During 2006, when Lehman Brothers posted record profits of $4.05 billion, board members convened just two meetings of the firm's finance and risk committee. A year later, as credit markets froze and the bank sailed towards oblivion, the risk committee again met only twice. It is not possible to say how many times the committee would have got together in 2008 because the firm is now bankrupt. Perhaps they had been hoping to squeeze another meeting into the calendar.
The committee's meeting schedule was one of the revelations provided to a congressional hearing on Lehman's collapse by corporate governance expert Nell Minow on October 6. She also criticised the fact the risk committee was chaired by an octogenarian - although the board member in question, Henry Kaufman, at least had an impressive Wall Street resume, with a long stint at Salomon Brothers. The same could not be said of the other committee members: one was a Broadway producer; one had a long and distinguished career in the US Navy; one had run a Spanish-language TV station; and a fifth once chaired IBM, but retired from that post in 1993. In total, these five directors had been on Lehman's board for 55 years.
"Even in the post-Sarbanes-Oxley world, boards and their committees are too often considered either an operating division of the company or a social event rather than a risk management tool," says Minow, who runs The Corporate Library, a corporate governance research firm, in Portland, Maine.
Lehman's governance practices at board level were not all that different from other banks The Corporate Library covers, Minow says. But she was shocked by the fact the risk committee only mustered the energy to meet twice as the financial crisis gathered steam. "It is almost Monty Python-esque. It is absurd. It is inherently risky to have a risk committee that only meets twice a year," she said.
Not many people would quibble with that, but once the discussion moves beyond meeting schedules and into more vexing questions about what kind of qualifications risk committee members need to have and how far their responsibilities should stretch, consensus becomes elusive. In theory, these issues matter because risk committees have a vital fiduciary role to play. They are there to set the boundaries of risk-taking within the organisation, to check management stays within those boundaries, and to knock a few heads together if it looks like things are going awry. "The role of the risk committee is to act as the shareholders' watchdog, challenging management from a specialist risk point of view, on behalf of the main board. In some respects they are the last line of defence," says Charles Beach, a director in the performance improvement practice at PricewaterhouseCoopers (PwC) in London.
In practice, though, are these reasonable expectations? Most boards - and therefore most risk committees - are staffed by directors from a wide array of backgrounds. However often they meet, it seems unrealistic to think that directors who have made their name in mining, advertising or consumer products should have been able to spot looming liquidity and valuation risks in the structured credit market. Even if a risk committee was staffed entirely with career bankers, it might still be a stretch for them to grill executives on the subtleties of fair-value accounting, the nuances of value-at-risk measures or counterparty risk concentrations in the credit derivatives market.
"It is asking too much. We are fooling ourselves if we think a risk committee of the board, without the right skills, can properly interpret these things. It is set up for failure," says Bob Mark, a former chief risk officer at CIBC, who now runs his own California-based consulting firm, Black Diamond. He is also executive director of the Masters in Financial Engineering programme at University of California, Los Angeles's Anderson School of Management.
There are a number of ways to ensure risk committees are better equipped. One answer is to insist that one or more of the committee's directors have some relevant expertise, says David Clark, an alumnus of Bankers Trust and a former senior adviser to the UK Financial Services Authority (FSA), who now sits on the boards of four institutions, including Westpac Europe and Tullett Prebon. "You have got to have people on the board who understand the risk attached to the products that the bank is trading in, otherwise it is very difficult for the board to grasp exposures at all. I am not saying everybody has got to be a risk expert, but the board has got to have a mixed skill set and it is absolutely crucial that somebody in there has an understanding - a very good understanding - of risk."
It is not the first time this has been voiced. In 1993, a Group of 30 task force chaired by then-JP Morgan chairman Sir Dennis Weatherstone produced a report that offered 24 recommendations for the management and governance of derivatives businesses. One guideline called for every dealer to have on its board at least two people with an in-depth knowledge of derivatives products. "The recommendations for boards were astonishingly simple. If you want to know what best practice is, I would say go and have a look at that report because, frankly, it is just as valid today as it was 15 years ago. You have got to go and do those things," says Clark.
