When it comes to corporate governance, will the financial crisis do for risk management committees what Enron did for audit committees?
That very well may depend on whether the legislative corollary to the financial crisis is anywhere as game-changing as the Sarbanes-Oxley Act.
Meanwhile, banks certainly are acting to improve their day-to-day management of risk, but they have been relatively slow to change corporate bylaws in ways that would formalize the reforms and hold directors accountable for carrying them out.
A new study from the Deloitte Center for Banking Solutions says none of the charters governing the boards of 30 major commercial banks requires that a board member have relevant experience in risk management. At March 31 just seven defined risk governance in detail — one more than at the start of the year — and only six charters listed funding and liquidity risk among the board's oversight responsibilities. This was two more than at the start of the year but still a relatively small number in an industry nearly undone last fall by funding and liquidity fears.
The authors of the Deloitte study say that the best charters would clearly define a board's risk management duties, articulate the board's appetite for risk and its tolerance for risk-related losses, set guidelines for discussions of risk between board members and senior executives and specify procedures for monitoring risk.
And though board charters rarely attract much attention outside of proxy season — and even then their potency as headline grabbers is suspect — the Deloitte report says a well-defined charter is important for specifying a board's risk management roles; creating a sense of accountability; and communicating the commitment to risk management to regulators, investors and the general public.
"We'd like to see, irrespective of regulation, a focus on boards' getting the right structures and defining the right type of processes that should be in place" for controlling and reporting risk, said Scott Baret, a partner in Deloitte & Touche LLP and a co-author of the study, which will soon be shared with clients. "It does make a difference."
Some of the charters requiring regular reporting on risk issues by management called for quarterly disclosures; others failed to specify how often such disclosures should be made. And risk management committees are not a universal feature of bank boards. Sixteen of the banks examined in the study, which examined 25 of the largest U.S. commercial banks and five global banks based outside the United States, had separate risk committees. Three had a combined committees overseeing risk management and audit functions.
Guidance from the Bank for International Settlements, the Office of the Comptroller of the Currency and other regulatory bodies offers a loose framework for approaching risk management issues.
But there is no parallel to the specific requirements for audit and finance oversight mandated by Sarbanes-Oxley.
With the debate over the financial system seemingly stuck on issues of agency structure rather than reforms at the company level, regulation of risk management may never get to the same depth, said Edward Hida, a Deloitte partner and co-author of the study.
"The specific requirements are not shaped with anywhere near the same level of detail as they are for finance matters," he said. "Much of this will have to be conducted by firms themselves."