4106 - Bank Board Risk Governance

A research report by the Deloitte Center for Financial Services
What’s next for bank board

risk governance?
Recalibrating to tackle new risk oversight expectations
What’s next for bank board risk governance?
Deloitte’s governance, risk and compliance (GRC) services help clients tackle the broad issues of
corporate governance, enterprise risk management, and effective corporate compliance, while
offering specialized assistance in key areas such as financial reporting, tax, information technol-
ogy, human capital, anti-fraud and dispute consulting, and financial advisory services. We can
help organizations identify, remediate, monitor, exploit and manage enterprise risks in addition
to coordinating the utilization of people, process and technology to improve GRC effectiveness
and help manage costs.
Read more about our governance, risk, and compliance services on www.deloitte.com
COVER IMAGE BY: LIVIA CIVES

CONTENTS
Foreword | 2
A sea change beckons | 3
Analysis of 2016–2017 charters, and comparison to

progress made since late 2014 | 6
Raising the bar on governance to navigate choppy

seas | 15
Orienting the compass to meet renewed

expectations | 18
Appendix | 19
Endnotes | 23
1
Foreword
By Scott Baret and Edward Hida
D
EAR colleague, of the Treasury’s June 2017 recommendation of
We are now about a decade removed an interagency review of requirements imposed on
from the defining days of the financial cri- banks’ boards.4
sis. As the financial system stood on a precipice, the These proposals can be considered positive for
risk management and governance functions at most the banking industry. Board members have fre-
banks were challenged as never before. In the wake quently found themselves being drawn “into the
of the crisis, risk management and board oversight weeds” of risk management issues, and are some-
of risk became fundamental priorities for bank times left with inadequate time to guide and chal-
management teams and shareholders. The breadth lenge management on broader strategic issues. The
and intensity of regulation, compliance require- Fed’s proposal, therefore, heralds a fundamental
ments, and supervisory expectations increased ex- rethinking of the way that boards prioritize their
ponentially, and bank executives and boards poured focus. Its delineation of board and management re-
time and money to meet them. sponsibilities also creates an environment in which
In that sense, “All hands on deck!” may be the senior executives and business line leaders can be
most appropriate characterization of how most unambiguously held accountable for their manage-
banks responded. Institutions seem to have become ment responsibilities.
more vigilant and resilient from a financial, process, This paper, the fourth in our continuing series
and governance perspective. But the constant read- of studies on board risk governance, is a timely ad-
justment also led to a blurring of lines between the dition to the current discussion around the role of
role and accountability of boards vis-à-vis senior boards at large banks. It extends Deloitte’s5 effort,
management1—an observation that regulators now first started in 2009, to evaluate risk governance
directly acknowledge. Board member responsibili-
2
standards at the largest and most systemically im-
ties and obligations have substantively heightened, portant US and global institutions against regula-
and the time and complexity associated with serving tory requirements and an expanded array of leading
as a member of risk committees have soared. practices.6
In August 2017, the Federal Reserve (the Fed) At a broader level though, as the nature of over-
proposed revisiting supervisory expectations of sight expectations evolves, bank boards—particular-
bank boards “to establish principles regarding ef- ly the board risk committee—will have to recalibrate
fective boards of directors focused on the perfor- to provide “effective challenge”7 to management
mance of a board’s core responsibilities,” with com- on overall risk strategy and develop mechanisms
ment period for external input closing recently.3 The to hold management accountable. Fulfilling these
Fed’s proposal aimed at reviewing the role of boards mandates is likely to be demanding and far from
to create stronger delineation between board mem- easy. Yet, the enormous progress that institutions
ber oversight responsibilities and management’s have made in risk management and oversight over
obligations and laid out new Board Effectiveness the past decade should leave them better prepared
(BE) guidance. This followed the US Department to step up to the challenge.
2
A sea change beckons
T
HIS fourth iteration of Deloitte’s series ana- Given a more complex and interconnected op-
lyzing the charters of board of directors’ risk erating environment, most boards should prepare
committees appears to confirm that systemi- to question and evaluate the interplay of risks insti-
cally important US banks, their global peers, and tutions are exposed to as a result of management’s
US-based nonbank systemically important finan- business strategy, and probe risks to the bank’s cho-
cial institutions (SIFIs) have come a long way in sen strategy. As a corollary, risk committees should
their efforts to increase the level and breadth of challenge the capability of the risk management
their oversight of risk management. Since late 2014, apparatus to identify, report, and remediate risks
when we last analyzed banks’ board risk committee relating to strategy. In this respect, the role of risk
charters, many institutions have made large gains oversight and governance goes beyond the notion of
in documenting compliance with expectations from mere risk avoidance; it demonstrates how risk com-
the Fed’s Enhanced Prudential Standards (EPS), mittees can help create and protect firm value.
the Office of the Comptroller of the Currency’s Ironically, these demands for heightened risk
(OCC) Heightened Standards, and the Basel Com- awareness come just as regulatory expectations ap-
mittee for Banking Supervision’s (BCBS) guidelines pear to be levelling off, after a decade of continu-
on bank corporate governance. ous escalation. A few far-reaching rules instituted
However, evolution in the risk environment is after the downturn, such as the Volcker Rule, are
creating new governance priorities, and articulat- even being reevaluated.8 And while regulatory com-
ing clear mandates around them is an all-important pliance may still pose a major challenge, after con-
step; hence, despite significant progress, there is siderable time and investment, most banks seem to
likely still work to be done. have mastered certain aspects—all US banks passed
3
the Fed’s 2017 Comprehensive Capital Analysis and
The risk committee Review process, for example.9

In short, the risk committee should take a pro-
should take a proactive active role in: fully appreciating and understanding
role in: fully appreciating the nature of risks to which institutions are exposed;
reevaluating or reconsidering the bank’s risk strat-
and understanding egy and appetite in the context of these new and
the nature of risks to shifting risks; and reengineering mechanisms to as-

sign accountability and oversee management’s ex-
which institutions are ecution of risk strategy and appetite. These impera-
exposed; reevaluating tives seem to align with the recent Fed proposal’s
guidance on the role of boards in defining risk strat-
or reconsidering the egy and in clearly holding management accountable.
bank’s risk strategy and In this paper, we present the results of our
analysis of board risk committee charters, along
appetite in the context of with guidance for bank boards as they confront this
these new and shifting evolving risk environment. While these charters are
one yardstick to measure the level and quality of
risks; and reengineering risk management oversight of a board’s risk com-
mechanisms to assign mittee, we acknowledge that they do not necessar-

ily equate to high performance (see sidebar, “An
accountability and important caveat”). That said, we apply this meth-
oversee management’s odology as transparent, public, and comprehensive

