OCC s risk governance guidelines go beyond heightened expectations

Transcription

1 OCC s risk governance guidelines go beyond heightened expectations New guidelines from the Office of the Comptroller of the Currency aimed at strengthening governance and risk management at large U.S. financial institutions clarifies areas of uncertainty in regard to how covered institutions are expected to go about establishing and adhering to written frameworks governing management and control of their risk-taking activities. For banks boards, the new guidelines are specific enough to eliminate regulatory ambiguity, and go well beyond a simple box-checking exercise. Instead, board members are being called on to be proactive in their banks risk management processes, questioning management and challenging the CEO and CFO when appropriate. The OCC expects boards to become more heavily involved in all phases of their banks risks and risk management and the guidelines allow them to seek help from internal audit (IA), independent risk management (IRM), and outside experts, the new guidelines do create an expectation of heightened board involvement in the risk governance process. To that end, they surely mean more frequent meetings between boards, independent risk management, and internal audit coupled with more detailed documentation of boardroom risk discussions. Of significance is that the new standards were issued as guidelines rather than regulations. Under Section 39 of the Federal Deposit Insurance Act, if a national bank or federal savings association fails to meet standards set out in a regulation the OCC must require the bank to submit a plan setting out how it will come into compliance. On the other hand, if a similar institution fails to meet a standard set out in a guideline the OCC has the discretion to require submission of such a plan. As guidelines rather than regulations, the OCC has flexibility to determine the best course of action with regard to any bank failing to meet any of the new standards. The guidelines status speaks to the OCC s expectations that banks particularly large institutions will embark on a continuous process of risk governance improvement, embedding risk management in every activity. Who s affected? Published in September 2014, the final guidelines apply to insured national banks, insured federal savings associations, and insured federal branches of foreign banks with $50 billion or more in average total consolidated assets. The guidelines also apply to OCC-regulated institutions with less than $50 billion in average total consolidated assets if that institution s parent company controls at least one other covered institution. The minimum standards established in the guidelines supersede the heightened expectations for governance and risk management programs the OCC issued after the financial crisis. Large banks have been subject to those heightened expectations since While the final guidelines are generally the same as those proposed in January 2014, they have been revised in response to industry input to provide clarity. Implementation dates for the new guidelines are staggered based on the size of the institution.

2 When do banks need to comply? Designing and implementing a risk governance framework Standards for the Board of Directors National banks are expected to establish a formal documented risk governance framework that is both flexible in nature and aligned with overall strategy. This written framework should cover all risk categories which apply to the bank including (i) credit risk, (ii) operational risk, (iii) interest rate risk, (iv) compliance risk, (v) liquidity risk, (vi) strategic risk, (vii) price risk, and (viii) reputation risk. Under the OCC guidelines, each member of the board is expected to oversee the bank s compliance with safe and sound banking practices. As part of meeting that expectation, the board is to require management to establish and implement an effective risk governance framework that meets the minimum standards described in the OCC s guidelines. The OCC guidelines provides that the bank s formal, written risk governance framework is designed by IRM and approved by the board. The board s role in creating that risk governance framework is a significant one. As the World Bank Group s International Finance Corporation has noted, Risk governance principles are, above all, the responsibility of the Board of Directors and of the most senior executives and management bodies of a banking institution. 1 The board or its risk committee is expected to approve significant changes to the framework and monitor compliance with the framework by overseeing management s implementation of it and holding management accountable for fulfilling their responsibilities under the risk governance framework. The risk governance framework should set out delegations of authority from the board to management committees and executive officers as well as the risk limits established for material activities. It should also include processes for management s reports to the board covering policy, limit compliance, and exceptions. Standards for the risk governance framework A bank may leverage the parent s framework if it meets the outlined minimum requirements and the bank can demonstrate in a documented fashion that the risk profiles of the bank and the parent are substantially the same (i.e., the bank s total consolidated assets on average represent at least 95% of the parent s). In cases in which a covered bank s risk profile is not substantially the same as its parent s, the guidelines allow the bank in consultation with the OCC to incorporate or rely on elements of the parent s risk governance framework in developing its own framework if those components are consistent with the guidelines. While a bank might need to develop some specific components, it might be able to borrow parts of the parent s framework. 1 Standards on Risk Governance in Financial Institutions, International Finance Corporation, 2012.

