Bank board risk governance: Driving performance through enhanced risk oversight

Boards of directors at large banks may have built a strong risk oversight foundation, but many still have work to do in adopting leading practices.

A look at board risk committee charters of large banks

In recent quarters, two groups of large US banks showed substantially different operating results. The average return on average assets (ROAA) in one group was 57 percent higher. Otherwise—in terms of average total assets and other characteristics—the two groups were roughly similar.

One key difference between the two groups was that the board risk committee charters of the higher-performing banks documented the need for a risk expert.1

Of course, correlation doesn’t mean causation, and because it is only in recent times that the more rigorous risk governance practices have been introduced, it will be a while before one can examine the long-term relationship between robust risk governance and financial performance. Requiring a risk expert on the board risk committee is just a strong sign of a bank’s commitment to risk management and governance, which, in theory, can exert a positive influence on performance.

Many banks seem to have taken this lesson to heart. Efforts to strengthen risk management and instill appropriate policies and a “risk intelligent” culture throughout the organization have become top priorities for many banks. Major failures in risk management and oversight, some carrying heavy costs, show the stakes are high. Board risk committees, as the highest level of risk oversight, and crucial promoters of the “tone at the top,” are increasingly focused on this transformation.

Regulatory expectations in the area of risk management are only adding to the pressures flowing from other regulations. In particular, in the United States, the Federal Reserve’s enhanced prudential standards (EPS) require bank holding companies (BHCs) to have additional risk governance standards in place as of January 1, 2015—a key driver of recent efforts (see Appendix C for more specifics). Similar rules issued by other agencies, such as the Office of the Comptroller of the Currency (OCC)’s heightened standards, also set new expectations for duties, membership, and other practices, increasing the onus on bank boards. And the Federal Reserve’s Comprehensive Capital Analysis and Review (CCAR) program has spurred enhanced focus on governance over banks’ risk and capital management programs.

Internationally, the European Union’s Capital Requirement Directive IV is likely having a similar impact on bank boards’ risk governance practices.2 Another driver is the recently revised set of principles on bank corporate governance issued by the Basel Committee on Banking Supervision, which also encourages greater board-level risk oversight.3

In meeting these new standards, banks will need to show not only technical compliance with policy and process requirements, but also, increasingly, that their board risk committees are capable of presenting effective challenges to management decisions as part of their oversight duties. This is also stipulated by the OCC’s heightened standards.

In other words, these regulations have increased both director responsibility and potential liability. The impact of this increased responsibility may have had some unintended consequences, as shown in a study by Per Ardua Associates in which 80 percent of financial sector nonexecutive directors surveyed said the risk committee is the most challenging.4 Three possible explanations of the survey’s responses are the broad range of board risk committees’ responsibilities, risk committees’ forward-looking nature, and the technical nature of regulatory compliance.5

Two previous studies by the Deloitte Center for Financial Services6, in 2009 and 2011, reviewed the board risk committee charters of large US and foreign banks to understand risk oversight practices at these institutions, and suggested steps boards can consider taking to strengthen risk governance.7 This new study shares the same goal and updates our research, building on both these previous studies and Deloitte’s large body of published work on board risk governance.

The main difference now is that many governance practices highlighted in our 2009 study have since then been codified into rules that banks have to, or will soon have to, follow. The new rules, several of which originate from legislative mandates, enable us to both make more informed evaluations of the current state of risk oversight and provide some insight into the challenges banks face as they strive to comply with these new regulatory mandates.

A caveat

As in our previous studies, we use board risk committee charters of BHCs to infer banks’ practices in this area. Board risk committee charters are key guiding documents on board-level risk oversight, and a clear way to demonstrate commitment to oversight and communicate management and board responsibilities. Charters may also be seen as important tools to inform other stakeholders, such as counterparties, investors, and regulators, about institutions’ board risk governance policies.

We acknowledge that charters might not fully reflect all the actions, policies, and activities that board risk committees in these institutions actually follow. Likewise, there might be items in the charters that are not implemented in practice. As such, we suggest that our results be interpreted in that light. However, we believe that comprehensive, clear, and accurate risk committee charter documentation is an essential foundation of strong board-level oversight.

Key findings: Where have banks made the most changes?

