Risk Governance: Banks Back to School

The following post comes to us from Dan Ryan, Leader of the Financial Services Advisory Practice at PricewaterhouseCoopers LLP, and is based on a PwC publication.

On September 2, 2014, the Office of the Comptroller of the Currency (“OCC”) finalized its risk governance framework for large banks and thrifts (“Guidelines”) that was proposed in January 2014. [1] The Guidelines formalize the heightened risk management standards that the OCC has been communicating through the supervisory process for several years, but do so somewhat more flexibly than the January proposal (“proposal”) did. Although many firms have been working to enhance their risk management programs to meet the proposal and supervisory communications, most still have work to do in order to meet the Guidelines’ requirements.

The Guidelines maintain the proposal’s emphasis on risk governance at the bank level to ensure safety and soundness, and afford the OCC greater flexibility (prescribed under regulations) to take enforcement actions in response to a bank’s compliance failure. The responsibility to oversee risk management remains with the Board of Directors, which retains its ultimate risk governance oversight role; however, the Guidelines clarify that the Board need not take on responsibility for day-to-day managerial duties, as the proposal had suggested.

Two other key changes since the proposal bring the Guidelines closer to common industry practices and afford some flexibility to banks. First, the Guidelines narrow the proposal’s definition of a front (or “first”) line unit within the “three lines of defense,” [2] thus bringing fewer organizational support units or functions into the first line (which would subject them to the Guidelines’ requirements for first line units). This change is especially important for functions that have traditionally been second line (e.g., Legal) or otherwise were not accountable for risk. [3]

Second, although the Guidelines maintain the stringent requirements that a bank must meet in order to adopt its parent Bank Holding Company’s (“BHC”) Risk Governance Framework wholesale (including a 95% asset similarity test which, under our analysis, no bank meets), banks now have more flexibility in leveraging their parent BHC’s resources in other ways. Namely, the Guidelines allow (and encourage) banks to adopt individual components of their parent BHCs’ Risk Governance Framework (“RGF”) in consultation with the OCC, but only if the components are modified to adequately address the bank’s risk profile [4] and are otherwise consistent with the Guidelines’ requirements.

Banks may also leverage BHC personnel as long as the personnel’s duties to the BHC do not impede their service to the bank (e.g., by compromising their independence within the bank’s risk governance framework). Thus, under the Guidelines, the parent BHC’s Chief Risk Officer (“CRO”) may serve as the bank’s CRO (i.e., “dual hatting”) and report to both the Bank’s and BHC’s CEOs. This change resolves the confusion around reporting structure between the proposal (which was silent on dual hatting) and the Federal Reserve’s (“Fed”) finalized Enhanced Prudential Standards (“EPS”) [5] which require bank CROs to report to BHC executives.

This post analyzes these two areas where the Guidelines provide more flexibility than the proposal, and provides our view of what firms should be doing now.

The Guidelines’ changes from the proposal

Definition of the three lines of defense

The Guidelines change the proposal’s definitions of the first and second lines of defense, which differed significantly from common industry practice and from guidance issued by other regulatory bodies. [6] Most importantly, the proposal defined first line of defense units broadly to include any function that engages in revenue generation or supports the first line. This broad definition would have covered support functions (e.g., Legal, finance, treasury, IT, and human resources) that have traditionally been placed outside of the first line, which would then subject these functions to second line oversight, among other requirements.

