Dr. Cliff Rossi
To develop and maintain a healthy risk culture, banks must not only close the pay gap between CROs and their peers but also appoint more board members with direct risk management experience to their risk committees.
The investigation into Wells Fargo’s community banking sales practices, including the role of risk management and the board in these practices, has many in search of questions of what could be learned to mitigate future breakdowns in the flow of information on emerging risk issues to key decision-makers.
While significant efforts to bolster risk governance practices at the largest commercial banks have been made in the years since the financial crisis, there appear to be major gaps in the expertise of bank board risk committees at the five largest commercial banks in the US in terms of their direct experience in managing risk organizations at financial institutions. Compounding this issue is an apparent lack of parity in pay at most of these banks between the CRO and peer executives.
Establishing value for products and services is central to banking, and, by extension, executive compensation should be a fair indication of the relative importance a bank places on their senior risk executive. Balance between risk and return must be reflected not just in what regulators expect of banks in establishing risk governance but also, more importantly, by the banks’ actions directly.
That type of balance ensures the organization maintains a healthy risk culture. A company that fully embraces a strong risk management culture would have CRO compensation comparable with peer executives and board risk committees over-represented with members who have direct risk management experience.
The five largest banks in the US reported combined assets of approximately $8.8 trillion at the end of 2016, accounting for 54% of all US commercial bank assets. This extraordinary amount of concentration in banking assets, along with the size and complexity of these firms’ balance sheets, should be sufficient motivation for bank boards to require that their risk committees be disproportionately comprised of members with direct risk management experience.
Lamentably, this is certainly not the case at the five largest banks. Indeed, of the 32 total board members that serve on risk committees across these five banks, only two (or the same number of academics and politicians that sit on these boards) have direct CRO experience.
The size of these five risk committees varies from as few as four members to as many as nine at one of the banks. These committees serve as a critical non-management line of defense, if you will, to challenge the three “official” management lines of defense to ensure that all the bases are covered from a risk management perspective. Consequently, the composition of these committees reveals much about the effectiveness of this critical oversight mechanism.
After reviewing each of the bios of the 32 board risk committee members, I used their experience to classify them into one of eight professional categories (as shown in the chart below). In a few cases where significant experience of a member spanned more than one category, that individual was assigned a fraction (e.g., ½) for each group for which he or she had relevant experience.
Nearly 40% of board risk committees at the five largest commercial banks are comprised of non-risk management bankers and ex-regulators, with another third representing non financial corporate executives. This is not surprising in that there is direct and deep experience in financial services represented by these members. However, none of these backgrounds is equivalent to having direct experience in managing risk at a major commercial bank.
There simply is no substitute for having overseen the processes and issues associated with managing risk at a large banking institution. Individuals holding CRO roles at financial institutions know the inner workings of the governance process; the weaknesses in business and risk processes and controls; and the sometimes contentious nature between line risk management, the business and the corporate risk function. That experience would serve risk committees well in asking the hard questions of management about emerging and existing risks, as well as the actions being taken to address them.
Of course, this is not to imply that board members with other backgrounds are unable to pose tough, probing questions. Rather, the point is that direct risk experience matters, because it can significantly elevate a risk committee’s ability to ferret out risk issues that merit board review that may otherwise be difficult to ascertain.
The talent pool might at first glance seem thin for eligible board members with risk management experience; however, over the past 20 years, both the CRO position and the risk management profession have grown substantially. While the focus of this analysis has been on the top five banks, these findings do beg the question of what the composition of the rest of the banking sector looks like.
Turning to CRO compensation for these same five banks, based on a review of their annual disclosures, it is clear that the CRO for two of the banks did not make the cut with respect to the total compensation doled out to the highest paid executives. Moreover, two of the three banks that reported the CRO among their highest paid executives pay the CFO significantly more (57% at one bank and 90% at another) than the CRO. This means, of course, that only one bank paid its CRO more than the CFO.
While it is impossible to draw any broad industry conclusions from this data, two facts are evident at the top five banks: (1) the CRO is, overall, not compensated as well as the CFO; and (2) board risk committees are vastly underrepresented by members having direct bank risk management experience.
If anything, the financial crisis and recent headline-grabbing risk management failures should serve as a reminder that banks must balance risk and return to create long-term shareholder value. Ensuring that risk committees are over-represented by individuals with direct risk experience, and that CROs attain compensation parity with CFOs, will go further to securing effective risk governance at these firms than any regulatory edict.