Heightened regulatory expectations, increased market complexity, and performance needs have necessitated further advancement in risk management, both across organizations and in the board risk committees overseeing them. Many banks, in particular the larger US institutions, have significantly enhanced their board risk governance since our last study in 2011. Yet the updated available data indicate that some improvements are still works in progress.

For example:

  • One hundred percent of large US banks (see research methodology) have board risk committees—most of which are fully dedicated to risk, rather than combined with other responsibilities—as well as formal charters. But just 39 percent of these charters document the need for a risk expert on the committee, a role required by the Federal Reserve’s EPS and one that is a major contributor to effective oversight.8
  • All large US banks’ board risk committee charters establish the board risk committee’s oversight of risk management policies and procedures, but only 57 percent explicitly state that the committee possesses authority to approve major risk management policies. This, again, is a requirement of the Federal Reserve’s EPS.
  • Most (86 percent) large US banks’ board risk committee charters establish board committee oversight of management’s implementation of risk strategy, but just 36 percent require the risk committee to oversee processes and systems designed to protect the independence of the risk management function.

Global systemically important banks (G-SIBs) outside the United States, though not subject to the same regulatory expectations as US banks, appear to have further to go. A small number do not have dedicated board-level risk committees, and many more have not documented their responsibilities in depth. In general, non-US bank board risk committee charters are not as detailed as US bank board risk committee charters. In particular, oversight authority and provisions for the independence of the risk management function among non-US banks find limited mention compared with US peers’ charters.

Just one of the US banking subsidiaries of foreign institutions in our sample had a publicly available board risk committee charter. The compliance date for the Federal Reserve’s EPS for this group is 2016, a year later than for US banks. Though charters are not explicitly required by regulations, formally codifying board risk oversight responsibilities may help institutions prepare to meet US regulators’ stringent standards. And going beyond compliance, charters can help board risk committees establish and communicate their priorities within their organizations as well as to investors, regulators, and the public.

Research methodology

Board risk committee charter analysis

The Deloitte Center for Financial Services developed a list of 25 criteria applicable to board risk committee charters. These criteria are based on a wide range of regulatory requirements and leading practices9 identified by subject matter specialists, but in particular draw on the requirements of the Federal Reserve’s “Enhanced Prudential Standards for Bank Holding Companies and Foreign Banking Organizations.”10

In conducting our research we obtained the following documents, where publicly available:

  1. Board risk committee charters of US financial holding companies with assets greater than $50 billion as of March 31, 2014, according to the Federal Financial Institutions Examination Council (FFIEC). Savings and loan holding companies were omitted because they are not subject to the same regulatory risk management requirements as bank-affiliated financial holding companies.
  2. Risk and/or hybrid board risk committee charters, or similar documents, where available in English, of all non-US G-SIBs.11
  3. Board risk committee charters of US nonbanks that have been designated systemically important financial institutions (SIFIs) by the Financial Stability Oversight Council.

In total, 48 board risk committee charters were reviewed and assessed using the attributes shown in Appendix A to determine whether or not the charter met each criterion. The assessments were performed from August through September 2014 using the latest, publicly available documentation.

Risk governance and financial performance

The analysis of the relationship between performance and certain board risk governance criteria is based on the board risk committee charter analysis described above using data from SNL Financial.12 All financial data shown are averages of 2013 and first-half 2014 quarterly results, the period that most closely corresponds with the dates of the board risk charters reviewed. The time period used for the analysis is limited by the availability of relevant data; many of the practices that charters document and that are of concern are responses to recent regulations.

Due to lack of data, the performance analysis is limited to US institutions. Four US institutions that are part of our charter analysis, but have substantially different business profiles than the banking institutions in our sample, have also been excluded (for example, BHCs that draw a significant proportion of revenues from their payments operations). The excluded institutions do not bias the results directionally—in fact, they are generally consistent with the effects highlighted.

Why this matters: Connecting risk governance and performance

As regulatory expectations evolve, banks have little choice but to continue improving their board risk governance practices. But getting it right has to be more than a compliance exercise. Leading institutions will aim for higher standards, whether they are required by regulations or not.

