I. Introduction
Following the Global Financial Crisis (GFC), Congress established a commission to investigate its causes. The commission concluded that “dramatic failures of corporate governance and risk management at many systemically important financial institutions were a key cause of the crisis” (National Commission on the Causes of the Financial and Economic Crisis in the United States (2011)). In response to the GFC, Congress enacted the Dodd–Frank Wall Street Reform and Consumer Protection Act (DFA) in July 2010. As one commentator observed: “Based on the presumption that risk management and risk mitigation concerns are best addressed through corporate governance reforms, the Dodd–Frank Act enhances oversight obligations through corporate governance mechanisms” (Johnson (2011)). A major governance provision of the DFA requires bank holding companies (BHCs) with more than $10 billion in assets to establish a board risk committee.[Footnote 1] Legislators appear to have concluded that board risk committees would prevent “excessive” risk-taking, which many viewed as a central contributor to the GFC.
To the best of our knowledge, at the time the DFA was enacted, there was neither empirical evidence nor financial economic theory demonstrating that mandating a board risk committee would create value for bank shareholders or enhance financial system stability. We develop an analytical framework to identify the conditions under which a bank board finds it optimal to establish a risk committee and derive testable predictions. Furthermore, we examine whether the relation between bank risk and performance outcomes and the existence of a board risk committee depends on whether the committee was adopted voluntarily or in response to the DFA mandate. Finally, to better understand the role of risk committees, we draw on interviews with the board risk committee chairs of 14 banks.
Risk-taking is a core banking activity. Consequently, a shareholder-oriented board should devote substantial attention to monitoring a bank’s risk-taking behavior. Effective oversight requires reliable risk metrics. While audit committees help ensure the reliability of accounting metrics, such metrics are insufficient for assessing risk-taking in complex banks. For banks primarily engaged in traditional lending, the contribution of loans to shareholder value can often be evaluated using standard accounting measures that do not require specialized expertise.
However, monitoring risk generally requires nonaccounting risk metrics for more complex bank activities. Evaluating the reliability of these metrics, the processes that generate them, and management’s adherence to board-established risk targets is time-consuming and complex when such metrics are used extensively. When complexity exceeds a threshold, it is more efficient for directors with specialized expertise to conduct this work outside plenary board meetings through a dedicated committee. However, banks whose boards possess greater financial expertise may be better equipped to conduct this monitoring at the full board level, making them less likely to establish a separate risk committee. Consistent with this reasoning, we find that the likelihood of a bank having a board risk committee is negatively related to board financial expertise (as measured by Minton, Taillard, and Williamson (2014)) prior to the DFA. We also find that larger banks with more complex activities were more likely to have a risk committee prior to the DFA. Conversely, when risk evaluation relies primarily on accounting metrics, a board risk committee is unlikely to be productive, as these metrics can be adequately monitored by the audit committee, rendering the risk committee partially duplicative.
Establishing a board risk committee entails both costs and benefits when boards seek to maximize shareholder wealth. Among these costs is the potential disengagement from risk issues of directors who are not on the committee. Accordingly, we expect banks to establish a board risk committee when strong oversight of risk management is particularly valuable, namely, when banks lack substantial regulatory or economic capital buffers. Consistent with this prediction, we find that banks with higher Tier 1 capital and market-to-book ratios are less likely to establish a board risk committee prior to the DFA.
Boards and managers may not always be perfectly aligned with shareholder wealth maximization, in which case the above predictions may not hold. Agency conflicts may lead to situations in which a risk committee would be valuable to shareholders but is not established. For example, entrenched management may prefer to avoid the enhanced oversight associated with a board risk committee. Using the measure of board co-option proposed by Coles, Daniel, and Naveen (2014), we find limited evidence that banks with more co-opted directors on their boards are less likely to have a board risk committee prior to the DFA. Entrenchment may also result in the establishment of a risk committee that does not challenge management meaningfully. However, our interview evidence suggests that the risk committees led by our interviewees are not rubber-stamping.
Next, we examine whether banks with board risk committees differ in risk and performance from those without. Theory does not imply that establishing a board risk committee necessarily reduces bank risk. A risk committee can function effectively by ensuring that appropriate systems, controls, and policies are in place without leading to a decline in the observed risk. Indeed, a bank may rationally choose to take more risk after establishing a risk committee if it is more confident in its ability to manage that risk. Moreover, banks can experience large losses even when their risk management systems operate as intended. Instead, we expect that a board risk committee reduces the likelihood that a bank undertakes excessive risk, defined as risk for which the bank is not adequately compensated. To capture this concept, we use the Sharpe ratio to measure shareholder returns relative to risk. If a bank engaged in excessive risk-taking prior to establishing a risk committee, this ratio should increase following its establishment.
We find no evidence that banks with risk committees experienced better risk or performance outcomes during the GFC than those without. Specifically, these banks do not exhibit lower equity volatility, milder stock return tail risk, higher return on equity (ROE), higher stock returns, fewer impaired assets, or higher Sharpe ratios than other banks. However, they exhibit a lower return on assets (ROA). We then examine how risk and performance differ between banks that voluntarily established a risk committee and those that did so only in response to the DFA, using our full sample period (2003–2018). For banks required to establish a committee, we again find no evidence of reduced risk following the adoption. In contrast, banks that voluntarily establish risk committees exhibit lower tail risk but higher equity volatility. Lastly, banks that voluntarily established a risk committee with greater risk expertise experience fewer impaired assets and higher Sharpe ratios, consistent with our expectation that board risk committees reduce the likelihood that a bank undertakes excessive risk.
Regardless of whether overall risk increases or decreases following the creation of a risk committee, we expect such committees to play an active monitoring and advising role. To assess whether risk committees function as active monitors or merely serve a symbolic purpose, we analyze unique interview data. We conducted 14 interviews with chairs of bank board risk committees, each lasting more than 1 hour. Our findings indicate that risk committees generally engage in active monitoring and advising as expected from the shareholder wealth maximization framework. However, their effectiveness is constrained by the regulatory burden imposed by post-GFC regulatory changes and requirements (such as stress tests, the Volcker Rule, new capital requirements, and DFA requirements concerning risk management), which limit the time available for these activities. The interviews reveal that regulatory compliance is highly time-consuming and substantially shapes committee agendas.
Our interview data help us gain valuable insights into how board risk committees function, which could not be gained using standard data sets. The 14 banks in our interview sample vary substantially in size, and the interviews clearly indicate that committee workload increases with bank size. At large institutions, risk committees address issues that cannot feasibly receive adequate attention in plenary board meetings. Interviewees consistently emphasize the importance of direct access to senior risk management personnel and the development of strong working relationships with them, which facilitates information flow and is inconsistent with a purely symbolic role. Several interviewees also stress the importance of subject-specific expertise tailored to the bank’s risk profile. In many cases, risk committee chairs directly interact with supervisors and regulators. Our LLM-based analysis of interview transcripts corroborates these findings.
Our study contributes to several strands of literature. First, we contribute to the corporate governance literature, particularly in the context of bank governance. While there is extensive literature on corporate boards, it offers limited guidance on optimal board organization (Adams, Ragunathan, and Tumarkin (2021)). Existing work focuses primarily on board composition, leadership, and size (see Adams (2017), Banerjee, Nordqvist, and Hellerstedt (2020), Carcello, Hermanson, and Ye (2011), and Khatib, Abdullah, Elamer, and Abueid (2020)). Theoretical studies suggest that under certain conditions, friendly or rubber-stamping boards may benefit shareholders (Adams and Ferreira (2007), Fluck and Khanna (2008)). However, empirical evidence indicates that granting formal authority to board committees can impair board communication and firm performance (Adams et al. (2021), Faleye, Hoitash, and Hoitash (2011)). Although the bank governance literature is extensive (see de Haan and Vlahu (2016)), it does not establish when a bank benefits from a board risk committee or predict its effect on risk-taking. Our study helps fill this gap.