documentation is a likely first step to a board risk
execution of risk committee demonstrating its oversight accountabil-
strategy and appetite. ity and intent.
AN IMPORTANT CAVEAT
As in our previous studies, we use board risk committee charters of bank holding companies (BHCs)
and nonbank SIFIs, to assess practices in risk governance. Board risk committee charters are guiding
documents on board-level risk oversight; they signal the bank’s commitment to risk governance. Risk
charters also help stakeholders, such as counterparties, investors, and regulators, understand the
role boards play in risk governance.
We acknowledge that charters might not fully reflect all of the actions, policies, and activities that
board risk committees at many banks actually follow. Conversely, there may be items in the charters
that are not implemented in practice. Nevertheless, clear, direct, and comprehensive articulation of
board risk oversight in the charter documentation seems an essential foundation of strong board
risk governance.
4
STUDY METHODOLOGY
For our latest analysis, we used 33 criteria to assess the degree to which bank board risk committee
charters explicitly outlined or elaborated on various topics. These criteria reflect some key regulatory
requirements and leading practices identified by Deloitte subject-matter specialists. They particularly
draw heavily on the requirements of the Fed’s “enhanced prudential standards for bank holding
companies and foreign banking organizations,”10 and the Basel Committee on Banking Supervision’s
“corporate governance principles for banks.”11
We reviewed the following documents, where publicly available:
• Board risk committee charters of bank-affiliated US financial holding companies with assets
greater than $50 billion as of March 31, 2017, according to the Federal Financial Institutions
Examination Council (FFIEC).
• Risk and/or hybrid board risk committee charters, or similar documents, where available in
English, of all non-US G-SIBs. G-SIBs were identified using the Financial Stability Board’s November
2016 list.
• Board risk committee charters of US nonbanks that have been designated SIFIs by the Financial
Stability Oversight Council (FSOC).
In total, board risk committee charters or corresponding documents of 50 banks—28 large US banks
and 22 non-US G-SIBs—and 2 US nonbank SIFIs were reviewed and assessed using the questions
shown in Appendix A to determine if the charter met each criterion. Since performing this analysis,
the FSOC voted to revoke the SIFI status of one large US nonbank. The population is hereafter
referred to collectively as “banks” for brevity. The assessments were performed from May through
July 2017 using the latest, publicly available documentation, and depended to a certain extent on the
professional judgment of the researchers.
5
Analysis of 2016–2017 charters,

and comparison to progress
made since late 2014
T
HE Fed’s August 2017 proposal12 laid out ments, such as cyber risk, conduct risk, model risk,
Board Effectiveness (BE) guidance, specifying and third-party risk.13 Again, as we note throughout,
five clear expectations for bank boards to per- a lack of mention in charters does not translate to
form effectively. Banks, regulators, and other mar- actual neglect. Yet, inadequate attention may indi-
ket participants have likely already begun to adopt cate immature governance.
them as a frame of reference. Within this context, Finally, from a geographic perspective, we ob-
we thought it would be valuable to assess, to the serve that US banks continue to document their risk
extent possible, the results of our analysis of banks’ committee mandates more thoroughly than their
2016 and 2017 risk committee charters based on non-US G-SIB counterparts across the vast major-
these five supervisory expectations. ity of evaluation criteria, despite some significant
Overall, we note a significantly higher measure improvements in documentation by the latter in
of compliance with regulatory requirements and several areas. While the focus of our analysis on
guidelines by both large US banks and non-US G- US regulatory expectations does account for some
SIBs on—for lack of a better word—“vanilla” expec- of these gaps, these differences also outline the po-
tations. These are baseline requirements that relate tential for these global behemoths to drive the el-
to the structure and composition of the risk com- evation of risk governance standards (see sidebar,
mittee, the establishment of the committee’s role in “Non-US G-SIBs should grab the opportunity to
setting risk policies and tolerance, the delineation crystallize risk governance standards”). Please note
between risk oversight and management, the com- that the US nonbank SIFIs are included in the US
mittee’s reporting structures, and internal coordi- banks’ group due to the general consistency of their
nation with some other key board committees. results with the latter.
However, we also note potentially large gaps in The next five subsections follow the outline
documenting compliance with some regulatory re- of the five supervisory expectations proposed for
quirements and guidance, most notably about en- boards in the Fed’s BE guidance,14 albeit with modi-
suring the independence of the risk management fications to reflect how these expectations relate to,
function. In addition, we only found sporadic or in- and intersect with, our own granular analysis of the
sufficient references to leading practices related to risk committees of these boards.
very prominent issues in most banks’ risk environ-
6
1. Setting risk policies, risk-management framework when approving the

overseeing the risk firm’s strategy and risk tolerance . . . An effective
board assesses whether the firm’s significant poli-
management and governance
cies, programs, and plans are consistent with the
framework, and risk firm’s strategy, risk tolerance, and risk manage-
strategy and tolerance ment capacity prior to approving them.”16 Both of
“. . . the firm’s strategy should clearly articulate these features should be considered core responsi-
objectives consistent with the firm’s risk tolerance, bilities of the board risk committee.
and the risk tolerance should clearly specify the ag- Quite simply, language in risk committee char-
gregate level and types of risks the board is will- ters that directly relates to the committee’s role in
ing to assume to achieve the firm’s strategic objec- defining the institution’s broad risk appetite, es-
tives.”15 This Fed guidance describes a broad remit tablishing risk management policies, and oversee-
of the full board, which works with senior manage- ing the operation of the overall risk management
ment to set the strategic agenda for the bank. The framework seems to have become more prevalent
risk committee has a fundamental role to play in and focused since our last review. Our charter anal-
questioning strategic choices and setting risk toler- ysis revealed that 87 percent of US banks required
ance at a level that reflects organizational strategy. the committee to review and approve the bank’s risk
These responsibilities should complement the com- management policies and oversee the risk manage-
mittee’s input to the formulation of a risk appetite ment framework, and 83 percent required the com-
statement, the risk management framework and its mittee to oversee strategy for capital and liquidity
review, approval, and oversight of these key docu- management, as well as for a host of individual risk
ments. types. Both of these numbers reflect material gains
The Fed’s guidance additionally states: “An ef- since our last analysis (see figure 1).
fective board considers the capacity of the firm’s
Figure 1. Oversight of risk policy, governance infrastructure, and risk strategy
Does the charter . . .

