Introduction, by James Lam
It was November of 2012. The board of directors at E*Trade Financial and Bank took a big chance on me: They had just voted to add me to their group, even though I had no prior experience serving on the board of a public company or a bank. At that time, E*Trade was both. They also named me chair of what would be a critical element in E*Trade’s hoped-for turnaround—the risk oversight committee (ROC).
Today, E*Trade is a subsidiary of Morgan Stanley, providing that bank’s customers with access to securities trading, investment accounts, and information services. At the start of November 2012, E*Trade was a public company facing many challenges. Undercapitalized and losing money, the stock was trading at around $8, down 99% from its 1999 peak prior to the dot-com crash. An activist investor had injected billions of equity and debt capital, and joined the board as well as the ROC. The company’s unsecured debt ratings were B-/B2.
E*Trade was also operating under the tight regulatory restraints of two memorandums of understanding (MOUs), one from the Federal Reserve and the other from the OCC. Given these challenges, the company’s imperative to improve its board governance and risk management was urgent. I understood this mission clearly. While I had not been a public company or bank board director, I had served as chief risk officer at two large financial institutions, a board director at private companies, and a risk consultant and trainer to many organizations including the major bank regulatory agencies.
At the center of the effort was a trio of roles I have come to think of as the “Triumvirate of Risk Oversight” at any financial institution: the ROC chair, the lead bank examiner, and the CRO. Over a decade later, the “triumvirate” at the center of E*Trade Financial and Bank’s drive to improve governance and risk management has reunited to share insights about our experiences. We hope they will be useful to today’s bank directors, risk and compliance professionals, and bank regulators and examiners.
I will provide my perspective as the ROC chair—the part of the triumvirate responsible for providing independent risk oversight and effective challenge. Jim Trotta, who was in large bank supervision at the Federal Reserve Bank of Richmond, will share his experiences as E*Trade’s lead examiner at that time—the role responsible for ensuring the overall safety and soundness of the bank, including compliance with laws and regulations. And Paul Brandow will provide perspectives from his role as CRO, where he was charged with implementing risk management programs that met board expectations and regulatory requirements, as well as adding value to the business (see Figure).
This article provides a positive case study on how alignment between the ROC chair, lead examiner, and CRO can help achieve common objectives while satisfying the various requirements for each role. We will discuss how we overcame hurdles to accomplish our commonly held goals in each of five key areas of an enterprise risk management (ERM) framework:
- Strategy and culture.
- Governance and policy.
- Risk assessment.
- Risk management.
- Reporting and monitoring.
Strategy and Culture
An effective ERM program must be aligned with the company’s business strategy and objectives, including M&A activities, innovation and growth, and capital management. The ERM program must also be aligned with the company’s desired risk and compliance culture. In this important area, the ROC chair, lead examiner, and CRO had the following common goals:
- A robust ERM program that was appropriate for the strategy, scope of operations, size, and complexity of the organization.
- A strong culture of risk management and compliance from the boardroom to executive and middle management and front-line employees.
- The CRO serving as a strategic partner to the board and executive management in key business decisions.
ROC Chair Perspective (James Lam)
As ROC chair, I helped set “the tone from the top” from the board with respect to our commitment to risk management and compliance. That included working with our bank examiners with mutual respect, timely cooperation, and full transparency. The board held the CEO, CRO, and executive team accountable for the resolution of the MOUs and matters requiring attention (MRAs). On an ongoing basis, I met one-on-one with the lead examiners from the Fed and OCC to keep communication lines open and ensure that we were aligned on the key areas for improvement. Over time, I established very strong relationships with our lead examiners. CRO Paul Brandow and I really appreciated the pragmatic approach the lead examiner, Jim Trotta, and his team took. They personified the “people make policy” adage in aligning E*Trade’s available resources with the appropriate time needed to meet heightened regulatory expectations. With good communication, we never experienced a “gotcha” moment with Jim or his team.