We also contribute to the literature on bank risk management and the board’s role in it. Prior studies examine the relation between board risk committees and bank outcomes during the GFC or assess the impact of the DFA mandate. Early studies find no evidence that banks with risk committees achieved better stock performance during the GFC (Aebi, Sabato, and Schmid (2012), Minton et al. (2014)). Ellul and Yerramilli (2013) find that a higher risk management index, indicating a stronger and more independent risk management function, is associated with lower tail risk and fewer nonperforming loans, as well as higher ROA and stock returns. Hines and Peters (2015) attribute inconclusive findings to the symbolic role of risk committees, while Iselin (2020) documents changes in Tier 1 capital ratios around the GFC.
Our study differs from the existing literature by developing and empirically testing a framework that explains when banks choose to establish a board risk committee and when such committees create value. We show that not all banks benefit from having a risk committee, identify the conditions under which one is optimal, and provide evidence that committees perform the roles predicted by our framework. The DFA mandate forced some banks to adopt risk committees that they had previously chosen not to establish. While Balasubramanyan, Daniel, Haubrich, and Naveen (2024) show that this mandate did not causally reduce bank risk, our analysis complements theirs by explaining why some banks voluntarily adopted risk committees and why outcomes differ between voluntary and mandated adopters.[Footnote 2] Finally, unlike all prior studies, we provide direct evidence on the activities of board risk committees through interviews with committee chairs.
The remainder of this article is organized as follows: Section II presents our framework and develops testable hypotheses. Section III reports the empirical tests of these hypotheses. Section IV examines bank risk and performance before and after the DFA. Section V analyzes the interview evidence. Section VI concludes.
II. Why Do Banks Have Risk Committees?
In this section, we present a framework for formulating hypotheses about why some bank boards voluntarily establish a board risk committee while others do not. We first consider the board’s decision when it maximizes shareholder wealth and is well-informed. We call the resulting explanation for boards choosing to have a risk committee the shareholder wealth maximization hypothesis. We then consider the complications that arise when the board is entrenched, rubber-stamps, or is not well-informed. This framework enables us to evaluate the consequences of forcing banks to establish a board risk committee.
A. When Does a Board Risk Committee Help Increase Shareholder Wealth?
Adams et al. (2021) examine an extremely large sample of public firms from 1996 to 2010 and find that boards have an average of three to four committees. Boards of public firms typically establish audit, compensation, corporate governance, and nominating committees. Sometimes boards of public firms have additional committees, but if they do, they have few of them. For instance, the board of directors of Microsoft has an environmental, social, and public policy committee. Microsoft’s board does not have a committee focused on its cloud operations or Windows, although the profits generated from these activities are worth hundreds of billions of dollars. JPMorgan Chase’s board has committees similar to those of Microsoft’s, but it also has a risk committee. JPMorgan Chase does not have a committee for its asset management or customer finance divisions.
There are at least four reasons why firms do not have more standing committees and why they do not have standing committees charged with responsibilities related to their operating divisions. First, firms are run by management, and the board’s role is not to second-guess day-to-day operating decisions. If Microsoft’s board had a committee monitoring its cloud activities, the committee might find it difficult to avoid interfering with management and could make it harder for the firm to pursue its overall strategy. Second, board members have fiduciary duties, including a duty of care that requires them to be informed about and responsible for the board’s decisions rather than delegating them to others. As a result, issues debated in a committee must still be considered by the full board, which necessarily limits the range of issues that can be handled by a committee. Third, board members have limited time. If directors devote attention to one issue, they necessarily have less time for others. Moreover, requiring directors to spend more time on board matters makes it more difficult to attract members with diverse skills and experience, potentially reducing board effectiveness. Fourth, committees can reduce board engagement and hinder communication among directors (Adams et al. (2021)). Effective communication is critical for board functioning (Malenko (2014)). Committees may form cliques that reduce information sharing, encourage block voting, and allow members to withhold information from the full board.
Committees are especially useful for specialized tasks that the full board is unequipped to handle and/or would find inefficient to address in a plenary session. For example, the audit committee oversees a company’s financial reporting processes, internal controls over financial reporting, and financial statement audits (SEC (2003)). The board cannot fulfill its responsibilities if it cannot rely on a firm’s financial statements. However, the board can delegate much of the work to ensure that the process of producing financial statements is reliable. The audit committee can then report its efforts to the board, and the full board does not need to be familiar with the technical accounting details.
A risk committee can perform specialized tasks similar to those of an audit committee. Just as accounting generates metrics used to assess firm performance, risk management generates risk metrics essential for evaluating firm risk and whether management is pursuing a commonly agreed-upon strategy. To assess whether a bank’s risk-taking is consistent with its business model and strategy, the board must rely on management’s representations of risk, typically conveyed through risk metrics. A board committee can ensure that the data and risk representations are reliable. Therefore, an individual board member does not have to know the details required by a committee to be comfortable with the data and risk representations.
Every board relies on metrics produced by a firm’s accounting process. For example, accounting data inform the board about a bank’s leverage, asset composition, and loan performance. Banks that primarily lend to small firms and individuals generate metrics such as loan losses and internal loan ratings. Because these metrics can typically be evaluated through the audit process, a risk committee is not necessary to ensure their reliability for the board.
Large and complex banks are in a different situation. Forward-looking risk metrics are essential for them to manage risk and for the board to evaluate management’s risk-taking. For instance, a bank that makes markets in derivatives relies on more complex risk metrics to understand the risks of such activities. Another example is the ubiquitous value-at-risk (VaR) measure, which represents the maximum loss for a given confidence level (Jorion (2007)). The accounting function does not produce such metrics. Further, there is no standardized rulebook, like GAAP, for producing such risk metrics. For risk metrics to be helpful to management and the board, they must be reliable across the bank according to similar rules; thus, a centralized risk function is generally required. The usefulness of the metrics depends, in part, on the quality of the risk management function; therefore, the board must monitor it. Furthermore, assessing the risk for certain banks requires evaluating risks that are difficult to quantify. For instance, the risk of two otherwise identical banks might be quite different if risk limits are monitored differently and compliance with those limits varies. Similarly, the assessment of risk metrics might differ across banks with different cultures. In addition, for a complex bank, monitoring risk metrics and risk management functions is time-consuming and requires expertise. Finally, having the audit committee perform these tasks may reduce its effectiveness in fulfilling its traditional responsibilities.[Footnote 3]
Therefore, a board risk committee is helpful for large and complex banks focused on shareholder wealth maximization. It must ensure that the metrics are reliable and consistent with the firm’s strategy. The committee must be confident that the risk metrics cover all risks material to the bank. It must ensure that processes exist to produce the metrics and that the bank stays within the established limits for the metrics. When relevant metrics are produced as part of the accounting process, a risk committee is not necessary. In other words, simple banks do not need a risk committee. As a bank increases in size and complexity, we expect the establishment of a risk committee to maximize shareholder wealth.
With both audit and risk committees, there is no concern about usurping the functions of management, since the board cannot perform its functions without relying on the metrics these committees focus on. If management resists deeper probing of these metrics, it may signal to the board that the metrics are unreliable. These committees are expected to probe because management may have incentives to withhold information from the board.
