It’s time for US bank boards to reassess their effectiveness for risk management and regulatory compliance

The Federal Reserve recently released its long-anticipated guidance on board effectiveness for banks (SR 21-3), which codifies an evolving set of regulatory expectations developed over the past five years. Even before this release, banks have faced greater scrutiny of the board’s effectiveness, undergoing exams and receiving feedback including public consent orders. This regulatory scrutiny has often been reactive, emerging when banks have not resolved previously identified issues and remediation timelines have lagged. The release of this guidance suggests that supervisors may begin to look more proactively at the board’s effectiveness even before large-scale or widespread issues emerge.

After briefly summarizing the guidance, this post offers our perspective on the key implications for banks, including changes relative to previous guidance. We conclude with an overview of how boards can respond.

Understanding the regulatory guidance

In 2017, the Federal Reserve requested public comment on a proposal to enhance the effectiveness of boards of directors, seeking to consolidate and clarify over 170 supervisory expectations for the Board described through a multitude of existing SR letters.

The final guidance just published, SR 21-3 (summary), retains the core tenets of the 2017 proposal with a few changes, including updating the applicability threshold to $100 billion or more in assets (from $50 billion), clarifying role differences between boards of directors and senior management, and removing the requirement that banks provide board self-assessment results to examiners.[1]

SR 21-3 identifies key attributes of an effective board, along with details on how boards can fulfill these attributes. Some of these details are prescriptive, while others provide examples of how the guidance may be met. There are five key attributes:[2]

  1. Set clear, aligned, and consistent direction regarding the firm’s strategy and risk appetite. Boards oversee the development of, review, approve, and periodically monitor the firm’s strategy and risk appetite. The board also reviews and approves significant policies and plans, such as the firm’s capital plan.
  2. Direct senior management regarding the board’s information needs. Boards should direct senior management to provide information sufficient to enable the board to make sound decisions. In addition, boards should seek information about the firm and its activities outside of regular board and committee meetings. Directors should take an active role in setting board and committee meeting agendas.
  3. Oversee and hold senior management accountable. Boards should oversee and hold senior management accountable for implementing the firm’s strategy and should oversee and regularly evaluate senior managers’ performance and compensation. The board should also review internal and external complaints to support its evaluation of management effectiveness.
  4. Support the independence and stature of independent risk management and internal audit. Boards, through risk and audit committees, should support the stature and independence of the firm’s functions, including their budgets, staffing, and systems of internal controls.
  5. Maintain a capable board composition and governance structure. Boards should consider whether their composition, governance structure, and practices support the firm’s safety and soundness and the ability to promote compliance with laws and regulations.

Key takeaways from the guidance

Boards and senior management should keep in mind four major implications of SR 21-3: the greater likelihood of the board’s effectiveness being proactively examined, the need for board oversight to be principles-based and appropriate to the firm’s characteristics, the importance of caution when considering any rollbacks of board responsibilities, and the possibility that board members’ mindsets may need to shift.

Greater likelihood of proactive examinations. Supervisors may become more likely to examine the board’s effectiveness proactively. As outlined in the Federal Reserve’s Large Financial Institution (LFI) rating system, assessments of the bank’s governance and controls typically include reviews of senior management’s effectiveness and governance, the bank’s risk management framework and controls, and independence and effectiveness of independent risk management, among other areas.

SR 21-3 is explicitly linked to the LFI framework, indicating that examiners may use the guidance as a key input to their annual LFI assessment of governance and controls, with reviews of board effectiveness becoming more the rule than the exception. In addition, examiners may continue to conduct targeted examinations of the board’s role related to other identified issues. These examinations may include an assessment of the board’s activities and senior management’s engagement of the board to determine the effectiveness of these interactions and the information flow.

Principles-based board oversight commensurate to the bank’s risk profile. The scope and nature of board oversight should remain principles-based and commensurate with the firm’s risk profile, size, and complexity. While the guidance provides specific examples in some areas, the Federal Reserve emphasized that the guidelines are principles-based, and these examples should represent the minimum bar for the board’s oversight, not the totality of the expectations. We have seen examples of where boards may need to be especially thoughtful:

  • Policy reviews and approvals. The guidance references certain policies that boards should approve, such as enterprise-wide risk management policies, but boards, working with senior management, should thoughtfully determine what additional policies, programs, and plans they ought to review and approve.
  • In-depth reviews of senior-management approaches. The guidance notes that boards should, as part of holding senior management accountable, engage in robust inquiry into topics such as drivers, indicators, and trends related to current and emerging risks. Boards should determine what additional topics warrant such in-depth reviews—say, talent or the controls environment—based on long-standing risk issues.
  • Consideration of risk appetite. The guidance notes that the board, as part of considering new lines of business, should take into account the firm’s risk appetite when it evaluates the risk introduced and the associated risk management capabilities to be built. Beyond this, boards should ensure that risk appetite is incorporated into all relevant discussions with senior management, including consideration of M&A or expansions to new geographies.