Lead Examiner Perspective (Jim Trotta)
The first thing I would say about my experiences supervising E*Trade starting in 2011 is that I immediately noticed that innovation was a core piece of their DNA—a positive to support longer-term recovery efforts. However, there was work to do. E*Trade experienced several CEO changes during the Great Recession era, which hampered the focus of their recovery prior to my interaction with the firm. In addition, the shutdown of the Office of Thrift Supervision transitioned the firm to OCC/Fed oversight, instantly increasing regulatory expectations for risk governance. At first, I was not thinking specifically about the positives of alignment with Paul and James. But I was focused on being a disciplined yet creative supervisor while influencing and helping Paul and James to be the best risk governance change agents for E*Trade. Our interrelationships became strong, alignment took shape, and the firm’s risk culture steadily improved.
A very important initial step to build trust with the firm was deploying, in addition to myself, two veteran Fed large bank examiners who were highly experienced in ERM and capital management. The three of us had just spent five years together successfully supervising another large firm through the height of the recession with a positive outcome. We learned the importance of quality examination work coupled with consistent, concise, and timely communications. Together or separately, the three of us articulated clear, consistent messages in these critical areas to E*Trade. Our supervision strategy was:
- Transition the firm so that it could articulate and execute an achievable “risk-off” strategy properly aligned to its operational and capital limitations.
- Influence the evolution of E*Trade’s risk culture.
- Provide correct supervisory ratings.
I believe our well-planned and executed examination work (coordinated with our excellent OCC examiner partners) and disciplined communications, especially with CRO Paul and ROC Chair James, enabled our “triumvirate” as a collective change agent. And to be clear, Paul and James were both excellent communicators with the supervision team early and often throughout the process. Bottom line: The Federal Reserve gave E*Trade a damn good overall supervision package.
CRO Perspective (Paul Brandow)
When I joined E*Trade in 2008 at the request of the then-CEO, he asked for an assessment of the risk management function. There was lots of activity, but in my report to the board I summed up the situation with a car analogy: “The engine is running and making a lot of noise but the car’s not moving.” Being asked to “fix it” was an unexpected and massively rewarding challenge so late in my career.
Building a comprehensive ERM framework consistent with best practices and regulatory expectations only began in earnest in 2011, so when James joined the board there was still much to be done. Establishing an awareness and concern for risk throughout the organization was a high priority. We started by asking our Fed and OCC examiners to share their observations about what made for strong risk cultures in other organizations. With these insights we developed a multi-track program. We:
- Introduced the ERM framework to the firm in seminars with first-line leaders.
- Published risk perspectives regularly on the firm’s online employee channel.
- Strengthened risk committees.
- Highlighted risk in annual offsite leadership conferences.
- Periodically assessed risk awareness through employee surveys.
- Established risk escalation protocols (including a confidentiality option).
- Conducted regular training sessions.
- Incorporated “concern for risk” as part of annual performance reviews.
Our mantra became “risk is part of everyone’s job.”
Another goal was to gain a level of trust with our regulators. As noted, we were moving from the OTS to the OCC and Fed, which had very different expectations. You can imagine how much credibility we had. But building trust did not include caving in when we believed the regulators had it wrong. We were among the first firms to establish a robust loan modification program, believing it would achieve the best outcomes for E*Trade and our clients. The regulators thought otherwise, believing we were just “kicking the can” down the road and jeopardizing safety and soundness. Proving them wrong—which we did—required considerable effort and analysis. The transparency we displayed in doing so was instrumental in building credibility.
Governance and Policy
The board and management governance structures support the essential organizational processes for ERM. Board-approved risk management policies provide guidelines and risk limits for acceptable and unacceptable risk-taking activities. To improve governance and policy, we had the following shared objectives:
- Board directors on the ROC should have diverse and deep risk management expertise so they can provide credible and effective challenge to management.
- Risk management and compliance functions should be sufficiently independent and appropriately resourced.
- Board-approved risk management policies should document accountabilities and requirements, including risk escalation, risk appetite, and risk acceptance.