Bank boards set policies regarding risk-taking. In recent years, the policy for large banks has been formulated through risk appetite statements (International Institute of Finance (2011)). These statements define the level of risk that the board considers appropriate for a bank. With a more traditional bank, it is typically straightforward to ensure that management’s risk-taking is within the limits prescribed by the board. However, with more complex and larger institutions, bank-wide metrics can hide risk-taking, which could be inconsistent with the board’s risk appetite for the bank. Therefore, to ensure that the board has an unbiased and accurate assessment of a bank’s risk, the board or a risk committee must probe deeper to ensure that risk is monitored adequately and that risk metrics capture excessive risk-taking.
Given its business model, a bank’s optimal risk level maximizes shareholder wealth within regulatory and legal constraints (Stulz (2016)). The board plays a key role in setting the target risk level and ensuring that the bank’s risk does not deviate from it. Suppose that a bank’s board has been operating without a risk committee. Perhaps the functions of the risk committee were performed either by the audit committee, as the relevant metrics were primarily accounting-based, or by the full board. As the bank becomes larger and more complex, the board concludes that a risk committee is needed. With greater confidence in risk metrics and the process that produces them due to the presence of a risk committee, the board may become more comfortable with the bank taking additional risks within regulatory and legal constraints.
Finally, we expect banks to be more likely to adopt risk committees if mismanaging risk is particularly costly. Banks with larger equity cushions may be less likely to establish a board risk committee if the cushion substitutes for risk management investments.
B. Why Would a Bank Board Not Have an Effective Risk Committee?
As discussed in Section II.A, a board may rationally choose not to have a risk committee because it would not maximize shareholder wealth. Other factors may discourage its establishment or effectiveness. It is well known that boards can fail to do their jobs (Jensen (1993)). One reason is that entrenched management unduly influences the board. If the CEO is entrenched, she may prefer that the board not have a risk committee, as the committee may constrain her actions. We refer to this perspective as the entrenchment hypothesis. However, if the CEO is entrenched and has co-opted the board, the risk committee would likely be co-opted as well and may not pose a threat to management. In this case, the committee’s role would be merely window-dressing. Hence, if management is entrenched, the bank may lack a risk committee or have an intentionally ineffective one.
A risk committee could be ineffective because the board rubber-stamps management decisions (Fluck and Khanna (2008)). Such a board does not gather information independently and simply approves management’s proposals. Similarly, a rubber-stamping risk committee simply endorses management’s recommendations instead of independently assessing risks and making informed decisions regarding them. This behavior often stems from the board’s lack of incentives to collect information or effectively monitor management. Consequently, a rubber-stamping risk committee provides no greater benefit to the bank than having no risk committee. The predictions of the entrenched management hypothesis are similar to those of the rubber-stamping hypothesis: in both cases, management faces no effective risk committee oversight. However, Fluck and Khanna (2008) argue that shareholders may benefit when the board does not collect information because the board’s inaction may prompt management to share more information. Hence, ultimately, monitoring may be more effective because the board receives more information, assuming that it uses that information. Alternatively, a board that frequently aligns with management can be considered friendly. Shareholders may benefit from a friendly board to the extent that management will be more willing to seek help and advice from it (Adams and Ferreira (2007)). Evidence that a risk committee independently seeks information suggests that it is not merely a rubber-stamping entity.
The board may lack information and may not know that a risk committee could benefit shareholders. In this case, a board may eventually introduce a risk committee as it learns about its value. A board that experiences more risk issues, such as unforeseen adverse developments or outcomes that endanger the bank, would be more likely to introduce a risk committee. We refer to this perspective as the learning hypothesis. Based on this hypothesis, banks with more adverse risk experiences should be more likely to adopt a risk committee.
Institutional investors generally exert greater influence than individual retail investors and often use this influence to encourage management actions that enhance shareholder wealth.[Footnote 4] Hence, banks with higher institutional ownership should be better informed about the benefits of a board risk committee.
C. Impact of a Mandated Risk Committee
Suppose that a board without a risk committee is required by law to establish one. Adding a committee could hinder shareholder value if the board had previously decided against one because it believed that it would not enhance value. In this case, the board might prefer a passive risk committee so that its addition would make no difference. However, because various risk committee tasks are mandated by the DFA and regulators monitor the risk committee (for instance, by reviewing the minutes of committee meetings), there are limits to how passive the risk committee can be. In any case, if the board had previously concluded that a board risk committee was unnecessary, there would be no reason to expect that a newly established committee would affect the bank’s risk-taking.
In cases of entrenched management, imposing a board risk committee on management that does not want one may not reduce bank risk, as there are good reasons to believe that CEO power does not typically lead to greater risk-taking. For instance, the CEO might want a “quiet life” (Bertrand and Mullainathan (2003)), in which case the bank would take too little risk. In fact, many studies find that entrenched CEOs take less risk than CEOs whose incentives are better aligned with shareholders (John, Litov, and Yeung (2008), Kumar and Rabinovitch (2013), Saunders, Strock, and Travlos (1990)). If entrenched management takes too little risk, it is unlikely that a risk committee will force management to take even less risk. In related cases involving a rubber-stamping board, a risk committee may be established, but it simply rubber-stamps management decisions and would not reduce bank risk.
Finally, a board may fail to establish a risk committee when one would be appropriate, even if it seeks to maximize shareholder value. In this case, imposing a risk committee could be helpful. However, again, there is no reason to expect that doing so would reduce risk. The board might choose to take more risks with more information.
III. Empirical Determinants of Risk Committee Choice and the Dodd–Frank Act Mandate
In this section, we examine whether banks that chose to have a risk committee before the DFA are those we expect to have one with a board focused on maximizing shareholder wealth, namely, large and complex banks and banks with a small equity cushion. We first review the DFA mandate in light of our explanations and then provide empirical evidence on the determinants of risk committee adoption in 2006. We also investigate the determinants of risk committee expertise. We expect that factors that increase the likelihood of having a risk committee also increase the likelihood that the committee possesses greater risk expertise.
A. The Dodd–Frank Act Mandate
The DFA requires large publicly traded banks to establish a board risk committee. By limiting this mandate to publicly traded banks, Congress signaled that the primary motivation is corporate governance: the lack of such a committee constitutes a governance failure detrimental to shareholders. Implicitly, the assumed failure of governance leads banks to take on more risk than would be optimal for shareholders, and as a result, leads banks to create potential systemic risk. The DFA mandate goes beyond merely requiring certain banks to have a risk committee. It requires the committee to review risk-management policies, oversee the operation of the risk-management framework, and ensure that the risk-management framework remains appropriate. The mandate also describes the elements required for an appropriate risk-management framework, including processes and systems to i) establish managerial and employee responsibility for risk management, ii) ensure the independence of the risk-management function, and iii) integrate risk management into the compensation structure. While the mandate appears quite intrusive, it does not entrust the committee with risk management, a managerial function, but rather with overseeing risk management processes and systems.
While one might argue that the DFA only requires firms to follow good governance practices for risk management, it is a “one-size-fits-all” solution. As a result, it may include requirements inappropriate for certain types of banks. The downside of the “one-size-fits-all” DFA solution is that it imposes costs on those banks that would not have chosen to meet these specific requirements on their own because doing so would not have been economically worthwhile or would have destroyed shareholder wealth.
B. Banks With and Without a Risk Committee Over Time
In this section and the next, we use a sample constructed as follows: We first collect data on publicly traded U.S. financial institutions from 2003 to 2018. We start with a list of savings and loans holding companies (SLHCs), BHCs, and commercial banks from the PERMCO-RSSD link table provided by the Federal Reserve Bank of New York.[Footnote 5] The DFA risk committee mandate applies directly to public BHCs with assets above $10 billion.[Footnote 6] BHCs are regulated by the Federal Reserve. The Office of the Comptroller of the Currency (OCC) requires commercial banks with assets exceeding $50 billion that are not BHCs to comply with the DFA board risk committee mandate and may extend this requirement to banks with assets as low as $10 billion, effectively bringing these banks under the DFA mandate.[Footnote 7] Section I of the Supplementary Material describes the samples and data used in all the analyses in this study.