That sounds straightforward enough, but the non-executive world isn't overflowing with former risk managers, structuring heads and derivatives traders. An alternative suggested by Black Diamond's Mark is to provide risk committees with an independent risk management adviser - someone who doesn't have voting power but can help directors make sense of the complex information they receive from management. It is a role Mark himself played for energy trading firm Entergy-Koch prior to its acquisition by Merrill Lynch in 2004. "Before each meeting, I put in a significant amount of time reviewing all the risk information that was going to be presented, and it was my job to be an independent expert working on the board's behalf. I was there to help them interpret the information they were seeing and to ask pithy questions."
PwC's Beach predicts this kind of approach will become more common as a result of the crisis, as board risk committees realise they need to pursue their agendas more vigorously. He envisages a beefed-up secretariat emerging as a support function for the board and its risk committee, in some cases seeking independent reports and analysis, and helping to focus the directors' attention on the issues that matter.
In that kind of scenario, having relevant experience on the risk committee may not be critical. Instead, directors would just need to be good watchdogs - decisive, tenacious and not scared to ask for more information. The Corporate Library's Minow says part of the reason the banking industry appeared to sleep-walk into the crisis was the 'Emperor's new clothes' effect: directors didn't understand the intricacies of the credit business, but didn't want to admit to it.
William Martin, chief risk officer at Wilton, Connecticut-based investment manager Commonfund, argues risk committee members can be effective with or without relevant experience as long as they have the right risk sensibility. At Commonfund, Martin has a reporting line to the chairman of the board's audit and risk committee, who has a deep, sophisticated knowledge of finance, investments and risk management, he says. "He helps facilitate discussions that go deep into risk-specific issues or, more broadly, across economic, investment and business-related issues. It's a very effective, healthy environment."
By way of contrast, in one of Martin's previous posts, the risk committee's chairman had no direct risk management experience - but proved to be just as effective. "In terms of background, he was anything but a risk manager, but he had a sixth sense about risk and business. He just knew what questions to ask," Martin recalls.
A lack of expertise isn't the only obstacle, though. Even a committee stuffed to the gills with risk specialists will find it hard to be effective if the information it receives is flawed - and the crisis has highlighted the weaknesses of a number of widely used metrics, such as credit ratings. Black Diamond's Mark points out that, during the first half of 2007, there was little indication of the meltdown to come, nor of the fact many banks were about to lose their shirts. For instance, an AAA rated tranche of a mortgage-backed securities transaction that had been insured by an AAA rated monoline would still have looked pretty much bullet-proof. "There was no reason for this to feature on your top 10 hit parade of risks. All the way up the chain of command, people were happy to load up on this kind of asset because they were getting pretty good returns for an AAA rated bond, and nobody stopped to ask whether the rating was correct in the first place. You can't expect a board member to start pulling apart rating methodologies," says Mark.
Similarly, the risks that would later emerge in trading books were not being captured by VAR measures, which work well enough in good times but give little clue to the actual losses banks can suffer when markets go haywire. PwC's Beach says the crisis has been a painful reminder of these limitations: "VAR provides important information, but at the same time it is a simplified view of the world. Those kinds of values need to be supplemented and supported by different forms of stress, scenario and sensitivity analysis, and other measures like notional value. In addition, for products that are complex and potentially illiquid, there is an increasing recognition of the need to look at valuation uncertainty and to consider valuation and cashflow stress tests covering situations where liquidity dries up completely. So I think lessons have been learned about the metrics that needed to be presented."
It was the job of the chief risk officer to explain to risk committees what numbers to trust as the crisis unfolded, believes Commonfund's Martin. "Around the middle of 2007, it became clear pretty quickly that typical risk metrics were not keeping up with what was going on in the market, as with historical simulation-based metrics or time series based on monthly data. As that persisted, part of the chief risk officer's responsibility was to move away from such metrics and towards higher frequency, fact-based analysis with qualitative commentary. For me, it is the responsibility of the chief risk officer to initiate and manage this transition and communicate it effectively to the directors."