ROC Chair Perspective (James Lam)
In the aftermath of the 2008 financial crisis, regulators and institutional investors expect bank boards to have at least one risk expert. I was appointed to the E*Trade board due mainly to my risk management experience. After my appointment, the board continued to add directors with a wide range of risk expertise. That was thanks to our governance committee. Led by a strong and effective chair, it made sure that the board had the right directors through ongoing board evaluation and refreshment. As for the ROC, it eventually included three directors with deep expertise in ERM, cybersecurity, and capital markets. Our group of qualified risk directors helped establish credibility and trust with our regulators. We also provided effective challenge and expert guidance to management. While we respected the “nose in, fingers out” principle of board oversight, we were also able to provide a “guiding hand” when it was appropriate. One governance process we deployed was the establishment of ad-hoc “working groups” of directors and executives to tackle specific risk management issues in an informal and collaborative setting.
Because the ROC relied heavily on the office of the CRO, it was critical that Paul was sufficiently independent, and that there was a relationship of trust. One of my first official acts was working with the CEO and general counsel to add a section in the ROC charter that formalized the independence of the CRO and the reporting relationship with my committee. It stated that the ROC, in conjunction with management, shall evaluate the annual performance of the CRO and that management must get the committee’s approval prior to any action related to the CRO’s appointment, termination, role in the organization, and compensation. This strengthened the independence of the CRO. Over the years, I received timely and candid escalations of risk management issues from Paul, even when they were of a highly sensitive nature.
Lead Examiner Perspective (Jim Trotta)
The first part of our supervisory plan was to get a clear view of corporate governance at E*Trade and identify the most significant weaknesses immediately. Considering the company’s weakened condition, speed mattered. At the time, the firm had several director openings, including one for a skilled risk practitioner—someone who knew what structure and effectiveness looked like relative to risk oversight and understood the board’s role. It was clear that Paul was experienced and strong in the CRO role. But filling the risk director role was also critical, considering the still-developing nature of E*Trade’s strategy and its weak enterprise risk infrastructure. Given James’s deep experience in risk, we were optimistic when he came on board. James immediately met with me one-on-one. While the word “triumvirate” did not come to mind, I felt confident that my team, Paul, and James would be effective in shepherding the firm.
Interestingly, the board also felt it was a great opportunity to implement a third-party board assessment to help ensure optimal functionality. Boards tend to avoid this process, but it can be instrumental in improving their effectiveness. That was especially the case with an activist shareholder on the board. This third-party board assessment from a reputable firm coupled with enhanced self-assessments provided action steps to improve board governance and oversight. Pushing for this third-party board assessment turned out to be an important part of our regulatory supervision.
I can’t overemphasize what I said earlier regarding the shift from the OTS to OCC/Fed supervision. The change was sudden and the new emphasis on risk management structure and strength was a stark difference. I knew early on we needed to define the most critical gaps so remediation could begin. I also knew, given the scope of change required, that I needed to be strategically pragmatic to guide E*Trade’s remediation: It would feel more like a marathon than a sprint for them. My team and E*Trade agreed to a “no surprises” relationship. Yes, finite remediation timeframes were important, but quality implementation was paramount. We required that E*Trade discuss remediation plan implementation difficulties in real time. Then, to the extent possible, I would be flexible with completion dates.
Board risk oversight was a core topic during our initial work. The board needed to formally document, internalize, and improve execution of its accountability for risk oversight and risk functions. I felt that starting with the board regarding their risk accountability would lead to the recruitment of a strong ROC chair and naturally support Paul and the build-out of enterprise risk management. James’s demand for strong independent governance provided absolute clarity regarding the CRO’s independent reporting line.
Development of a risk appetite statement and defined risk capacity relative to capital were also first-order items. Initially, the company did not have a formal risk appetite statement or capital management framework. The resolution of the regulatory findings and the foundational buildouts truly benefited from our decision to add very senior regulatory staff who communicated extremely well with the CRO and ROC Chair. Risk appetite and capital management frameworks developed quickly.
