CRO Outlook

Are Board Risk Committees Up to the Task of Overseeing Large, Complex Banks?

Big banks today boast board risk committees, but the members of those committees often lack the risk expertise needed to ask tough questions on complex issues. What steps can banks take to address this deficiency?

Friday, June 21, 2024

By Clifford Rossi


The top 10 U.S. banks collectively account for more than $12 trillion in assets, reflecting a diversity of products and services. Consequently, these banks are fraught with risk, and careful management of their assets and liabilities is required.

Typically, the board risk committee stands at the apex of a bank’s risk governance structure, overseeing a multitude of risks. Given the criticality, scale and complexity of risk management at extremely large banks, a key question is whether board risk committees have the requisite expertise and credentials to perform their fiduciary duties – including effective challenge of management.

The short answer is no.


Qualifications to be on a bank board risk committee are vague. For example, the Corporate and Risk Governance section of the Office of the Comptroller of the Currency's Comptroller's Handbook indicates that board members should have sufficient skills and backgrounds to perform their duties on assigned committees. But this broad regulatory guidance on board expertise leaves much to the imagination – and may, in fact, be at the root of various bank failures and notable risk events experienced by banks over time.

How well, for instance, did boards of failed banks before the 2008 GFC really understand the complexity of subprime and nontraditional mortgages and credit derivatives – as well as their role in amplifying mortgage credit risk? Fast forwarding to early 2023, were board risk committees well-versed in interest rate and liquidity risk management? Did they understand key concepts, such as economic value of equity and the impact of uninsured deposit attrition rates and betas on interest rate and liquidity risk management?

In both cases, the answer is that very few board risk committee members at banks had the direct risk management experience needed to ask hard questions of management teams – about how these and other risks were being managed – until it was too late.

Breaking Down Board Committees

To gain more insight, I examined the composition of board risk committees of the top 10 U.S. banks, specifically looking at the level of expertise and backgrounds of those members relating to bank risk management. Table 1 summarizes the number of members for each board committee of these banks.


The first takeaway from Table 1 is that bank risk committees collectively have the largest number of board members assigned compared to other bank board committees. However, these banks average only about six members per risk committee. Some companies, such as JP Morgan Chase, have just three risk committee members, while others, such as TD Bank (NA), have eight.

Considering the size and complexity of these institutions, it is obvious that banks can ill afford to assign board members to risk committees who are not well-versed in bank risk management practices. So, what is the current level of expertise of bank risk committees?

Inadequate Risk Experience 

The first thing to note is that large bank boards are composed of people at the top of their field; the diversity of those backgrounds is essential in performing the various duties of boards, as represented by the different committees shown in Table 1.

When we examine proxy statements and other publicly available documents for the 10 largest U.S. banks, we can gain a clearer understanding of board composition. Using this data, I created a set of categories, reflecting the backgrounds for each committee across (1) members who had direct bank experience; (2) members who had regulatory experience; and (3) members with backgrounds in other nonbanking sectors, including government and academia.

The banking category was further segmented into financial (asset-liability, credit and counterparty risk) and nonfinancial risk and business expertise, while the nonbanking category was split into risk management and business experience.

Members with diverse backgrounds could show up in multiple categories. The results from this exercise are summarized in Table 2.


A total of 103 “experiences” across the 58 bank risk committee members were identified. Of those experiences, only 19.4% were associated with bank financial risk management, while another 20.4% had some type of bank nonfinancial risk background.

One-third of risk committee members had backgrounds from sectors other than banking – including military, geopolitical risk analysis, cybersecurity and information security. Only three percent of those non-bank members had direct risk management experience consistent with practices familiar to banking. Rounding out the composition, five percent of risk committee members had regulatory experience.

The main takeaway from Table 2 is that large banks do not stack their board risk committees with risk experts. In fact, about one-third of risk committee members have no direct bank risk management, regulatory or business experience.

Of course, no amount of board training is going to turn a risk committee member with experience outside banking into a risk expert. What’s more, it is unwise to lean on just one or two members of a bank board risk committee to ask the tough questions on complex risk issues. However, since bank board risk committees are quite small, and since they often lack risk expertise, this overreliance is happening at some large banks today, leaving institutions and their shareholders quite vulnerable – particularly during times of great stress.

Advice for Improving Risk Committees

Effective challenge requires being able to drill down into difficult risk issues with some level of confidence. So, what should be done to improve the bench strength of board risk committees?

Firstly, regulatory agencies should require that board risk committee members have demonstrable, direct experience in bank risk management – particularly at large institutions.

Secondly, to maintain separation between regulators and bankers, and to remove any potential conflicts of interest, ex-regulators should not be permitted to join bank boards.

Lastly, bank board risk committees should have diverse risk management expertise, with at least one member each with a background in credit risk, operational risk, technology/cyber risk and market/interest rate/liquidity risk.

Every bank board risk committee could then be rounded out by members with relevant business experience. For example, given the very different issues associated with managing credit risk, it would be wise to have one member with a consumer credit background and another with commercial credit experience. This would ensure that board risk committees cover all the bases, including every major risk type.

Parting Thoughts

Large banks face a myriad of risks every day across far-flung businesses. One way to mitigate the too-big-to-fail issue is to overhaul the criteria for who is allowed to sit on board risk committees at big banks. These invaluable committee slots should be reserved for only those members possessing hands-on, proven bank risk management experience.

Risk committees are arguably the most important assignment a board member can be given. If oversight is done properly, it can pay enormous dividends by steering a bank away from risky and potentially destructive activities.


Clifford Rossi (PhD) is the Director of the Smith Enterprise Risk Consortium at the University of Maryland (UMD) and a Professor-of-the-Practice and Executive-in-Residence at UMD’s Robert H. Smith School of Business. Before joining academia, he spent 25-plus years in the financial sector, as both a C-level risk executive at several top financial institutions and a federal banking regulator. He is the former managing director and CRO of Citigroup’s Consumer Lending Group.