Large US banks Non-US G-SIBs
require the committee to approve and
review risk management policies of the 2017 87% 13% 68% 23% 9%
bank's global operations and to oversee
the operation of the global risk 2014 57% 43% 15% 70% 15%
management framework?
5%
require the committee to oversee policies
and procedures establishing risk 2017 100% 32% 86% 68% 9%
governance and risk-control infrastructure
for its global operations? 2014 100% 15% 70% 85% 15% 15%
indicate that the committee oversees 3%

strategy for capital and liquidity 2017 83% 13%
20% 50% 36% 14%
management, as well as for credit, market,
operational, compliance, reputational, and 2014 75% 25% 45% 35% 20%
other risks?
Yes Somewhat No
Source: Bank board risk committee charters and Deloitte Center for
Financial Services analysis. Totals may not add up to 100 percent
due to rounding. Large US banks also include nonbank US SIFIs. Deloitte Insights | deloitte.com/insights
7
Yet, an improvement was expected, since the unfettered access to resources, including access to
EPS established these expectations of board risk internal executives and information, and the ability
committees shortly after our 2014 analysis. In fact, to obtain external legal or expert advice. Proactive
the significant progress that non-US G-SIBs have use of this open access to information, resources,
made in mandating these fundamental policy is- and expertise can be critical for board risk commit-
sues, despite not being subject to the same regulato- tees to meet regulatory expectations around over-
ry expectations, is likely more notable. Nonetheless, seeing and channeling information flow.
this measure of documentation seems to only fulfill More than eight in ten charters of US banks
basic requirements and expectations regarding the mentioned that the committee received regular re-
role of a bank’s board risk committee. ports from the bank’s chief risk officer (CRO), a re-
quirement stipulated by the EPS. Moreover, a simi-
lar percentage of charters noted that the committee
2. Actively managing had the authority to meet in executive session, or
information flow, privately with key risk management executives, fur-
ther promoting healthy information flow and mini-
resources, capabilities, and
mizing communication gaps.
committee discussions
The Fed proposal noted: “. . . boards of large
financial institutions face significant information
flow challenges. . . . Absent actively managing its
Effective information
information flow, boards can be overwhelmed by flow structures often go
the quantity and complexity of information they
receive. Although boards have oversight respon-
beyond mere metrics
sibilities over senior management, they are inher- related to profits and
ently disadvantaged given their dependence on se-
nior management for the quality and availability
risk tolerance; many
of information.”17 probe deeper than
Consistent with and building upon the Fed’s
view, managing and channeling information flow
the P&L column.
is also fundamental to boards’ ability to effectively
question risk exposure associated with business
strategy. Effective information flow structures often Coordinating information flow among different
go beyond mere metrics related to profits and risk board committees could also play a role in the com-
tolerance; many probe deeper than the P&L col- mittee’s ability to meet its mandate. Our research
umn. Qualitative reporting of strategy performance found that documenting coordination between the
can help board members understand and question risk and audit committees of the board has become
the potential unintended consequences of business relatively more common compared to previous years
choices. Board risk committee members should also (figure 2). However, coordination between the risk
seek to challenge the strength of the risk-control en- and compensation committees (as also stipulated
vironment, reporting structures and metrics, and within the BCBS’ corporate governance principles)
training needs that relate to business choices. is noted in only a few charters. This potential lack of
In light of the concerns expressed by the Fed, it coordination may hinder the risk committee’s abil-
is encouraging that board risk committee charters ity to effectively oversee management’s implemen-
generally mandate that committee members have tation of strategy, which may be influenced by the
8
Figure 2. Actively managing information flow, resources, and capabilities

Large US banks Non-US G-SIBs
3%
indicate that the board risk committee
has access to additional internal and
2017 97% 45% 9% 45%
external resources without prior approval 2014 96% 35% 10% 55%
from management or the board?
4%
require the risk committee to receive and 2017 63% 20% 17% 32% 68%
review regular reports (at least quarterly)
from the CRO? 2014 36% 39% 25% 15% 85%
indicate that the board risk committee 2017 80% 20% 18% 5% 77%
meets in executive session?
2014 68% 4% 29% 10% 85%
5%
note the need for communication and 2017 77% 10% 13% 45% 9% 45%
coordination between the risk committee
and the audit committee? 2014 63% 13% 25% 32% 11% 58%
require the risk committee to coordinate

with the compensation committee to 2017 30% 70% 32%
36% 5% 59%
determine policies for executive
compensation and incentives? 2014 25% 75% 16% 84%
mention the provision of training to

enhance committee members’ knowledge 2017 100% 27% 5% 68%
of complex risk-oversight and
regulatory issues?
2014 100% 21% 79%
Yes Somewhat No
nature and structure of compensation incentives set 3. Holding senior management

for management. accountable for overall
Finally, in what was perhaps the most surprising
risk management, and for
result of our analysis, not one US bank risk commit-
tee charter mandated training for committee mem-
specific emerging risk issues
bers. Due to the rapid change in the types, scope, As principal agents for shareholders, a funda-
and severity of risks to which most banks are ex- mental role of bank boards is to ensure that man-
posed, we consider the lack of a training mandate to agement is accountable for its actions, which the
be especially fraught. Interestingly, non-US G-SIBs Fed’s BE guidance also states. Our risk committee
are ahead of the game on this front, with nearly one charter reviews showed that committees (under the
in three charters mentioning training for committee remit of the overall board) appear to be prioritizing
members. this management accountability aspect of oversight.
Moreover, in general, it seems the qualitative heft
associated with such language in charters has also
increased compared to previous years.
9
Figure 3. Oversight of risk management, and holding senior management accountable
Does the charter . . . Large US banks Non-US G-SIBs
2017 83% 7%10% 64% 5% 32%

delineate managerial responsibility
for risk management?
2014 79% 11% 11% 30% 10% 60%
3%
require the committee to oversee senior 2017 90% 7% 68% 14% 18%
management’s implementation of
risk-management strategy? 2014 86% 7%7% 50% 20% 30%
require the committee to identify and 41% 14% 45%

report risks and risk-management 2017 57% 27% 17%
deficiencies, and ensure effective and timely

2014 21% 39% 39% 15% 15% 70%
implementation of actions?
require the committee to oversee 2017 47% 53% 18% 9% 73%

management’s handling of risks related to
information security and cybersecurity? 2014 25% 8% 67% 11% 89%
require the committee to oversee risks 2017 7% 93% 18% 5% 77%

stemming from unethical employee
conduct or behavior? 2014 4% 96% 5% 95%
require the committee to oversee the 2017 57% 13% 30% 50% 14% 36%
readiness and review results of the
stress-testing program? 2014 54% 46% 21% 5% 74%
require the risk committee to oversee 2017 13% 3% 83% 5% 95%
third-party risks?
2014 4% 96% 5% 95%
2017 47% 3% 50% 27% 5% 68%

require the committee to oversee risks
stemming from financial models?
2014 21% 4% 75% 5% 95%
Yes Somewhat No
Similarly, we found that most risk charters in- However, we had expected greater improve-
cluded language that requires committees to over- ment regarding the committee’s role in identifying
see management’s execution of risk management emerging risks, risk management deficiencies, and
strategy. And although the percentage of charters in overseeing management’s remedial actions. And
that do so remain at a lower level compared to those the Fed’s BE guidance is also specific about this
of US institutions, non-US G-SIBs have made no- expectation: “An effective board engages in ro-
table improvements on both these criteria (figure 3). bust and active inquiry into, among other things,
10
drivers, indicators, and trends related to current 4. Supporting the

