All signs indicate that the lasting legacies of the financial crisis will include an increased focus on how financial services companies manage risk and how regulators and shareholders hold board directors ultimately responsible for inadequate risk management oversight.
In the United Kingdom, the government-commissioned "Walker Report" found that "governance failures contributed materially to excessive risk taking in the lead up to the financial crisis." Moody's Investors Service has said that the effectiveness of a financial firm's management will be an important rating consideration. The SEC has proposed greater disclosure concerning the role of the board in this area. And a growing number of regulatory enforcement orders require boards of banks to increase their oversight of the bank's affairs in specific ways.
Directors, senior management and the regulators have a unique opportunity to address these concerns and demonstrate awareness, cooperation and competence before irresistible pressure builds to pile on weighty demands and requirements.
Two challenges must be met. First, regulators and legislators must avoid the understandable reflex to overload institutions with prescriptive "thou shall"-type rules. Second, during a period of great uncertainty and change with many day-to-day pressures, boards and senior management need to take the time to engage in a real dialogue about risk.
Let's address the regulators first. The natural tendency, when something has gone awry, is to pile on specific and detailed requirements. As understandable as this is, in a heavily regulated industry such as banking, the number of specific requirements often exceeds what any human could reasonably be expected to handle — especially on a cumulative basis.
Experienced bank managers can tell you that a thick, overly detailed board package often leads to an unproductive discussion. A more targeted package that raises the right questions and provides the necessary details enables the board to focus on those matters warranting its attention. Still, banking laws and regulations are drafted in such a way as to encourage a check-the-box approach.
For example, bank management is required to notify its board (or a committee) of every suspicious activity report the bank files. These reports advise law enforcement agencies of the possibility of a crime occurring and must be filed whenever there is reasonable suspicion. Institutions file literally hundreds, if not thousands, of these reports each month. Do we really want the board, or one of its committees, to review each one? Likewise, by regulation the board of a national bank must review its banking hours. The hours during which a bank is open are important, but this is clearly a management, not a board, issue.
Bank directors who conscientiously address these detailed and voluminous requirements would have insufficient time to consider more significant matters. In times of financial change and flux, bank directors can be stretched thin as they attend to overall capital, liquidity and risk tolerance matters. Ideally, regulators would conduct a systematic review to remove existing requirements that needlessly take board time. This would allow boards to spend their time on matters that impact the bank's safety and soundness. At a minimum, regulators should avoid worsening a difficult situation by piling on additional overly detailed risk management requirements that will distract boards from managing genuine risks.
Instead, regulators should insist that bank management have in place an appropriate process to identify, review and understand the risks their organization faces. The process must focus on the specific business of each institution and neither it nor the regulators' examination of the process should proceed in a boilerplate fashion.
Effective risk management involves the board and senior management ensuring that a process is in place to assess, weigh and mitigate (or accept) known risks. This challenge frequently requires a look across technical and complex line and staff areas. It is a never-ending process that must account for changes in the environment.
That point is particularly important. If recent analyses of the current economic crisis are correct, more effort needs to be directed at unexpected and unanticipated forward-looking risks. A pressured and downsized in-house staff may not have the time to look for the unexpected, especially during times of stress when daily developments require immediate and nearly full-time attention.
Delegate the less-vital decisions, such as those regarding banking hours, to a trusted person down the management chain, while the senior team focuses on these three questions:
- What internal and external changes could impact key product lines, major customers and other stakeholders, and significant assumptions about risk? This includes consideration of legal, accounting and regulatory trends and a thorough understanding of the processes that they will impact.
- How does our existing organization view risk? This includes a review of existing processes, including contingency planning, regulatory and legal updates and new-product development, with an emphasis on how staff members view their roles in these situations.
- Finally, what kinds of red flags should we be following closely? This involves a discussion of the kinds of events that should trigger a targeted review of products, services and underlying risk assumptions affecting the company generally.
Let's give boards and senior management the time to consider these issues. This alone will be a tough job.