CastleHill

In light of new guidance recently published by the Federal Reserve, Managing Partner Tim Carbery hosts a roundtable to discuss the nature, necessity, and evolution of regulatory risk committees. Joining him are Beth Hughes (owner of Bay Redwood Consulting LLC., and Former Managing Director, Head of Risk Governance Validation, America’s Risk Management, MUFG Union Bank N.A.); Yakut Akman (independent consultant, former Chief Third-Party Management Officer, Citigroup); and Joe Iraci (adjunct professor and former CRO TD Ameritrade, INC.).


Beth Hughes opens the floor with a journey to the past. “The first formalized risk management mechanism (that was recorded, at any rate) was a rice futures exchange in Osaka, Japan, dating to 1697,” she begins. “The government immediately regulated it. You can see in that example just what we observe to this day: a dance between risk management, the development of technologies and tools to enhance risk management, and, through regulation, the government’s interest in making sure that those tools are robust and are supporting the public interest.”

She traces this pattern from Osaka, Japan, 1697, to the 2008 Financial Crisis, to February 26th, 2021, when the Federal Reserve published a letter entitled: Supervisory Guidance on Board of Directors’ Effectiveness (

While Hughes notes that much of the guidance is not especially new news for regulatory committees, “The really notable thing about this new guidance is the Fed is saying, ‘Not only are we going to specifically assess the board, not just the bank, not just the operations, but the board on their oversight responsibilities… we are going to take the result of that Fed assessment and incorporate it directly into the Fed’s rating for that bank.’”


As regulations are clarified and understood, board members will become increasingly dependent upon management to supply them with appropriate information for self-assessment. For Yakut Akman, a crucial element of that framework lies in institutions investing in separate risk committees. 

“Many a time an audit committee assumes that responsibility,” says Akman. “The argument against having a separate risk committee would be that risk oversight is an overall board responsibility anyway, and various board committees naturally address risks through their respective charter activities.”

While some institutions may have found audit committees to be sufficient to manage risk in the past, a piecemeal approach to risk management sets companies up for failure. The skills required by a risk committee often differ from those of an audit committee, hindering a board’s ability to meet its corporate governance oversight responsibilities. By devoting resources to an established risk committee, an institution can foster an appreciation for risk management at every level of the corporation, increasing overall soundness.

“Based on my experience in dealing with boards, audit committees, risk committees: even though the tone is set at the top— and it is so important that the board sets the tone, and then the CEO, and then the executive management, and the senior management, and so on and so forth— it’s really a circular process,” says Akman. “The information that is provided to the board really comes from the bottom, up. If there is not a full understanding and appreciation of risk and risk management at the lower levels, then the boards do not necessarily get a complete picture, or even a correct picture, of what is happening at the lower levels or throughout the company in terms of their risks.”

“It has to be a part of the overall culture. Otherwise, no matter how talented and skilled and experienced your risk committee is, they are not going to be fulfilling their governance responsibilities as expected,” Akman continues.


While the structure and perspective of an institution’s risk committee are crucial, its ability to evolve is equally important. To that effect, Joe Iraci urges boards to embrace Enterprise Risk Management.

“If you look at the definition of enterprise risk management, the definition actually says it’s a process. The process is intended to align risk management with corporate strategy,” Iraci explains. “Enterprise risk management, by its nature, actually faces off to the governance structures, including the board.”

He goes on to describe how enterprise risk management ties directly into other headline risk areas, which aids the flow of information throughout an organization. This is particularly important when it comes to reporting information to management and board members for decision-making.

“I think, going forward, that enterprise risk management not only will play a larger role in corporate strategy, but it will also take on a larger role in determining risk culture and firm-wide culture, because at the core of successful firms is a positive corporate culture,” Iraci concludes. “If you get culture right, decision-making starts to be made from value-driven decision making off the tone from the top.”


The tumult of the past year certainly exacerbated the challenges faced by many institutions’ risk management functions. Emerging risk has become even more important for risk committees to consider.   

There are dozens of examples of the impact of emerging risk on institutions unable to adapt to changing circumstances. Iraci points to the COVID-19 pandemic as an example of banks failing to act quickly, hampered by a lack of planning. “If you look at a list of most emerging risks, pandemics actually would have been on there, but nobody actually flagged that the pandemic was going to occur,” he notes. “We lost three to five months of planning across the globe.”

Other recent events, including the environmental crises in both California and Texas, underscore the importance of incorporating potential risk scenarios into a corporation’s risk appetite. Hughes stresses the criticality of scenario planning: the ability of institutions to integrate a holistic approach to risk management into their operations in a manner that accounts for emerging risks.

“The Nirvana for a risk committee and the risk culture of the organization is really the point where you’re thinking creatively enough with the right quantitative framework underneath to be able to identify not only the risks, but the opportunities, because you can’t make money without taking risks,” says Hughes. “Which risks do we want to take? What are the right risks? How can we actually drive our business forward with a really risk aware view that will help us make the right choices and be more profitable, more successful? In an environment like this, there’s no way you can be an effective business without risk management disciplines being part of a toolkit.”

Here again, enterprise risk management surfaces as one such tool. Enterprise risk management moves away from more traditional stress tests, which incorporate only a few risk factors pulled from market data, towards scenario analysis. Scenario analysis significantly increases the number of risk factors, pulling from operational and emerging risks to create more comprehensive risk scenarios.

“I think the beauty of enterprise risk management, and the potential of enterprise risk management, is to help boards and management in this area of emerging and strategic risk. They’re not built off quantitative models, they are actually a qualitative analysis,” says Iraci.

History has a template for those institutions unable to make the switch. “It’s actually the emerging and strategic risk that we’ve seen in the past that are usually what get firms in trouble or point to why firms actually succeed, because they have identified potential marketplace changes and were able to capitalize on that change… boards have to be flexible enough to know when to move from defense to offense, and offense to defense,” Iraci notes. “BlackBerry basically invented the smartphone, but they’re nowhere near the top now, and not to pick on BlackBerry, but there’s numerous examples of firms who were leading edge firms that simply did not make changes off of the marketplace changes.”

The takeaway? Risk committees and regulatory boards need to use qualitative analysis and strategic scenario planning to holistically incorporate all risk disciplines into a forward-thinking management system, or they run the risk of going the way of once-ubiquitous mobile technologies.

“Change does not have to be negative. Change could actually point to a business opportunity. It just has to be analyzed,” Iraci concludes.

Watch episode sixteen of Coffee Chat with CastleHill below to hear the full conversation:

This article was written by Sam Riley, contributor for