The Guidelines narrow this definition by introducing a second necessary condition for bringing support functions into the first line, i.e., that the function also be accountable for risk. However, a function of a support unit may still be considered a front line unit if it is accountable for risk and satisfies one of the Guidelines’ other criteria. [7]

Leveraging the parent BHC’s resources

To ensure decisions made at the BHC level do not jeopardize the soundness of the bank, the Guidelines (similar to the proposal) require a separate RGF for the bank where the risk profiles of the BHC and the bank are not the same. Under the Guidelines, a bank and its BHC parent have the same risk profile only if the bank’s assets represent 95% of the BHC’s assets, [8] a condition that by our analysis is not met by any of the 23 large firms to which the Guidelines apply. [9]

Banks that do not meet this 95% threshold may request consideration from the OCC that the bank’s risk profile is substantially the same as its parent’s risk profile (based on a written analysis provided by the bank). However, given the OCC’s focus on “raising the bar” and seeking stronger bank-level risk governance, such requests will be closely scrutinized and likely difficult to obtain, at least until the regulators gain more confidence in the banks’ risk management practices. Some firms may choose to argue that the combined assets of several of their banks (with similar risk profiles) meet the 95% threshold in the aggregate, but this is unlikely to sway the OCC given its focus on each bank’s unique risk profile and necessary risk governance. Therefore, banks will need to take the costly step of establishing an RGF separate from their parent BHC’s, including separate systems, controls, and risk management positions. [10]

While the Guidelines are strict regarding wholesale adoption of the parent BHC’s RGF by the bank, they provide banks with more flexibility to adopt individual components of the BHC’s RGF after adequate modification. Modification is necessary to ensure that the adopted component is appropriate for managing the bank’s risk profile and otherwise conforms to the Guidelines’ requirements. We would expect certain components of the BHC’s RGF, for example internal audit or credit review functions, to be reasonable candidates to leverage for the bank’s RGF.

The Guidelines also provide flexibility for the bank to leverage its parent BHC’s personnel. Similar to the proposal, the Guidelines allow the bank to have multiple Chief Risk Executives (“CREs”) in lieu of a CRO, and require the bank’s CRO (or CREs) to have a direct reporting line to the bank’s CEO and unfettered access to the bank’s Board. However, whereas the proposal was silent on the common industry practice of the BHC’s CRO dual hatting as the Bank CRO, which confused some institutions, the Guidelines explicitly allow this practice. A dual hatting CRO under the Guidelines may report to both the Bank’s and the BHC’s CEOs. [11]

Despite these changes, the Guidelines’ reporting requirements remain intent on elevating the CRO’s stature (and that of CREs) to one level below the CEO, which is inconsistent with current practices at some firms. For example, in many cases in the industry, the Chief Compliance Officer (“CCO”) serves as the CRE responsible for independent risk management of the compliance function and reports to the General Counsel, who in turn reports to the CEO. Under the Guidelines, firms that employ this structure must change their reporting lines to place the CCO directly below the CEO. [12]

What should banks be doing now?

As banks move closer to full compliance with the Guidelines, [13] those seeking to achieve a “strong” OCC assessment rating [14] should:

  • Ensure that management has a clear understanding of the bank’s risk profile, and that the bank’s RGF is consistent with its risk profile, including risk appetite setting, exposure limits, and risk aggregation and reporting.
  • Assess the need for change in the bank’s structure and hiring practices for effective and independent risk management:
    • Apply the Guidelines’ definition of first line units against support functions (especially those that are more likely to meet the definition such as IT) to identify functions that must be brought into the first line of defense.
    • Build a framework that assigns clear responsibility within the three lines of defense to individuals that is consistent with the bank’s risk appetite, strategic planning, and concentration and limit setting. Set performance standards and compensation based on this assignment of responsibility.
    • Establish talent management programs for each line of defense to recruit, train, and retain qualified personnel. Specifically, review independent risk management hiring requirements to include adequate experience for effective challenge and oversight of the first line.
    • Ensure the CRO/CREs have a direct reporting line to the bank CEO. For example, the CCO must report directly to the bank CEO (or to a CRO overseeing all risk) rather than to the General Counsel.
    • Determine the right balance between combining risk responsibilities into a single CRO versus having multiple CREs, and establish independent lines of communication between the CRO/CREs and the bank’s Board and CEO.
  • Develop an implementation roadmap and identify key activities needed to establish the bank’s RGF:
    • Assess the case that can be made that the bank’s risk profile is the same as the parent BHC’s, in order for the bank to adopt the BHC’s RGF wholesale.
    • Since wholesale RGF adoption is unlikely, determine which components of the BHC’s framework could be modified to fit the bank’s risk profile (in consultation with the OCC).
    • Identify resources for establishing the bank’s RGF and ensure adequate resources are available.


