Top 10 op risks: board overstretch

The burden of post-crisis regulatory change has fallen most heavily – and rightly so – on boards of directors. Even in 2009, the US Securities and Exchange Commission was already taking a critical look at bank boards, many of which had proved themselves completely inadequate when faced with the credit crisis – encouraging banks to disclose their directors' qualifications in response to the appointment of unqualified 'celebrity' directors such as Thomas Franks, commander of the catastrophically flawed US invasion of Iraq.

Over the next four years, little happened to allay suspicions that many bank directors were simply out of their depth. The failure of risk management that led to JP Morgan's $6 billion loss in 2012 – the London Whale incident – happened under the aegis of a three-person risk committee, consisting of the president of the American Museum of Natural History, the chief executive of aerospace manufacturer Honeywell, and James Crown, president of investment manager Henry Crown & Company (whose five-year experience of banking ended in 1985).

Gaps in risk expertise at board level were being blamed as a key cause of the crisis almost as soon as it happened – with, it seemed, good reason. And ambitious growth plans may also push directors beyond their limits – as happened at the UK's Co-operative Bank, the Treasury Select Committee heard in October 2013. The Co-op took on a merger with the Britannia building society and was planning an acquisition of Lloyds retail branches when financial problems forced it to retrench.

As cases of board members falling short of the mark have multiplied, the pressures on the board have also increased. David Green, director of the UK Serious Fraud Office, has made no secret of his desire for revised fraud law to make it easier to follow fraud cases up the ladder. "It's funny how the email trail dries up" at board level, he told an audience in June 2013.

The G-30 group of former senior supervisors has told boards to pay more attention to risk culture and liaison with regulators. The UK Financial Conduct Authority blamed "inadequate challenge from senior management" for shortfalls in anti-money-laundering at major UK asset managers in October 2013. And elsewhere, from new anti-bribery standards from the UK national standards body, BSI, to improved protections for whistleblowers and disclosure of beneficial ownership, the breadth of bank boards' responsibilities is wider than ever.

Increasingly, regulators are following the approach expressed in the new BSI anti-bribery standard, described by the BSI's product manager, Suzanne Fribbins. "It's up to the board to take leadership, and say that they take responsibility that there is no bribery taking place – there's definitely a focus on top management."

Board members in the post-crisis bank have three main responsibilities: under laws such as the US Dodd-Frank Act, they are responsible to a much greater degree for overseeing day-to-day operations, compliance and risk management. They also face pressure to take on much more detailed oversight of risk management, including risk models (an area in which many US boards have been failing), capital decisions, determining risk appetite and risk-reporting requirements.

Finally, regulators are now also looking to boards for close supervision of senior management, the chief executive and chief risk officer in particular, which will involve seeking information from sources at all levels rather than relying on senior management alone. Boards of directors are increasingly responsible for justifying risk management and capital decisions to sceptical regulators. And, as well as looking down to the bank's operations and out to the regulators, they will also be required to watch each other – recruitment of new directors and the membership of the compensation, risk and audit committees are all now under closer scrutiny.

Putting together a board of directors now requires much more attention to the skills and experience of specific members – which will narrow the pool of eligible candidates. Independence rules, especially for the risk and audit committees, narrow the pool of available candidates further, to the point where several European banks have complained since the crisis of having difficulty filling these vital positions.

The penalties for failure are also much greater. Clawback arrangements are to come into force more widely, for directors as well as senior management, in the US under the Dodd-Frank Act. The UK Treasury has announced that directors of failed banks should be assumed to be unsuitable to fill the same role at other banks – and that a new criminal offence of serious misconduct should be introduced, aimed at directors and executives who are culpably negligent or incompetent.

The US Federal Deposit Insurance Corporation has also been stepping up the number of personal liability lawsuits it files against the directors of failed banks – another alarming trend for board members, especially in the context of the haziness, and variation from jurisdiction to jurisdiction, on what the limits of personal liability and the definition of a director's "duty of care" actually are.

Our previous Top 10 Operational Risks for 2014...

Index rigging
Back to introduction