CRO Perspective (Paul Brandow)
In 2008, E*Trade’s dedicated second-line risk management function consisted of two professionals, including me. This was embarrassing enough. By the end of 2009, the number of dedicated second-line risk professionals declined to one. As we began building out a comprehensive ERM program the next year it was imperative that we attracted individuals who were qualified and experienced across the broad set of risks facing the company—not just credit, interest-rate risk, and compliance, where the company already enjoyed some strength. First, we brought the credit and interest-rate risk management functions firmly into second-line risk, eliminating any divided loyalties. We then set about hiring proven, experienced professionals in each of . James consistently supported our plans and helped us establish a target state. When our functions were fully staffed by the end of 2015, the CRO organization stood at over 160 professionals, excluding compliance. When it reached that point the conversation changed from “how many more do we need?” to “can we do all this more efficiently?” Never at the expense of quality, of course!
In many ways the CRO function straddles the line between management and the board. An example is the development of the risk appetite statement (RAS). Creating the document involved ongoing dialogue among the ROC Chair, management (CEO), and the CRO, all while keeping our regulators fully informed. The relationship between James and me was critical. I relied on him to interpret the board’s tolerance for various levels of risk exposure and to challenge our assessment of management’s plans against those tolerances. This back and forth led to a series of qualitative and quantitative statements that in aggregate became the RAS. He also challenged us about the metrics and oversight in place to ensure compliance with the RAS as well as forward-looking indicators of potential emerging risks.
Risk Assessment
Risk assessments, based on both qualitative and quantitative factors, provide the analytical basis to make informed decisions. Paul and his team successfully implemented best-in-class financial risk models, key risk indicators (KRIs), scenario analysis and stress testing, and earnings-at-risk models. Our shared objectives included:
- Effective use of risk models, including data governance and model validation processes.
- Integration of emerging risks, such as cyber risk, into the overall ERM framework.
- Independent assessments provided by the CRO and functional risk leaders to support board and corporate management oversight.
ROC Chair Perspective (James Lam)
Even though we had about $50 billion in assets, we were required to comply with the OCC’s heightened standards for much larger banks. As ROC chair, one of my responsibilities was to set the agenda and time allocation for each ROC meeting. We had limited time and a lot to do. As such, I had little patience with simplistic “check the box” approaches. Instead, the CRO team focused their attention on developing analytical models, useful metrics, and forward-looking and actionable risk assessments for key risks. For example, the ERM and cybersecurity teams collaborated on a scenario-based unexpected loss model for cyber risk to evaluate security controls and insurance strategies.
We built risk models only when they were appropriate for our business and risk profile. For example, given the significance of credit risk, we had a “challenger model” in the second line that Paul’s team used to perform quarterly model validation tests against the credit risk model used in the first line. But when a different examination team, from the OCC, indicated that we should also have a challenger model for interest-rate risk management, we disagreed. I met one-on-one with that team’s senior examiner and argued that, given our long track record of compliance with stringent interest-rate risk limits and lack of financial incentives for excessive risk-taking, a challenger model would be costly and would not provide any material benefits. He accepted my rationale, and that preliminary finding was not included in the final examination report.
Lead Examiner Perspective (Jim Trotta)
The development of model-driven risk assessments by the CRO’s office truly transitioned the risk view from almost solely business line self-assessments to an independent, well-developed view from the CRO. While a very large project, there was a rapid trajectory to quality. This was primarily due to Paul’s deep experience, James’s oversight focus, and our supervision team providing continuous clarity on expectations.
CRO Perspective (Paul Brandow)
The combination of a market collapse, TARP, CCAR, Dodd-Frank, new regulators with heightened regulatory expectations, and E*TRADE’s own challenges compelled us to develop a comprehensive ERM framework and capabilities. It became clear early on that using models for risk assessment, decision support, and safety and soundness concerns would become increasingly important. The problem was that we had no policy on developing and using models or any validation capabilities. We turned to our regulators for insight about best practices and engaged a third party staffed in part by former regulators. That firm helped us develop a cutting-edge policy and put together an experienced team. We went on to validate more than 30 risk models.