The improvements banks make may matter on multiple levels. Managing risk in line with strategic objectives is management’s job, yet board risk committees have a critical role to play through their oversight of management risk-taking, and risk management practices’ alignment with firm goals.

The committee can also make an important contribution to shaping an institution’s broader risk culture—the strength of which is essential for effective enterprise-wide risk management. And, more broadly, improved governance is good business: It may have an impact on business performance.
Our analysis, though pertaining to a relatively short timeframe, supports this intuitive connection. Several board risk governance criteria we analyzed, including the risk expert requirement, show positive relationships with performance (as measured by ROAA, figure 1).13 The same patterns hold for similar measures, such as return on average equity.

Figure 1. Profitability and board risk governance, 2013-1H2014

These relationships extend to other performance metrics as well, if not universally. Notably, nonperforming loan ratios show a similar pattern as ROAA (figure 2).

Figure 2. Loan quality and board risk governance, 2013-1H2014

To be clear: These connections don’t mean that inserting these items in banks’ risk committee charters would lead to improved performance. But considered a sign of the institutions’ overall commitment to risk governance, they indicate that a connection may exist between good risk governance and stronger performance.

Other research lends additional support. A 2012 academic study examining the relationship between risk governance and bank financial performance found that banks in which the chief risk officer (CRO) reported directly to the board exhibited both higher returns on equity and stronger stock returns during the recent economic turmoil, compared with financial institutions where the CRO reported to a management executive.14

Evolving bank board risk committees: Trends and findings

These performance links appear to be reinforced by the continuing evidence of risk management lapses, which have, in turn, increased regulatory pressure. More stringent rules mandate new attention to structure, membership, reporting lines, and independence of bank boards and their risk committees.

In attending to their board risk governance, banks have started with the fundamentals. Items such as the scope of the committee, its governing documents, and the qualifications for membership may seem mundane, but they are fundamental to board risk committees’ effectiveness. Recognizing this, many firms have paid close attention to these building blocks.

Our analysis of bank board risk committee charters confirms this impression of strengthened board risk governance (figure 3). As of 2014, 89 percent of the largest US banks in our assessment had established standalone risk committees (100 percent, if committees combining risk responsibility with related areas like compliance are included) as opposed to 74 percent in 2011 and only 53 percent in 2009. Documentation standards have also taken firm root: All US institutions reviewed have established (and made public) formal board risk committee charters—though currently only one of nine large foreign-owned US banks has done so.

Figure 3. Board risk committee structure and organization

However, some US banks may consider further adjustments to their board risk committees’ governance structures. For example, some banks’ committees combine risk oversight with other areas like audit or compliance, which might give committees greater breadth, but may also limit the time and focus members can devote to core risk issues.

Banks should weigh this trade-off between breadth and depth carefully. As a recent Deloitte Touche Tohmatsu Limited study highlights, “Board workloads have increased, as have those of audit committees, which are often tasked with risk oversight.”15 One solution might be to schedule board risk committee meetings such that board members on other committees may participate when needed, as some institutions already do.

In contrast to the strides made by many US banks, several non-US G-SIBs do not have dedicated board risk committees. As discussed with respect to US bank boards, combining risk responsibilities with audit may hinder committee members’ abilities to oversee both areas. Several other non-US institutions do have independent risk committees, but do not document their operations in publicly disclosed charters or terms of reference, limiting the transparency—and possibly the rigor—of board-level risk governance.

Membership: Room for improvement in expertise and independence requirements

As much as the scope of the committee matters, its composition may matter more. Committee members without the right mix of expertise and experience may be challenged by complex risk measures and regulatory issues.16 Board risk committees without sufficient numbers of independent members may run afoul of regulatory mandates. More importantly, these shortcomings might handicap board risk committees’ ability to offer the perspective needed to avoid potentially costly gaps in oversight.

Looking again to board risk charters for evidence, it appears many US banks have missed the opportunity to document the composition of their risk committees (figure 4). This may be because they have yet to adjust to regulatory mandates and leading practices on membership. Just 39 percent of board risk charters require a committee member to have “experience in identifying, assessing, and managing risk exposures of a large, complex financial firm,” as required by the Federal Reserve’s EPS. But there has been much improvement. In 2011, in the last study we did of board risk committee charters, no banks had this requirement. A smaller percentage of non-US G-SIBs have specifically addressed this issue: Only 15 percent of their charters mention risk expertise.

