7 Ways “Conduct Risk” Can be Handled by Bank Boards
John P. Carey and Kathlyn L. (Lyn) Farrell
January 12, 2018
Serving on a bank board in the U.S. has never been a low-risk proposition.
But now, after Wells Fargo’s sales practices consent orders, enforcement actions, civil money penalties, and subsequent investigations, the responsibilities of a bank board member have come under the highest scrutiny ever.
Boards must oversee complex organizations with significant risks surrounding consumer protection, liquidity, interest rates, credit, and, in today’s environment, culture and conduct.
New governance concepts emerge
In 2014, the Office of the Comptroller of the Currency published guidelines establishing heightened standards for risk governance. Thus, the term “credible challenge” became part of the parlance of bank risk management organizations and boards of directors. The guidance requires that boards and independent risk management executives exercise a “credible challenge” to the decisions and actions of a bank’s executive management.
The specifics for how and when to exercise this credible challenge responsibility have been less than clear.
The preamble in the guidance offers some insight into what is required. It provides that offering a credible challenge does not mean that a director has to make management decisions, but it does mean that a director must have a comprehensive understanding of the bank’s risk-taking activities and be ready and willing to ask the right questions and challenge management when necessary.1
Since this regulatory pronouncement there has been much written on what boards should do to meet their responsibility to credibly challenge the bank’s risk management and culture. With renewed regulatory focus on conduct risk, ethical behavior, and bank culture in general, how does a bank director effectively fulfill his or her responsibilities to engage in effective oversight; credibly challenge bank management; and protect the bank’s stakeholders from monetary penalties and reputation damage related to conduct risk?
Some real-world guidance for other boards to consider is out there. The Wells Fargo organizational behaviors that triggered the enforcement actions for unfair sales practices, the backlash that followed, and the subsequent report commissioned by the bank board’s independent directors to identify the root causes for this behavior help clarify the basis for executing credible challenge in this new age of conduct risk.
The Independent Directors of the Board of Wells Fargo & Company Sales Practices Investigation Report, dated April 10, 2017, is an extraordinary example of a board taking steps to determine what happened within the institution and to provide transparency and accountability for the problems it uncovered.
Understanding “conduct risk”
The term “conduct risk” was first made popular by financial regulators in the United Kingdom. There is no universal definition for conduct risk. However, the term is generally defined as the risk that a bank’s employees will harm customers or abuse financial markets and thereby damage their bank’s reputation. Alternatively, it refers to risks that relate to the way bank employees conduct themselves in the treatment of customers or in maintaining market integrity and how those behaviors affect the institution’s reputation.
Many factors influence conduct risk, but none is more important than an institution’s culture. Most institutions have a specific set of core values that purport to guide their culture and how they do business. However, these values alone do not establish a bank’s culture.
Core value statements are only a start. The most important influence on the development of an organizational culture is how management lives those values—and how managers are rewarded or penalized for their behavior.
Employees who work in a culture where the value statements are of one mind but the actual rewards and penalties are based on a different set of implicitly encouraged behaviors will always follow where those incentives lead.
Some of the Wells Fargo management and employees in the Community Bank division acted in a manner that was directly contrary to Wells Fargo’s long-standing “vision, values and goals,” according to the Wells Fargo report. The report found that the behaviors of the senior executives in the Community Bank line of business valued the rogue behavior of employees as exhibited by the manner in which rewards and punishments were dispensed.
Thus the Wells Fargo culture formed around the incentivized “values”—certainly not the written ones. This is how culture works. Values statements feature traits that often include honesty, integrity, customer service, and “doing the right thing.” Conduct risk arises when performance management systems (i.e., rewarding some behaviors and punishing others) become misaligned with the organization’s written value statement.
This misalignment can quickly lead to misbehavior—invalidating stated core values. No doubt a bank’s board has responsibility for overseeing the institution’s conduct risk management. Besides the organization’s culture, the state of conduct risk will often depend on the structure and strength of the bank’s risk management organization.
Pertinent questions for the board include:
• How does a board member offer an effective challenge to management on conduct risk issues?
• How does the board learn of deviations from the institution’s core values taking place within a line of business, i.e., a developing rogue culture?
