Enterprise Risk Management (ERM) isn’t a new concept. In fact, within the last five years or so, many banks have integrated a more global view into their risk management efforts. So why does the Office of the Comptroller of the Currency’s (OCC) recent guidance put such fear into the hearts of community bankers? The answer is twofold. Even though this guidance isn’t directed at their market, community banks justifiably fear that these standards will be informally applied to them. After all, regulatory history has a clear precedent of such trickle-down effects. But more importantly, community banks wonder how in the world they will implement such heightened ERM standards and still do their actual job—banking. We’re here to break through the murk and help you conquer your fear of ERM, because in the end, ERM will benefit your bank’s business position just as much, if not more, than its regulatory condition.
The OCC Takes the Lead on Risk Management
Much has been written about institutions that fared the best during and after the 2008 financial crisis. Those with strong risk management, especially those that had fully adopted an ERM approach, were exposed to less risk because they had done a better job identifying and monitoring their overall exposure as well as the interconnectedness between various types of risk. In addition, their ERM approach meant they were much better equipped to effectively deal with any exposures they did face in the crisis.
As part of their efforts to avoid a repeat financial crisis, federal regulators have acknowledged the importance of stronger and more robust risk management. The OCC has been the lead voice on this issue since 2010, when it announced its “heightened expectations” for risk management. In 2011, the OCC further defined these expectations, and by 2012 it began considering them during examinations of large and mid-sized institutions. Then just over a year ago, the OCC proposed formal guidance on the heightened expectations for large banks, which was finalized in September and became effective for the largest institutions (= $750 billion in assets) before year’s end.
KEY ELEMENTS OF THE OCC’S GUIDANCE
The OCC’s formal guidance, as published on Sep. 2, 2014, sets the expectation that covered banks will establish and implement a formal risk management Framework, and defines the roles and responsibilities of all key parties involved in maintaining that Framework. The key elements include:
- Covers credit, interest rate, liquidity, price, operational, compliance, reputation, and strategic risk
Required Written Documentation:
- Framework approved by the board of directors or its risk committee that spells out any delegations of authority by the board and the processes for reporting to the board, and is updated and reviewed at least annually by independent risk management to address changes in internal or external factors, emerging risks, or the bank’s strategic plan
- Three-year strategic plan
- Risk appetite statement
Key Parties and their Primary Responsibilities to the Framework:
- Chief Executive Officer: development of the strategic plan and risk appetite statement
- Board of Directors (must include at least two independent members): active supervision of the Framework, including challenging management on risk-taking activities when appropriate
- Three Lines of Defense as defined by the OCC—frontline units; independent risk management led by the Chief Risk Executive; and internal audit led by the Chief Audit Executive: the design, implementation, and ongoing maintenance of the Framework
- Banks with $50 billion or more in average total consolidated assets
- Banks with less than $50 billion in average total consolidated assets that either
- Have a parent company that controls at least one other covered institution, or
- Whose operations are deemed by the OCC to be highly complex relative to its risk-management capabilities
THE BIG QUESTIONS FOR NON-COVERED INSTITUTIONS
What, if anything, do those key elements and the detailed specifics in the final guidance mean for community banks and others that are outside of the covered definition? Will the guidance be informally applied to them simply because it is out there? And will the definition of covered institutions be expanded in the future to include smaller banks? Based on public statements, the OCC does not appear to have plans at this point to apply the guidance to community banks. Several legal experts who advise the financial services industry, however, have expressed caution and concern.
In a client advisory, Alston & Bird LLP warns that time will tell “whether the OCC’s guidelines establish de facto standards among all banks with regard to risk management discipline …”ii While Davis Polk & Wardwell LLP made this cautionary statement in a presentation on the subject: “State banks are not subject to the OCC’s risk governance guidelines, but similar principles likely will be applied by the Federal Reserve and the FDIC to large state members and non-member banks.”iii And Ballard Spahr LLP commented in a September legal alert that “notwithstanding the (OCC’s) disclaimer, we have some lingering concern that, over time, examiners will impose on community banks various elements of the ‘heightened expectations’ guideline under the label ‘best practices.’”iv
For our part, we can’t predict the future, but we will tell you that our sources in Washington, D.C., echo the OCC’s public comments that they do not want to require the guidance at smaller institutions. The agency is, however, keen on recommending the guidance as a way to help the community bank market and other non-covered institutions strengthen their risk management stance. And rightly so, because you can’t manage what you don’t adequately identify and monitor. Continuing to manage risk in silos fails to capture its full impact and the interconnectedness between the various types of risk, which ultimately yields a very flawed picture of your overall risk position.
RISK MANAGEMENT MEETS STRATEGIC PLANNING
In a way, community banks and other non-covered institutions have the best of both worlds right now— the benefit of the guidance without the regulatory mandate. Not convinced of the benefit? Consider this: without ERM, individual business units or functions guard the risk in their own shop because they know it best, right? But down in the valley of that unit, they can’t see how their risk is connected to the risk in all other units or how it affects the overall institutional risk. Using an ERM approach to risk changes that perspective by opening up a global view to all business units. So instead of being stuck in individual, sight-limiting valleys, everyone has a crystal clear view from the mountaintop.
Now, how do you get from point A (the old way) to point Z (fully integrated ERM)? We understand it’s a huge undertaking, so this is the biggest question on your mind. The best place to start is with the OCC guidance, because it gives you an initial roadmap for creating two vital ERM elements—the Framework AND the strategic plan. Pulling together the Framework will require tapping key persons within the Three Lines of Defense, studying all policies and procedures, and formally identifying all risks within the OCC’s eight categories. Developing the strategic plan then flows from that Framework through a comprehensive risk assessment from which to articulate your corporate mission and strategic vision for a three-year period. This marriage between risk management and strategic planning ensures you understand where you are now, where you’re headed if you stay on your current course, where you actually want to be, and how best to get there.
COMMUNITY BANKS DON’T HAVE TO FIGURE THIS OUT ON THEIR OWN
We’re not trying to downplay the work involved in getting to an ERM state; it’s monumental indeed. Rather, we want to underscore the importance and ultimate benefit of that work. If, at some point, regulators choose to apply this guidance formally or informally to a broader range of institutions, yours will be well ahead of the curve. Further, this forward-thinking approach will yield stronger and more consistent business results regardless of regulatory requirements. And help is available for this task beyond the resources from the OCC. CSI uses a combined consultative and automated software approach to help community banks go from A to Z without sacrificing their actual day jobs as bankers. Imagine the clarity and productivity that can come to that day job when ERM has been fully internalized to the point that it’s second nature. Now that is a fear conquered.
Davis Polk & Wardwell, LLP; Risk Governance; Visual Memorandum on Guidelines Adopted by the OCC; November 7, 2014.