Figure 4. Board risk committee membership

That said, both US banks and non-US G-SIBs appear to have taken steps to strengthen the independence of the committee. Nearly four in five US firms reviewed have documented a requirement for one or more independent directors on the risk committee, as do 60 percent of non-US G-SIBs. In our 2011 study, just 30 percent of US banks documented requiring an independent director.

Surprisingly, not all US institutions’ board risk charters require the risk committee chair to be independent, another EPS requirement. In fact, just 61 percent of US banks’ board risk charters reviewed do.

Fortunately, in actual practice, US institutions usually meet both regulatory requirements and leading practices regarding independence. All US board risk committees in our sample had an independent chair, and many committees consisted entirely of independent directors.17 Not including these actual practices in the board risk committee charter is a clear missed opportunity to demonstrate commitment to the committee’s independence.

Increased responsibilities and scope of oversight

To respond to their expanded responsibilities, board risk committees have seen an increase in the depth and breadth of their oversight authority. The heft of new requirements and notable performance difficulties have drawn focus to this issue. This is particularly noted in banks’ efforts to meet the “effective challenge” standard expected by US regulators. (In brief, the “effective challenge” standard requires risk management practices to be critically examined by oversight bodies with sufficient competence, power, and incentives to generate change.18)

The impact of increased expectations is gradually becoming visible in board risk charters. One hundred percent of US banks’ board risk committee charters and 75 percent of non-US G-SIBs’ charters now require the board risk committee to oversee policies and procedures establishing risk management governance and risk-control infrastructure (figure 5).

Figure 5. Board risk committee responsibilities

This is also evident in the breadth of risks covered by the committee. Nearly 80 percent of US banks’ board risk charters make committees responsible for oversight of exposure to a set of risk categories including not only credit risk, market risk, and operational risk, but also liquidity risk, reputational risk, and capital management. In 2011, just 63 percent covered this broad set. Clearly, firms have strengthened the board risk committee’s authority. At a minimum, they have documented practices that meet a higher standard.

However, only 57 percent of US banks’ board risk charters place the responsibility to approve the firm’s broad risk management policies with the board risk committee. This fact indicates that the board risk committees in nearly half the firms reviewed may be missing a key oversight mechanism. Still, US firms are significantly further ahead of their non-US counterparts in this respect: Only 10 percent of non-US G-SIBs have such stated approval authority.

Risk oversight also seems to be rather reactive. Only one in five US bank risk committee charters (a) specify that alerts on emerging risks should be provided to the board risk committee and (b) authorize the committee’s oversight of timely and effective remediation by management. Non-US G-SIBs show similarly muted resolution, with only 15 percent of their charters mentioning the communication of emerging risks and oversight of remediation. In other words, this is an area where there appears to be room for improvement.

This comprehensive oversight can give committee members greater understanding of the interplay of risks to which the firm is exposed, while giving them the focus needed to make sure they address emerging issues promptly.

Resources to support board risk committees’ activities

Of course, effective oversight authority and responsibility require adequate support and resources. Here, US banks have made substantial gains, boosting training programs for board members and increasing authority to retain outside experts. Charters indicate that almost all domestic board risk committees have unfettered access to internal and external experts (figure 6). And 71 percent have the option to meet in executive session, either with key officers of the company or without management present. On both these dimensions, US firms score better than they did in 2011, and better than non-US G-SIBs: Only 33 percent of US board risk committee charters provided for executive sessions in 2011 and only five percent of non-US G-SIBs do so currently.

Figure 6. Board risk committee resources and support

Role in promoting independence of the risk management function

Authority and expertise matter little if a firm’s risk culture and risk management functions are weak. While senior executives are responsible for providing for and ensuring the capability of the risk management function, the board should require and support management in its efforts to develop and maintain an independent, well-resourced risk management function. Perhaps more importantly, as the organization’s ultimate risk oversight authority, the board risk committee is responsible for promoting a strong risk culture.

