Board-level ‘risk committees’ are great, unless they destroy the company

An alarming aspect of the March meltdown that took out Silicon Valley Bank (SVB), Signature Bank, and First Republic Bank is that each had a stand-alone risk committee. We need to know what went wrong because risk committees are now commonly found at “most large companies,” according to a Big Four audit partner I talked to, and are assumed to protect against imprudent governance and management. So what do we know?

Part of the problem with risk committees stems from who sits on them. The Wall Street Journal reported that at Silicon Valley Bank only one risk committee member had experience in risk management. Other members had résumés “far removed from conventional risk management.” One owned a Napa Valley vineyard, another spent a career at a consulting firm, while the chair was a venture investor, the WSJ said.

First Republic’s risk committee was notable because it was the board’s only standing committee with just three members instead of five, according to Clifford Rossi, a business professor at the University of Maryland. And although the risk committee had an outside advisor, “none of the three members have direct banking risk management experience; their backgrounds are in health care, venture capital and academia, though they each are highly accomplished in their respective fields.”


Federal law requires publicly traded U.S. bank holding companies with total consolidated assets of $50 billion or more and some financial firms to establish stand-alone risk committees that report to the full board. From there the practice has spread — voluntarily — not only to smaller banks but to many companies across industries.

With a quick search I found board-level risk committees at Pure Storage, Inc. (data storage and management), La-Z-Boy Incorporated (household furniture), Ocean Biomedical, Inc. (third-party biomedical technologies), ICC Holdings, Inc. (specialty insurance carrier), Getty Images Holdings, Inc. (visual content provider), and Regency Energy Partners LP (natural gas processing), among others.

While it’s hard to know how well or poorly non-bank risk committees are performing, some must have problems like those found at the failed banks, especially gaps in high-level expertise.

Expertise is essential for a nuanced understanding of risk. Prof. Rossi, whom I mentioned above, says “while audit is critically important, the diversity and complexity of risks require a very different set of skills, balanced between quantitative and qualitative.”

Another problem is potential role confusion and duplication. How is the risk committee’s role different from what the audit committee and full board do? For example, some standing committee charters purport to assign shared compliance oversight to both the audit and risk committees. Can that work in practice?

Comments from the Big Four partner I talked to provide some insight about this confusion. “Historically audit committees and risk committees may have been one,” the partner said, “but [because of] the increasing burdens of [audit] committees, the move has been to create separate committees for risk and audit. Risk gets most of the more interesting stuff. And then the risk committee chair summarizes for the audit committee and vice versa.”

That interplay between risk and audit committees is fraught with governance landmines. As a result of Section 301 of the Sarbanes-Oxley Act, companies trading on national exchanges such as the NYSE and Nasdaq must have an audit committee. In contrast, stand-alone risk committees are only mandated for publicly traded banks that meet the $50 billion threshold and some financial firms, per Dodd-Frank. For any other organizations, risk committees are voluntary.

But whenever there’s a board-level risk committee, other directors, including overburdened audit committee members, will likely defer to it and be tempted to rely on it exclusively. Will that cause risk oversight to fall through the cracks? With the failed banks in mind, I’d guess it sometimes happens.

(Meanwhile, liability for oversight of the company’s risk management falls on the full board under Delaware law. So passing the buck to a risk committee won’t work.)

The March bank failures gave risk committees a black eye. But perhaps the black eye will spur others to ask important questions: Are risk committee members qualified for their roles? Is the risk committee intended to supplement or replace other board oversight? And is the risk committee constituted and functioning in a way consistent with any legal limits on its authority and responsibility?