Others argue the directors should not be overreliant on information and guidance from management - even the supposedly independent risk function. Instead, risk committees need to be armed with a battery of probing questions, argues Black Diamond's Mark. While it may be unreasonable to expect a committee member to break down rating methodologies, it wouldn't be unreasonable to expect questions to be asked about the way a portfolio of assets would perform if there was a dramatic change in the market. "A savvy board member might have said: 'This is all very interesting. I see we are loading up on super-senior mortgage risk - what does all this look like if housing prices drop 20%? What happens to our investment? And not only that, what happens to all the other investments made by other people in this stuff? What kind of systemic risk would we be looking at?' Now, that would have been a beautiful response. But how many committee members were capable of something like that?" he asks.
Despite all these problems, experts say risk committees can and do make a genuine contribution to risk management. Commonfund's Martin highlights the key relationship between the chief risk officer, the chief executive and the entire board - a triumvirate at the highest level of the firm who each have their own part to play in risk management. "My view is that the board defines broadly the risk appetite of the organisation and the chief executive is responsible for running the business within the context of the pre-defined risk appetite. The chief risk officer works primarily as a strategic adviser to link the executive authority with its governance structure by providing a medium to escalate, debate and address risk issues. This helps build a strong, inclusive risk culture which then spreads throughout the firm."
As such, he says, regardless of the committee's meeting schedule, the board and/or its risk committee, the chief executive and the chief risk officer should all be actively involved as any significant risk issues develop. Moreover, the chief executive should be the driving force in this process. "I have found that it works best when you have a proactive chief executive who is very comfortable with an open, transparent dialogue around risk management, both with the board and within the firm" says Martin.
It is also important to promote active involvement on the part of risk committee members, says Black Diamond's Mark. When he was at CIBC and regularly presenting risk reports to the board-level committee, Mark says he would encourage dialogue, stopping regularly to ask for questions and then opening up a discussion. He was also happy to continue the dialogue outside of the meetings. "There were certain board members who would ask for that. They would say they wanted to know more about why the risk measures associated with a certain business moved up or down, for example - and I loved it when that happened. That was fabulous, because you got to know the board member a little better and you knew they were listening and were engaged."
Former FSA adviser Clark says effectiveness rests in part on organisational structure. It is often the case that business lines have their own risk review committees locally authorising loans or trades or new products. Stacked on top of that are risk committees at the group level and a risk committee for management. The whole, wobbly pile is topped off by the risk committee of the board. This proliferation of committees may instil a degree of organisational complacency - a belief that someone somewhere will catch the risk, says Clark. More importantly, the fracturing of committees by risk types and business lines - while hard to avoid - can make it difficult to unite all the disparate risks again further up the chain. "By all means have separate risk committees, but overall risk appetite and exposure must be pulled together for boards to observe, manage and be responsible for it. Credit, market and operational risk are different disciplines but increasingly overlap and it is essential to make sure all three risk types are reviewed with an eye on how they overlap and interrelate. I think it is the board's job to insist that is being done - they need to see a fully integrated picture of risk," he says.
But the ultimate tool to make risk committees more effective could be the power wielded by the people they are supposed to represent - shareholders. Most of the time, investors show little obvious interest in the workings of an organisation's most powerful risk management body, only getting involved when something has gone wrong and fingers need to be pointed or lawsuits filed. That's partly because they have little power to shape the board, says The Corporate Library's Minow.
"One of the most important initiatives I support - and that will get some attention in the new administration - is the idea of majority vote. Under current law, directors do not have to have the support of the majority of the shareholders. It seems to me that if we did require a majority of the votes cast in order to be able to serve on a board, it would be possible for shareholders to remove directors who did not do their job on risk management, or who did not do a good job on executive compensation. I think that would be very worthwhile, very constructive."