Board risk committee charters indicate that many institutions take this responsibility seriously, but our study finds that US banks may need to make progress before they can sufficiently satisfy regulatory expectations—or at least better document the steps they have already taken. Most board risk charters of domestic banks either directly or indirectly establish management’s responsibility for managing risk and the risk committee’s oversight of this responsibility (figures 7 and 8). However, just above a third explicitly highlight the committee’s role in requiring and fostering the independence of the risk management function.

Figure 7. Board risk committee’s role in protecting independence of CRO and risk management function

Figure 8. Board risk committee reporting lines

Organizational reporting—both in terms of reporting lines and timing of formal reports—is a potential weak link in adequately supporting the risk management function. The board risk charter analysis indicates that establishing norms and safeguarding communication may be challenging banks. Only 36 percent of US firms’ board risk charters explicitly require the CRO to report on risk management to the committee on at least a quarterly basis. Similarly, just 36 percent of board risk charters state that the CRO reports directly to both the risk committee and the bank’s CEO. Both of these are governance expectations of the EPS.

Two other findings further identify places where banks can improve. First, only 32 percent of US banks’ board risk charters have language indicating that the board risk committee actively supports the role of CRO such that the CRO has the independence and authority to fulfill his or her responsibilities. For example, the charter may specify that the board risk committee may review the CRO’s hiring, compensation and incentive structure, and dismissal; may verify his or her freedom of action; and may take similar steps. This is a modest improvement from the 15 percent recorded in 2011, but could be higher and better documented.

Second, only 11 percent of US banks’ board risk committee charters document the ability of the CRO or other risk officers to communicate on an unscheduled basis with the committee. The OCC’s heightened standards require the chief risk executive within each bank to be positioned a level directly below the CEO, and mandate that the chief risk executive have unrestricted access to the board and its committees. As banks make moves to comply or document compliance with these rules, further advances are expected on both counts.

The progress in this area has also been modest for the global banks included in the study. A notable difference relative to their US counterparts was a lack of direct or indirect assignment of risk management responsibility to senior management. That said, one of the few areas global banks scored relatively higher was in the risk management function’s access to the committee via unscheduled interactions.

Role in driving risk awareness and culture

Setting the right “tone at the top” is critical for firms’ efforts to improve risk management. But the lack of board-level documentation supporting the alignment of risk with incentive structures shows a missed opportunity to reinforce this tone. Our board risk committee charter analysis suggests that only 43 percent of US banks have mandated integration of risk management concerns into compensation, a regulatory requirement and one that is essential to strengthening the firm-wide risk culture.

Overcoming challenges in board risk governance

Now that the EPS standards are in effect for US BHCs with total assets above $50 billion, firms should eschew the temptation to just meet the letter of the law and focus instead on implementing leading practices to enhance risk governance standards.

By aiming high, these banks face numerous challenges (figure 9). However, they can overcome these hurdles with a combination of disciplined attention to standards and rigorous assessment of their committees’ performance.

Figure 9. Overcoming implementation challenges

Challenge 1: Enhancing authority

Making sure board risk committees have sufficient authority and objectivity should be a top priority, but setting the right boundaries can be difficult in practice.

“Board education is the biggest challenge.” —CRO of a G-SIB

The analysis of board risk charters, especially those of US banks, suggests that boards have strengthened risk committee powers. However, this authority may need further extension. One such area is the ability to oversee all risk types, including emerging risks such as cyber risk, to enable the committee to develop an integrated and comprehensive view of the firm’s overall risk exposure.

Overcoming the challenge: The risk committee should have, under the purview of the board, responsibility and authority to review and approve risk management policy for all risk types. Liaising with other committees for a better understanding of the firm’s wider activities is helpful, even necessary, but the risk committee should be the ultimate overseer of risk policy.

An important factor in objectivity is the presence of independent directors—the Federal Reserve’s EPS requires the committee chair to be independent, while the OCC’s heightened standards require two independent members. Given the importance of risk governance and the beneficial role of independent members, risk committees should seek more independent directors, and may even consider mandating a majority in their governing documents.

Operational burden on US BHCs of foreign banks

Many large foreign banking organizations operating in the US will need to establish intermediate holding companies (IHCs) over their US banking and non-banking subsidiaries, as part of the new EPS requirements. Essentially, these foreign banks will now need to manage their US operations as if they were standalone US BHCs. To transition to this new structure, foreign banks face a number of difficult tasks. They will likely need to rationalize existing entities, establish new ones, and reallocate or raise new capital to fulfill new requirements.

