I am pleased to be here and to have the opportunity to speak about cyber-risks and the boardroom, a topic that is both timely and extremely important. Over just a relatively short period of time, cybersecurity has become a top concern of American companies, financial institutions, law enforcement, and many regulators. I suspect that not too long ago, we would have been hard-pressed to find many individuals who had even heard of cybersecurity, let alone known what it meant. Yet, in the past few years, there can be no doubt that the focus on this issue has dramatically increased.
Posts Tagged ‘Risk committee’
Corporate risk taking and the monitoring of risks have remained front and center in the minds of boards of directors, legislators and the media, fueled by the powerful mix of continuing worldwide financial instability; ever-increasing regulation; anger and resentment at the alleged power of business and financial executives and boards, including particularly as to compensation during a time of economic uncertainty, retrenchment, contraction, and changing dynamics between U.S., European and emerging market economies; and consistent media attention to corporations and economies in crisis. The reputational damage to boards of companies that fail to properly manage risk is a major threat, and Institutional Shareholder Services now includes specific reference to risk oversight as part of its criteria for choosing when to recommend withhold votes in uncontested director elections. This focus on the board’s role in risk management has also led to increased public and governmental scrutiny of compensation arrangements and their relationship to excessive risk taking and has brought added emphasis to the relationship between executive compensation and effective risk management. For the past few years, we have provided an annual overview of risk management and the board of directors. This overview highlights a number of issues that have remained critical over the years and provides an update to reflect emerging and recent developments.
The Federal Reserve has issued a final rule adopting a tiered approach for applying Dodd-Frank enhanced prudential standards to foreign banking organizations (“FBOs”). Under the tiered approach the most burdensome requirements (e.g., the requirement to establish a top-tier U.S. intermediate holding company) will only apply to FBOs with large U.S. operations, whereas fewer requirements will apply to FBOs with limited U.S. footprints.
We have summarized below the Dodd-Frank enhanced prudential standards that will apply to the following FBOs with limited U.S. footprints:
This post describes the final regulations issued by the Federal Reserve Board (the “FRB”) on February 18, 2014, that radically modify the former requirements applicable to foreign banking organizations (“FBOs”) pursuant to the FRB’s Regulation K. The final rules (the “Final Rules”) impose various requirements on large FBOs that previously have been applied to large U.S. domestic bank holding companies and banks under the Dodd-Frank Act. In addition, however, the Final Rules also alter many of the former approaches to the regulation of FBOs in general, including the necessity for many FBOs to form “U.S. intermediate holding companies” for their U.S. operations.
Regardless of the category an FBO falls into, the Final Rules present significant additional compliance burdens.
On February 18, 2014, the Board of Governors of the Federal Reserve System (the “FRB”) approved a final rule (the “Final Rule”) implementing certain of the “enhanced prudential standards” mandated by Section 165 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (the “Dodd-Frank Act” or “Dodd-Frank”). The Final Rule applies the enhanced prudential standards to (i) U.S. bank holding companies (“U.S. BHCs”) with $50 billion (and in some cases, $10 billion) or more in total consolidated assets and (ii) foreign banking organizations (“FBOs”) with (x) a U.S. banking presence, through branches, agencies or depository institution subsidiaries, and (y) depending on the standard, certain designated amounts of assets worldwide, in the United States or in U.S. non-branch assets. The Final Rule’s provisions are the most significant, detailed and prescriptive for the largest U.S. BHCs and the FBOs with the largest U.S. presence—those with $50 billion or more in total consolidated assets and, in the case of FBOs, particularly (and with increasing stringency) for FBOs with combined U.S. assets of $50 billion or more or U.S. non-branch assets of $50 billion or more.
In a Director Note recently published, The Conference Board reviews current corporate practices on risk oversight by members of the board of directors of U.S. public companies. The study is based on findings from a survey of 359 SEC-registered business corporations conducted by The Conference Board in collaboration with NASDAQ OMX and NYSE Euronext. Data are categorized and analyzed according to 22 industry groups (using their Standard Industrial Classification, SIC, codes), seven annual revenue groups (based on data received from manufacturing and nonfinancial services companies) and five asset value groups (based on data reported by financial companies, which tend to use this type of benchmarking).