and emerging risks; . . . material or persistent defi- independence and stature of
ciencies in risk management and control practices;
the CRO, and risk management
. . .”18 Explicitly documenting this mandate in char-
ters may drive committees to focus on the informa-
and compliance functions
tion flow, risk control, and governance structures As part of the fallout from the financial crisis,
necessary for them to fulfill it. many regulators advocated for banks to empower
As noted earlier, our 2017 analysis included new their CROs to serve as the head of an independent
assessment criteria based on recent regulatory guid- risk management function. Various mandates from
ance as well as emerging leading practices. On the regulatory agencies across the world noted the need
whole, we found most banks’ performance on these for a strong, independent CRO role, and included
new criteria to be quite fragmented. For example, requirements or guidance that would enable him or
about one-half of US banks’ board risk committee her to act independently of business leadership.
charters mentioned oversight of cyber/information Our latest analysis shows that measures taken to
security risk and model risk, both registering no- empower the CRO and associated documentation
table increases compared to 2014. Committee over- have indeed increased substantively. A comfortable
sight of stress-testing programs, whether internal majority of charters now note that CROs report to
or regulator-driven, has also become more notable. both the CEO and the board risk committee. Like-
On the flip side, mention of third-party risks and wise, nearly three-fourths of US bank charters out-
conduct risk, both issues that have led to billions in lined that the committee would approve changes
fines for many large banks across the world,19 was to the CRO’s position and review his or her perfor-
surprisingly limited. mance and compensation (figure 4).
Given the scale of these risks, most banks have However, there appears to still be significant
ramped up programs to confront them. But it is room for improvement regarding the board’s role in
also essential for the board risk committee to have elevating the stature and independence of the CRO,
documented oversight responsibility to monitor which the Fed’s proposal also explicitly endorses:
these programs. In some cases, due to the complex- “An effective risk committee supports the stature
ity and interconnectedness of these risks, many risk and independence of the independent risk man-
committees share oversight responsibility for spe- agement function, including compliance, by com-
cific risks with other board committees or the full municating directly with the CRO on material risk
board—another possible instance of the need for management issues . . .”20 Only a few charters noted
tighter coordination among board committees. the role of the committee in supporting the CRO’s
stature and authority within the institution.
Moving past just the CRO’s role, when we last
conducted our analysis in late 2014, only one-third
It is essential for the of risk committee charters stipulated that the com-
board risk committee mittee ensure the independence of the risk manage-
ment function as a whole, a stated requirement of
to have documented the Fed’s EPS. Perhaps surprisingly, three years
oversight responsibility to later, only a little more than four in ten US banks’
charters stipulate it. And mention of the commit-
monitor emerging risks. tee’s role in integrating controls with management
goals and the compensation structure, another EPS
mandate, was also low. Hence, it was no surprise
that few charters noted BCBS guidance that encour-
11
Figure 4. Supporting the independent risk function and the CRO
Does the charter . . . Large US banks Non-US G-SIBs
2017 70% 30% 18% 5% 77%

state that the CRO reports directly to both
the risk committee and CEO? 2014 36% 4% 61% 20% 80%
require the committee to approve the

appointment or dismissal of the CRO, and 2017 73% 3% 23% 18% 14% 68%
review the CRO’s performance and

2014 46% 54% 21% 79%
compensation?
indicate that the committee supports the

role of CRO, such that the CRO has 2017 30% 10% 60% 9% 91%
sufficient stature, authority, and seniority
and is independent from individual 2014 32% 11% 57% 5% 95%
business units?
mention the committee’s role in preserving 43% 10% 47% 18% 82%
2017
or maintaining the independence of the
risk management function? 2014 32% 7% 61% 10% 5% 85%
2017 27% 73% 27% 5% 68%

require that the committee report on the
state of risk culture at the bank?
2014 13% 88% 11% 11% 79%
require the integration of risk management 40% 10% 50% 55% 5% 41%
and associated controls with management 2017
goals and compensation structure for
2014 39% 18% 43% 35% 5% 60%
global operations?
Yes In part No
aged the risk committee to report on the state of risk ing practices for banks’ risk committees to document
culture at the bank. their support of independent risk management and
On all of these counts, non-US G-SIBs trailed US compliance. In addition, articulating relatively sim-
banks substantially, but it is worth noting that the ple practices, such as providing independent risk
non-US G-SIBs were also not bound by the US EPS management with direct and unrestricted access to
mandates. Nonetheless, given their outsized role in the risk committee and including representatives of
the global financial system, it could be worrisome the independent risk management function on se-
that few non-US G-SIBs mention supporting the in- nior management-level committees, can be power-
dependence of the risk function, let alone the CRO, ful signals that the committee is fostering an inde-
in their charters. pendent risk function.
Nonetheless, for US banks, the Fed’s recent BE
guidance should bolster EPS requirements or lead-
12
5. Maintaining a capable years hence, almost every bank in our analysis—in

board risk committee the United States and globally—has a dedicated risk
committee, and most also have detailed charters or
composition and structure
the equivalent (for example, terms of reference).
The Fed’s BE guidance notes, “An effective Regulatory requirements and guidance played
board has a composition, governance structure, a defining role in this transition. The Fed’s EPS
and established practices that support governing required a separate risk committee with an inde-
the firm in light of its asset size, complexity, scope pendent chairman, and every US bank noted this
of operations, risk profile, and other changes that membership requirement in its charter. Likewise,
occur over time. . . . An effective board is composed the requirement to have a risk expert on the com-
of directors with a diversity of skills, knowledge, mittee, also imposed by the EPS, has come to be
experience, and perspectives . . . ”21 widely noted in charters (see figure 5). However, the
In 2009, in our first paper in this series, we ar- risk expertise requirement now creates a wider gulf
gued that a risk committee should stand on its own, between the documented compositions of the risk
independent of the audit committee, and have a for- committees of US banks vs. those of non-US G-SIBs,
mal written charter that documents the committee’s which seem to rarely require the inclusion of a risk
authority and risk oversight responsibility.22 Eight expert. And many banks now insist that a majority
Figure 5. Risk committee composition and structure
Is the committee . . . Large US banks Non-US G-SIBs
separate from the audit committee, 100% 95% 5%

with sufficient authority, stature,
2017
independence, and resources and does 2014 89% 11% 70% 15% 15%
it report directly to the board?

2017 90% 10% 36% 64%
require the committee to be chaired by an
independent director?
2014 61% 39% 25% 75%
require that the committee include at least

2017 80% 20% 23% 14% 64%
one risk management expert with
experience in identifying, assessing, and
managing risk exposures of large, complex 2014 39% 61% 10% 5% 85%
financial firms?
stipulate that the risk committee chairman 3% 97% 5% 95%

cannot also serve as the chairman of the
2017
board, or as chair of the finance or audit 2014 100% 5% 95%
committees?
require that a majority of the risk

2017 70% 30% 41% 5% 55%
committee’s members be independent? 2014 54% 46% 32% 5% 63%
Yes In part No
13
(or, in some cases, all) of the members of the risk dent nature of the risk and compliance functions
committee be independent. and, perhaps more importantly, the taxing and
Meanwhile, some BCBS recommendations, such time-consuming nature of the job of chairing a risk
as ensuring that the chair of the risk committee does committee.
not also serve as the chair of the board or the au- As figure 5 shows, global counterparts have also
dit or finance committees, still need to be adopted made some progress in promoting independent risk
across institutions; if these practices are adopted, committees. Yet, they still continue to meaningfully
they need to be stated in the committee charter. En- trail US peers, possibly a sign of local practices as
suring that a risk committee chairman is not hin- well as US regulators’ more demanding posture in
dered by the chairmanship of any other committee recent years.
is sound practice, given the fundamentally indepen-
NON-US G-SIBS SHOULD GRAB THE OPPORTUNITY TO

