A “Discussion paper on Governance in Commercial Banks in India’’ by the Reserve Bank of India, released on Thursday, has suggested that a bank’s board should constitute a Risk Management Committee of the Board (RMCB) made up of only “non-executive director ( NEDs)’.
A NED is a member of the board who does not have responsibilities within the bank. All directors other than whole -time directors (WTDs) are part-time NEDs.
The RMCB will have to meet with a quorum of three members and two-thirds will be independent directors. Accordingly, the RMCB will be made up of at least three NEDs.
Two-thirds of RMCB will be independent directors of which one member shall have risk management expertise (i.e., direct/supervisory/regulatory oversight of the risk management function in the banking, financial services and insurance industry).Meetings of RMCB will be chaired by an independent director who can't be a chair of any other committee of the Board. Chairperson of the bank shall not be a member of the committee.
The committee has to meet at least six times a year and not more than sixty days should elapse between two meetings. Chief Risk officer (CRO) of a bank shall function as the secretary of RMCB and will report into the committee. Head of compliance of the bank also has to also report to the RMCB.
The role of the RMCB is to assist the board, inter alia, in the following:
– ensure accurate internal as well as external data to be able to identify, assess, mitigate risk,make strategic business decisions, determine capital and liquidity adequacy,
– set the ‘Risk Appetite’ of the bank based on its ‘Risk Capacity’,.
– based on the “Risk Appetite” agreed upon, allocate business unit wide and risk taker wise risk limits,.
– hold the first line of defence accountable for breaches in the risk limits,
-ensure a system where risk management functionaries should not be charged with overseeing activities for which they previously held any revenue generating responsibility or participated in business decision-making or approval process,
– to have the ability and willingness to effectively challenge business operations regarding all aspects of risk arising from the bank’s activities explicitly mandate the role of risk functionaries including the CRO to that limited to an ‘Advisor’ to the sanctioning authority i.e., the authority who has been delegated the powers to assume risk,
-ensure clear segregation between risk origination (front office), risk underwriting (midoffice) and risk documentation/operations functions (back office). These functions shall have separate reporting lines and are geographically separated – thus reducing the ability to influence the other if need be, allocate to a committee of the board which will undertake management function, the sanctioning powers to assume risk,.
-evaluate internal controls and risk management systems,
-regularly evaluate the risk faced by the bank through the overall risk profile,.
-introduce oversight of a risk culture dash board with reports to track progress across key culture attributes, indicators to track the frequency along with the treatment of both selfreported control and risk problems as well as whistle-blowing incidents,.
– ensure that adequate risk management processes are in place to assess risk and performance relative to initial projections. To adapt the risk management treatment as the business matures and before, a new product, service, business line or third- party relationship or major transaction is undertaken,
-ensure that reputation risks including conduct risks are captured across various businesses of the bank through quality data and systems,.
-put in place risk reporting systems which are dynamic, comprehensive, accurate and draws on a range of underlying assumptions.
-ensure that risk monitoring and reporting shall not only occur at the disaggregated level (including material risk residing in subsidiaries or other group entities on which there is exposure) but shall also be aggregated to allow for an integrated perspective of risk exposures to convey bank-wide risk, individual portfolio risks besides other risks in a concise as well as meaningful manner,.
– ensure that reports accurately identify external environment, market conditions,trends that may have an impact on the bank’s current or future risk profile, communicate risk exposures and results of stress tests or scenario analyses,
-provoke a robust discussion of, for example, the bank’s current exposures, prospective exposures (particularly under stressed scenarios), risk/return relationships, risk appetite and limits,
-risk reporting systems shall be clear about any deficiencies or limitations in risk estimates,as well as any significant embedded assumptions,.
-ensure a sufficiently robust data infrastructure, data architecture, information technology infrastructure – that is in sync with developments such as balance sheet and revenue growth; increasing complexity of the business, risk configuration or operating structure;
-geographical expansion; mergers and acquisitions; or the introduction of new products or business lines,
-ensure that the ultimate responsibility for the assessment of risks is with the bank even while tools such as external credit ratings or externally purchased risk models and data are used as inputs into a more comprehensive assessment,.
-promote a strong risk culture by ongoing communication about risk issues, including the bank’s risk strategy, throughout the bank;
– promoting risk awareness including encouraging open challenge/communication about risk-taking across the organisation as well as vertically to and from the board,
-ensuring that the board is sufficiently informed while at the same time ensuring that the management and those responsible for the risk management function
avoid voluminous information that can make it difficult to identify key issues,
-guiding the risk management function in presenting information in a concise, understandable and fully contextualised/prioritised manner;
-establish effective communication/coordination with the audit committee to facilitate the exchange of information, effective coverage of all risks, including emerging risks, and any needed adjustments to the risk governance framework of the bank,.
-formulate the compliance policy of the bank, containing the basic principles, the main processes by which compliance risks are to be identified and managed through all levels of the organisation..