• What does the board do if it suspects that the conduct risk behaviors are outside the bank’s risk tolerance?
• What responsibility does the board have for the bank’s organizational structure?
• How does a board of directors demonstrate that it is exercising effective credible challenge?
We believe that the keys to offering and demonstrating effective credible challenge are found in the following strategies.
1. Establish—and maintain—independence
The board must be independent of executive management in order to pose credible challenges, and it should be able to demonstrate such independence when necessary. All publicly held regulated financial institutions are required to have independent directors serve on their boards. (This is a good practice even for those institutions that are privately held.)
However, in general, the longer a director serves, the more difficult it will be to consistently maintain such independence.
A long-time director does not automatically lose an independent perspective, but it is true that one must work to keep this perspective fresh. The longer a director serves, the more he or she knows executive managers and tends to trust them.
It is only human nature to develop trust in those we know well. Having a well-defined tenure policy—in other words, term limits—can help avoid the potential risk that a board will lose objectivity or, even worse, develop complacency with the status quo.
Maintaining a healthy skepticism can be difficult, but it is essential. So, long-time directors must consciously and consistently consider if they are effectively offering an independent credible challenge.
It might not come naturally.
2. Demand timely and relevant information
Boards are often overwhelmed with information to review in preparation for board and committee meetings. This is particularly true of those directors sitting on audit or risk committees.
It is hard to spot the snake in the haystack, as it were, but obtaining the right information is key to knowing if a challenge is needed.
According to the Wells Fargo report, the board did not receive information related to the bank’s sales practice problems in a timely fashion or in a format that was useful to them. The board expressed its dissatisfaction and subsequent reviews were commissioned. Unfortunately, valuable time was wasted.
In large organizations, everything moves slowly. Conducting reviews can take inordinate amounts of time. And the board reporting review process often has many steps. When there is a problem, the faster the board becomes aware of it, the faster remediation can happen.
It is critical that boards insist on receiving timely, clearly presented, concise, and pertinent information on high-risk areas. The latter include such issues as possible consumer protection regulatory violations; market manipulation; and all conduct risk areas that carry significant reputational risk.
Management must be held accountable for the effective presentation of information, including the highlighting of red flags. Board members should not be satisfied with having to ferret out issues themselves.
For example, according to the Wells Fargo report, management did not tell the board the actual number of employees who had been fired for opening unauthorized accounts. They learned this number from the regulatory consent orders. Having this information would have raised a red flag on that business line’s culture and might have led the board to discover the true nature of the problem much faster.
3. Question everything, including the bank’s governance structure
Of course, board members should question anything that appears to be outside the bounds of industry standards or, even worse, legal boundaries.
But in large organizations, the fallacy of scale can be a problem.
In the case of the Wells Fargo sales incentive problem, the issue involved a tiny percentage of Wells Fargo’s consumer accounts. It is easy to look at this as a small problem in the context of the size of the bank’s customer base. However, when that small percentage in fact involves millions of customers, the press, the public at large and, most importantly, Congress will not view the matter as “small.”
Board members must view problems from the public’s perspective as well as from their own position.
Boards (or their committees) should have access to reports, including trending information on consumer complaints, employee turnover, instances of fraud, internal whistleblower information, and lawsuits, among other things. This information is the most relevant for determining the existence and magnitude of conduct risk inside a bank.
Boards should also periodically review and question the efficacy of the bank’s risk management structure. Executive management usually determines the management and reporting structure and asks the board for approval.
Nonetheless, the Wells Fargo report places much of the blame for the sales incentive problem on the autonomous authority of the business lines and the bank’s risk management structure. Further, having a decentralized risk and control structure didn’t allow for issues to centrally join, according to the report, thereby hindering effective oversight.
Credibly challenging executive management includes questioning whether the structure of control functions (e.g., independent risk, compliance, and first line of defense organizations) and their relationships to the line of business are set up to work well. In addition, they must have appropriate stature within the organization.
The risk committee of the board bears a particular responsibility to ensure that the members of the bank’s risk organization are able to effectively do their jobs, as well as escalate issues, without hindrance.
Further, the compensation committee can ensure that financial, risk management, and corporate culture goals are properly aligned when making incentive compensation decisions.
