the controls are in place to deliver accurate reporting. No doubt this responsibility includes a direct relationship with risk oversight, but (1) for public companies, the Audit Committee’s agenda is already extremely full, and (2) the scope of risk oversight is far broader than oversight of financial reporting.
- Establishment of a Directors Enterprise Risk Oversight Committee becomes an attractive alternative to use of the Audit Committee. Assigning oversight responsibility to a committee with a specific charter relieves the Board as a whole of a significant work load and provides assurance that risk oversight has specific attention. In recognizing the significance of this committee, some banks organize this committee by including as members the chairs of all other board committees and the non-executive chair of the board or the lead independent director as chair.
- These actions affirm the seriousness of this committee, but the responsibility for strategy and therefore risk oversight ultimately rests with the Board as a whole. Our preference in board structure is for risk oversight to remain with the full Board.
- Impact on Capital: All of this discussion becomes more real in the current debate over capital standards. We believe that the approach to capital levels will expand the use of individual minimum capital requirements (“IMCR”) that we have seen in regulatory orders. These IMCRs may become the approach to tie more specifically individual bank’s business model and risk profile with its required capital levels.
- The implication is that two banks headquartered in the same place, but using different business models, will have different IMCR levels. In other words, a low-risk bank may be required to hold less capital to support its business than its higher risk competitor. It will lead to an opportunity for the low-risk bank, even with average earnings, to report a higher return on equity (“ROE”) than the higher-risk neighbor. This situation will essentially result in a “risk-adjustment” to reported ROE, and may enable ROE to become more prominent as an important measure of bank performance.
- Over time, we expect board members – including those of non-public community banks – to become more sophisticated and engaged in the setting of strategy within a risk profile prudent for the bank’s business model, markets, management team and business processes. Director’s skills will have to change, and significant investments in director education will have to be made. All of these actions will be required to enable the bank to create sustainable performance and long-term value.