[1] See PwC’s Regulatory Brief, Risk governance: OCC codifies risk standards, paving the way for increased enforcement actions (February 2014) for a discussion of the proposal. The Guidelines apply to (a) insured national banks, federal savings associations, and federal branches of foreign banks (collectively “banks”) with average total consolidated assets of $50 billion or more, (b) banks below $50 billion if the Bank’s parent controls at least one other entity to which the Guidelines apply, and (c) banks below $50 billion that have highly complex operations or otherwise present heightened risk, as determined by the OCC.

[2] The “three lines of defense” are a well-known risk governance concept recognized by regulators and adopted by the industry. The first line of defense is part of the business unit and is responsible for managing the risks it undertakes (e.g., by setting its risk appetite). The second line consists of independent risk management functions, separate from the first line, that have responsibility for identifying, measuring, monitoring, or controlling aggregate risk. Finally, the third line of defense—internal audit—provides independent assessment and assurance on the entire risk framework.

[3] The Guidelines require that functions be brought into the first line that (1) are accountable for one of the eight risks referenced in the Guidelines, and (2) engage in one of the three following activities: (a) generating revenue or reducing expenses, (b) supporting the delivery of products and services to customers, or (c) providing technological support to first line units. The Guidelines added the first prong of this test to the proposal, and refer to the following risks: credit risk, interest rate risk, liquidity risk, price risk, operational risk, compliance risk, strategic risk, and reputation risk.

[4] Banks must consider the appropriateness of BHC resources to the bank risk profile at least annually (e.g., in the areas of risk appetite, strategic planning, roles and responsibilities, and monitoring processes).

[5] See PwC’s First take: Enhanced prudential standards (February 19, 2014) (Discussed on the Forum here).

[6] The proposal’s definition of the three lines of defense differed from the standards issued by the Basel Committee on Banking Supervision, the Committee of Sponsoring Organizations, and the Financial Stability Board, which generally align with the common industry practice of placing only revenue-generating functions in the first line.

[7] See note 3.

[8] Assets are measured as average total consolidated assets over the four most recent quarters.

[9] In response to the proposal, several firms requested that this threshold be reduced to as low as 80%. However, our analysis also indicates that most banks would still not be able to meet this even lower hurdle.

[10] We also expect this issue to affect a majority of Foreign Banking Organizations (“FBOs”) once their Intermediate Holding Companies (“IHCs”) are created as required under the EPS rule. These IHCs will own significant US assets (e.g., broker-dealer operations) that are outside of the bank and are therefore unlikely to meet the 95% threshold. See PwC’s Regulatory Brief, Foreign banks: US admission price rising (July 2014).

[11] This change also resolves the confusion around potential misalignment between reporting requirements under the proposal and under the Fed’s EPS rule. The EPS rule requires the bank CRO to report directly to the BHC CRO rather than to the bank CEO. The proposal’s silence on whether the bank CRO may report to a BHC executive had raised concerns that such reporting might not be permissible under the Guidelines.

[12] Alternatively, in structures where the CRO is one level below the CEO and oversees all risk, it would be appropriate for the CCO to report to the CRO.

[13] The Guidelines’ compliance deadline is tiered based on bank size, from 60 days after the Guidelines’ publication in the Federal Register for the largest banks (those with over $750 billion in assets), to 18 months for the smallest (those with $50-100 billion in assets).

[14] At the core of the OCC’s bank supervision is a risk assessment framework that (a) assesses how well risks are identified, measured, controlled, and monitored by the bank, and (b) assigns a rating of strong, satisfactory, or weak to the bank. We anticipate compliance with the Guidelines to be an integral part of achieving a strong rating under that framework.
