The current public controversy notwithstanding, valuable governance lessons arise from JPMorgan Chase’s internal analysis of the highly public 2012 losses in its synthetic credit portfolio; the saga of the so-called “London Whale”. The internal JPMorgan analysis should not be confused with the March 15 report on the “Whale Trades” issued by the Senate Permanent Subcommittee on Investigations.  Neither should its credibility be undermined by the Subcommittee’s critical report.
JPMorgan’s primary findings were contained in an exhaustive report of the trading strategies and management activities that led to these losses, prepared by a management task force.  Additional findings and recommendations were included within a much shorter companion report prepared by the board’s Review Committee. This companion report concentrated on the board’s risk oversight practices.  To a certain extent, the “sizzle” was contained in the lengthier management task force report, with its focus on what happened, why it happened, and who was to blame for it happening. But from a governance perspective, the lessons for corporate America are in the companion report, with its focus on improving the process by which risk information is reported to the board. These governance recommendations are highly relevant today, because the broader fiduciary landscape has been dominated of late by concerns about the quality of board oversight of risk.
Boards are increasingly focused on the effectiveness of the reporting process by which they receive risk and compliance information, in order for them to take appropriate action in a timely manner. The basic expectation is that the board will receive compliance and risk related information fully and promptly, so it can better exercise its oversight responsibility. There is a greater boardroom recognition that when that information reporting process breaks down, bad things can and will happen.
This notwithstanding the historically supportive position of the Delaware courts concerning the board’s oversight of legal compliance and business risk. The Caremark, Stone and in re CitiGroup line of decisions are generally deferential to a board’s determination of how detailed its risk monitoring system should be, and set a very high burden of proof for establishing breach of duty liability.  Indeed, the bar has been set so high that liability for business risk oversight “is possibly the most difficult theory in corporation law upon which a plaintiff might hope to win judgment”.  This may prove hollow comfort to the board when confronted by regulatory or media scrutiny or constituent challenge. Boards are increasingly sensitive to the practical implications of the increasingly ubiquitous “Where was the board?” headline, that is altering the risk sensitivities of governing boards across the spectrum of commerce.
In this case, the JPMorgan management task force review concluded that the credit portfolio risks weren’t presented to the risk policy committee in a timely manner. Because of that delay, the committee wasn’t able to address the issue in its nascent stage and potentially mitigate the risks to the organization. It wasn’t a question of deficient governance, but rather one of deficient reporting. The companion Review Committee report responds proactively, by recommending ways to strengthen the board’s oversight of the risk management function. And in doing so, it provides a highly practical template for other boards, across industry lines, to replicate.
JPMorgan’s recommendations reflect an awareness of the kinds of “real world” risk and compliance reporting challenges found in many organizations, and are presented and categorized in a manner that provides a very practical “checklist” for corporate counsel evaluating improvements in board reporting practices:
- Presentation of Information to the Risk Committee: The focus here is on mechanisms that will better “organize and distill” information that the risk committee requires in order for perform its obligations. Issues that “keep management awake at night” are to be timely shared with, and appropriately evaluated by, the committee. Management should regularly provide the committee with information concerning significant anticipated changes to the underlying business and to the risk profile of that business. Reporting from management should also address compliance with corporate risk management policies, including a periodic evaluation of the independence and capabilities of risk management staffing.
- Roles and Responsibilities of the Risk Committee: Greater clarity is needed in terms of the respective roles of those committees that address business risk (e.g., Audit and Risk Policy) to avoid inefficient overlap and to reduce the potential that certain issues may “fall between the cracks” of committee jurisdiction. This also extends to the quality and frequency of communications between committees with responsibilities for risk oversight.
- Responsibilities of the Members of the Risk Committee: There is a clear recognition that service on audit and risk committees will require a greater individual time commitment. This arises from the increasing demands on these committees, and the increasing complexity of those demands. The expectation is that the heightened level of involvement and commitment of committee members will serve to demonstrate to organization employees the board’s commitment to effective risk and compliance management. There is an indirect suggestion that the qualifications for committee membership must be particularly sterling.
- Reporting Lines, Independence of Risk Management Personnel: There is an endorsement of the need for risk management personnel to be independent (both in fact and in appearance), and to have appropriate compensation and hierarchical positioning so their roles are taken seriously by employees.
- Committee Meetings: An improved information reporting system should make risk/compliance committee meetings more efficient, and allow for a more streamlined agenda. That notwithstanding, the committee should consider the need to increase the frequency and length of individual meetings in order to allow proper consideration of issues presented to the committee.
- External Support to the Committee: The committee should have the ability to retain an outside advisor for assistance to supplement the information and expertise provided by members of the risk management team.
- Communications with Regulators: The committee is encouraged to engage in more frequent informal meetings with regulators as may be appropriate, to discuss corporate risk management topics and concerns of interest to those regulators. In addition, the committee should assure itself that all regulatory reports relating to corporate risk management issues have been promptly and appropriately satisfied.
- Role of the Internal Auditor: The corporate Internal Audit function should be more systematically involved in the risk management function as part of its audits — even to the extent of adding more staff. Particular focus could include the required periodic review and setting of risk limits, the response to limit exceptions, the independence of risk management personnel and the extent of compliance with company risk management policies.
- Role of Compensation Committee: Compensation of senior management should reflect a “robust” evaluation of their adherence to applicable risk and compliance control standards and the support of a “Firm first” culture. Members of the risk policy committee and control persons in both risk and finance should be consulted as part of the process.
With this episode, the JPMorgan board has placed a serious emphasis on the critical connection between information reporting and governance oversight. That process indeed counts, because a failure of process can seriously compromise the effectiveness of governance checks and balances. And that is an always-timely message.
To be sure, its recommendations arise in the context of huge trading losses suffered by one of the world’s largest and most organizationally sophisticated financial institutions. So at one level, the recommendations can be considered specific to the unique facts and circumstances arising from the deeply complex “London Whale” scenario. But these recommendations also arise in the context of allegations of business risk and legal compliance failures that are not unique to JPMorgan or to high finance, but can arise in any corporation, no matter the industry.
So at another, practical level, the JPMorgan recommendations provide a very useful template from which corporate boards in other regulated industries can evaluate the effectiveness of how they receive and process risk and compliance information from staff. The Senate Permanent Subcommittee’s 307 page report understandably focuses on the identification of breakdowns and the assignment of responsibility. And so did, notably, 129 page JPMorgan management task force report. But neither of those reports should detract from the broader governance application of the 18 page report by JPMorgan’s Review Committee. And that’s what makes it compelling reading for corporate counsel.
 Report of JPMorgan Chase & Co. Management Task Force Regarding 2012 CIO Losses (January 16, 2013) http://investor.shareholder.com/jpmorganchase/events-files.cfm
 Report of the Review Committee of the Board of Directors of JPMorgan Chase & Co. Relating to the Board’s Oversight Function with Respect to Risk Management (January 15, 2013), Id.
 In re Caremark International Shareholder Derivative Litigation, 698 A. 2d 959 (Del. Ch. 1996); Stone v. Ritter, 911 A.2d 362 (2006); In re Citigroup Shareholder Derivative Action, 984 A.2d 106 (Del. CH. 2009).
 In re CitiGroup, supra.