We obtain financial data for each financial institution. For SLHCs and BHCs, we use data from the FR Y-9C reports, which are filed quarterly by all BHCs. The data for commercial banks are from quarterly FFIEC 0031 (call) reports. In addition, we include quarterly data from Compustat Fundamentals Bank files. The sample is merged with the CRSP daily files to obtain stock return data. We then merge the resulting data set with risk committee and director data from BoardEx. We supplement the BoardEx data with DEF 14A filings from SeekEdgar.[Footnote 8] Although BoardEx data begin in 2000, coverage is limited until 2003, so our sample starts in 2003. Requiring BoardEx data reduces the sample size for some analyses.
In Table 1, we show in column 1 the number of banks in our sample for each year, depending on whether they have all the data used in our analyses. The number of banks that meet our sampling criteria falls from 475 in 2003 to 206 in 2018. Next, we report the fraction of banks with risk committees by year in column 2. This ratio for our whole sample is 0.051 in 2003. It increases dramatically over our sample period, peaking in 2018 at 0.714.

Next, we focus on large banks (assets over $10 billion). We assume that the DFA mandate applies to these banks, either because they are BHCs or because of the OCC policy. As expected from our framework, these banks are much more likely to have risk committees than small banks. In 2003, only 20% of large banks have a risk committee. The percentage of large banks with such committees has exceeded 45% since 2007. Starting in 2014, over 90% of large banks have a board risk committee [Footnote 9]. Not surprisingly, the number of large banks increases during our sample period, whereas the number of small banks falls sharply. However, the percentage of small banks with risk committees increases by more than 19 times over our sample period. At the end of our sample period, 54.2% of small banks have a risk committee.
To examine the determinants of banks’ adoption of risk committees prior to the DFA mandate, we focus on 2006 to avoid influences from discussions surrounding the DFA’s adoption and the GFC. In Table 2, we compare banks with a risk committee in 2006 to banks without one using bank characteristics from the same year. The Appendix provides detailed definitions of all the variables used in this and the next section. We show the correlations among the variables in Section II, Table IA2 in the Supplementary Material.

As discussed in Section II, based on the shareholder wealth maximization hypothesis, we expect banks with risk committees to be larger, more complex, and have lower equity cushions. Table 2 shows that banks with risk committees are much larger than those without. Following Laeven and Levine (2007), we measure complexity (Complexity) as one minus the absolute difference between net interest income and other operating income divided by total operating income. Table 2 shows that banks with risk committees are more complex than others. Consistently, these banks have more C&I loans and trading assets and fewer deposits. In addition, banks with risk committees have a lower equity cushion because they have a lower Tier 1 ratio.
The entrenchment hypothesis predicts that a bank board beholden to the CEO is less likely to have a risk committee, as the CEO is expected to value managerial discretion. We use the co-option measure from Coles et al. (2014) to measure entrenchment. This measure (Entrenchment) is the fraction of board members appointed after the appointment of the current CEO. We find no difference in Entrenchment between banks with risk committees and those without. Another measure of CEO power is Duality, defined as 1 if the CEO also serves as chairman of the board, and 0 otherwise (Adams, Almeida, and Ferreira (2005)). The value of Duality does not differ between banks with and without board risk committees.
With respect to variables that are informative about the learning hypothesis, we consider the board’s financial expertise, since boards with greater financial expertise already possess the knowledge and experience relevant to risk oversight, making additional learning about risk committees less necessary. We measure the board’s financial expertise, Board Financial Expertise, following Minton et al. (2014). There is no difference in Board Financial Expertise between boards with and without risk committees. As discussed, we expect banks with a risk committee to have greater institutional ownership (Institutional Ownership). We find that banks with risk committees have substantially higher average Institutional Ownership than other banks (48% vs. 31%). However, this difference is likely attributable to the larger size of banks with risk committees, as institutional ownership tends to increase with firm size. As noted earlier, we expect a bank’s adverse risk experiences to enhance its board’s learning about risk management. We compute the stock return for the 1998 crisis, following Fahlenbrach, Prilmeier, and Stulz (2012). This measure, Crisis Return, captures the stock drawdown during the 1998 crisis. We expect banks with larger drawdowns to be more aware of the potential benefits of a risk committee, given their more adverse experience. However, we find no difference in Crisis Return between banks with risk committees and those without.
To assess the relation between bank characteristics and the existence of a risk committee more directly, we estimate linear regression models in which the dependent variable RC indicates whether a bank has a risk committee in 2006. The regression results are reported in Panel A of Table 3 [Footnote 10]. The sample for these regressions consists of all publicly traded banks with required data available, regardless of their total asset values. We use firm characteristics measured in 2005 to predict whether a bank has a risk committee in 2006. All regressions include Total Assets, Complexity, the interaction of Total Assets and Complexity, Tier 1 Ratio, and Market-to-Book as regressors. We then add selected regressors in columns 1 through 4. In column 5, we include all regressors. The number of observations varies across columns as we use all banks with available data for each specification. For instance, some banks lack data for certain variables because they are not covered by BoardEx or did not exist in 1998.

As expected and consistent with the shareholder wealth maximization hypothesis, we find that larger, more complex banks and those with lower equity cushions are more likely to have a risk committee. In column 1, the coefficient on the interaction between Total Assets and Complexity is significantly positive, whereas the coefficient on Tier 1 Ratio is significantly negative. Based on the entrenchment hypothesis, we expect the coefficients on Entrenchment and Duality to be significantly negative. However, neither coefficient is statistically significant. In column 2, we add Institutional Ownership, but its coefficient is not statistically significant. However, the interaction between Complexity and Total Assets is also not significant. We then add Board Financial Expertise in column 3, and its coefficient is not statistically significant. The interaction between Complexity and Total Assets is again significant. We add Crisis Return to the regression reported in column 4, and it is not significant. The interaction between Complexity and Total Assets is also not significant; however, the sample size is much smaller because Crisis Return is available for fewer banks. When we include all the variables in column 5, we find that the interaction between Complexity and Total Assets, Tier 1 Ratio, and Market-to-Book have significant coefficients. We also find that Entrenchment and Board Financial Expertise have significant negative coefficients. The coefficient on Entrenchment supports the entrenchment hypothesis. In contrast, the coefficient on Board Financial Expertise runs counter to the learning hypothesis, which predicts that a board with greater financial expertise is more likely to understand the potential benefits of a board risk committee. However, a board with greater financial expertise may be able to address risk-related issues more effectively in plenary sessions, reducing the need for a separate risk committee.
Panel A of Table 3 does not consider risk committee expertise. We expect that the reasons that motivate boards to have a risk committee also motivate them to have risk expertise on the committee. Consequently, we expect the predictions of the shareholder wealth maximization hypothesis to hold when accounting for risk expertise. We construct a variable that proxies for the risk expertise of the risk committee, RC Risk Expertise. This variable is the fraction of risk committee members (excluding those who also serve on the audit committee) who have prior outside risk committee-related experience, outside CFO or treasurer experience, or an MBA or a master’s degree in finance. A bank whose risk committee has no members with risk expertise is assigned the same RC Risk Expertise value as a bank without a risk committee. The number of observations decreases because we cannot obtain the necessary information to construct RC Risk Expertise for all banks. The loss of observations differs across columns because the data requirements differ across them. Table 3, Panel B, presents the regression results, where we replace the dependent variable RC with RC Risk Expertise. The interaction of Complexity and Total Assets has a positive and significant coefficient in the same columns as in Panel A. Tier 1 Ratio has a negative and significant coefficient in columns 2 and 3. The coefficient on Market-to-Book is never statistically significant. Neither Entrenchment nor Board Financial Expertise is significant.
