sal banks. Specifically, we focused on the following features:
• Committees at the board level in charge of risk issues, and
frequency of meetings.
• Risk committee composition for those banks that have a
dedicated committee for all risks.
• Existence of a designated CRO, and his or her reporting
line and status in the management structure of the firm.
Most large banks run complex businesses with many different business lines, often including non-banking activities. It takes both skill and time to understand all the risks to which these institutions are exposed, how these risks interrelate and how they could expose a bank to losses well beyond its risk tolerance. Without this awareness, however, it is difficult for the board to provide effective checks and balances to the bank’s management. For these reasons, we would expect that large banks would adhere to the following best practices:

1. A dedicated board-level risk committee that supervises all types of risks and meets on a frequent basis (at least bimonthly). While the full board retains ultimate responsibility for risk oversight, it is not realistic to expect that the full board can effectively discharge its duties without a robust committee structure. Moreover, it would be very challenging for the audit committee of a bank to ensure focused oversight of both financial reporting/controls and risk management given the significant burden placed on this committee in recent years.
2. A majority of members of the risk committee with extensive and first-hand financial experience, and at least some members with previous risk management experience.
3. A CRO who reports jointly to the CEO and the board, and who is a member of the bank’s executive committee.

In our analysis, we looked at each of these areas, focusing on comparing and contrasting risk governance practices for different types of banks and for different geographical regions.

Positive Momentum, but Still Significant Room for Improvement

Bank boards have historically adopted various approaches to using committees to gain a more focused understanding of risk, typically by assigning responsibility to a committee focused on all risks, or on specific risks only. (Alternatively, they can also assign complete risk oversight to the audit committee.) We therefore distinguish those banks with an all-risks board committee from those with a board committee that oversees only specific risks (such as credit risk), or those that have no dedicated risk committee but instead assign risk oversight to the audit committee.

Our results show that the presence of an all-risks committee is still not common practice across large banks, not even for complex institutions (see Tables 1A and 1B). Specifically, only 49% of the banks in our sample have a board risk committee in charge of all risks. The rest are split between banks that assign risk oversight responsibility to the audit committee (34%) and banks with a risk committee overseeing only specific risks, most typically credit risk (17%). The results do not differ significantly between complex institutions and universal banks, as shown in Table 1A (below).

Interestingly, the analysis by geographical region (see Table 1B, next page) indicates that in both North America and Europe, only about 40% of the banks have an all-risks board committee, while for Asia-Pacific this is a feature for all banks examined — although it should be noted that the sample in this case is very small.

Table 1A: Board Committees Overseeing Risk — Breakdown by Type of Bank
Banks with all-risks committee
Banks with risk committee for specific risks only
Audit committee only
Total
8
Universal
9
17
2
5
15
4
7
20
6
12