The last year has been marked by financial debacles: isolated incidents at banks and similar institutions that were largely the result of ineffective risk management. Although they have mostly impacted markets on a small scale, these crises have put a spotlight on regulatory activity in the pipeline, including the Volcker Rule. Additionally, there is legislation in the draft stages that has not received nearly the attention as others.
As required by Sections 165 and 166 of Dodd-Frank, Federal Reserve Regulation YY applies to bank holding companies with consolidated assets of $50 billion or more, and domestic non-bank holding companies the Treasury’s Financial Stability Oversight Counsel says pose a “grave threat” to financial stability.
Regulation YY addresses a wide range of risk-related areas, including capital and liquidity requirements. At the board level, it requires bank holding committees with consolidated assets of $10 billion or more to form risk committees. These risk committees would oversee a “robust” enterprise risk management system. This includes board oversight of areas that have generally been viewed as operational, such as liquidity risk. Blurring the line between oversight and management further, the rule proposes that the required Chief Risk Officer is to report to the risk committee and the CEO.
It is not new for regulators to attempt to create structure and rules around risk oversight. The NYSE Corporate Governance Rules have required the audit committee to discuss policies with respect to financial risk assessment and risk management for years. While it is unsurprising that many companies assign risk oversight to the audit committee—46 percent according to the 2012 Public Company Governance Survey—many of the companies likely affected by the proposed rule already have the structures in place. The following numbers delve into the existing prevalence of the risk committee.
198 Percentage increase in risk committee prevalence over the last five years, according to NACD Public Company Governance Surveys. This increase is from 4.5 percent of public companies in 2008 to 13.4 percent in 2012. KPMG’s Audit Committee Institute found the prevalence of risk committees to slightly higher.
In its 2011 Public Company Audit Committee Survey, 16 percent of audit committee members said their board had formed a standing risk committee. An additional 7 percent said that although a risk committee had not been formed, the board was taking it under consideration.
64 Percentage of those who affirmed their board had a standing risk oversight committee that were from the financial sector, according to preliminary data from the 2012 NACD Public Company Governance Survey. This is barely an increase from 63 percent in 2011. Of those in the financial sector, most were in the banking industry, with minority representation in diversified financials, insurance and real estate.
28 Percentage of companies that responded to the financial crisis by establishing a risk committee of the board of directors, according to Deloitte’s Global Risk Management Survey, seventh edition. Thirty percent noted they responded by reviewing the board’s risk committee structure.
10 Number of companies that have established standing committees for risk oversight, out of the 10 largest bank holding companies by total consolidated assets. In several of the 10 companies, including Goldman Sachs, Morgan Stanley and Wells Fargo, these committees were formed in the last two years. However, the risk committee at JPMorgan has been in place for over a decade. Also of note: Citi’s risk management and finance committee would not suffice under the proposed rule, as risk cannot be part of a joint committee. 8 The average number of times the risk committees of the 10 largest bank holding companies met in 2011. The risk committees of Metlife and Bank of America met most frequently, at 12 and 11 meetings, respectively.
Of note, in its comment letter to the Federal Reserve board, SunTrust—not a member of the 10 largest bank holding companies—noted the potential costs the rules could impose. According to SunTrust, its risk committee met 7 to 8 times per year between 2005 and 2008. Following the financial crisis, the committee met 11 to 13 times per year. With the increased oversight responsibilities suggested by the Fed’s proposed rules, risk committees would most likely have to meet even more frequently, thus imposing more costs.
While the newer provisions of Regulation YY are largely related to board process rather than structure, recent events have proven that increased attention to risk oversight is generally not a bad idea.