Compliance committee, risk committee battle at JPMorgan Chase


Over the years, I noted that more boards have set up risk management committees. But is there a need to set up a committee to look specifically at "compliance risk?"

The risks of noncompliance have loomed large as of late, especially in the financial services industry. One of the little-noticed remedial steps forced on JPMorgan Chase by regulators was the forced creation of a compliance risk committee, to comprise at least three directors. But that's not the only step the bank will be required to take.

The bank already has a risk policy committee with four directors. The mission seems portfolio oriented. It's mission statement is that, "The Risk Policy Committee is responsible for oversight of the CEO's and senior management's responsibilities to assess and manage the corporation's credit risk, market risk, interest rate risk, investment risk, liquidity risk and reputational risk, and is also responsible for review of the corporation's fiduciary and asset management activities."

The bank's Chief Risk Officer, who reports to the CEO, is also accountable to the board, primarily through this committee. Should the new compliance committee effectively be an offshoot of the existing risk committee? Or would the bank be wise to set up a separate committee with separate members and have the risk committee act independently?

At this point, you could make a case for separate committees, though lots of coordination would be expected around trading and portfolio activities that could get the entire bank in trouble. The whole idea is to prevent a repeat of the London Whale fiasco. Banks in general need to think about how the board oversees core risk and compliance activities and whether it makes sense to consider them as part of a larger GRC effort. -Jim