While we did use simplified metrics for reporting risk assessments to the board (depicted with color coding and arrows), they were based on extensive use of models—for example, for stress testing key risk indicators—to provide quantitative objectivity to those assessments. For the CRO it was far better to rely on verified data than to just say “trust me.”
Like other risk management activities, models rely on accurate, reliable data. Data management and integrity were also core to our regulators’ heightened expectations and became a focus in the latter stages of our ERM development. The challenge was to build an inventory of data sources and a framework of controls that met regulatory requirements but did not rise to the level of “boiling the ocean.” We learned a few lessons in this process—and boiled a little bit of that ocean—but finally got to the right balance.
Risk Management
The ultimate test for effective risk management is its effect on corporate, business, and operational decisions. In this area, our shared goals included:
- Risk/return analysis to support strategic decisions, including M&A, new product and business development, major investments and projects, and capital allocation.
- A dynamic risk appetite management process that would reduce or increase our risk posture at the appropriate times.
- A CRO team that provided independent assessment of key risk management strategies, including risk acceptance and mitigation, risk-adjusted pricing, capital allocation and management, and risk transfer (such as hedging and insurance).
ROC Chair Perspective (James Lam)
In the early years of the turnaround, E*Trade was in a “risk-off” posture: The ROC reviewed and approved management strategies to reduce overall risk, such as winding down the credit portfolio via loan sales, reducing cyber risks with additional security controls, and minimizing operational risk and losses in our back-office operations. This conservative risk approach was consistent with our risk capacity and the growth restrictions imposed by the two MOUs.
Over time, the scope of risk management expanded beyond credit risk, interest-rate risk, and market risk, to include operational risk, cybersecurity, and strategic risk. Importantly, the CRO had a “seat at the table” when it came to strategic decisions. The board would ask Paul for his independent risk assessments prior to approving potential acquisitions, new product development, and major investments and projects.
The company made significant improvements in board oversight and ERM, resulting in the MOUs being lifted in 2015. In addition to regulatory compliance and risk mitigation, an effective ERM program should support intelligent risk-taking and growth and innovation initiatives. In the latter years of the turnaround, with better regulatory and financial footing, E*Trade’s posture was “risk-on.” We repurchased over $1 billion in equity shares and declared the company’s first-ever dividend. We also increased investment risk appetite in a very measured manner. Finally, we significantly reduced the time-to-market for new product innovations. E*Trade became the first brokerage firm to offer stock trading on the Apple Watch. It was a proud moment for the whole organization. This milestone reconnected to E*Trade’s heritage as the company that executed the first-ever equity trade on the internet in 1983.
Lead Examiner Perspective (Jim Trotta)
Tightening risk appetite management, formalizing the CRO’s seat at the executive table, and strengthening board capability are all imperatives for effective management. A consistent and strong cadence of protocols leads to a good firm-wide risk rhythm, in which the power of “rinse and repeat” (repeatable, consistent, and strong risk processes) is fully leveraged to reduce risk or usher in new risk taking. A reasonable way to picture all this is relative to business line management, whereby each day brings decision opportunities to either “feed, starve, or kill” business segments or products. Good companies do this well.
E*Trade needed to “kill” certain businesses during its risk-off recovery/remediation strategy—for example, through strategic loan sales in the legacy mortgage book and investment portfolio adjustment. As the company strengthened risk processes, robust vetting and optimal timing made asset sale decisions crisper. Quickly and efficiently, the firm reduced pre-crisis credit risk in the loan and securities portfolios, essentially shrinking into its capital base.
