Risk Management (Formally) Drives into the Boardroom

POV 03.19.2010

This article will be appearing in the April issue of Western Independent Banker Director’s Digest.

Don’t be surprised if you see various rules regarding Board responsibilities, specifically those issued by the Securities and Exchange Commission (SEC) in December 2009, show up in our banking regulations sometime soon. In fact, banks have to comply with requirements similar to several of the SEC requirements already.

What is most telling in this year-end SEC pronouncement is the emphasis on the Board’s role in relation to risk management. It covers three important issues that I deal with every day as a consultant, working with both troubled and sound financial institutions on their risk management programs. These issues are compensation policies and procedures, materiality, and Board-level risk oversight; each is discussed below.

Compensation Policies and Practices

Compensation practice is an area that carries risks along with the reward. The traditional view of compensation is one of paying for performance. If you worked 40 hours last week you would be paid for 40 hours.  For a majority of the employees at the bank this is still true. It is on the sales side, and in particular, the lending area, where there is significant opportunity for payment practices to lead to risky strategies. Unlike selling a house or some other product, a loan impacts a bank well past the closing date.  And it doesn’t take long to drive a bank into trouble with the wrong compensation scheme for lenders. 

A few years ago we were engaged by a bank to conduct a management and board supervision study. The bank was under a regulatory order and the study was one of the requirements of the order. We discovered that just 2 years prior the bank had hired a new chief credit officer (CCO), who quickly brought in a new group of lenders. The new CCO had set up a compensation scheme whereby the lender was paid a quarterly commission based on the production for that quarter. The CCO had created the same scheme for himself.  As a result, the bank experienced significant growth. But this was not quality credit growth because the CCO changed the underwriting standards and put a bunch of poor loans on the books, which began to manifest themselves as the economy deteriorated. In short order, the bank went from being profitable to almost failing. 

What should a good compensation plan contain? The plan should contain, at the least, an adjustment factor for the quality of the loan portfolio managed by the lender (which is a standard approach in community banks). So even though the lender generated x dollars of loans, the commission paid should be adjusted down by the quality of the loans.


Materiality

Materiality is an important concept for risk management in that it helps the bank focus on material events and not get lost in the clutter of losses the bank will experience. As I tell bankers, “Expect to lose money at everything you do”. Keeping watch on what is material enables you to discover the functions that could significantly impair the organization. Bankers can get caught up in the small dollar losses because of our strong accounting tendencies and miss the big exposure.

As an organization grows, it should revisit the concept of materiality and ensure the material loss amount grows with it. One bank I am familiar with grew by 400% yet still had the same (low) amount identified as being material. As a result, key controls tripled and reached a point where they were impeding the organization by raising costs and impacting customer service. 

The Board should consider adopting a definition of materiality as a part of the risk management program, one that explicitly states what the Board should attend to so they don’t take their eyes off the big exposures and losses.

Risk Oversight

Risk oversight is important because it begins to define the Board’s role in the organization. Up until now, the concept of risk management has been emphasized at the Board level, yet, in reality, the Board is not charged with risk management. Management is what the management team is deployed for. If the Board were responsible for managing risk, they would need to spend far more time at the bank than the 10 to 20 percent of time a Board member typically does (this is based on 250 business days a year and assumes the Board member spends between one and two days a month on bank business). Risk management is a full-time job or more in today’s environment.

So what is meant by risk oversight? Risk oversight refers to the Board overseeing the risk process at the bank and ensuring management has built a sound and robust risk management process. To start, the oversight could be in the form of the Audit Committee, and include compliance, loan review and the other functions set up to manage risk. For a small bank, all of these functions may report independently to the Board. As the bank grows, the development of a risk management function becomes important. 


The push is on to make the risk management discipline a separate and distinct function inside your bank. Adopting the right structure, with the right rules and disclosures, enables you, as a Board member, to direct the bank toward long-term profitability and performance. Think of the new SEC rules as a view into the future and aspire to them in your efforts to maintain and sustain a safe and sound organization.