Be very clear in language and wording in governance documents … no matter your company size … to avoid confusion and potential legal problems.
A third governance example from Silicon Valley Bank (SVB) …
SVB had an apparent language mismatch in their Risk Committee charter. The charter serves as an example of how even a short company governance document can create disconnects if taken at face value and not worded carefully.
Here’s some of the first part of the SVB Risk Committee charter:
“The Committee’s purpose is to act on behalf of the Board in fulfilling its oversight responsibilities:
- Oversight of the Company’s enterprise-wide risk management policies and frameworks;
- Oversight of adherence to the Company’s risk appetite, risk profile and risk culture;
- Oversight of the Company’s Risk function and leadership; and
- Oversight of various risk management activities across the Company.”
OK thus far … a pretty common overview and typical Board committee type responsibilities – “oversight.”
Now the language mismatch.
SVB had an interesting situation in how risk governance was structured based on later parts of the charter: “The Committee shall be responsible for the appointment, performance evaluation (including goal setting), compensation, and termination of the Chief Risk Officer (the “CRO”), in coordination with the Compensation and Human Capital Committee, as appropriate. The Committee shall also be responsible for validating the CRO has the stature and experience to execute her or his role effectively. The CRO shall be subject to dual reporting: (i) to the Committee on a functional basis, and (ii) to the Chief Executive Officer of the Company on an administrative basis.”
In short, based on the language in the charter, the Board, via the Risk Committee, was directly responsible for selecting and hiring, evaluating, and compensating the Chief Risk Officer, not merely for final approval or disapproval of CEO actions or recommendations. The Chief Risk Officer was responsible to the Board functionally, not to the CEO. The Board directly managed the risk function.
This contrasts with common formal Board structures where the Board selects, evaluates, and compensates the CEO who in turn is responsible for doing the same for the rest of the company. Selected functions like audit, risk, cybersecurity, and other functions the Board deems critical often have “dotted line” relationships to the Board for direct information flow, unfiltered by anyone else. Boards may also have final approval authority – concurrence or nonconcurrence – for selection, evaluation, compensation, etc. for key positions.
The language mismatch is “oversight” versus direct responsibility for managing the risk function. Not the same thing … at all.
🔎 Check your company's key governance documents, paying attention to the language as an outsider would read it. Or, better yet, have an outsider read them. Is anything unclear?