I can’t emphasize enough the importance of building oversight infrastructure prior to deploying new strategies. An early conflict-point regarding risk oversight infrastructure involved corporate compliance. The legacy structure included two compliance executives, brokerage compliance and banking compliance, reporting to the chief counsel. Lacking a singular corporate compliance officer, E*Trade was not getting an extensive, consolidated view of its state of compliance. Plus, I believed the legacy structure spread the chief counsel too thin. Given it was a longstanding structure, it took time to convince the company of the benefits of adjusting by adding a singular compliance executive. But it did happen, compliance risk oversight improved, and the chief counsel ultimately became the company’s CEO. Building a capable risk governance structure at E*Trade both increased the speed of its risk-reduction strategy and positioned it for a new beginning.
CRO Perspective (Paul Brandow)
Expanding on James’s comments, yes, the MOUs were a factor in the “risk-off” posture. But as I saw it, by 2008 E*TRADE had turned itself into an investment firm as much as an innovative broker—and to almost fatal effect. In the wake of this near-death experience the firm returned to its roots as a broker, eschewing all risks unrelated to that business, even before the emergence of the MOUs. Perhaps it was a classic case of sticking to one’s knitting.
As James notes, with the firm’s financial recovery and a robust ERM program in place, management had more flexibility to expand its risk appetite. Over that time, I had established a pattern of formal and informal dialogue with our examiners that was important in reinforcing a culture of transparency. This fluid conversation also had the benefit of allowing us to communicate and get feedback about the potential expansion of risk appetite before committing to a new strategy.
However, I will confess to being a naysayer when the board challenged management’s conservative risk appetite for its investment portfolio, which allowed only government securities. I worried that this could be another example of the perils of ignoring history. Had we forgotten the painful lessons of 2008? It’s fair to say that I dragged my feet on this and began to feel that the board and management thought that the risk function was being unreasonably stubborn. In the end, though, I relied on our first-class interest-rate and credit risk management teams. Together with an excellent Treasury function, we developed a prudent investment management program agreeable to the board, management, and risk.
Reporting and Monitoring
An effective ERM framework should provide overall assurance with the right metrics, reports, and objective feedback loops. To enhance risk reporting and monitoring, our shared goals included:
- Risk reports with contextualized, quantitative, outside-in, forward-looking, and decision-oriented information.
- Risk metrics and trends shown against performance benchmarks or risk appetite tolerances, along with expert judgment and qualitative assessments.
- An objective performance feedback loop established to monitor overall ERM effectiveness and support continuous improvement.
ROC Chair Perspective (James Lam)
A week before my first ROC meeting, I received the committee package. It was nearly 1,000 pages! It was difficult to see the forest from the trees. I was concerned about the quality of risk reporting because it greatly influences the quality of discussion and decision making. After that first meeting, I worked with Paul to improve the ROC agenda and reporting processes. The result was a standard CRO report that provided a concise summary of the company’s risk profile, including an executive summary, new risk and loss events, emerging risk analysis, risk assessments, and metrics against risk appetite tolerances. The CRO report was about 15-20 pages, and it could be read in about an hour. The fact that Paul studied languages in college helped because he had a very effective writing style.
How do we know if risk management is working effectively? That is a fundamental question that every board should ask. For example, unexpected earnings variance can be a useful and objective performance metric for the overall ERM program. It can be quantified by comparing ex-ante earnings-at-risk analysis and ex-post earnings attribution analysis over a specific period. With my guidance, the CRO and CFO worked collaboratively to produce this ERM performance feedback report on a quarterly basis. It was not my idea, but they named it the “Lam Report,” which became its official name. The directors found the report very useful for understanding not only the company’s risk sensitivities but also the key business drivers. It became a quarterly agenda item and discussion topic for the full board. In one ERM horizontal review, our examination team noted that this analytical report was a first-of-its-kind not seen at even the large global banks. Here, we clearly exceeded regulatory expectations for a midsize bank.
Lead Examiner Perspective (Jim Trotta)
Developing balance in report quality and quantity takes time. Getting comfortable with risk appetite limits, reports, and escalation processes was a large project. Plus, everything cascaded from this, such as more granular risk limits. Fortunately, E*Trade made consistent, meaningful progress, which enabled me to be a pragmatic regulator as the projects unfolded. One size doesn’t fit all, so allowing some room for tailoring helped. The “Lam Report” was icing on the cake, if you will. Properly coming later in the remediation program when better and consistent risk data was developed, it regularly answered the “How are we doing?” question with respect to risk management. By this time, there was a solid “triumvirate” in place as the firm moved forward in a stable state.