CRYSTALLIZE RISK GOVERNANCE STANDARDS
According to our analysis, most non-US G-SIBs appear to trail large US banks in crystallizing risk
governance standards in a stand-alone charter across most of the dimensions we analyzed. We
reiterate that these differences in documentation may not reflect gaps in actual practice, and they
can also be partly attributed to US regulations’ heavy influence on our criteria. Non-US G-SIBs also
operate in a variety of distinct regulatory regimes and market structures, where expectations about
practices, documentation, and disclosure may be different.
Nonetheless, global institutions have an opportunity to raise their risk governance credentials by
publicly setting standards similar to US risk committee requirements, especially since many of these
institutions have material operations in the United States. A comprehensive, stand-alone board risk
committee charter document communicates institutional commitment to risk governance more
effectively; it is also a more resourceful touchstone to senior management, board members, and
external examiners on the proper mandate of the committee.
French banks, for example, utilize annual “registration documents,” which contain a section for
overall board governance, with subsections for committees, including their mandates and a list
of the actions taken that year. At first glance, the language in the risk committee section could be
considered thin compared to what you would find in stand-alone US board risk committee charters.
However, risk governance mandates can be found buried in the risk management references within
the sections for business, operating, and service units. Extracting and consolidating these references,
and explicitly stating them as board risk committee mandates, would likely better communicate risk
management governance intent and practice, and properly delineate it from management. And to
clarify, we are not proposing that non-US banks create exact replicas of the US bank risk committee
charter. The “terms of reference” document for board risk committees of UK banks, for example,
while not a replica, aligns with the spirit of clearly documenting and delineating mandates.
14
Raising the bar on governance

to navigate choppy seas
A
NALYZING risk committee charters offers us
an imperfect but substantive basis to review
the current state of risk governance at banks.
But pairing our analysis with key priorities that
banks face in the risk environment can make it truly
valuable. Deloitte recently identified six fundamen-
tal risk priorities for financial services firms as they
look forward to 2018 and beyond.23 Following are
considerations on how bank boards can construct a
governance agenda around these six priorities:
Present effective challenge

to focus on strategic risk
Unexpected geopolitical shocks, rapid policy
shifts (economic and regulatory), and growing ac-
tivity by nonbank players can influence the risks
Committees should to bank’s strategic choices, and the risks of those

choices. Most firms seem to be concentrating efforts
look beyond metrics to on early identification of external factors to address
evaluate why a strategy these strategic risks. Many have already established
strategic risk working groups or centers of excel-
is working, probe what lence that are owned by the CRO or the chief strat-
a failure would look egy officer (CSO) to proactively prepare for strategic
threats.24
like, and ask whether The Fed, in addressing the governance side of
things are proverbially the coin, notes that effective bank boards “set clear,
aligned, and consistent direction regarding the
“too good to be true.” firm’s strategy and risk tolerance.”25 Risk com-
mittees should fundamentally focus on questioning
chosen strategies and their risks, and their insti-
15
tutions’ capability and preparedness to track and Stay vigilant as management

manage them. Moreover, the absence of an appar- tries to “do more with less”
ent problem may not be adequate evidence of strat-
egy performance. As we noted earlier, committees Executive orders signed earlier this year in-
should look beyond metrics to evaluate why a strat- structed the US Treasury Department to review fi-
egy is working, probe what a failure would look like, nancial regulations, including some key mandates
and ask whether things are proverbially “too good of the Dodd-Frank Act.28 Expecting regulatory de-
to be true.” This overarching focus is important to, mands to stabilize, many banks have begun to opti-
and should even influence the type and amount of, mize their internal risk and regulatory compliance
enterprise risk appetite and risk management poli- footprint. Advances in automation, machine learn-
cies. ing, natural language processing, and other cogni-
tive technologies, and big data techniques could
help banks meet these objectives.
Oversee the rethinking of On a governance level, the risk committee should
the three lines of defense ensure that optimization and budget reductions do
not, in any way, diminish risk management capa-
The delineation of risk control intended by the bilities. Committee members should be dedicated to
three lines of defense model—with business units understanding and challenging the effective capa-
owning and managing their specific risks, risk man- bilities of new technology solutions—even in stress
agement providing independent oversight and chal- scenarios. Members should also seek to assess in-
lenge, and internal audit reviewing the effectiveness formation flow in an automated risk reporting and
of the overall risk-control framework—has been control environment; these IT structures directly
difficult for banks to achieve in practice.26 As man- affect the bank’s ability to identify and respond to
agement focuses on restructuring and eliminating emerging risks.
overlapping responsibilities to create a more effi-
cient governance structure, risk committees should
ensure that these efforts strengthen the integrity of Strengthen formal conduct
the three lines. and culture programs
Specifically, the committee can help the stature
and authority of risk managers through a strong In the five-year period to end-2016, the world’s
control environment that includes empowering se- largest banks collectively paid large sums in con-
nior risk management executives with the authority duct-related charges, including fines, legal bills, and
to escalate emerging risk issues in a timely fash- the cost of compensating mistreated customers.29
ion to the board. For large global banks operating Many banks have created conduct risk-and-culture
across multiple regulatory regimes, group boards programs, and regulatory focus on the issue of con-
should also strive to understand the structure and duct has been more intense. In addition to high-pro-
monitor the effectiveness of local and subsidiary file US investigations by the Fed, the OCC, and the
boards.27 These local boards often have their own Consumer Financial Protection Bureau (CFPB), the
independent directors who are obligated to follow Senior Managers Regime in the United Kingdom
local jurisdiction regulations. Group risk commit- has emphasized individual responsibility to prevent
tees should ensure that local boards provide effec- regulatory breaches.30
tive challenge to local business heads on risk and The first, likely obvious, step is for risk commit-
strategic issues that pertain to the soundness of tees to clearly acknowledge oversight of conduct
country-level entities, whether branches or subsid- risk and risk culture in the language of their char-
iaries. ters. Second, risk committee oversight of culture
16
and conduct risk programs should look particularly sues as well as helping them determine the right
at decision-making processes around product and measures for oversight, enabling them to be effec-
service design, with a focus on senior management tive stewards in a more complex operating environ-
accountability. Risk committees can also set the ment.
right governance tone by demanding higher-than-
required standards of compliance from manage-
ment that includes enforcing a zero-tolerance policy Oversee the strategic
on ethics breaches at all levels, and ensuring that management of capital
conduct assessments are included in performance
and liquidity
evaluation and compensation-setting processes.
Of all the risk management capabilities that
most banks have built since the financial crisis,
Focus on the capital and liquidity stress-testing at an enterprise-
interconnectedness of risk wide level may have matured the most. As regula-
tory expectations around capital and liquidity stan-
Many risks not only span the purview of spe- dards have evolved, most banks have begun to use
cific business units, but of specialized committees measurement tools and analytics not only for com-
outside and within the board of directors. Accord- pliance, but also as guideposts for strategy. As we
ingly, board risk committees should work with other noted earlier, risk committee and board attention
committees at the board level (for example, technol- to stress-testing programs seems to have likewise
ogy, audit, remuneration, and operations) and with increased substantially.
management risk committees embedded in busi- However, if business activity and loan growth
nesses to identify and understand risks holistically. eventually accelerates, banks could face tough
While the EPS required designated risk experts to choices in allocating capital and liquidity. Board
be part of the board risk committee, boards should risk committees would have to walk this tightrope
also seek members with new types of expertise. For while making sure that balance sheets continue to
example, more institutions appear to be actively possess adequate capital and liquidity buffers. Ex-
recruiting directors with technology expertise. 31
tending robust enterprise-level analytics to subsid-
Another way to approach interconnectedness is to iary, function, and regional levels can provide board
prioritize training, which should include updating members insight through which they can more ac-
members’ knowledge of key risk and regulatory is- tively exercise their oversight of risk tolerance.
17
Orienting the compass to