Moreover, boards should consider ensuring that a committee of the board has specific jurisdiction over ethics, culture, and conduct. This committee should, among other things, oversee management’s efforts to create and nurture a culture of compliance, ethics, proper conduct and ethical decision-making throughout the organization.
4. Dig deeper
Board members should feel free to continue to ask questions on any topic until they receive complete answers. Board reports are necessarily “executive summaries,” since board members do not have time to review detailed reports or spreadsheets.
However, if something in a summary raises questions, a board member should easily be able to receive the complete report or other related information and review it until all questions are answered.
Directors have been known to contact other bank staff members—beyond senior executive management—to pose questions and obtain more detailed information. Talking to bank employees is an excellent way to receive a different perspective. Directors can receive the required “color commentary” on a situation.
To be able to accomplish this, directors should have full access to employees, particularly to all areas of management.
Direct interaction with employees provides more informed judgments and balanced viewpoints, while avoiding overly filtered information flows. It further allows for an additional avenue for the escalation of issues within the organization.
If top executives are reluctant to allow board members to talk to lower levels of bank management, there is a risk that serious issues have not been appropriately escalated to board oversight.
5. Watch for signals
The problems at Wells Fargo were not new.
According to the Wells Fargo report, there were signals that appeared many years before the board was made aware of the potential seriousness of the sales incentive issues. Employee exit interviews and terminations, whistleblower reports, customer complaints, media reports, blogs, lawsuits, and, finally, a lack of full transparency by the business line and senior management were all early signals of potential problems with the culture at the Community Bank.
A board member must be fully informed and look for consistent trends as they develop. Paying attention to potential clues from all of the bank’s stakeholders will help directors be prepared to ask the right questions and challenge management where appropriate.
6. Ask for outside help when needed
One interesting detail revealed in the Wells Fargo report is how often the board felt that senior management did not provide reliable information on the sales incentive issue during board presentations.
When the board is not confident that it is receiving the straight story, it can always ask for the assistance of outside independent firms and engage them to work directly for the board to review the issue.
The Wells Fargo board did exactly that when it eventually commissioned an independent investigation of the sales incentive issue. A firm with loyalties only to the board, whose engagement specifies that it reports to the board and not to senior management, will be able to conduct reviews, unearth what is really happening, and provide an unfiltered report back to directors.
Should the board have concerns about areas of the bank that are not highlighted by management, commissioning either an internal audit or external review of those areas will help ensure that appropriate light is cast on potential areas of risk. Such topics may come from industry developments or through parallel experiences that board members bring from other industries.
By digging deeper into areas beyond what is presented by management, the board will demonstrate appropriate engagement and help drive an agenda that is forward thinking and proactive.
7. Demonstrate credible challenge
Credible challenge activity usually occurs during a board or board committee meeting. The documentation of these meetings is in the written minutes, which presumably describe with specificity the discussions taking place. The more detail on board questions and robust discussions of issues that appears in the minutes, the better the challenges will be documented.
Other means to document challenges include:
• Emails that include questions for executive management.
• Notes and reports of meetings that directors have with outside consultants or lower-level bank employees.
If a director has a concern about an issue, particularly one involving conduct risk, he or she should make certain that the concern is documented to ensure that there is proof that a challenge was made to executive management.
Remember, if a challenge isn’t documented, then, in the view of many stakeholders, it never happened.
Tough job goes with the board seat
Providing effective credible challenge is not easy. Independent board members often have other full-time jobs, and serving as a board member is not a light load.
Nevertheless, the risks posed by employee conduct to a bank’s reputation are great and require effort to monitor fully. In order to meet their responsibilities, board members must remain fully independent, be fully informed, pursue probing questions, and show resolve when executing effective oversight.
1 The Federal Reserve and the Basel Committee on Banking Supervision have adopted similar requirements for bank boards. See SR 12-17/CA 12-14: Consolidated Supervision Framework for Large Financial Institutions, Board of Governors of the Federal Reserve System, Division of Banking Supervision and Regulation, Division of Consumer and Community Affairs (Dec. 12, 2012); Review of the Principles for the Sound Management of Operational Risk, Basel Committee on Banking Supervision (Oct. 6, 2014).
As appeared in: Banking Exchange