3-1579.294

SAFETY AND SOUNDNESS—Supervisory Guidance on Board of Directors’ Effectiveness*

The Federal Reserve expects the board of directors (also referred to as a firm’s “board”1) of a large financial institution to be effective in its oversight of the firm. The board serves a critical role in maintaining the firm’s safety and soundness2 and compliance with laws and regulations, as well as the continued financial and operational strength and resilience of a firm’s consolidated operations.3 This guidance describes attributes of effective boards of directors that have been observed over time in the course of the Federal Reserve’s supervision. Responsibilities that are typically the purview of senior management, including most daily and operational decisions, are not described in this guidance.
This guidance adopts a principles-based approach to describe attributes of effective boards and provides illustrative examples of effective practices. This approach reflects the view that including standardized expectations would not take into account material differences in activities, risk profile, and complexity among large financial institutions as they relate to boards of directors.
In developing this guidance, the Federal Reserve considered other statutory and regulatory authorities that impose requirements and expectations concerning the roles, responsibilities, and expectations of a firm’s board of directors. For example, the Federal Reserve reviewed applicable Delaware law,4 rules promulgated by the U.S. Securities and Exchange Commission, and listing requirements implemented by the New York Stock Exchange (NYSE) and the Nasdaq Stock Market. This guidance does not supersede or replace any applicable legal, regulatory, or listing requirements to which firms may currently be subject in the United States, and nothing herein is believed to conflict with such requirements.
Attributes of an Effective Board of Directors
1. Set Clear, Aligned, and Consistent Direction Regarding the Firm’s Strategy and Risk Appetite
An effective board oversees the development of, reviews, approves, and periodically monitors the firm’s strategy and risk appetite.5 Such a strategy and risk appetite are clear and aligned, and include a long-term perspective on risks and rewards that is consistent with the capacity of the firm’s risk-management framework. The alignment of strategy and risk appetite helps the firm to maintain sufficient financial and operational strength and resilience for safety and soundness and to promote compliance with laws and regulations.
A clear strategy articulates a firm’s strategic objectives for its businesses while helping to establish and maintain: (a) an effective risk-management structure; (b) appropriate processes and resources for strategy implementation, plans, and budgets for each business line and risk management or control function; and (c) an effective risk management and control function. A clear strategy also provides direction to senior management about how to determine which business opportunities to pursue consistent with the firm’s risk appetite and risk-management capacity.
A clear risk appetite includes sufficient detail to enable the firm’s chief risk officer (CRO) and its independent risk-management function6 to set firm-wide risk limits.7 A clear risk appetite specifies the level and types of risk that the board is willing to assume, that the board believes the firm is capable of managing, and that allows senior management to establish risk-management expectations and monitor risk-taking for the full set of risks. A firm’s strategy and risk appetite are aligned when they are developed, reviewed, and approved consistent with one another even though they are not necessarily developed and approved simultaneously.
An effective board also considers the capacity of the firm’s risk-management framework when overseeing aspects of the firm’s strategy and risk appetite. This practice helps to confirm that strategic plans are commensurate with the firm’s ability to identify and manage risks, including identifying activities that could pose a material risk to the safety and soundness of the firm, threaten the financial system, violate the law, or harm consumers.
For example, if the firm is considering a new line of business, a clear strategy explains how conducting the business would be consistent with the firm’s risk appetite and changes that would need to be made to the firm’s risk-management program and its controls to effectively manage different or additional risks posed by the new business. If the strategy calls for expansion into a new line of business or a new jurisdiction, the board evaluates the increased level of risk. In addition, an effective board reviews any corresponding risk management or controls enhancements, including those related to compliance with U.S. laws,8 that are necessary to align with the risk appetite. The same evaluation is conducted on a regular basis to assess growth strategies within current businesses and products.
A firm’s policies, programs, and plans are sufficiently clear regarding the allocation of responsibilities to enable the board to evaluate senior management’s execution of the firm’s strategic plan. An effective board reviews and approves significant policies, programs, and plans based on the firm’s strategy, risk appetite, risk-management capacity, and structure. These include but are not limited to the firm’s capital plan,9 recovery and resolution plans,10 audit plan,11 enterprise-wide risk-management policies,12 liquidity risk-management policies,13 compliance risk-management program,14 and performance management and compensation programs. An effective board might review summarized forms of policies, programs, and plans, with the summarized form including sufficient detail and context for the board to make an informed decision and to consider consistency with the firm’s strategy, risk appetite, and risk-management capacity.
