Next week, Bank Director releases its annual Risk Practices Survey. In advance of that report, let me share an excerpt from a risk management-focused piece by KPMG’s Lynn McKenzie and Edmund Green — How a Board Can Credibly Challenge Management on Risk — that foreshadows some of the results.
As our industry evolves, banks increasingly rely on complex models to support economic, financial and compliance decision-making processes. Considering the full board of a bank is ultimately responsible for understanding an institution’s key risks — and credibly challenging management’s assessment and response to those risks — let me share the eight considerations that KPMG wrote about for board members as they evaluate their risk oversight.
(1) Do our board members (particularly directors on audit or risk committees) know our bank’s top enterprise risks — those that threaten our bank’s strategy, business model, or existence?
(2) Does our bank have a formal risk management process? Do directors know how management identifies and manages risks, both existing and emerging, and if there is a process of accountability? Does the board have comfort that management has the proper talent to manage today’s risks?
(3) Does the bank have a formal risk appetite statement? If not, how does the board oversee that management is not taking risks outside of the bank’s stated risk tolerance? Is there a protocol to escalate a risk issue directly to the board? Is there evidence that management recognizes the critical need to timely communicate risk issues to board members? Is there a process for the board to evaluate the impact of compensation on management’s risk-taking?
(4) As the bank takes on new initiatives or offers new products and services, does the board understand the process to evaluate the risks prior to decisions being made? Is there a clear threshold for when items need to be brought to the board before finalizing a decision?
(5) In examining management’s reporting process, are directors concerned whether they are getting relevant data? Are they getting so much detail that it cannot be absorbed? Are they getting data at such a high level that it’s impossible to evaluate risk?
(6) Does the board recognize that risk management done well adds competitive advantage and value by addressing gaps in operations? Viewing risk management solely as a compliance function increases the chances of wasting time and money.
(7) Is the board ensuring that, in dealing with the regulators, the bank is “getting credit” for the risk management activities it is doing well by being able to describe the programs that have been instituted—or actions taken—that will enable the bank to “harvest value” from its enterprise risk management process?
(8) Finally, given the importance of “tone at the top,” are directors satisfied that the proper culture of “doing the right thing” exists across the organization?
As many know by now, the 2,300+ page Dodd-Frank Act requires publicly traded banks with more than $10 billion in assets to establish separate risk committees of the board, and banks over $50 billion to additionally hire chief risk officers. Not surprisingly, many institutions under these thresholds have similarly established committees and recruited executives into their bank.
By taking a more comprehensive approach to risk management, I continue to see institutions reap the benefits with improved financial performance… and yes, this too foreshadows next week’s research report. To view the entire KPMG article, here is the link (don’t worry, no registration required). I’ll post more about the Risk Practices Survey along with a link to both the full results and summary report here next week.