Cathy Lemieux, Ph.D., a Senior Advisor with Treliant, has over 30 years of experience in financial services regulation, corporate governance and enterprise risk management, international banking regulation, and the Community Reinvestment Act. Cathy has helped banks of all sizes align their internal controls with their regulatory obligations, assessing their compliance and enterprise…
Federal and state regulators are intensifying their scrutiny of banks’ risk management systems, with particular focus on operational risk and advance planning.
In today’s environment, regulators are citing banks more frequently for not having proactively implemented and maintained risk management systems appropriate for their current size, complexity, and overall risk profile. Agencies have singled out lapses in change and issues management, and noted that strategic growth plans do not sufficiently consider the impact of a bank’s future size and complexity on its risk profile.
Regulators have long focused on the importance of risk management. In their own ways, the Federal Reserve (Fed), Office of the Comptroller of the Currency (OCC), Federal Deposit Insurance Corporation (FDIC), Consumer Financial Protection Bureau (CFPB), and state regulators have continued to evolve their oversight of the systems in place to identify, measure, monitor, and control risk at federally insured banks.
In 1996, the Fed began rating state member banks and bank holding companies (BHCs) on the adequacy of their management of risk, including their systems of internal controls (SR 95-51). At that time, the Fed made an observation that still rings true today:
“During recent years, the Federal Reserve has increasingly emphasized the importance of sound risk management processes and strong internal controls when evaluating the activities of the institutions it supervises. This greater emphasis reflects the view that properly managing risks has always been critical to the conduct of safe and sound banking activities and has become even more important as new technologies, product innovation, and the size and speed of financial transactions have changed the nature of banking markets.”
In 2004, the Fed further emphasized the importance of risk management and instituted a BHC rating system known as Risk Management, Financial Condition, and Impact (RFI). Today, BHCs with assets between $3 billion and $100 billion and smaller BHCs that are deemed complex are subject to RFI ratings, which include four components of risk management:
- Board and senior management oversight;
- Policies, procedures, and limits;
- Risk monitoring and management information systems; and
- Internal controls.
BHCs’ risk management systems and control environments are evaluated against the backdrop of the organization’s risk profile and complexity. With this approach, the Fed focuses the RFI ratings for BHCs not only on their financial condition but also on how well they identify, measure, monitor, and control risk, with a particular emphasis on board and senior management oversight.
Also in 2004, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) published its Enterprise Risk Management—Integrated Framework, which defines essential enterprise risk management (ERM) components, discusses key ERM principles and concepts (including with respect to culture, governance, and the now widely embraced three-lines-of-defense approach), suggests a common ERM language, and provides clear direction and guidance for ERM. This framework, updated in 2017, is widely used today by financial services firms, publicly traded companies, and independent public accounting firms.
On the legislative front, the 2002 Sarbanes-Oxley Act requires the top management of publicly traded firms to individually certify the accuracy of the financial information disclosed to regulators and shareholders, placing an additional spotlight on internal controls.
In the 18 years since the Fed initiated RFI ratings, BHCs have built out their risk management systems. Recently, though, we have been seeing cases where BHCs with significant growth plans—whether through internal growth, acquisitions, or both—are being asked to make the requisite investments to upgrade their risk management systems in advance of planned growth.
We have also seen an increasing emphasis on operational risk management, in line with this OCC definition: “Operational risk is the risk to current or projected financial condition and resilience arising from inadequate or failed internal processes or systems, human errors or misconduct, or adverse external events.” This covers a large number of operational risk management areas in a typical bank or BHC, including human resources/management succession, information security, information technology, internal audit, financial crimes prevention and detection, business continuity and disaster recovery, training, first-line quality assurance, second-line monitoring and testing, third-line assurance, third-party risk management, and model risk management.
The Fed, FDIC, and OCC have each stressed the importance of operational risk management in recent risk reports, as follows:
- The Fed’s May 2022 Supervision Report highlighted operational resilience as a key supervisory focus, including cybersecurity and information technology risks and third-party vendor risk management. For regional and community banks, increased dependence on and activities with third-party technology providers are of particular concern.
- The FDIC’s 2022 Risk Review stated that operational risk is one of the most critical risks to banks and particularly called out cyber threats and illicit activities.
- The OCC’s Spring 2022 Semiannual Risk Perspective stated that operational risk is elevated as banks respond to an evolving and increasingly complex operating environment. Geopolitical tensions have elevated cyber risks globally. Key areas of operational risk highlighted by the OCC include cybersecurity, innovation, adoption of new products and services, and third-party risk management.
Considering these concerns, it is not surprising to see regulators giving closer scrutiny to the systems banking organizations have in place to identify, measure, monitor, and control operational risk. Banking organizations have long had programs that address discrete pieces of operational risk like business continuity, information security, or third-party risk management, but regulators want to see how these individual programs are organized and coordinated so that there is appropriate governance over this important risk area.
Meeting Regulators’ Expectations
To meet regulators’ elevated expectations for operational risk management, banking organizations of all sizes need to be able to demonstrate how they comprehensively address the following four components across all aspects of operational risk:
- Board and senior management oversight;
- Appropriate policies, procedures, and limits;
- Risk monitoring and risk management systems; and
- Effective and sustainable systems of internal control.
The makeup of the systems required will depend on the risk profile of the organization and its size and complexity. A community bank may have one board committee that oversees internal audit and risk management, and a single management committee where all the components of operational risk are discussed. For larger organizations, however, more extensive policies, procedures, metrics, and governance bodies may be needed to cover greater complexity. Notably, integrating the various programs into a single operational risk management system can be challenging.
Meeting regulators’ calls for advance planning will also take effort. As organizations grow, whether organically, through acquisitions, or both, regulators are looking for commensurate investments in risk management systems to be made in anticipation of growth, giving those systems time to mature and prove their effectiveness and sustainability. Any organization that is contemplating significant growth in the next five years should ensure that its growth plans include concurrent enhancements to its risk management systems.
SR 04-18, superseded by SR 19-4.
The largest institutions are subject to the “LFI” rating. The components of this rating are capital planning and positions, liquidity risk management and positions, and governance and controls (see SR 19-03). This rating continues the emphasis on risk management.
Federal Reserve System, Supervision and Regulation Report, May 2022, https://www.federalreserve.gov/publications/files/202205-supervision-and-regulation-report.pdf.
FDIC, 2022 Risk Review, June 2022, https://www.fdic.gov/analysis/risk-review/2022-risk-review.html.
OCC, Semiannual Risk Perspective, Spring 2022, https://occ.gov/publications-and-resources/publications/semiannual-risk-perspective/files/semiannual-risk-perspective-spring-2022.html.