In particular, many foreign banking organizations will have to create new capabilities to manage risk and capital at the IHC level. The upgrades entailed as these functions are separated from the parent company will need to be designed carefully to meet the complex array of new regulatory and business needs.

Overcoming the challenge: Banks should start early to meet the new compliance requirements. Fortunately, foreign banks can take some advantage of the slightly lengthened schedules (EPS compliance by 2016, for example) to learn leading practices from domestic organizations.

Challenge 2: Building risk expertise

Banks’ risk exposures have grown exceedingly complex, making them steadily more difficult to understand for everyone, including experts. Accordingly, board risk committees need to continuously build the expertise needed to fully understand the nature, extent, and potential impact of the risks that banks face.

Firms have found qualified directors with a financial background and experience in managing the risks of large complex financial firms to be a limited talent pool. Additionally, many current directors may lack the technical knowledge or recent professional experience necessary to interpret quantitative risk data. This may handicap their ability to form an independent view of risk and increases reliance on management’s assessment.

Overcoming the challenge: Committee composition should include at least one or two risk management experts—directors who satisfy regulatory expertise requirements. Other directors should have the requisite background to understand the bank’s operating environment, risk policy, and regulatory expectations.

In addition, these directors should also be educated about the key quantitative parameters that the firm uses to monitor risk and the tolerance limits of those parameters, and the committee should have the authority to retain external risk and industry experts to supplement this knowledge when needed.

Case in point: The board risk charter of ING Group explicitly requires members of the risk committee to have relevant business knowledge and adequate understanding of risk management related to the activities of the company and its group entities.19

Challenge 3: Strengthening risk culture

Strengthened reporting structures and aligned risk and business incentives can help promote a risk-aware environment. Setting the right tone at the top is the single-most-used cliché when referring to board risk governance. However, extending responsibility and awareness of risk throughout the organization is no easy task.

Driving a risk culture can be especially difficult for large organizations due to their inherent complexity. On the other hand, with regulators’ eyes focused on large firms with a view to minimizing systemic risk, many smaller firms have yet to begin taking action to revamp their governance structures.

Overcoming the challenge: Fostering a strong risk culture should be as much of a board risk committee responsibility as that of senior management. Building senior management incentive structures that place a premium on being risk-aware is critical. Otherwise, governance efforts are likely to falter—with potentially serious consequences for performance.

Similarly, CROs and other senior risk personnel should have the flexibility to approach the committee at any time.

Cases in point: The board risk committee charters of HSBC20 and HSBC Bank USA,21 HSBC’s US subsidiary, provide the CRO with direct access to the committee chair at all times.

“The biggest difference between large and small institutions is in embedding risk culture, and the time required to implement it; that is, the ‘tone from the top’ and the level of effort required.” —CRO of a G-SIB

Moving forward

As banks continue to revamp their risk management policies and practices, board-level risk governance should be a priority. Without careful attention to regulatory mandates and leading practices, banks may find themselves unprepared to meet these high expectations. Perhaps more importantly, insufficient attention may lead to negative business consequences. And as the data from our new study illustrate, many institutions have not yet shown sufficient focus.

This paper may help banks consider these crucial next moves. Our criteria and assessments indicate many basic steps toward an increasingly rigorous governance structure. Institutions that have yet to put these standards in place, or fully document them, may wish to use these as a short-term action plan.

In the longer term, however, the benefits may go beyond compliance. As our analysis indicates, some leading risk governance practices may be connected with improved performance outcomes. And in an environment of continuing uncertainty and an elevated degree of regulatory risk, new investments in improved board risk governance may prove farsighted.

