[author: Walter Donaldson, II CFE]
On January 16, 2014, the Office of the Comptroller of the Currency (OCC) released a proposal seeking comment on guidelines that would establish minimum standards of governance, risk management and board independence for certain large national banks, Federal savings associations, and Federal branches (collectively, “banks”). The guidelines are intended to become an integral part of the OCC’s safety and soundness regulations (12 CFR Part 30).
The OCC would apply these guidelines to insured national banks, insured Federal savings associations, and insured Federal branches of foreign banks (but not uninsured trust banks or uninsured Federal branches and agencies) with average total consolidated assets equal to or greater than $50 billion. However, the OCC would reserve authority for applying the guidelines to smaller banks if it determines that the operations of a bank are highly complex or otherwise present heightened risk, based on analysis of the bank’s complexity of products and services, risk profile, and scope of operations.
In response to the financial crisis, the OCC developed the following five “heightened expectations” of large national banks, which until now have only been informally communicated to banks:
(1) preserve the sanctity of the charter, imposing on the board of directors a primary fiduciary duty to ensure the bank operates in a safe and sound manner
(2) maintain a well-defined personnel management program that ensures appropriate staffing levels and provides for orderly succession, as well as compensation tools that motivate and retain talent without encouraging imprudent risk-taking
(3) define and communicate an acceptable risk appetite across the organization
(4) institute reliable oversight programs that include the development and maintenance of strong audit and risk management functions, as measured against the OCC’s standards and leading industry practices, and
(5) install an independent board of directors that has an understanding of the bank’s risk profile thorough enough to challenge decisions made by management.
The OCC’s proposal would convert these heightened expectations into heightened standards promulgated in enforceable guidelines (the Guidelines). Part I of the Guidelines introduces the standards, explains the scope, and defines key terms; Part II prescribes minimum standards for creation of a risk governance framework; and Part III provides minimum standards for board oversight of the risk governance framework.
Introduction and Scope
Part I of the Guidelines expresses the OCC’s expectation that a bank establish and implement a risk governance framework for managing and controlling its risk-taking activities. A bank may use its parent company’s risk governance framework if the framework meets the minimum standards created by the Guidelines, the risk profiles of the parent and the bank are substantially the same, and the bank has demonstrated through a documented assessment that its risk profile is substantially the same as its parent’s.
Standards for a Risk Governance Framework
Part II of the proposed regulations requires banks to establish and adhere to a formal written risk governance framework, designed by independent risk management[1] and approved by the board of directors. This framework, which is to be reviewed and updated at least annually, must specifically cover credit risk, interest risk, liquidity risk, price risk, operational risk, compliance risk, strategic risk, and reputation risk.
The Three Functions
The risk governance framework should cover three functions: (1) front-line units, (2) independent risk management, and (3) internal audit.
Front-line units are any organizational units that engage in activities designed to generate revenue for the bank, provide services to the bank (e.g., administration, finance, treasury, legal, or human resources), or provide information technology support to any organizational unit covered by the Guidelines. Front-line units are responsible for managing the risks associated with their activities by assessing these risks, establishing written policies to identify and control the risks, creating and following procedures to ensure compliance, and following the bank’s talent management processes and compensation management programs.
Independent risk management is required to oversee the bank’s risk-taking activities and assess the risks independently of the chief executive officer (CEO) and front-line units by taking primary responsibility for designing a written risk governance framework consistent with the Guidelines; identifying the bank’s material aggregate risks to determine whether risk management actions need to be taken; and establishing policies and procedures to identify, measure, and monitor risk in a manner consistent with the bank’s risk appetite statement (described below) and the risk governance framework. Independent risk management must communicate with the CEO and the board, as appropriate, about material risks and about significant instances where independent risk management’s assessment of risk differs from that of a front-line unit or the CEO. Independent risk management also is expected to follow the bank’s talent management processes and compensation management programs.
Internal audit is required to ensure that the bank’s risk governance framework complies with the Guidelines by maintaining an inventory of its material businesses and products while assessing the associated risks, establishing an audit plan, and reporting to the board the conclusions and recommendations from the audit work. Internal audit is expected to act independently in assessing the design and effectiveness of the risk governance framework, communicating to the board significant instances where front-line units or independent risk management are not adhering to the risk governance framework, and establishing a quality assurance department to ensure that internal audit’s policies comply with applicable regulatory and industry guidance. Internal audit also must follow the bank’s talent management processes and compensation management programs.