3 At the heart of the overall framework is the risk appetite statement, which describes what a safe and sound risk culture looks like to the bank and lays out how the bank would assess risk which are difficult to quantify and outline which are acceptable. The risk appetite sets benchmarks for capital, liquidity, and earnings, along with the level of risk that may be taken in each line of business and in each key risk category the bank monitors. Many banks will have to act immediately to fulfill this requirement. The bank should set limits at levels that take into account appropriate capital and liquidity buffers and prompt management and the board to reduce risk before the covered bank's risk profile jeopardizes the adequacy of its earnings, liquidity, and capital. The OCC expects banks to state their risk appetite through formal thresholds and benchmarks on both a businessline level and on the broader institutional level for the criteria discussed above.. Overall, the emphasis is on the granularity of risk assessment and reporting. 2 Moving forward While the final impact of the guidelines will vary by institution, a thorough review of the bank s practices determine its alignment with the heightened expectations is an essential first step. In addition, consideration should be given as to whether the following actions are needed based on the current state assessment: 1. Ensure that the relevant stakeholders understand the requirements set out by OCC s governance and risk management guidelines: Refresh and conduct any trainings needed for the senior management and board of director levels Conduct a board of directors self-assessment to get an initial cut of the current state Determine whether the internal reporting requirements and their frequency need to be changed 2. Assess the bank s structure to ensure a strong framework can be implemented: Ensure roles and responsibilities are clearly defined and follow those outlined by the OCC Evaluate whether any changes are needed to ensure comprehensive and effective front line unit (FLU), IRM, and IA functions Review the current FLU specific business plans and to the extent possible, strengthen and document the links to the banks broader strategic plan Expand the types of risks being assessed to those which might be harder to quantify but are extremely important and are under regulatory scrutiny such as reputational, strategic and operational risks Assess the management information systems currently in place and evaluate whether enhancements are needed to ensure that systems are in place to monitor and report risk using reliable data Establish a talent management program which would ensure that each line of defense is qualified and properly trained for the specific role 3. Develop an implementation plan which identifies all of the key activities to be conducted to ensure the establishment of a strong risk governance framework Final thoughts The OCC s new risk governance framework guidelines present a number of issues to which banks boards and management should pay particular attention to ensure successful compliance. Those issues include: Navigate carefully Some institutions, particularly foreign banks, will need to be wary of differences between the OCC s guidelines and other agencies standards. Although guidelines are typically issued on an interagency basis, neither the FDIC nor the FRB joined the OCC s proposal. However, if a comment from the OCC and one from another regulator are applicable, both need to be complied with. 2 See the OCC guidelines for additional guidance on the processes and documentation of such areas as: addressing limit breaches, concentration risk management, risk data aggregation and reporting, and talent, compensation and performance management.