2. Direct Senior Management Regarding the Board’s Information Needs
An effective board directs senior management to provide directors with information that is sufficient in scope, detail, and analysis to enable the board to make sound, well-informed decisions and consider potential risks.
An effective board directs senior management to provide it with information that is timely, accurate, and well organized. An effective board also evaluates the sufficiency and quality of information it receives and directs senior management to (a) provide more information, (b) address any concerns regarding the volume, structure, content, or quality of the information it receives, or (c) improve relevant firm processes and practices for the preparation of such information.
An effective board seeks, outside of regular board and committee meetings, information about the firm and its activities, emerging and ongoing risks, personnel, compensation, and other matters. Such additional inquiries are often conducted through special sessions of the board, outreach to staff other than the Chief Executive Officer (CEO) and his or her direct reports, and discussions with Federal Reserve senior supervisors. Director training is another way directors may learn more about topics relevant to their responsibilities and may highlight the need for further director inquiries.
Directors of an effective board, particularly the lead independent director or independent board chair and committee chairs, take an active role in setting board and committee meeting agendas. Directors provide input such that the content, organization, and time allocated to each topic allow the board and committees to make sound, well-informed decisions. If the board’s agenda includes a discussion of growth into a new business, an effective board typically discusses the firm’s risk management and control capabilities that reflect the views of the independent risk management and internal audit functions.
3. Oversee and Hold Senior Management Accountable
An effective board oversees and holds senior management accountable for effectively implementing the firm’s strategy, consistent with its risk appetite, while maintaining an effective risk-management framework and system of internal controls. An effective board executes these responsibilities consistent with safety and soundness and in compliance with laws and regulations, including those related to consumer protection, under a range of conditions. An effective board also oversees and regularly evaluates the performance and compensation of senior management.
To facilitate accountability, an effective board engages senior management in a variety of ways. For instance, at board meetings, engagement is supported by allocating sufficient time to facilitate a candid discussion and debate of information while encouraging diverse views. Directors consider whether and how senior management’s conclusions and recommendations align and support the firm’s strategy and risk appetite. If weaknesses or gaps are identified, the information provided is incomplete, or as otherwise warranted, directors challenge senior management’s assessments and recommendations. Engagement may also take place outside board and committee meetings.
An effective board engages in robust inquiry into, among other things:
  • Drivers, indicators, and trends related to current and emerging risks;
  • Adherence to the board-approved strategy and risk appetite by relevant lines of business; and
  • Material or persistent deficiencies in risk management or control practices, whether in policy or in practice.
An effective board also reviews reports of internal and external complaints, including “whistleblower” reports.
An effective board has independent directors who are sufficiently empowered to serve as an effective check against firm executives who sit on the board and senior management. For example, if the board has an executive chair, independent directors may be empowered through the election of a lead independent director with the authority, among others, to call board meetings with or without the chair present.
A crucial aspect of holding senior management accountable is regular board oversight and evaluation of the performance and compensation of senior management. An effective board oversees and evaluates the development and implementation of performance management and compensation programs that encourage behaviors and business practices consistent with the firm’s strategy, risk appetite, and safety and soundness. This includes promoting compliance with laws and regulations, including those related to consumer protection.
