Citigroup, Part III: Better Board Oversight
Today we return to Citigroup and its $400 million regulatory settlement from earlier this month, a case that offers a cornucopia of lessons for risk and compliance professionals. This time around, we consider what Citi’s board will need to do to rectify the bank’s poor internal governance.
First, let’s recap the case so far. The Office of the Comptroller of the Currency levied a $400 million penalty on Citibank, the consumer banking division of Citigroup, on Oct. 7. This came after years of frustration with the bank, and the consent order singled out four areas where Citi needs major improvement: data governance, enterprise risk management, compliance, and internal controls.
In addition to the $400 million penalty, OCC also imposed a long list of reports and action plans that Citi must implement to fix those four problematic areas. Our first post in this series examined Citi’s data governance. The second post looked at how Citi needs to improve its enterprise risk management.
Now we come to everyone’s favorite subject: the board of directors. The OCC consent order frames the double-headed nature of Citi’s predicament as follows:
The OCC has determined that board and senior management oversight is inadequate to ensure timely, appropriate actions to correct the serious and longstanding deficiencies and unsafe or unsound practices in the areas of risk management, internal controls, and data governance at the bank. Furthermore, inadequate reporting to the board hinders its ability to provide effective oversight.
In other words, Citibank’s internal governance is so bad, senior executives can’t piece together a complete picture of risk and internal control at the bank. Which means management can’t brief the board effectively about what’s wrong and how the bank is trying to fix things. Which means the board can’t provide the guidance and oversight that senior executives need to fix things properly. Round and round we go, ad nauseam.
Assignments for the Board(s)
First, OCC ordered Citibank’s board to form a compliance committee of at least five members, with the majority of those people being independent directors. (Citibank’s board currently has only seven directors, five of them independent.) That compliance committee must meet quarterly and keep records of its meetings.
Then comes the homework. Every quarter, the compliance committee must provide a written progress report to Citibank’s full board, and that report has to discuss four items:
- A review of Citi’s data quality, including “metrics that are accurate and meaningful;”
- A description of the steps the bank needs to take to comply with each article of the OCC consent order (there are 10 significant articles in the order);
- The specific actions already undertaken to comply with each article of the consent order; and
- The results and status of those corrective actions.
The Citibank board then has to forward each report to the OCC, along with whatever notes and additional comments directors have made to it.
Meanwhile, the Federal Reserve has its own consent order with Citigroup, the corporate parent that encompasses Citibank and the rest of Citi’s operations. That order doesn’t require the creation of a compliance committee. It does require Citigroup’s board to provide a written report to the Fed, explaining how the board will do better to hold senior managers accountable for remediation plans, risk management, and effective board reporting.
After that preliminary report, Citigroup’s board will then need to send quarterly updates to the Fed about how Citigroup is improving data quality, enterprise risk management, and compliance risk management.
On a practical level, those progress reports that Citigroup submits to the Fed will be guided by the progress reports that Citibank submits to the OCC. I don’t know how similar each report will be, but clearly the material is substantively the same and both boards will need to collaborate closely.
Getting Granular in Board Duties
The OCC order for Citibank is much more detailed in what that board should do to improve oversight. Article 12 of the order lists all the improvements OCC expects the board to make, and several are goals you might want to implement in your own organization.
First, the board needs to adopt governance processes that will empower executives responsible for risk management. For example, Citibank will need to establish processes for “review and credible challenge by a senior management risk committee.” I don’t know precisely who would serve on that risk committee, but clearly people in the Second Line of Defense would be included.
The board will also need to clarify reporting lines between the board and senior executives to assure that there is “effective, independent oversight of front-line units.” That has to mean risk managers in the Second Line of Defense, since they’re the ones who will provide that independent oversight of the First Line (as discussed in our previous post about the improvements to enterprise risk management that Citi has to make).
The point in all this is that Citibank’s board needs to implement processes that give the bank’s risk management function real power to challenge operating units in the First Line of Defense; and to speak directly with the board when necessary.
Second, the board needs to pay more attention to risk appetite. Not only will the board need to adopt a statement of risk appetite; it will then need to review and reappove that statement every year, and assure that the metrics and limits included in that statement remain relevant to the bank’s top risks. If the board wants to change the risk appetite statement, the board will need to document the rationale for those changes.
Mechanisms like this force a board to take risk appetite seriously. Too often a board can just rubber-stamp whatever statement of risk appetite is proposed by management, without careful thought about the metrics to set boundaries around that appetite or whether business operations have changed so much that a new statement is warranted. OCC’s requirements here are a good example of how to keep directors engaged with an important part of their job.
Third, the board needs to establish processes to identify and manage new risks that might arise thanks to organizational change. This point strikes me as particularly important, because many enterprises can stumble into trouble by launching new products or reorganizing operations without anticipating the risks that those actions might bring. That’s how Citigroup found itself crosswise with OCC and the Fed in the first place: the bank made so many acquisitions and reorgs over the years that its risk management systems could no longer keep up.
So now the board needs to assure that two things exist:
- Controls and risk management systems to ensure that risks from new activities or redesigns are appropriately identified, measured, monitored, and controlled; and
- An approval process to ensure that nobody tries anything whacky without proper pre-approval. Those approvals must be timely, done by proper personnel, and documented.
Yes, Citibank management itself will need to execute those processes, but the board still needs to assure that those processes exist and actually work.
Fourth, the board needs to assure strong, effective processes to track employee complaints. That directive applies both to senior executives in charge of implementing Citibank’s corrective action plan (see our first post for details about that); and to all employees and the complaints they submit generally. The board needs to assure that “any themes are appropriately identified and reported to a designated Board committee.”
That’s a lot, so let’s recap. Citibank’s board needs to assure that:
- Risk management executives are empowered to exercise independent oversight of the First Line of Defense.
- The board itself reviews its statement of risk appetite annually.
- The bank considers the risks from new products or reorganizations before embarking on those projects.
- Internal complaints are tracked, managed, and reported to the board as necessary.
OK, that’s enough for today. Later this week we’ll conclude our Citigroup series with a look at compliance risk management.