
Risk Oversight & Your Bank’s Board
By Charles J Thayer
Originally prepared for the Western Independent Bankers

Is your board prepared to discuss risk oversight with your bank’s regulators in your next exit meeting? What will bank regulators expect your board to be doing in your role of risk oversight?

These questions do not have concise answers today. Regulatory guidelines are evolving and focused on Systemically Important Institutions. However, experience has taught community bank directors that regulatory expectations for large financial institutions tend to trickle down.

On July 17 the Financial Stability Board (FSB) published Principles for an Effective Risk Appetite Framework (RAF). The FSB Principles “set out key elements for: (i) an effective risk appetite framework, (ii) an effective risk appetite statement, (iii) risk limits, and (iv) define the roles and responsibilities of the board of directors and senior management.”

The FSB document is available at:

Definitions often differ across regulatory jurisdictions, and the FSB Principles aim to establish common nomenclature to “help facilitate a common understanding between regulators and (banks).”

Risk Appetite Framework (RAF)

The FSB indicates that an appropriate RAF should define your bank’s risk capacity, risk appetite, risk limits, and risk profile.

Some examples: (1) your bank’s legal lending limit might be $20 million but your internal policy limit is $10 million, (2) regulatory guidelines for loan concentrations may exceed your internal limitations, and/or (3) your board may have established bond portfolio duration limitations to limit interest rate risk. All such policy limits must be considered as a whole to understand your bank’s existing risk profile.

Risk Committee?

FSB Principles do not prescribe how your board should provide oversight of bank strategy, your business plan, and the models and systems to measure and aggregate risks.

Many banks have established board risk committees. I believe the role for such committees must be carefully integrated with the role of the full board and other committees such as audit. The overlay of a new risk committee within your existing board and committee structure may be counterproductive.

The American Association of Bank Directors (AABD) recommends that board members NOT approve individual loans (except Reg. O). Board members should focus on such issues as credit policy, loan concentrations, interest rate risk, operational risk, compliance risk and regulatory risk. The work related to credit and interest rate risk oversight is an appropriate assignment for a board risk committee and provides an opportunity to replace existing board committees such as loan and investment.

The distinction of duties between the Risk Committee and the Audit Committee can be described as follows:

  • The Risk Committee’s job is to focus on setting and monitoring policies and limits outlined by the FSB Principles – looking out the windshield and providing guidance to keep your bank out of the ditch.
  • The job of the Audit Committee is to ensure that management is in compliance with external regulatory requirements and is operating within the policies and limits established by the Risk Committee. Audit Committees are already overburdened, and a Risk Committee is complementary to, not an overlap with, Audit Committee responsibilities. Some degree of shared committee membership may help avoid overlap and prevent gaps.

Many specialized consulting firms are in the process of broadening their services to include enterprise risk management (ERM). When seeking outside guidance, it is important for your new risk committee to maintain perspective and not just adopt a ‘cookie-cutter’ ERM program designed to enhance fee income for a consulting firm.

FSB Principles list twelve responsibilities for the board of directors, which may be assigned to your risk committee. These responsibilities include:

  • Approve the firm’s RAF, developed in collaboration with the CEO, CRO and CFO.
  • Hold the CEO and other senior management accountable for the integrity of the RAF.
  • Regularly review and monitor actual versus approved risk limits.
  • Obtain an independent assessment (through internal assessors, third parties or both) of the design and effectiveness of the RAF.

Over time, I expect these responsibilities to become part of all regulatory exams, including those of community banks. They represent best practice today, and I recommend they be reviewed and incorporated by your board in advance of regulatory requirements.

Charles J Thayer is Chairman of Chartwell Capital Ltd. He serves as a bank director and is Chairman Emeritus of the American Association of Bank Directors. He is the author of “It Is What It Is”, the book describing the recapitalization of AmericanWest Bank. He can be reached at [email protected]