Appendix A: Full list of criteria assessed and results by type of institution

| Number | EPS requirement or a leading practice? | Criteria | Large US banks (% “yes”) | Non-US G-SIBs (% “yes”) |
|---|---|---|---|---|
| 1 | EPS requirement/leading practice | Does the bank have an independent risk committee, separate from the audit committee, with sufficient authority, stature, independence, and resources, that reports directly to the board? | 89% | 75% |
| 2 | EPS requirement | Does the board risk committee have a formal, written charter that is approved by the board of directors? | 100% | 50% |
| 3 | Leading practice | Does the board risk committee’s charter require that the committee sanction, approve, and review charters of management risk committees? | 36% | 10% |
| 4 | EPS requirement | Does the risk committee charter require the risk committee to include at least one risk management expert with experience in identifying, assessing, and managing risk exposures of large, complex financial firms? | 39% | 10% |
| 5 | EPS requirement | Does the charter require the risk committee to be chaired by an independent nonexecutive director? | 61% | 25% |
| 6 | Leading practice | Does the charter note the presence of independent directors (nonexecutive director, senior independent director) on the board risk committee? | 79% | 60% |
| 7 | Leading practice | Does the charter note that all members of the committee be independent directors? | 54% | 15% |
| 8 | EPS requirement | Does the charter require the risk committee to oversee policies and procedures establishing risk-management governance, procedures, and risk-control infrastructure for its global operations? | 100% | 75% |
| 9 | Leading practice | Does the charter note that the board risk committee oversees the risk management framework over individual entities as well as the firm? | 7% | 15% |
| 10 | EPS requirement | Does the charter require the risk committee to approve and periodically review the risk-management policies of the BHC's global operations and oversee the operation of the BHC's global risk management framework? | 57% | 10% |
| 11 | EPS requirement/leading practice | Does the charter clarify that the board risk committee oversees senior management’s implementation of risk management strategy? | 86% | 55% |
| 12 | EPS requirement | Does the charter require the risk committee to identify and report risks (including emerging risks) and risk management deficiencies, and ensuring effective and timely implementation of actions to address them? | 21% | 15% |
| 13 | EPS requirement | Does the charter establish managerial responsibility for risk management? | 79% | 30% |
| 14 | EPS requirement | Does the charter provide for the independence of the risk management function? | 36% | 10% |
| 15 | EPS requirement | Does the charter require the integration of risk management and associated controls with management goals and its compensation structure for its global operations? | 43% | 35% |
| 16 | Leading practice | Does the charter note that the board risk committee communicates current risk exposures and future risk strategy to the board? | 100% | 75% |
| 17 | EPS requirement | Does the charter require the risk committee to review and approve the contingency funding plan at least annually, and whenever the company materially revises the plan? | 25% | 0% |
| 18 | Leading practice | Does the charter indicate that the board risk committee oversees the current risk exposures and future risk strategy, including strategy for capital and liquidity management, as well as for credit, market, operational, compliance, reputational, and other risks of the bank? | 79% | 40% |
| 19 | EPS requirement | Does the charter require the risk committee to receive and review regular reports on not less than a quarterly basis from the BHC's CRO? | 36% | 0% |
| 20 | Leading practice | Does the charter suggest that the board risk committee receive unscheduled communication from the bank’s risk management function? | 11% | 25% |
| 21 | Leading practice | Does the charter require that the board risk committee receive scheduled communication from the bank's risk management function? | 100% | 55% |
| 22 | EPS requirement | Does the charter state that the CRO reports directly to both the risk committee and CEO of the company? | 36% | 20% |
| 23 | Leading practice | Does the charter indicate that the board risk committee supports the role of CRO such that the CRO has sufficient stature, authority, and seniority within the organization, and is independent from individual business units? | 32% | 5% |
| 24 | Leading practice | Does the charter indicate that the board risk committee holds executive sessions? | 71% | 5% |
| 25 | Leading practice | Does the charter indicate that the board risk committee has access to additional internal and external resources (consultants, internal experts, etc.), without prior approval from management or the board, in fulfilling its duties? | 96% | 40% |

Appendix B: Additional sample characteristics

Figure 10. Institutions represented by country

see endnotes 22 & 23

Appendix C: Relevant regulatory requirements


Deloitte’s governance, risk, and compliance services help clients tackle the broad issues of corporate governance, enterprise risk management, and effective corporate compliance. Our governance and oversight services at the board level encompass improving board effectiveness; setting the right tone to make effective decisions; and assessing and implementing ethics programs, training, change management, antifraud programs, and monitoring and reporting.

Read more about our governance, risk, and compliance services on www.deloitte.com.