The publication details where the board assigns risk oversight responsibilities, whether it avails itself of dedicated reporting lines from senior management on risk issues, and the degree to which it adopts a standardized framework on enterprise risk management (ERM). Given the correlation between risk and strategy, data on the frequency and forms of strategic reviews is also presented.
The following are the main findings discussed in the study.
The current public controversy notwithstanding, valuable governance lessons arise from JPMorgan Chase’s internal analysis of the highly public 2012 losses in its synthetic credit portfolio: the saga of the so-called “London Whale.” The internal JPMorgan analysis should not be confused with the March 15 report on the “Whale Trades” issued by the Senate Permanent Subcommittee on Investigations. Neither should its credibility be undermined by the Subcommittee’s critical report.
JPMorgan’s primary findings were contained in an exhaustive report of the trading strategies and management activities that led to these losses, prepared by a management task force. Additional findings and recommendations were included within a much shorter companion report prepared by the board’s Review Committee. This companion report concentrated on the board’s risk oversight practices. To a certain extent, the “sizzle” was contained in the lengthier management task force report, with its focus on what happened, why it happened, and who was to blame for it happening. But from a governance perspective, the lessons for corporate America are in the companion report, with its focus on improving the process by which risk information is reported to the board. These governance recommendations are highly relevant today, because the broader fiduciary landscape has been dominated of late by concerns about the quality of board oversight of risk.
In the paper, It’s (Not) All About the Money: Using Behavioral Economics to Improve Regulation of Risk Management in Financial Institutions, forthcoming in the University of Pennsylvania Journal of Business Law, I focus on the Dodd-Frank Act’s risk management provisions, and specifically the requirement that financial institutions create separate risk committees. The goal of this regulation is to mitigate risks to the financial stability of the US, because despite media attention to financial institutions and great regulatory efforts, including the focus on risk management, little has changed in financial institutions’ business cultures. Indeed, excessive risk-taking by such institutions is still rampant. In the article, I argue that risk-related decision makers do not make decisions about risk-taking in a vacuum, but in an environment where multiple factors, noticed and unnoticed, can influence the decisions. Such factors include cognitive-related biases and group-related biases, and there are tools, which have not yet been analyzed in the literature, that regulators can use to reduce undesired or excessive risk-taking. Indeed, by shaping such environmental factors in which risk-related decisions in financial institutions are made, regulation can help actors make better, less pro-risk-taking, choices. With the goal of reducing excessive risk-taking by financial institutions, this article builds on an emerging focus in behavioral law and economics on prospects for “debiasing” actors through the structure of legal rules. Under this approach, legal policy may reduce biases’ effects and judgment errors by directly addressing them. Doing so will then help the relevant actors either to reduce or to eliminate these effects and errors. Accordingly, the article suggests using behavioral economic-based legal guidelines to supplement the Dodd-Frank Act’s risk committee requirement.
Such legal guidelines would help reduce the degree of biased behavior that risk committees exhibit.
It is generally accepted that the full board has overall responsibility for risk oversight, mirroring the board’s responsibility for overseeing strategy. In deciding how to organize itself to oversee risk and risk management, the question arises as to whether the board should establish a separate risk committee. This article explores that question and provides examples to clarify the role and responsibility of a separate risk committee in situations where the board decides to establish one.
Through the risk oversight process, the board of directors obtains an understanding of the critical risks inherent in the corporate strategy, accesses useful information from internal and external sources about the critical assumptions underlying that strategy, remains alert to organizational dysfunctional behavior that can lead to excessive risk taking, and provides input to executive management regarding critical risk issues on a timely basis. How the board views risk oversight as a process should dictate how it chooses to organize itself for purposes of executing that process. The risk oversight process enables the board and management to develop a mutual understanding regarding the risks the company faces over time as it executes its business model for creating enterprise value. In organizing itself for risk oversight, what are some of the factors for boards to consider and when should boards establish a separate risk committee?