A comparison of Panels A and B of Table 3 indicates that Panel B fully supports the shareholder wealth maximization hypothesis [Footnote 11]. In contrast, Panel A reports a significant negative coefficient on Entrenchment, suggesting a role for managerial entrenchment. These results can be reconciled by noting that entrenchment can make a bank less likely to establish a board risk committee; however, conditional on having one, entrenchment does not appear to reduce its risk expertise. In other words, the observed level of risk expertise within the board risk committee is consistent with the shareholder-value-maximization hypothesis, although the evidence does not rule out the possibility that entrenchment deters the formation of such committees.
IV. Do Banks With Risk Committees Perform Better and Have Less Risk?
An investigation into whether banks with risk committees exhibit lower risk and perform better must address obvious difficulties. Ideally, one would compare a bank with a risk committee to the same bank without one at the same point in time. However, such an exercise is not feasible. As a result, when comparing the performance and risk of a bank with a risk committee to a bank without one, one may be comparing different banks and hence attributing differences in performance and risk to the existence of a risk committee when these differences are explained by unobserved firm characteristics.
To address the differences between banks with risk committees and their counterparts without them, the literature often employs a regression discontinuity design (RDD). This approach compares financial institutions around the $10 billion asset threshold after the DFA mandate took effect. Balasubramanyan et al. (2024) use this approach. They also use a difference-in-differences (DiD) approach, comparing the risk of banks that voluntarily maintained a board risk committee prior to the DFA with that of banks that only established such committees in response to the DFA mandate. Using either approach, they find no evidence that banks required by the DFA to establish a risk committee—those without one prior to the DFA—exhibit lower stock return volatility or other risk measures when they have a risk committee.
Unlike the earlier studies, we examine whether banks exceeding the DFA threshold differ in risk and performance if they voluntarily establish a risk committee before the DFA mandate, and whether the risk and performance of banks that introduce a risk committee differ because of the DFA change. We first investigate whether banks that exceeded the DFA threshold in 2006 and had a risk committee performed better and had lower risk during the GFC than those that exceeded the threshold but did not have a risk committee. We then test whether banks that meet the threshold perform better and exhibit lower risk after establishing a board risk committee by comparing those that adopted the committee voluntarily before 2010 with those that did so in or after 2010. Banks adopting the committee in or after 2010 did so knowing that it was mandated by the DFA and had to be in place by the compliance deadline.
A. The Performance of Banks During the GFC and Board Risk Committees
There is extensive literature on bank performance during the GFC. We do not aim to explain bank performance during the GFC; instead, we investigate whether banks that met the DFA threshold before the GFC and had a board risk committee differ in risk and performance from banks that met the threshold but did not have a board risk committee. In 2006, 24 of the 61 banks in our sample that meet the DFA threshold of $10 billion in assets have a risk committee. To assess whether these banks perform differently and have different risk levels during the GFC, we control for variables that capture bank differences. We also include an indicator for the year 2008, which means that we effectively use year fixed effects. In regressions of performance and risk measures on these control variables, if they capture differences among banks exceeding $10 billion in assets, the coefficient on an indicator variable for whether a bank has a risk committee measures the effect of having a risk committee on the dependent variable.
The dependent variables include two risk measures, three performance measures, two real outcome measures, and one combined performance–risk measure. The risk variables are annual stock return volatility (Equity Volatility) and Tail Risk, which is the negative of the average stock return on the 5% worst return days during a year. The performance variables are ROA, ROE, and Annual Stock Return. The real outcomes are loan losses relative to total assets (Loan Loss/Assets) and nonperforming loans relative to total assets (Nonperforming Loans/Assets). The variable that combines performance and risk is the Sharpe Ratio, defined as the excess stock return over the risk-free rate divided by the standard deviation of the stock return [Footnote 12].
Table 4, Panel A, reports our regression estimates where the dependent variables are measured in 2007 and 2008, and the independent variables are for 2006 (except for an indicator variable for 2008). We have 77 observations, as we lose observations because of data requirements. The independent variables include Board Financial Expertise, Crisis Return, Complexity, Total Assets, Tier 1 Ratio, Market-to-Book, Entrenchment, Duality, Year2008 (an indicator variable for the year 2008), and Institutional Ownership. The test variable in the regression is an indicator for whether a bank had a risk committee in 2006 (RC2006). Its coefficient is never significant for risk measures or real outcomes. It is significantly negative for ROA. There is no evidence that banks with risk committees in 2006 performed better or had less risk during the GFC. In Table IA4 in the Supplementary Material, we estimate the same regression with the addition of Deposits/Assets, Securities/Assets, C&I Loans/Assets, Real Estate/Assets, and ROE. We do not include a measure of trading assets because trading assets are extremely highly correlated with Total Assets. We omit these variables from the regressions that we highlight because they can be considered direct outputs of risk management policies. Including them does not change our conclusions. In Panel B of Table 4, we replace RC with RC Risk Expertise as our test variable. The results are similar, except that ROA is not significantly related to RC Risk Expertise.

In summary, the coefficients on RC2006 in Panel A of Table 4 are not significant, except for the negative coefficient in the regression in which the dependent variable is ROA. In Panel B of Table 4, the test variable is RC Risk Expertise, and none of its coefficients are statistically significant. Therefore, our evidence does not support the view that large banks without a risk committee in 2006 would have experienced lower risk, better performance, or improved real outcomes during the crisis if they had a risk committee. In other words, if the DFA requirement was motivated by the view that excessive risk-taking caused the GFC and that a board risk committee would reduce such risk-taking through improved governance, our evidence does not support this view.
B. Do Banks Have Lower Risk After Being Required to Adopt a Risk Committee?
We examine differences in risk and performance between large banks with and without board risk committees from 2003 to 2018. We use a DiD regression format, where treatment is the introduction of a risk committee. A bank enters the sample the first time its assets exceed the DFA threshold. During the sample period, a large bank with a risk committee either introduced a risk committee voluntarily or was forced to introduce one because of the DFA. We assume that banks that introduce a risk committee before 2010 do so voluntarily, and those that introduce it in 2010 or later do so involuntarily due to the DFA mandate. We further assume that all banks with assets in excess of $10 billion have to introduce one as a result of the DFA if they do not have one in 2010, since the OCC effectively extended the DFA requirement to banks that are not part of holding companies. Our approach suffers from a potential endogeneity issue in that banks can choose when to meet the DFA mandate as long as they introduce a risk committee before the deadline [Footnote 13]. We use an indicator variable, RC Before 2010, which equals 1 for every year that a bank that introduced a risk committee before 2010 has a risk committee. RC After 2010 is an indicator variable that equals 1 for each year a bank that introduced a risk committee in or after 2010 has a risk committee. We use bank and year fixed effects. However, to identify bank fixed effects, we must exclude banks that enter the sample period with a risk committee.
