Climbers hanging over the void

How financial services boards can reform committee oversight


Financial services boards have experienced significant change over the past few decades.


In brief

  • Board oversight responsibilities have grown materially in recent years.
  • Committee oversight has become challenging as a result, leading to gaps in coverage, especially for emerging risks.
  • Boards should step back to align oversight.

Financial services boards have experienced significant change over the past few decades. Two decades ago, they had to adapt to changes brought about by the dotcom crash and the implementation of the Sarbanes-Oxley Act. A decade ago, the global financial crisis (GFC) necessitated material enhancements to risk oversight. Five years ago, board oversight extended to conduct and culture. Most recently, due to COVID-19 and climate change, environmental and social matters have come to the fore, as well as calls for more innovation, technological transformation and the delivery of long-term value. In some ways, it feels like waves of board-level revolution, joined together by continuous evolution.

Another mini-revolution is required, but this time from within. The layering of responsibilities and expectations is pushing board governance to its limits. The favored solution – yet another committee – may have almost run its course.

Boards have to step back, catalog what they are and should be doing, redesign their governance process so that it works more effectively and communicate that governance to their stakeholders.

What gets chartered gets done

EY recently reviewed board committee charters of 20 large players in financial services – banks, insurers and asset managers, as well as a few technology providers to the industry. The analysis was revealing:

  • Financial risks, in general, were well covered, especially credit, liquidity, market and interest rate risks. Some specified their review of the financial budget and recovery-and-resolution plans. Perhaps surprisingly, though, few, if any, highlighted committee review of credit, liquidity or capital stress testing.
  • Nonfinancial risks were fairly well covered. Operational risks, such as business continuity, third-party and enterprise data were highlighted in most cases, as were risks associated with technology (e.g., cybersecurity and information security). Compliance-related risks (such as regulatory, financial crimes and internal fraud) were commonly cited, as were legal and reputational risks. Omissions were fairly broad, however, with few or no references to talent, model, external fraud, conduct or fiduciary risks. Environmental risks were nowhere to be seen.
  • From a functional perspective, as one might expect, firms routinely note oversight of internal audit and many cited oversight of the risk group. Some cited overseeing aspects of the businesses, but few mentioned oversight of compliance, finance, tax or legal functions. The associated risks may have been mentioned, but not the oversight of the actual functions, as is done with internal audit – whereby annual plans, budgets, succession planning and other functional elements are routinely discussed by the audit committee.

Some might say that looking at committee charters for signs of oversight is overstating their relevance. Lawyers often promote the less-is-more perspective on such matters, reasoning the more that’s in charters, the more explicit responsibility (and perhaps liability) falls on directors’ shoulders. That may have a modicum of truth.

However, if committees don’t put oversight of specific risks in their charters, isn’t there a danger the risks get cursory or no review? After all, every year, committees evaluate their effectiveness in achieving their objectives in reference to the coverage of roles articulated in their charters. In any case, it could leave doubts in shareholders’ minds that risks are being properly governed, since they only see what responsibilities are in charters.

Pigeonholing oversight is more challenging than ever

In some ways, governance issues of the past were easy to assign. Financial reporting and internal control issues fell to the audit committee. Risk matters to the risk committee. Compensation to the compensation committee. Director selection to the nominations committee.

Over the past decade, the governance of governance has gotten messier.

A growing set of risk matters have become jump balls between committees. The most obvious example is between audit and risk committees – think compliance, ethics, cybersecurity, privacy, data governance and so on. Depending on the angle, any of these issues could fall to one, or both, of these committees.

Even the administration of governance has become more challenging. In the past, the nominating committee – often now renamed the nominating and governance committee (N&GC) – had the sole role overseeing the production of the proxy statement. But as new disclosure requirements were added, other committees have been drawn into the production process – first, in reviewing the Compensation Disclosure & Analysis, then risk oversight, and now environmental, social and governance (ESG).