meet renewed expectations
A
S we conclude our study, let’s take a moment year, “We do not intend that these reforms will
to reflect on the progress that banks have lower the bar for boards or lighten the loads of di-
achieved in the area of risk oversight and rectors. The new approach distinguishes the board
governance. Even as late as 2011, having a dedicated from senior management so that we can spotlight
risk committee on the board—now ubiquitous—was our expectations of effective boards. The intent is
viewed as a leading practice. The codification of to enable directors to spend less board time on rou-
regulatory requirements, along with other leading tine matters and more on core board responsibili-
practices, has contributed to more vigilant gover- ties . . .”34
nance structures, potentially more resilient institu- To that end, board members should prepare
tions, and hopefully a more stable banking system. 32
for these changing expectations with the operat-
However, as Fed Governor Daniel Tarullo had ing principle of presenting effective challenge to
remarked as early as 2014, it was becoming appar- management across the breadth of strategic issues,
ent that the increasing operational burdens placed something we have reiterated throughout this pa-
on bank boards were drawing director attention per. To meet and exceed expectations, board mem-
away from strategy and risk-related oversight.33 bers should focus on creating robust information
From this perspective, the recalibration and focus flow structures (especially around emerging risks),
that may result from the Fed’s August BE proposal actively empowering the independent risk manage-
should help improve the quality of risk governance. ment function, and keeping pace with growing com-
And it would likely be a mistake to view the Fed’s plexity in the risk environment.
new guidance as an easing of expectations. As Fed Quite simply, now is not the time to stop evolv-
Governor Jerome Powell remarked at the Large ing.
Bank Directors conference in Chicago earlier this
18
Appendix
Table 1. Mapping charter analysis questions to Fed BE expectations
EPS Large Non-US

requirement, US banks* G-SIBs
# BCBS guidance Criteria
or leading % % % %
practice yes partial yes partial
Setting risk policies, overseeing the risk management and governance framework, and risk strategy and tolerance
Does the charter require the risk committee to approve

and periodically review the risk management policies of
1 EPS requirement 87% 13% 68% 23%
the BHC’s global operations and oversee the operation of
the BHC’s global risk management framework?
Does the charter require the risk committee to oversee

2 EPS requirement policies and procedures establishing risk governance and 100% 0% 86% 9%
risk control infrastructure for its global operations?
Does the charter indicate that the board risk committee

oversees strategy for capital and liquidity management,
3 Leading practice 83% 13% 50% 36%
as well as for credit, market, operational, compliance,
reputational, and other risks of the bank?
Actively managing information flow, resources, capabilities, and committee discussions
Does the charter require the risk committee to receive

4 EPS requirement and review regular reports on not less than a quarterly 63% 20% 0% 32%
basis from the BHC’s CRO?

has access to additional internal and external resources
5 Leading practice (consultants, internal experts, etc.), without prior 97% 0% 45% 9%
approval from management or the board, in fulfilling its
duties?

meets in executive session?
BCBS guidance/ Does the charter note the need for communication and
7 coordination between the risk committee and the audit 77% 10% 45% 9%
leading practice committee?
Does the charter require the risk committee to

BCBS guidance/ coordinate with the compensation committee to
8 30% 0% 36% 5%
leading practice determine policies for executive compensation and
incentives?
Does the charter mention the provision of training to

9 Leading practice enhance committee members’ knowledge of complex 0% 0% 27% 5%
risk oversight and regulatory issues?
19
EPS Large Non-US

or leading % % % %
Does the charter require the committee or the full board

10 Leading practice to periodically evaluate and report on the committee’s 100% 0% 41% 9%
performance?
Holding senior management accountable for overall risk management, and for specific emerging risk issues
Does the charter delineate managerial responsibility for

risk management?
EPS requirement/ Does the charter clarify that the board risk committee
12 oversees senior management’s implementation of risk 90% 7% 68% 14%
leading practice management strategy?
Does the board risk committee’s charter require that

13 Leading practice the committee sanction, approve, and review charters of 40% 0% 5% 9%
management risk committees?
Does the charter require the risk committee to identify

and report risks (including emerging risks) and risk
management deficiencies, and ensure effective and
timely implementation of actions to address them?
BCBS guidance/ Does the charter require the board risk committee to
15 oversee management’s oversight of risks related to 47% 0% 18% 9%
leading practice information and cybersecurity?
Does the charter assign responsibility to the risk

16 Leading practice committee for oversight of risks stemming from 7% 0% 18% 5%
unethical employee conduct or behavior?
Does the charter require the committee to periodically

17 BCBS guidance oversee the readiness and review the results of the 57% 13% 50% 14%
bank’s stress-testing program?

committee to oversee risks stemming from third parties?

19 Leading practice committee to oversee risks stemming from financial 47% 3% 27% 5%
models?
Supporting the independence and stature of the CRO, and risk management and compliance functions
Does the charter require the risk committee to approve

the appointment, dismissal, or changes to the position
20 BCBS guidance 73% 3% 18% 14%
of the CRO, and review his/her performance and
compensation?

supports the role of CRO such that the CRO has sufficient
stature, authority, and seniority within the organization,
and is independent from individual business units?
20
EPS Large Non-US

or leading % % % %
Does the charter state that the CRO reports directly to

both the risk committee and CEO of the company?
Does the charter require that the board risk committee

23 BCBS guidance 27% 0% 27% 5%
report on the state of risk culture at the bank?
Does the charter mention the committee’s role in

24 EPS requirement preserving or maintaining the independence of the risk 43% 10% 18% 0%
management function?
Does the charter require the integration of risk

management and associated controls with management
goals and its compensation structure for its global
operations?
Does the charter suggest that the board risk committee

26 Leading practice or its members be available on an ad hoc/unscheduled 23% 10% 32% 0%
basis to the bank’s risk management function(s)?
Maintaining a capable board risk committee composition and structure
Does the bank have a risk committee that is separate

from the audit committee, with sufficient authority,
stature, independence, and resources that reports
directly to the board?
Does the board risk committee have a formal, written

charter that is approved by the board of directors?
Does the charter require the risk committee to include

at least one risk management expert with experience in
identifying, assessing, and managing risk exposures of
large, complex financial firms?
Does the charter require the risk committee to be

chaired by an independent director?
Does the charter require that the chairman of the risk

committee be a different board of director member than
the chairman of the board, and the chairs of the finance
and audit committees?
Does the charter require that a majority of the risk

committee’s members be independent?
Does the charter note that all board of director members

of the risk committee must be independent?
*Large US banks include nonbank US SIFIs.