Table 5 presents the regression results. In Panel A, the test variables are the risk committee indicator variables. RC After 2010 is not statistically significant for any of the risk, real outcomes, or performance variables. Therefore, there is no evidence that banks that had to introduce a risk committee because of the DFA have less risk afterward. We find more nuanced results for RC Before 2010. It is negatively associated with Tail Risk, ROE, and Annual Stock Return but positively associated with Equity Volatility. In Panel B, we use RC Risk Expertise variables as our test variables. RC Risk Expertise Before 2010 is negatively associated with Nonperforming Loans/Assets. The coefficient on RC Risk Expertise Before 2010 of −0.005 is economically significant. Going from zero risk expertise to RC Risk Expertise of 0.5 would be associated with lower Nonperforming Loans/Assets of 0.25% when Nonperforming Loans/Assets for banks with a risk committee is at its mean value of 0.5% in 2006. Furthermore, we find that the Sharpe Ratio is positively associated with RC Risk Expertise Before 2010. RC Risk Expertise Before 2010 is not associated with Tail Risk or performance measures. In contrast, RC Risk Expertise After 2010 is positively associated with Loan Loss/Assets, suggesting greater risk, and with ROA and ROE, suggesting better performance. Since neither ROA nor ROE is risk-adjusted, the better performance could reflect greater risk. The results in Table 5 are not sensitive to the regressors. Table IA5 in the Supplementary Material shows that regressions using only the risk committee indicators and fixed effects yield similar coefficients on those indicators.

In conclusion, the analysis in this section provides no evidence to support the hypothesis that banks forced to adopt a board risk committee have lower risk. In contrast, we find that banks with a risk committee introduced before 2010 have lower risk. This evidence is stronger when we use the risk committee’s risk expertise as our risk committee measure. Banks whose board risk committees were introduced before 2010 and have greater risk expertise exhibit lower nonperforming loans and a higher Sharpe ratio. To the extent that a higher Sharpe ratio indicates that a bank is less likely to take excessive risk, our results support the view that voluntarily establishing a board risk committee with greater risk expertise helps curb excessive risk-taking.
V. What Do Board Risk Committees Do?
We investigate what risk committees do and whether their activities are consistent with our shareholder wealth maximization hypothesis. The questions we are most interested in require complex, detailed answers and follow-up questions, which made them unsuitable for a survey. Therefore, we conducted in-depth interviews with 19 risk committee chairs of publicly traded U.S. financial institutions. Because we conducted our interviews after the DFA was fully implemented, they provide insight into risk committee practices after the DFA.
A. The Sample of Interviews
To develop the potential sample of interviewees, we started with a list of all U.S. publicly traded firms whose proxies indicated that the firm had a board committee whose name included the word “risk” as of November 2016 and had an SIC code in the 6000 group. After retrieving company information and the names of the chairs of the board committees with the word “risk” in their titles, we identified 203 firms. We conducted 19 interviews with risk committee chairs from these firms, ensuring that none of these committees included the word “audit” in the name (e.g., “risk and audit” committee). This approach is consistent with other interview studies on board committees, including, for example, Clune, Hermanson, Tompkins, and Ye (2014). Of these 19 firms, 14 were depository institutions: 10 commercial banks and 4 savings institutions. We refer to this subsample as banks. Our investigation focuses on these 14 banks. The median market capitalization of the participating firms is $3.2 billion, and the mean is $19.27 billion. The median asset size is $17.7 billion. Of the 19 participating firms, 12 met the DFA requirement of having a risk committee. In 2006, only the four largest banks had risk committees.
The interviews were conducted in 2017 by one coauthor via phone (14), videoconference (2), or face-to-face (3). We used the semi-structured interview method as advised by Radcliffe (2010) and others. We recorded each interview and sent it to a professional service for transcription to ensure accuracy. To promote candor in the interview, we agreed to write the paper in such a way that neither the interviewee nor the financial institution would be identifiable. Furthermore, we sent the interviewees a draft of the paper prior to submission for publication so that they could verify their anonymity. The average interview length was 132 minutes, and we believe that the number of interviews was appropriate, as there were few new insights gained from the last few interviewees [Footnotes 14, 15].
B. Risk Committee Charters
A risk committee charter, approved by the board, is essentially a written “job description” for the risk committee. We reviewed the charters of the risk committees of the participating financial institutions available to us (12 of 14), and they consistently emphasize the oversight role of the risk committee. In all cases, the CRO reports to the risk committee in some form [Footnote 16]. The charters we reviewed clarify that the risk committee has an oversight or monitoring role and no management role. Instead, they focus on overseeing risk management frameworks, processes, and metrics.
C. Why Do Boards Have Risk Committees?
Twelve of our 19 interviewees were aware of some of the history underlying the formation of their risk committees. Eight stated that the committee was voluntary and/or existed before the DFA. Even on boards that formed a risk committee because of the DFA, no interviewee told us that they would revert to housing risk in the audit committee if the mandate were lifted.
Quotes from interviewees at banks with voluntary risk committees generally support the shareholder wealth maximization hypothesis. Consistent with this hypothesis, the following quote recognizes the value of a dedicated risk committee as a bank becomes larger and more complex. In particular, the metrics overseen by an audit committee and a risk committee are different. Furthermore, the audit committee does not have the capacity in terms of both time and committee qualifications to provide an appropriate focus on risk:
Even if that Dodd–Frank [Act] hadn’t occurred, some of us would have evolved a risk committee. It’s just too much on the audit committee. (…) Also, the RC needs a little different skill set than financial expertise needed on an audit committee. (NYSE Bank RC Chair (#10))
It would be very difficult to do with a bank of that size and complexity not to have a separate Risk Committee. In addition to risk issues related to [the] size and complexity of the business, a commercial bank also needs to meet all the regulatory requirements. Meetings would get too long if audit and risk are housed in one committee. Also, the skills, knowledge, and experience that are required to be a good Chair of an Audit Committee don’t necessarily translate over to be a good Chair of a Risk Committee. (NYSE Bank RC Chair (#13))
D. Assessing Risk Metrics and Risk Management Processes
Risk committee chairs view the tasks of the risk committee as quite different from those of the audit committee and believe that different skills are involved. As discussed in Section II, risk metrics are forward-looking. Risk chairs are also acutely aware that there is no rule book for risk metrics. These differences are exemplified by the following quote:
If we can envision driving down the road – risk committee members are looking out the windshield and looking for hazards in the road, roads to turn on and the other committee is looking in the rearview mirror to see what has gone on before. (NASDAQ Bank RC Chair (#11)) [Footnote 17]
Given the differences in the responsibilities inherent in the audit and risk committees, our interviewees generally reasoned that the portfolio of skills available to each committee should be different. When we asked the interviewees for their views on their actual or desired skill sets on the risk committee, diversity of thought and skills/experience was a common theme:
The diversity of talents and backgrounds is really important. We’ve got two current CEOs and a retired CEO of larger, complex financial institutions. They’ve been responsible for managing risk at their organizations and they’ve seen what’s worked and what hasn’t worked. (NYSE Bank RC Chair (#13)) [Footnote 18]
In sum, our interviewees serving on risk committees recognized that their responsibilities differed sufficiently in nature from those on the audit committee and, therefore, warranted a different skill portfolio to fulfill their risk oversight responsibilities. This observation is consistent with the shareholder wealth maximization hypothesis. Furthermore, staffing the risk committee with members whose portfolio of qualifications empowers them to conduct their oversight responsibilities effectively contradicts the rubber-stamping hypothesis.
E. How Does the Committee Acquire Information?
Eighteen of our interviewees responded to a question about who they primarily interact with at the firm, and all stated that they interact primarily with the CRO. For 15 of the 18 interviewees, these interactions were both in-person and by phone. These interactions are inconsistent with the view of rubber-stamping boards proposed by Fluck and Khanna (2008). Under that view, a rubber-stamping board free-rides on information collection, but here we find that the risk committee chairs actively collect information from the banks without going through the CEOs.