In addition, each component of senior management’s total compensation is informed by the board’s evaluation of the individual’s performance against performance objectives. An effective board approves clear financial and nonfinancial performance objectives aligned with the firm’s strategy and risk appetite for the CEO and business line executives and nonfinancial performance objectives for the chief risk officer and chief audit executive. Similar performance objectives are developed for other members of senior management. An effective board of directors also holds senior management accountable for the implementation of performance management and compensation programs that promote sound risk management, compliance with laws, regulations, and internal standards, including for conduct. Performance management and compensation programs, when combined with business strategies, discourage risk-taking inconsistent with the firm’s strategy and safety and soundness, including compliance with laws, regulations, and internal standards, and promote the firm’s risk-management goals. Consistent with safety and soundness, compliance with laws and regulations, and the firm’s strategy, an effective board oversees succession plans for the CEO, and depending on the size, complexity, and nature of the firm, the chief risk officer, chief audit executive, or other senior management officials.15
4. Support the Independence and Stature of Independent Risk Management and Internal Audit
An effective board of directors, through its risk and audit committees, assesses and supports the stature and independence of the firm’s independent risk management and internal audit functions. An effective risk committee16 and an effective audit committee17 engage in robust inquiry into, among other matters:
  • the causes and consequences of material or persistent breaches of the firm’s risk appetite and risk limits;
  • the timeliness of remediation of material or persistent internal audit and supervisory findings; and
  • the appropriateness of the annual audit plan.
An effective risk committee supports the stature and independence of the independent risk-management function by:
  • communicating directly with the chief risk officer on material risk-management issues;
  • overseeing the appropriateness of independent risk management’s budget, staffing, and systems of internal controls;
  • coordinating with the compliance function; and
  • providing independent risk management with direct and unrestricted access to the risk committee.18
After reviewing the risk-management framework relative to the firm’s structure, risk profile, complexity, activities, and size, an effective risk committee effects changes that align with the firm’s strategy and risk appetite.
An effective audit committee supports the stature and independence of internal audit by meeting directly with the chief audit executive regarding the internal audit function, organizational concerns, and industry concerns. The audit committee supports internal audit’s budget, staffing, and systems of internal controls relative to the firm’s asset size, complexity, and the pace of technological and other changes. The audit committee also reviews the status of actions recommended by internal audit and external auditors to remediate and resolve material or persistent deficiencies identified by internal audit, external audit, and findings identified by supervisors.
An effective board monitors the independence and stature of independent risk management and internal audit and takes action if the views of these functions are not taken into account when decisions are made, or if these functions are unduly influenced by business lines.
5. Maintain a Capable Board Composition and Governance Structure
An effective board considers whether its composition, governance structure, and practices support the firm’s safety and soundness and the ability to promote compliance with laws and regulations based on factors such as the firm’s asset size, complexity, scope of operations, risk profile, and other changes that occur over time. Reflecting these factors, an effective board establishes a process designed to identify and select potential director nominees with a mix of skills, knowledge, experience, and perspectives. This process takes into account, for example, a potential nominee’s expertise, availability, integrity, and potential conflicts of interest and considers a diverse pool of potential nominees, including women and minorities.19
An effective board maintains a governance structure capable of overseeing senior management and addressing issues arising from the firm’s size, scope of operations, activities, risk profile, and resolvability. In addition, an effective board establishes committees and management-to-committee reporting lines to support effective oversight, timely access to information, and sound decisionmaking. An effective board also has the capacity to engage third-party advisors and consultants, when appropriate, to supplement the board’s knowledge, expertise, and experience and support the board in making sound, well-informed decisions.
An effective board evaluates on an ongoing basis its strengths and weaknesses, including the performance of the board committees, particularly the risk, audit, and other key committees. An effective board adapts its structure and practices to address identified weaknesses or deficiencies and as the firm’s asset size, scope of operations, risk profile, and other characteristics change over time.
Issued by the Board of Governors of the Federal Reserve System February 26, 2021 (SR-21-3).

*
This supervisory guidance applies to boards of directors of domestic bank and savings and loan holding companies with total consolidated assets of $100 billion or more (excluding intermediate holding companies of foreign banking organizations established pursuant to the Federal Reserve’s Regulation YY) and systemically important nonbank financial companies designated by the Financial Stability Oversight Council for supervision by the Federal Reserve.
1
The terms “board of directors” and “board” include committees of the board.
2
Federal Reserve regulation and supervision of bank holding companies is authorized under various statutes, including the Federal Deposit Insurance Act (see, e.g., 12 U.S.C. 1818 and 12 U.S.C. 1831) and the Bank Holding Company Act (see, e.g., 12 U.S.C. 1844).