The CEO is responsible for developing a written strategic plan, to be approved by the board, which covers a three-year period, contains a comprehensive risk analysis, articulates an overall mission statement together with strategic objectives, and explains how the bank will achieve those objectives. The strategic plan, subject to continuing review and update, also must delineate how the bank will update the governance framework to account for changes in its risk profile.
A comprehensive written statement that articulates the bank’s risk appetite is intended to be the foundation of the risk governance framework. The risk appetite statement must contain qualitative components (i.e., describing a safe and sound risk culture, how the bank assesses and accepts risks, etc.) and quantitative components (i.e., incorporating sound stress testing processes and addressing the bank’s earnings, capital, and liquidity position). Building on that statement, the risk governance framework must include concentration risk limits and any applicable front-line unit risk limits that ensure that front-line units do not create excessive risks or exceed the limits established in the risk appetite statement. The framework is expected to require: (a) board review and approval of the risk appetite statement; (b) internal communication and enforcement of the bank’s risk appetite statement in a way that ensures all employees align their risk-taking decisions with the risk appetite statement; (c) monitoring by independent risk management of the bank’s risk profile relative to its risk appetite and reporting that to the board; (d) monitoring of compliance by front-line units and reporting that to independent risk management; and (e) where necessary due to the level and type of risk, monitoring by independent risk management of compliance by front-line units with applicable risk limits and reporting of any concerns to the CEO and board.
Talent Management and Compensation
As part of the bank’s talent management processes, the board of directors is responsible for hiring a CEO (and approving the hiring of the CEO’s direct reports), one or more chief risk executives (CREs) and a chief audit executive (CAE), each of whom has the skills and abilities necessary to design and implement an effective risk governance framework and to establish reliable succession plans. The board also must oversee talent development, recruitment and succession planning processes for personnel two levels down from the CEO, as well as for independent risk management and internal audit. The bank should also establish compensation and performance management programs that ensure that: (a) the CEO, front-line units, independent risk management, and internal audit implement and adhere to an effective risk governance framework; (b) front-line unit compensation plans and decisions appropriately consider the level and severity of issues and concerns identified by independent risk management and internal audit; (c) the talent needed to design, implement, and maintain an effective risk governance framework is attracted and retained by the bank; and (d) incentive-based payment arrangements that encourage inappropriate risks are prohibited.
Standards for Board of Directors
Part III of the proposed regulations imposes standards on the board for oversight of the risk governance framework. Consistent with its duty to oversee the bank’s compliance with safe and sound banking practices, the board is required to ensure that the bank establishes a risk governance framework meeting the minimum standards described in the Guidelines, including approval of any subsequent changes. The board must actively oversee risk-taking activities and document its challenge of — or even opposition to — management decisions that could cause the bank’s risk profile to exceed its risk appetite or threaten safety and soundness. Expect a heightened level of supervisory examination and attention to bank board minutes. The board is expected to exercise sound, independent judgment and to include no fewer than two members who are not part of the management of the bank or its parent company. The board must also establish a formal, ongoing training program for independent directors covering complex products and services having a significant impact on the bank, as well as laws and regulations applicable to the bank, among other critical topics identified by the board. In addition, the board is required to conduct annual self-assessments evaluating its effectiveness in meeting these standards.
Pepper Point: By adopting guidelines to replace its previous practice of communicating heightened expectations informally through speeches and nonpublic enforcement actions, the OCC is exercising its statutory authority to prescribe safety and soundness standards, and, in doing so, gains the enhanced ability to use the full array of its enforcement powers (e.g., civil money penalties, suspension or removal of officers and directors, cease-and-desist orders) against any bank that fails to submit and comply with an OCC-approved plan to correct violations of the heightened standards.
Pepper Point: The OCC has described the Guidelines as “providing additional supervisory tools to examiners.” We expect these tools to be used not only to force improvements in bank governance and financial stability, but also to intensify pressure on a bank’s board to reinforce its Bank Secrecy Act (BSA)/Anti-Money Laundering (AML) compliance program as an overall part of the bank’s board approved risk profile.
Pepper Point: While the Guidelines leave no doubt that independence of judgment is a core principle of bank governance and risk management, through its solicitation of comments the OCC signals that the door has not yet closed to alternative approaches that may achieve its objectives.
[1] Independent risk management is any organizational unit within the bank that has responsibility for identifying, measuring, monitoring, or controlling aggregate risks.