Source: Deloitte analysis.
21
Figure 6. Institutions represented in the analysis, by country
US Japan Spain
China Switzerland Sweden
UK Italy The Netherlands
France Germany
Source: Deloitte analysis. Deloitte Insights | deloitte.com/insights
22
ENDNOTES
1. Thomas P. Vartanian, “Why would anyone sane be a bank director?,” Wall Street Journal, August 28, 2017.
2. Governor Jerome H. Powell, “The role of boards at large financial firms,” Speech at the Large Bank Directors
Conference, Chicago, Illinois, August 30, 2017.
3. “Proposed guidance on supervisory expectation for boards of directors,” Federal Register, August 9, 2017.
4. US Department of the Treasury, “A financial system that creates economic opportunities: Banks and credit
unions,” June 2017.
5. As used in this document, “Deloitte” means Deloitte LLP and its subsidiaries. Please see “About Deloitte” for a
detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be avail-
able to attest clients under the rules and regulations of public accounting.
6. About the term “leading practice”: For purposes of this paper, we consider risk governance practices to fall into
a range, from leading to lagging. Some industry practices may be considered leading practices, which are gener-
ally looked upon favorably by regulators, industry professionals, and observers due to the potentially superior
outcomes the practice may attain. Other approaches may be considered prevailing practices, which are seen to
be widely in use. At the lower end of the range are lagging practices, which generally represent less-advanced
approaches and which may result in less-than-optimal outcomes. Items reflected as leading practices herein are
based on subject-matter experts’ experience with relevant banks and financial institutions.
7. In brief, the “effective challenge” standard requires risk management practices to be critically examined by over-
sight bodies with sufficient competence, power, and incentives to generate change; Federal Reserve and OCC,
“Supervisory guidance on model risk management,” April 4, 2011.
8. Barney Jopson, “US regulator moves to loosen Volcker rule,” Financial Times, August 3, 2017.
9. “Federal Reserve releases results of Comprehensive Capital Analysis and Review (CCAR),” Board of Governors of
the Federal Reserve System, June 28, 2017.
10. Federal Reserve, “Enhanced prudential standards for bank holding companies and foreign banking organiza-
tions: Final rule,” March 27, 2014.
11. Basel Committee on Banking Supervision, “Corporate governance principles for banks,” Bank for International
Settlements, July 2015.
12. “Supervisory expectations for the board of directors,” Board of Governors of the Federal Reserve System.
13. Edward Hida, Global risk management survey, 10th edition, Deloitte University Press, March 2, 2017.
14. The Fed’s proposed BE Guidance describes effective boards as those which: (1) set clear, aligned, and consistent
direction regarding the firm’s strategy and risk tolerance; (2) actively manage information flow and board dis-
cussions; (3) hold senior management accountable; (4) support the independence and stature of independent
risk management and internal audit; and (5) maintain a capable board composition and governance structure;
“Supervisory expectations for the board of directors,” Board of Governors of the Federal Reserve System.
16. Ibid.
17. Ibid.
18. Ibid.
23
19. Gavin Finch, “World’s biggest banks fined $321 billion since financial crisis,” Bloomberg, March 2, 2017.
21. Ibid.
22. “Getting bank governance right: The bank board member’s guide to risk management oversight,” Deloitte, 2009.
23. Edward Hida and Julian Leake, “The future of risk in financial services,” Deloitte Touche Tohmatsu Limited, 2017.
24. Anna Mok and Ronnie Saha, “Strategic risk management in banking,” Inside magazine, 2017 edition.
26. Hida and Leake, “The future of risk in financial services.”
27. Kevin Nixon, David Strachan, and Christopher Spoth, “Too complex to manage? Global bank governance in a
structurally reformed world,” Deloitte Center for Regulatory Strategy, September 2017.
28. Lisa Lambert, “Trump to order US Treasury to delve into taxes, post-crisis reforms,” Reuters, April 21, 2017.
29. Jill Treanor, “World’s biggest banks face £264 billion bill for poor conduct,” Guardian, August 14, 2017.
30. Cindy Chan, Natasha de Soysa, Dominic Graham, Richard Burton, and David Strachan, “Senior managers regime:
Individual accountability and reasonable steps,” Deloitte.
31. John Reosti, “Cyber threats prompt run on tech experts for bank boards,” American Banker, May 17, 2016.
32. Governor Jerome H. Powell, “The role of boards at large financial firms.”
33. Governor Daniel K. Tarullo, “Corporate governance and prudential regulation,” Speech at the Association of
American Law Schools 2014 Midyear Meeting, Washington, DC, June 9, 2014.
34. Governor Jerome H. Powell, “The role of boards at large financial firms.”
24
ABOUT THE AUTHORS
VAL SRINIVAS
Val Srinivas is the banking and securities research leader at the Deloitte Center for Financial Services,
Deloitte Services LP, where he is responsible for driving the Center’s banking and securities research
platforms and delivering world-class research to clients. Srinivas has more than 15 years of experience
in research and marketing strategy in credit, asset management, wealth management, risk technolo-
gy, and financial information markets. Before joining Deloitte, he was the head of marketing strategy
in the institutional advisory group at Morgan Stanley Investment Management. Prior to this, Srinivas
spent more than nine years leading the global market research and competitive intelligence function at
Standard & Poor’s. He has written several articles for Deloitte Insights, and most recently co-authored
First impressions count: Improving the account-opening process for Millennials and digital banking customers.
STEPHEN FROMHART
Stephen Fromhart is a manager at the Deloitte Center for Financial Services, Deloitte Services LP, cover-
ing the banking and capital markets sectors. Before joining Deloitte, Fromhart spent 15 years at American
International Group where he directed a research and strategy group covering multiple industries. In ad-
dition, he led the sovereign risk analysis unit for the company’s credit risk rating committee. He has also
been a contributor to white papers for the World Economic Forum. Fromhart earned his Master’s degree
from the School of International and Public Affairs at Columbia University. He most recently co-authored
First impressions count: Improving the account-opening process for Millennials and digital banking customers.
URVAL GORADIA
Urval Goradia is a senior market insights analyst at the Deloitte Center for Financial Services, Deloitte
Services LP. Goradia researches and writes on a range of themes in banking and capital markets, including
strategy, regulation, risk, and the impact of disruptive technologies, with specific focus on performance
considerations. Before joining Deloitte, he was a financial institutions credit analyst at the Fitch Group.
Goradia is a CFA charterholder, and is earning an MBA at New York University. He has written several
articles for Deloitte Insights, including Pricing innovation in retail banking: The case for value-based pricing.
25
BANK BOARD GOVERNANCE CONTACTS
SCOTT BARET
Scott Baret, Deloitte & Touche LLP, is a vice chairman and leads Deloitte’s banking and securities prac-
tice in the United States. He guides the strategic direction of the sector as well as its go-to-market strat-
egies and resources. Baret has worked extensively with large domestic and international banking and
securities clients. His recent financial, business, operations, and risk management advisory assignments
have focused on assessing, improving, and transforming the way senior management, boards, and or-
ganizations approach risk management across the enterprise.
EDWARD HIDA
Edward Hida, Deloitte & Touche LLP, is the global leader of the Risk & Capital Management network and
a partner in Deloitte Risk and Financial Advisory. He has more than 30 years of experience and serves
large clients in various financial services sectors including banking, insurance, securities, and asset man-
agement. Hida has substantial experience consulting and providing commentary and views on a variety
of governance, risk management, regulatory and related issues.
26
ACKNOWLEDGEMENTS
The authors would like to specially acknowledge Abhishek Gupta, analyst, Deloitte Services India Pvt.
Ltd. and Yashu Singh, senior analyst, Deloitte Services India Pvt. Ltd. for their research support and
contributions.
The authors and the Center also thank the following Deloitte professionals for their support and
contributions:
Michelle Chodosh, senior manager, Deloitte Center for Financial Services, Deloitte Services LP
Patricia Danielecki, senior manager, Deloitte Center for Financial Services, Deloitte Services LP
Erin Loucks, manager, Deloitte Services LP
27
CONTACTS
Industry leadership and board Deloitte Center for Financial Services

