What Dodd-Frank Tells Us About the Impact of Risk Oversight Functions on Bank Risk

The Dodd-Frank Wall Street Reform and Consumer Protection Act (“DFA”) was signed into law in July 2010.  The DFA introduced several reforms; collectively, these reforms were intended to reduce the risk of the financial sector and to provide financial stability following the banking crisis of 2007-2008.  In a new paper, we investigate the effect of one specific mandate in the DFA: the requirement for banks to have a board-level risk committee (“RC”) and a chief risk officer (“CRO”).

The DFA required all publicly traded banks with at least $10 billion of consolidated assets to have a risk committee consisting of members from the board of directors.  The compliance deadline was July 1, 2015.[1] All publicly traded banks with assets ≥ $50 billion had to additionally designate an executive as the CRO by January 1, 2015.  We study whether these mandates resulted in improved risk management at banks.  While the impact of the risk management function on bank risk has been studied before (for example, see Ellul and Yeramilli, 2013), the notable advantage of our study is that we are able to make causal inferences.  Specifically, we take advantage of the passage of the DFA to assess the causal impact of the RC and CRO on bank risk using difference-in-difference and regression discontinuity methodologies.

The DFA may have no impact on risk if banks treat the regulatory requirements for an RC/CRO as nothing more than a nuisance, or if the members of the RC or the CRO are not qualified enough to catch serious problems.  It is also possible that the DFA had the intended effect of lowering risk of the banks that appointed an RC/CRO following the mandate.  Finally, it is possible that some banks may realize that they were taking too few risks and, given the increased confidence that they have because of the oversight of the RC and CRO, they might actually have increased their risk following the passage of the law.  The overall effect of the RC and CRO on risk is, therefore, an empirical issue. Our main finding is that the DFA mandate for banks above a certain size to appoint an RC and/or a CRO has no impact on bank risk.

To identify the impact of the RC and CRO, we start by employing a difference-in-difference methodology.  Our “treated” sample (affected banks) consists of only those banks that were shocked by the law to adopt risk oversight functions, rather than those that were simply affected by the law because they were above the size threshold.  That is, the treated firms are those that were subject to the law but were not compliant as of the signing of the law.  To account for banks being given up to five years to comply with the law, we exclude the years between the passage of the law and banks’ compliance with the law.  For example, for a treated bank that installed an RC only in 2012, we exclude the year 2011 from the analysis.  Thus, for this hypothetical treated bank, the years 2010 and earlier constitute the pretreatment period and the years 2013 and onwards constitute the post-treatment period.  Our control group is the set of banks that were subject to the law but were already compliant as of the passage of DFA.

The DFA had several requirements in addition to the requirement concerning RC/CRO. In that sense, our experiment is similar to studies that examine how firm performance changed because of changes in board independence mandated by the Sarbanes Oxley Act (SOX). Similar to the DFA, SOX had several requirements in addition to changes in board independence (such as certification requirement by the CEO and CFO, changes in audit and nominating committee independence etc.).  The studies that used SOX as an exogenous shock to board independence focused on firms that were compliant in terms of board independence versus firms that were not, a research design very similar in spirit to what we adopt here (for example: Chhaochharia and Grinstein (2009) and Guthrie, Sokolowsky, and Wan (2012)).

We additionally employ a regression-discontinuity approach to identify causation.    The idea is that banks just below the threshold ($10 billion for the RC and $50 billion for the CRO) are similar to those just above the threshold.  However, those above the threshold are subject to regulations regarding the RC and CRO while those below are not.  Thus, this analysis limits our sample to firm-years after the passage of the law, that is, from 2011 onward. Our treated sample of firms is exactly the same as with the DID. That is, these are firms that were subject to the law but were not compliant as of the signing of the law.  The control firms are those that were below the asset threshold and were not compliant.  To study the impact of the RC, we pick a bandwidth of $7 billion because the tier of banks that the Federal Reserve monitors starts at $3 billion.  Thus, to be included in our regression discontinuity sample, firms must have assets between $3 billion and $17 billion.[2]

We use data on bank holding companies and financial holding companies from 2005 to 2018.  We consider all years for a given bank as long as its assets are greater than $3 billion in any of the sample years.  Our main proxy for risk is aggregate risk, which is the standard deviation of daily returns. We also use four other proxies for risk: tail risk, the expected default frequency, a measure of derivative usage, and a measure of non-performing loans.  Overall, out of the 120 specifications that are based on either the DID or regression discontinuity frameworks, we observe that the coefficient of the relevant risk oversight measure is significantly negative 3 percent of the time (consistent with the stated aim of DFA) and significantly positive 14 percent of the time (which goes against the stated aim of the DFA).  The remaining 83 percent of the time, the coefficient is statistically insignificant.  Thus, overall, we conclude that the mandated presence of an RC and a CRO has no significant causal impact on risk.  Our results contribute to two broad areas within the corporate finance and banking literature, specifically the impact of governance and the determinants of bank risk-taking.


[1] This limit was raised to $50 billion by the Economic Growth, Regulatory Relief, and Consumer Protection Act passed in May 2018.

[2] To study the impact of the CRO, we pick a bandwidth of $30 billion, so firms must have assets between $20 billion and $80 billion to be included in our sample.  There are very few observations in this bandwidth, however, and we are unable to estimate the RD regression to study the impact of the CRO.

This post comes to us from Lakshmi Balasubramanyan at Case Western Reserve University’s Weatherhead School of Management, Naveen D. Daniel at Drexel University, Joseph G. Haubrich at the Federal Reserve Bank of Cleveland, and Lalitha Naveen at Temple University. It is based on their recent article, “Impact of Risk Oversight Functions on Bank Risk: Evidence from the Dodd-Frank Act,” forthcoming in the Journal of Banking & Finance and available here.