Caution in reducing board responsibilities. Boards should be careful in rolling back existing practices as a result of the updated guidance. While SR 21-3 in some cases overrides previous guidance for boards, such as removing the expectation that boards “ensure” management is appropriately managing risks (e.g., in SR 96-10), boards should not assume this means they can dramatically reduce their existing responsibilities. At the very least, they should consider the impacts of any potential changes to existing responsibilities, recognizing that the guidance is meant to be broadly applicable, principles-based, and tailored to the specific institution.

Shifts in director mindsets. Effective adherence to the guidance may require a mindset shift for some directors. While the guidance explicitly says it is not intended to replace or conflict with existing legal requirements, there clearly is an expectation of proactivity, and the bank can be held accountable for the board’s inaction. The guidance often refers to the board “directing” senior management to undertake actions, such as providing sufficient reporting, which may be interpreted as an expectation that boards are to provide stronger guidance than in the past. As evidence of this, there should be a demonstrable impact of the board’s direction and challenge of senior management.

Recommended actions for boards and senior management

In light of these updates, we recommend that bank boards quickly identify critical deficiencies, assess their practices relative to the guidance, and plan how to address any gaps identified.

Identify critical gaps. In short order, the board should identify any time-sensitive deficiencies, including lagging remediation and inadequate management of emerging risks, that could have significant impacts on the bank today. Specifically, boards can start by asking themselves these key questions:

  • Has the bank been outside of its risk appetite in the past two quarters? If so, how long did this last? What was our reaction as a board?
  • Has the bank remediated its audit and regulatory findings in a timely manner? If not, how did we respond as a board?
  • When was the last time we reviewed what information and reporting we receive as a board (and board committees)?
  • Have we recently reviewed and approved key policies, such as enterprise-wide risk management policies?
  • How recently did we evaluate the performance and compensation of senior management, including the linkage of the performance-management program to the firm’s strategy and risk appetite?
  • When we evaluate strategic initiatives as a board, do we review full financials and an assessment of risk and risk management capabilities, impacts on the bank’s risk tolerances, required investment in people and technology, and the opportunity cost of these initiatives?

Undertake a self-assessment. After identifying acute issues and putting in place compensating controls, the board should undertake a self-assessment against the guidance. This should be structured along the dimensions of the guidance and include real examples as case studies to assess the effectiveness objectively, in terms of outcomes. For example, the board can determine how it has reviewed and challenged recent emerging risks, such as cyber risk.

Plan how to address gaps. Develop an aggressive but achievable plan to build out any enhancements required to address gaps. The following actions are common:

  • Enhance board reporting, including for level of detail, consistency and clarity of structure, and comprehensiveness. Board reporting may need to be enhanced to include appropriate coverage of emerging risks, such as cyber and climate change, as well as to ensure appropriate cascading of reporting from more granular management reporting up to a synthesized level for the board.
  • Clarify roles and responsibilities between senior management and the board, including interaction models and reporting lines from management committees to board committees.
  • Define the performance management and compensation program to ensure the board has a means of evaluating senior management. Include a feedback mechanism that reflects objective risk outcomes.

For the journey we have described, boards may need support to supplement corporate-secretary functions that may be thinly staffed, particularly if enhancements will be significant or require a longer-term implementation. One way to do this while maintaining the board’s independence is to direct the corporate secretary to build out a larger team with broader capabilities, including program-management expertise.

Along with overseeing the continued risks related to the ongoing pandemic, as well as addressing emerging risks such as cyber risk and climate change, bank boards should prioritize taking a critical look at their own effectiveness. Boards that conduct an honest self-assessment in the coming months will position their institutions for a more thoughtful strategy, better execution, and more effective risk management for years to come.


[1] These guidelines are largely consistent with the Heightened Standards of the Office of the Comptroller of the Currency (OCC) as they pertain to boards of directors, although each set of guidelines may be more prescriptive on certain topics. For example, the OCC’s guidelines require the board to include at least two independent directors, while the FRB’s guidance is silent on this point. Given this, banks should consider all applicable regulatory guidance relevant to themselves.

[2] This summary necessarily excludes the full detail of the guidance, which should be reviewed in detail and assessed at a granular level as part of any gap assessment. In drafting the guidance, the Federal Reserve has likely been particular in its choice of terminology, and we have sought to reflect this specific terminology in our summary.