CRO Perspective (Paul Brandow)
In recalling the evolution of our board reporting, I was reminded of how fragile credibility can be. We regularly changed metrics to make them more effective at communicating risk, but at one point the lead examiner who replaced Jim felt that a senior member of my risk team was being misleading about the reason for a change. That led directly to an MRA (the first in years) and tension with the board, and it compromised the effectiveness of my team member. I needed to fix that—not just with the examiner but with the board—and believed that, at most, my team member was guilty of careless communication. I relied on my own credibility to undo the damage, but it took a while.
Meanwhile, during the first few years of building out the ERM framework there was activity on many fronts—new risk committees, the introduction of robust risk assessments, new risk measurement protocols, and so on. Each activity generated data, and it felt like the more data we delivered to the ROC, the more they would see that as evidence of progress. As James implied, though, it lacked synthesis and clarity. And there was little in the way of cogent analysis.
During 2013 we initiated a major overhaul. We structured the report around the firm’s eight principal risks, each with a dedicated section that included a summary and risk level assessment by the second-line risk owner, followed by key metrics tracked against risk appetite tolerances. There was a section dealing with risk escalations and another identifying emerging risks. Starting late that year the report began with an overall summary written by me that contained my assessment of the firm’s overall risk levels and attested to compliance (or not) with the risk appetite statement. I actually signed it, which in retrospect seems a little grandiose, but I wanted to emphasize that it was my independent view.
By 2015 the ROC committee members (and our regulators who received all our risk documents as a matter of course) had a report that clearly stated where we stood with respect to the firm’s risks, including the data that backed up our conclusions, and gave the examiner ample information to challenge us. It took us five years and four CEOs to get there, but we made it.
After all that time and effort, it was gratifying to hear from one of Jim Trotta’s successors that our ERM framework and execution would compare favorably against any firm in the large bank group.
And those 1,000 pages? They were still there in the back of the book!
Epilogue
In October 2020, Morgan Stanley acquired E*Trade for $13 billion, or nearly $59 per share—more than seven times the roughly $8 share price at the start of November 2012. It was the largest bank acquisition since the financial crisis. The full board, corporate management, and all associates contributed to the turnaround. At the same time, the alignment between the ROC chair, lead examiner, and CRO was instrumental in resolving our MOUs and MRAs, as well as improving board oversight and ERM.
The purpose of this article was to provide our first-hand experiences on how the Triumvirate of Risk Oversight—the alignment of our three roles—can lead to improved risk management. In closing, we would offer the following thoughts:
- The ROC chair, lead examiner, and CRO have different and independent roles. We should respect and reinforce each other’s roles while agreeing on, and working toward, common objectives.
- Enterprise risk management should not be defined as only a function of the second line of defense, but more broadly as an organizational capability, as we have discussed throughout this article.
- The CRO must have appropriate independence, authority, and resources. A high-performing ERM team empowers objectivity, supports board and regulatory requirements, and impacts first-line decision making and overall risk culture.
- ERM practices and regulatory exams must go beyond “check the box” approaches. Risk management programs should exceed regulatory standards and add value to the business.
Just as a meticulously crafted three-legged stool provides maximum stability and support, the “triumvirate” of risk oversight committee chair, lead examiner, and CRO—working toward common goals and in alignment—can establish a strong foundation for effective risk governance and oversight.
James Lam is a risk management consultant and board director. Paul Brandow, now retired, served as CRO of E*Trade Financial and E*Trade Bank. James Trotta is a retired Vice President of the Federal Reserve Bank of Richmond. The views expressed in this article are solely and individually those of the authors. The authors would like to thank Lester Sussman, Lead Director of East West Bancorp, for providing general input to this article.