A common theme among the interviewees is the importance of having a good relationship with the CRO. As reflected in the quote below, the importance of a healthy relationship is fundamental because it promotes relevant information being communicated from the CRO to the risk committee chair promptly:
You have to be comfortable that you can pick up the phone or they can pick up the phone and say, “There’s something going on, or something you should be aware of,” and over time, that develops a comfort level with the senior person in the function and, in this case, it’s the CRO. I don’t think the CRO of this institution or any of the big institutions could exist or continue to exist if the chair of the risk committee or some of the senior people on the board started to feel that they were not straightforward and effective in communicating the risk that they are trying to manage. So, I think the relationship is very important, and as the relationship gets better, surprises, which occur naturally, end up being communicated early. (NYSE Bank RC Chair (#4)) [Footnote 19]
CEOs can be reluctant to allow board members to interact directly with employees without their presence, especially if they want the board to serve as a rubber stamp. No interviewee discussed situations in which the CEO erected obstacles to direct interactions with risk function personnel. Our interviewees were largely confident that their processes resulted in the committee discussing the “right” issues with the “right” information [Footnote 20].
F. The Interactions of the Risk Committee with Management and Regulators
Suppose a risk committee operates in a manner that maximizes shareholder wealth subject to legal and regulatory constraints. In that case, it will not only monitor the execution of the bank’s approved risk policies but also act in an advisory capacity to management. Furthermore, the risk committee’s processes should promote a relationship with regulators that results in meeting regulatory constraints while simultaneously pursuing a level of risk consistent with maximizing shareholder wealth. In this section, we examine how our interviewees interact with management, how they balance the monitoring versus advisory roles of the risk committee, and how they interact with regulators.
1. The Monitoring, Advisory, and Collaborative Dynamics of the Risk Committee
Although risk committee charters formalize and delineate the risk committees’ responsibilities with a heavy emphasis on risk monitoring, our interviews reflect that the committees also advise and collaborate with management while being cognizant of not slipping into a management role. Regarding the role of the committee versus management, our interviewees were clear that it was the job of management and not the committee to execute the board’s approved risk policies:
So, our job is to look at policies and make sure that they are setting an appetite that – setting the bounds or the barriers on the road, so to speak, that management has to drive in, and then our second function is to review programs that we have in place to manage risk, mitigate risk, or monitor risk, and make sure that we think that they’re covering everything that needs to be covered –, but our job is not to actually manage any of the risks, and, so, I think it’s a pretty good, clear distinction. (NYSE Bank RC Chair (#2))
When asked how challenging it is to avoid crossing the line into the management role, on a scale of 1 (not challenging) to 5 (highly challenging), the mean response was 1.25. While the interviewees understand and abide by the respective committee and management roles, there are many examples in which they not only monitor but also collaborate with and advise management. For instance, risk committee members, at times, have better information about developing risks in industries that the bank interacts with than the bank’s risk management team and convey that information to bank risk managers.
Given the importance of a good relationship between the CRO and the committee, it is not surprising that the relationship dynamics involve both advice and collaboration. The literature shows that there can be tension between the monitoring and advising roles of board members (Adams and Ferreira (2007)). A greater focus on monitoring can make it difficult for the board to advise management, as management may be unwilling to communicate information that would help both the board’s advising and monitoring roles. When we asked the interviewees on a scale of 1 (easy) to 5 (difficult) how difficult it is to maintain a sense of healthy skepticism in the relationship, the mean response was 2. Interviewees suggest that maintaining healthy skepticism depends on both the quality of management personnel and the committee’s commitment to rigorous oversight. When we asked our interviewees how often the committee disagreed with management on elements of risk policy, on a scale of 1 (never) to 5, the mean response was 1.7, indicating little conflict. [Footnote 21]
2. The Relationship Between Risk Committees and Regulators
A significant change following the GFC is that regulators increased risk management requirements for large banks. Banks became subject to a battery of stress tests depending on their size. Furthermore, the DFA directly placed some risk management responsibilities on the board. Consequently, these additional responsibilities might necessitate the establishment of a board risk committee, even in the absence of a DFA mandate.
We asked the interviewees to assess the time that risk committees spend on regulatory issues. They report that their committees spend a mean (median) of 53.7% (50%) of meeting time on regulatory issues. The interviewees’ discussion of regulatory issues focuses on ensuring that regulatory mandates are met. Financial firms face regular inspections, and much of the meeting time is spent dealing with issues that may arise from a recent inspection or preparing for an upcoming inspection. An additional consideration that some chairs discussed was the Dodd–Frank Act Stress Test (DFAST). Some committees had to devote substantial time to the DFAST.
The interviewees from larger banks reported significant challenges in fulfilling their risk committee responsibilities compared to those from smaller banks. However, even smaller banks acknowledged challenges. Post-DFA, the risk committees appear to have a large regulatory agenda over which they do not seem to have much discretion. Furthermore, due to regulatory ambiguity, they must engage with regulators to ensure that they are addressing regulatory issues as regulators expect them to. The following quote illustrates this point:
Another thing that’s a normal part of interaction between myself and the CRO is we have periodic, once, maybe twice a year, one-on-one meetings with our primary regulators. … We meet with the regulators and get their feedback about their sense of priorities to be sure we’re going deep enough on the things that are top of their list. I also talk about it at pre-meeting conversation with the CRO. (NYSE Bank RC Chair (#8))
A common theme among all our bank interviewees was that there were direct interactions with regulators, either through meetings with the risk committee chair between meetings or during the normal meetings of the full board. Some interviewees described circumstances in which they would push back against the regulator if appropriate. However, even when the interviewee believed that the pushback was warranted, there were instances in which the regulator prevailed.
Risk committee chairs appeared to focus heavily on managing relationships with regulators, in part because regulators could impose significant challenges on the committee specifically and the bank more broadly. [Footnote 22]
I came from a very heavily regulated industry, and I understand regulation, the responsibility of the regulator, and that my job is to make him the best regulator that he possibly can be. Which means I don’t ever surprise him or ever embarrass him. I always give him a heads-up. And I never give my customers a reason to complain to him. If I’m successful in those areas, I’ll be fine in a regulated industry. You gotta create a culture that has respect, and you can’t have people that disrespect the regulator. (NYSE Bank RC Chair (#1))
G. Monitoring and Time Constraints
We used two LLMs, GPT-5-Mini (GPT) and Gemini-2.5-Flash (Gemini), to extract quantitative information from the 14 transcripts concerning the monitoring and advisory roles of the risk committees and their use of time. The prompts used for the two LLMs and the exact questions asked are reproduced in Section IV of the Supplementary Material. We report the results in Figures 1 and 2. For each question, we report the ratio of positive answers to the total number of positive and negative answers, separately for each LLM and averaged across both LLMs. We also provided the LLMs with the option to conclude that the transcript contained no evidence. Figures IA1 and IA2 in Section IV of the Supplementary Material report the percentage of transcripts for each question with no clear evidence for each LLM.
Figure 1 reports the percentage of bank risk committee interviewees that large language models classify, with clear evidence, as agreeing with five questions related to the committee’s monitoring role. We use two models, Gemini 2.5 Flash and GPT-5 Mini, which were instructed to read each interview transcript and answer “Yes,” “No,” or “No Evidence” to each question. The exact questions and prompts are listed in Section IV of the Supplementary Material. For each question, we report the percentage of interviewees classified as agreeing by each model, along with the average between the two.

Figure 2 reports the percentage of bank risk committee interviewees that large language models classify, with clear evidence, as agreeing with five questions related to the committee’s use of time. We use two models, Gemini 2.5 Flash and GPT-5 Mini, which were instructed to read each interview transcript and answer “Yes,” “No,” or “No Evidence” to each question. The exact questions and prompts are listed in Section IV of the Supplementary Material. For each question, we report the percentage of interviewees classified as agreeing by each model, along with the average between the two.