governance contacts
Jim Eckenrode
Scott Baret Managing director
Vice chairman, US Banking & Securities leader Deloitte Center for Financial Services
Deloitte & Touche LLP Deloitte Services LP
+1 908 902 1383 +1 617 585 4877
sbaret@deloitte.com jeckenrode@deloitte.com
Edward T. Hida II, CFA Val Srinivas, Ph.D.

Global Risk & Capital Management leader Banking and Securities Research leader
Financial Services Deloitte Center for Financial Services
Deloitte & Touche LLP Deloitte Services LP
+1 212 436 4854 +1 212 436 3384
ehida@deloitte.com vsrinivas@deloitte.com
28
Sign up for Deloitte Insights updates at www.deloitte.com/insights.
Follow @DeloitteInsight
Contributors
Editorial: Karen Edelman, Nikita Garia, and Abrar Kahn
Creative: Sonya Vasilieff, Tushar Barman, and Mahima Nair
Promotion: Haley Pearson
Artwork: Livia Cives
About Deloitte Insights

Deloitte Insights publishes original articles, reports and periodicals that provide insights for businesses, the public sector and
NGOs. Our goal is to draw upon research and experience from throughout our professional services organization, and that of
coauthors in academia and business, to advance the conversation on a broad spectrum of topics of interest to executives and
government leaders.
Deloitte Insights is an imprint of Deloitte Development LLC.
About this publication

This publication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or its
and their affiliates are, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other
professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be
used as a basis for any decision or action that may affect your finances or your business. Before making any decision or taking
any action that may affect your finances or your business, you should consult a qualified professional adviser.
None of Deloitte Touche Tohmatsu Limited, its member firms, or its and their respective affiliates shall be responsible for any
loss whatsoever sustained by any person who relies on this publication.
About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its
network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent
entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. In the United States, Deloitte refers to
one or more of the US member firms of DTTL, their related entities that operate using the “Deloitte” name in the United States
and their respective affiliates. Certain services may not be available to attest clients under the rules and regulations of public
accounting. Please see www.deloitte.com/about to learn more about our global network of member firms.
Copyright © 2017 Deloitte Development LLC. All rights reserved.
Member of Deloitte Touche Tohmatsu Limited

4106 - Bank Board Risk Governance

Uploaded by

Copyright:

Available Formats

4106 - Bank Board Risk Governance

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

4106 - Bank Board Risk Governance

Uploaded by

Copyright:

Available Formats

A research report by the Deloitte Center for Financial Services

What’s next for bank board

COVER IMAGE BY: LIVIA CIVES

A sea change beckons | 3

Analysis of 2016–2017 charters, and comparison to

Raising the bar on governance to navigate choppy

Orienting the compass to meet renewed

A sea change beckons

the Fed’s 2017 Comprehensive Capital Analysis and

The risk committee Review process, for example.9

the nature of risks to shifting risks; and reengineering mechanisms to as-

mechanisms to assign mittee, we acknowledge that they do not necessar-

oversee management’s odology as transparent, public, and comprehensive

strategy and appetite. ity and intent.

We reviewed the following documents, where publicly available:

Analysis of 2016–2017 charters,

1. Setting risk policies, risk-management framework when approving the

Figure 1. Oversight of risk policy, governance infrastructure, and risk strategy

Does the charter . . .

indicate that the committee oversees 3%

Figure 2. Actively managing information ﬂow, resources, and capabilities

Does the charter . . .

require the risk committee to coordinate

mention the provision of training to

nature and structure of compensation incentives set 3. Holding senior management

Figure 3. Oversight of risk management, and holding senior management accountable

Does the charter . . . Large US banks Non-US G-SIBs

2017 83% 7%10% 64% 5% 32%

require the committee to identify and 41% 14% 45%

deﬁciencies, and ensure eﬀective and timely

require the committee to oversee 2017 47% 53% 18% 9% 73%

require the committee to oversee risks 2017 7% 93% 18% 5% 77%

require the risk committee to oversee 2017 13% 3% 83% 5% 95%

2017 47% 3% 50% 27% 5% 68%

drivers, indicators, and trends related to current 4. Supporting the

Figure 4. Supporting the independent risk function and the CRO

Does the charter . . . Large US banks Non-US G-SIBs

2017 70% 30% 18% 5% 77%

require the committee to approve the

review the CRO’s performance and

indicate that the committee supports the

2017 27% 73% 27% 5% 68%

5. Maintaining a capable years hence, almost every bank in our analysis—in

Figure 5. Risk committee composition and structure

Is the committee . . . Large US banks Non-US G-SIBs

separate from the audit committee, 100% 95% 5%

Does the charter . . .

require that the committee include at least

stipulate that the risk committee chairman 3% 97% 5% 95%

require that a majority of the risk

committee’s members be independent? 2014 54% 46% 32% 5% 63%

NON-US G-SIBS SHOULD GRAB THE OPPORTUNITY TO

Raising the bar on governance

Present effective challenge

Committees should to bank’s strategic choices, and the risks of those

tutions’ capability and preparedness to track and Stay vigilant as management

Orienting the compass to

Table 1. Mapping charter analysis questions to Fed BE expectations

EPS Large Non-US