4 Seek alignment The roles and responsibilities of banks business and operational units are fundamental to designing and implementing an effective risk governance framework so it s essential that banks review their organizational structures to ensure that they align appropriately with the new standards. Retain informed, involved directors The guidelines provide that boards, relying on information from IRM and IA, should question, challenge, and, when necessary, oppose management s recommendations and decisions that could cause the bank s risk profile to exceed the stated risk appetite or jeopardize the safety and soundness of the covered bank. Promote consistent engagement The OCC intends to assess compliance with standards applying to boards by engaging directors in frequent conversations with examiners. The standards aren t meant to lead to scripted conversations between boards and management, or for directors to demonstrate opposition to management in each meeting. Instead, the OCC intends for boards to oppose management s recommendations and decisions only when necessary. Three lines of defense: The foundation of the new guidance New risk governance framework guidelines from the Office of the Comptroller of Currency base banks risk governance frameworks on three lines of defense : front line units (FLUs), independent risk management (IRM), and internal audit (IA), an approach already employed by many large banks. For many other banks, however, the emphasis on the three lines will make it necessary to assess their ability to employ the three lines adequately in the fashion envisioned by the guidelines. Some may need to enhance their risk management practices and many of those banks will also find it necessary to determine where responsibility does or should reside for various risks. Because of the new guidelines reliance on the three lines of defense as the heart of the risk governance framework, while the role of each line might not change substantially the regulatory scrutiny it will face no doubt will. Consequently banks must understand the three lines role in the risk governance framework and evaluate their ability to present a robust three lines of defense, making improvements where needed. The requirements for each line of defense are: FLUs To provide flexibility in the framework s design, the OCC allows front line units to meet their responsibilities alone or with assistance from other units. Each front line unit s policies including the unit s risk limits must be reviewed and approved by IRM to ensure consistency across the bank s risk governance framework. And each front line unit is responsible for compliance policies and procedures associated with its activities. IRM The guidelines don t require IRM to assess risks independently of the CEO, though the IRM s risk assessment is subject to CEO oversight and IRM should report material risks as well as significant disagreements with the CEO to the board. IRM is expected to use its risk assessments to design appropriate actions when necessary, even in cases where the bank s risk appetite or formal risk limits haven t been exceeded. IRM also is required to notify the CEO and the board of cases in which front line units aren t adhering to the risk governance framework. The OCC expects IRM, in conjunction with IA, the CEO, and the board of directors, to assess whether the bank s risk management practices are developing in an appropriate manner and consider benchmarking these practices against peers, where possible. IA The OCC guidelines require IA to report its conclusions and any material issues and recommendations to the bank s audit committee. Under the guidelines, IA is responsible for maintaining an inventory of all processes, product lines, services, and functions which, along with IA s risk assessments, are known as the internal audit universe. The OCC emphasizes IA s rating the risk presented by each frontline unit, but it allows IA to leverage frontline units or IRM s risk assessments as long as it applies independent judgment in doing so. Internal audit may periodically adjust its risk assessments based on changes in the bank s strategy and the external environment. In addition, the audit plan should include ongoing monitoring to identify emerging risks and reevaluate units, product lines, services, and functions that receive a low risk rating with reasonable frequency. The audit plan must evaluate the adequacy of and compliance with all framework policies, procedures, and processes, and the final guidelines require IA to review the audit plan periodically, notifying the audit committee of any significant changes. The final guidelines also provide that IA institute a quality assurance program to ensure that its policies, procedures, and processes reflect emerging risks and improvements in industry internal audit practices.

5 As FLUs, IRM, and IA carry out their responsibilities within the framework they may seek the assistance of outside experts. By contrast, organizational units in the bank are not allowed to delegate responsibilities under the framework to external parties. Next steps for the three lines Define roles and responsibilities The risk governance framework should include well-defined risk management roles and responsibilities for FLUs, IRM, and IA. Evaluate risks and where they reside It s essential to determine what risks exist in the various front line units and who has ownership of them. Enhance risk management processes To meet the OCC s goals of embedding risk management in every facet of the bank it s necessary to make sure that appropriate risk management processes and risk controls exist throughout the organization. Review organizational structures Given the important role of FLUs in meeting the new OCC guidelines banks should review existing organizational structures to ensure they align appropriately with the heightened standards. Give IRM and IA appropriate stature The OCC believes a critical element of an effective risk governance framework is for IRM and IA to have the organizational stature needed to effectively carry out their roles and responsibilities. That stature must be demonstrated by the attitudes of the board, CEO, and others within the bank toward those units. One area for IRM and IA to focus on now is fully understanding and embracing their stature. This means not only ensuring that the OCC guidelines are met, but assisting management and the front line in satisfying the OCC s getting to strong expectations. Contacts Tariq Mirza National Managing Director Bank Advisory & Regulatory Services T E tariq.mirza@us.gt.com Christopher Paulison Managing Director, Business Advisory Services T E christopher.paulison@us.gt.com The authors wish to acknowledge the contributions of Michelle Berman to the research underlying this article. About Grant Thornton LLP The people in the independent firms of Grant Thornton International Ltd provide personalized attention and the highest-quality service to public and private clients in more than 100 countries. Grant Thornton LLP is the U.S. member firm of Grant Thornton International Ltd, one of the world s leading organizations of independent audit, tax and advisory firms. Grant Thornton International Ltd and its member firms are not a worldwide partnership, as each member firm is a separate and distinctive legal entity Grant Thornton LLP All rights reserved U.S. member firm of Grant Thornton International Ltd