3
“Financial strength and resilience” is defined as maintaining effective capital and liquidity governance and planning processes, and sufficiency of related positions, to provide for continuity of the consolidated organization (including its critical operations and banking offices) through a range of conditions. “Operational strength and resilience” is defined as maintaining effective governance and controls to provide for continuity of the consolidated organization (including its critical operations and banking offices) and to promote compliance with laws and regulations, including those related to consumer protection, through a range of conditions. See 83 Fed. Reg. 58,724 (November 21, 2018) and 84 Fed. Reg. 4,309 (February 15, 2019).
4
See Del. Code Ann. tit. 8 (2016).
5
“Risk appetite” is defined as the aggregate level and types of risk the board and senior management are willing to assume to achieve the firm’s strategic business objectives, consistent with applicable capital, liquidity, and other requirements and constraints.
6
An “independent risk-management function” is responsible for identifying, measuring, aggregating, and reporting risks in a comprehensive and independent manner.
7
The term “risk limits” refers to thresholds that constrain risk-taking so that the level and type of risks assumed remains consistent with the firm-wide risk appetite. Internal risk management sets risk limits in aggregate by concentration and risk type, as well as at more granular levels as appropriate.
8
U.S. laws include, without limitation, the Bank Secrecy Act and the Foreign Corrupt Practices Act.
9
12 CFR 225.8(e)(iii); 12 CFR 252.47(a); SR letter 15-19, “Federal Reserve Supervisory Assessment of Capital Planning and Positions for Firms Subject to Category II or III Standards;” SR letter 15-18, “Federal Reserve Supervisory Assessment of Capital Planning and Positions for Firms Subject to Category I Standards;” and Federal Reserve paper on Capital Planning at Large Bank Holding Companies: Supervisory Expectations and Range of Current Practice (Federal Reserve Board press release issued on August 19, 2013).
10
12 CFR part 243; SR letter 14-8, “Consolidated Recovery Planning for Certain Large Domestic Bank Holding Companies;” and SR letter 14-1, “Heightened Supervisory Expectations for Recovery and Resolution Preparedness for Certain Large Bank Holding Companies—Supplemental Guidance on Consolidated Supervision Framework for Large Financial Institutions (SR letter 12-17/CA letter 12-14).”
11
SR letter 13-1/CA letter 13-1, “Supplemental Policy Statement on the Internal Audit Function and Its Outsourcing,” and SR letter 03-5, “Amended Interagency Guidance on the Internal Audit Function and its Outsourcing.”
12
12 CFR 252.33.
13
12 CFR 252.34(a).
14
SR letter 08-8/CA letter 08-11, “Compliance Risk Management Programs and Oversight at Large Banking Organizations with Complex Compliance Profiles.”
15
This may extend beyond requirements to which firms may be subject under other statutory and regulatory authorities. For example, the NYSE requires formalized succession planning for the CEO only. See NYSE Listed Company Manual, section 303A.09. The chief risk officer and chief audit executive are named here given the independence of those positions and the control function each serves.
16
The risk committee is responsible for the firm’s global risk-management policies and oversight of the firm’s global risk-management framework. 12 CFR 252.33(a). Nonbank financial companies supervised by the Federal Reserve are required to establish a risk committee pursuant to section 165 of the Dodd-Frank Act. 12 U.S.C. 5365(h)(1). Certain savings and loan holding companies subject to this guidance also have risk committee requirements. 12 CFR 238.122.
17
See SR letter 13-1/CA letter 13-1. Firms that are publicly traded are subject to the audit committee requirements contained in the U.S. Securities and Exchange Commission’s Rule 10A-3 under the Exchange Act of 1934, in addition to any requirements imposed by the applicable stock exchange on which the firm is listed. See, e.g., NYSE Listed Company Manual, sections 303A.06 and 303A.07, and The Nasdaq Stock Market Rules, section 5605(c).
18
See, e.g., 12 CFR 252.33(a)(3).
19
“Final Interagency Policy Statement Establishing Joint Standards for Assessing the Diversity Policies and Practices of Entities Regulated by the Agencies,” 80 Fed. Reg. 33,016 (June 10, 2015). The use of the term “minority” is consistent with the use of such term in this interagency policy statement and in section 342(g)(3) of the Dodd-Frank Act.