Starting with the risk committee’s monitoring role, we first ascertained whether the committee chair or members communicated directly with employees reporting to the CRO without the involvement of the CRO or CEO. Few transcripts provided clear evidence on this point (six for GPT and eight for Gemini). Among those with substantive answers, 65% indicated that RC chairs engaged in such communications. We then asked whether the risk committee chair or members interacted with the CRO outside board meetings without the CEO’s involvement on issues other than the committee agenda. Almost all transcripts contained answers, and 100% of the answers were positive. A majority of risk committees, but not all, have executive sessions with the CRO that exclude the CEO. Moreover, a majority of risk committees hold meetings between the risk committee chair and regulators without the CEO present. Finally, we asked whether the CRO reports to the risk committee. On average, 63% of the responses were positive. The evidence in Figure 1 supports the active monitoring role of most risk committees in that they can pursue issues without being constrained by the CEO or even the CRO.
We then turn to the risk committee’s use of time. Our first question was whether the tasks mandated by regulators were time-consuming. The average answer is yes for 82% of the transcripts. We then asked whether the committee allocates sufficient time during meetings to discuss new or developing issues. Interestingly, the LLMs disagree: GPT finds 38% yes answers, and Gemini finds 75%. We then asked whether the committee allocates sufficient time to discuss nonroutine issues. The result is similar to that of the previous question. Additionally, there is strong evidence that the chair or committee regularly advises the CRO. Finally, we asked whether the risk committee chair spends substantial time on risk committee matters outside of committee meetings. Again, we find strong positive evidence. The evidence in Figure 2 shows that regulatory matters are time-consuming; however, the evidence on whether these matters prevent the risk committee from discussing unexpected risk issues or issues expected to become important in the future is unclear. A direct reading of the transcripts suggests that the regulatory burden varies substantially across banks. In particular, the regulatory burden is viewed as much more constraining for banks subject to stress tests.
VI. Conclusion
The DFA mandates that banks above a certain size threshold establish a board risk committee, reflecting the presumption that greater board-level attention to risk-taking would reduce bank risk. However, little scientific evidence supports this presumption. Greater attention to risk can lead management to take more or less risk, depending on the bank’s strategy and risk appetite. Hence, we do not expect the mere establishment of a risk committee to reduce bank risk. Rather, its presence may enable banks to take on risks more closely aligned with their strategic objectives. If such committees serve shareholders’ interests, any benefits should be reflected in improved performance rather than mechanically lower risk.
The academic literature provides little guidance on the conditions under which a bank should have a board risk committee and limited evidence on the functions of such committees. From the perspective of shareholder wealth maximization, establishing a risk committee entails both costs and benefits. The costs include reduced engagement by the full board, whereas the benefits arise from delegating complex risk oversight to directors with specialized expertise. We argue that these benefits are greater for large, complex banks that rely on nonaccounting risk metrics. We also consider alternative explanations for the absence of a risk committee. Under the entrenchment hypothesis, management resists the creation of a risk committee to limit its oversight. Under the learning hypothesis, boards may adopt a risk committee only after gaining experience with its potential benefits. Our interviews provide some limited support for both hypotheses, but generally support the shareholder wealth maximization framework that we develop.
Our empirical analysis provides the strongest support for the shareholder wealth maximization hypothesis. Large, complex banks and those with smaller equity cushions are more likely to voluntarily establish a risk committee. In addition, we find limited evidence that board entrenchment is negatively related to the existence of a board risk committee but unrelated to committee risk expertise. Banks that would have been subject to the DFA mandate prior to the GFC but did not have a risk committee were neither riskier nor worse performing during the crisis. Using data from 2003 to 2018, we find no evidence that mandating risk committees reduces bank risk. In contrast, banks that voluntarily adopt risk committees experience better outcomes—lower nonperforming loans and higher Sharpe ratios—when those committees possess greater risk expertise. We find no comparable effects for banks that adopt risk committees in response to the mandate.
To better understand the practices of risk committees, we interviewed board risk committee chairs at 14 banks. The interviews refute the view that risk committees act merely as rubber stamps. Committee chairs report actively collecting information independent of management, monitoring risk, and advising senior executives. A key finding is that, in the post–DFA era, risk committees devote a substantial portion of their time to regulatory requirements, limiting the time available for other risk oversight activities.
Overall, our findings show that the value of a board risk committee depends on why it is established and the expertise of its members. Risk committees adopted voluntarily and staffed with relevant expertise are associated with improved risk-related outcomes, whereas committees formed in response to regulation are not. These results underscore the importance of viewing board organization as an endogenous governance choice rather than a uniform solution.
Appendix. Variable Definitions
This appendix provides definitions of the variables used in the analyses.
- Annual stock return: Annual return of common stock.
- Board financial expertise: Fraction of board members with financial expertise, following the definition in Minton, Taillard, and Williamson (2014).
- Complexity: $$ 1-\left|\frac{\text{Net interest income}-\text{Other operating income}}{\text{Total operating income}}\right|. $$
- C&I loans/assets: Commercial and industrial loans, divided by total assets.
- Crisis return: The bank’s stock return from Aug. 3, 1998 (the first trading day in August 1998) until the day in 1998 on which the bank’s stock attains its lowest price, following Fahlenbrach, Prilmeier, and Stulz (2012).
- Deposits/assets: The sum of non-interest-bearing deposits and interest-bearing core deposits, scaled by the book value of assets.
- Duality: 1 if the CEO is the board chair, and 0 otherwise.
- Entrenchment: Co-option measure from Coles, Daniel and Naveen (2014). The number of co-opted directors/board size. A co-opted director is one who joined the board after the CEO.
- Equity volatility: The annualized standard deviation of daily stock returns (in percentage).
- Market-to-book: Market value of equity, divided by the book value of equity.
- Institutional ownership: Fraction of shares owned by 13-F institutional investors.
- Loan loss/assets: Total loan loss written off, scaled by the book value of assets.
- Nonperforming loans/assets: Total nonperforming loans, scaled by the book value of assets.
- RC2006: 1 if a bank has a risk committee (excluding those that have a combination of risk and audit committee) in 2006, and 0 otherwise.
- RC before 2010: 1 if a bank has a risk committee (excluding those that have a combination of risk and audit committee) and the risk committee starts before 2010, and 0 otherwise.
- RC after 2010: 1 if a bank has a risk committee (excluding those that have a combination of risk and audit committee) and the risk committee starts in 2010 or after, and 0 otherwise.
- RC risk expertise: Fraction of risk committee members (excluding those who also serve on the audit committee) who have prior outside risk committee-related experience, outside CFO/treasurer experience, or an MBA/finance master’s degree. A bank whose risk committee has no members with risk expertise has the same value of RC Risk Expertise as a bank without a risk committee.
- RC risk expertise before 2010: RC Risk Expertise for banks that start a risk committee before 2010.
- RC risk expertise after 2010: RC Risk Expertise for banks that start a risk committee in 2010 or after.
- Real estate/assets: Loans secured by real estate, divided by total assets.
- ROA: Net income plus interest expense divided by average assets over the prior year.
- ROE: Net income divided by average equity over the year.
- Sharpe ratio: The excess stock return over the risk-free rate divided by the standard deviation of the stock return.
- Securities/assets: Total securities divided by the book value of assets.
- Tail risk: The negative of the average stock return on the 5% worst return days in a given year (Ellul and Yerramilli (2013)).
- Tier 1 ratio: The ratio of a bank’s equity capital and disclosed reserves to its total risk-weighted assets.
- Total assets: Natural logarithm of total CPI-adjusted assets in 2000 dollars.
- Trading/assets: Total trading assets divided by total assets.
Supplementary Material
To view supplementary material for this article, please visit http://doi.org/10.1017/S0022109026102816.






