Risk management is all about knowledge. It’s about knowing the threats and opportunities across the enterprise and leveraging that information to make the best decisions. As we said last month, the board determines the bank’s risk appetite, develops a strategic plan that takes risk into account, and approves how risk is governed. The heavy lifting of identifying, assessing, measuring, monitoring, and mitigating risk falls to bank management.
The risk committee is the go-between that helps ensure management and the board understand each other. It lets board members ask questions and ensures management gets clear marching orders.
Crafting a charter
The charter (or bylaws) outlines the responsibilities and expectations of the risk committee. Charters should be detailed to increase consistency and the committee’s value. There is no one right way to write a charter, but it should include:
- Expectations. The committee oversees risk management, but what does that mean? Define the committee's parameters and powers. This can be very specific or a broad mandate to cover risk at a high level. Specify what kind of decision-making authority the committee has. That might include authority to make management decisions about how risk is tracked and communicated and what resources will be allocated to it. What types of materials should the committee review, and where do the results of its deliberations go? The charter should also define the responsibilities of management, whether as minimum standards or fully fleshed out.
- Committee members. The makeup of the committee depends on the institution's culture and environment. The risk committee commonly has two board members, but that's not a hard and fast rule. A financial institution can put as many board members on the committee as it wants, depending on its environment and culture. There also needs to be representation from the C-suite. Sometimes it's the risk officer and the CEO, for dual control. Other times, when a risk officer has worked with the CEO for a long time and has a strong relationship, it might be fine for the CRO to meet without the CEO. Other times the CEO needs to serve as a buffer or guide the message because the CEO and the risk officer are not on the same page. Consider the political factors at your institution. You don't want every member of the C-suite on the committee. Too many individuals will only increase debate and hurt productivity. The goal is to avoid surprises by having the most appropriate voices represented.
- Meeting frequency and notification. Determine how often the committee should meet, who can call a meeting, and how much notice is required. The risk committee should meet at least quarterly. It's also a good idea to empower board committee members to call an ad hoc or immediate committee session. Set the required notice period, whether it's 8 hours, 12 hours or some other interval, and decide how far in advance agendas must be provided.
- Quorum. How many committee members need to be at a meeting for it to be official? How many board members need to be present? If any board members are present, minutes must be taken.
- Location. Must meetings be held in person, or can they be conducted over the phone? The charter might require at least one in-person meeting over a calendar year.
When drafting a charter, it’s fine to look at other institutions’ charters, but it’s important to customize it to your own institution. Every institution has a different approach to risk management depending on its size, risk appetite, business lines, and other factors. Adopting another institution’s charter may mean including elements that aren’t applicable to you. Whatever you borrow must be germane to your resources, abilities, and what you do.
Ultimately, the board should approve all charters, including the charter for the risk committee.