Beyond broadening committee scope and charters, the standard answer has been to add a new committee. Coming out of the 2008-09 GFC, many financial institutions established risk committees, separate from the audit committee. While there were growing pains – notably how to manage issues that span committees – firms now appreciate the higher quality of risk governance that is in place. More recently, some firms have been chartering separate technology committees, recognizing that, as firms scale up their digital transformation, more detailed committee oversight is required (the decision point here is whether to focus solely on technology risks or the technological change at large).

However, the addition of new committees is no panacea. For one, there’s only so many directors, which constrains options for staffing committees. Secondly, new committees bring governance challenges – the need for joint sessions, cross-committee membership, distribution of more materials to more directors and so on.

Moreover, going forward, chartering a new committee may not address the issue. Take two examples:

ESG oversight

These issues are broad, even more so since COVID-19. Matters related to climate change, employee well-being, social unrest and societal engagement are now very much in the fore and will remain so. Arguably, this is the first time ever that E, S and G are on par with one another and need to be managed simultaneously. Some firms have broadened the scope of the N&GC or established new committees focused on ESG or corporate social responsibility. However, the breadth of issues still means ESG governance spans other committees – the audit committee has to consider disclosures about ESG, especially those linked to financial statements; the risk committee has to consider associated risks (e.g., the impact of climate change on the firm’s risk profile and its assets and liabilities); the compensation committee needs to oversee talent and diversity and inclusion (D&I) matters; and the N&GC has to embed ESG matters into director selection.

Culture oversight

Historically, directors focused attention on “tone at the top” – it was very much a board-level issue, but the audit committee paid attention to whistleblower matters. After the GFC, the focus extended to tone in the middle or tone at the bottom, and even what some called “bounce from the bottom” (i.e., the degree to which issues get properly escalated up through the organization). A distinct term, “risk culture,” joined the nomenclature.

As the definition of culture expanded, the risk committee took on a more prominent role with culture. As COVID-19 has shown, the compensation committee now has a more prominent role to play in evaluating if corporate culture remains strong, especially if firms make work from home a fixed part of their operating models. The full board is asking how does our culture promote collaboration, innovation and long-term growth? Thus, culture oversight has spread across the board and its committees.

Unchart(er)ed territory: redraw the lines of governance, don’t just paper over the cracks

There is a growing crescendo of calls to come out of the COVID-10 crisis not simply with a “new norm,” but rather with a better, smart future. In our view, this extends to board governance.

An evolution refers to gradual change over time, while revolution refers to fundamental change in a short period of time. Financial institution board governance needs something in between. The overall structure of the board and its committees is well engrained: audit, risk, compensation and governance committees are viewed as baseline requirements. Investors expect them. There is no need to change the basics.

The emergence of new committees seems positive. These highlight the board’s deeper focus on long-term value drivers, such as technology and ESG.

The thing that needs to change is the governance of governance, and in short order.

Boards would gain by stepping back to articulate a comprehensive set of issues that require board and/or committee oversight. This articulation should be fairly broad – not simply what is overseen today (in charters or not), but with a view to what issues may need to be added to the list in coming years. Obvious gaps likely relate to technology, major organizational change and disruption, culture, ESG and human capital. As noted above, there may also be specific risks falling off the oversight agenda.

With the list in hand, the board – led by the lead director and committee chairs – should rethink how matters are allocated to the full board and/or one or several of its committees. Where issues span committees, boards should be more precise about which aspects of governance fall to which committee.

After considering the allocation of responsibilities, boards should consider the implications: which executives align or support which committees? What changes are required to the breadth and quality of reporting to the full board and each committee? What changes in the practice of governance are required (e.g., reassignment of directors, cross-membership, use of joint sessions, enhancements to director education)? Making necessary changes will bring life to the revised governance framework.

And, yes, committee charters should be updated.

Summary

Financial services board responsibilities have grown significantly over the past decade, but board committees have struggled to keep pace in adapting. Emerging risks are being woven in, but often not without the broader context of effective board and committee oversight. It is time for boards to step back and properly articulate their oversight responsibilities, now and beyond, and to adapt what committees oversee which issues, going forward, and how committees work effectively with each other and with management.



About this article