Fed to Make Banks Pay for Lax Risk Management

We have been obsessing over risk management for more than a decade, and yet too many large financial institutions still don't do it very well.

Why is that? There are lots of excuses, even some good ones, but the fact remains that few companies have devoted enough resources to managing the myriad risks hurled at them day in, day out.

Barbara A. Rehm

That's about to change.

A sliver of the Federal Reserve Board's massive proposal to enhance its supervision of the largest banks spells out exactly what enterprisewide risk management should look like. Qualifications for chief risk officers and board risk committees are detailed and certain reporting lines are required.

It may be the single best shot at preventing another financial crisis because, once the rule is adopted, the executives and boards of our largest firms will all be held to a single risk management standard. And perhaps even more important, regulators will be held accountable if they fail to ensure compliance with the new mandates.

Not surprisingly, some financial companies oppose hardwiring a subjective practice like risk management. They have a point, but this rule is the price the entire industry will pay for the mistakes that bred the 2008 crisis and that have yet to be corrected at some firms. It's hard to trust financial companies to do the right thing when the chief risk officer of MF Global is complaining he was fired for questioning the firm's exposure to European sovereign debt.

"What a shame we have to wait for regulation to force some banks to do this," says Kevin Blakely, the former head of the Risk Management Association who was the chief risk officer at KeyCorp and later Huntington. "What the regulation is trying to do is establish a formalized governance process for managing risk throughout a company. Having that governance process in place is critical to long-term success."

Karen Shaw Petrou, co-founder and managing partner of Federal Financial Analytics, is slightly less diplomatic.

"Everyone talked a good game about enterprisewide risk management, but the regulators didn't do anything more than speechify and the banks did nothing to implement it," she says. "So I think they need rules to ensure, not only that banks do it, but that regulators are held accountable for it."

To illustrate her point, Petrou notes Bank of America elevated Greg Curl to CRO in 2009 after he led the Merrill Lynch acquisition. Dealmakers like Curl would have a hard time qualifying for the CRO position under the Fed's new rule.

The Fed's proposal covers banking companies with more than $50 billion in assets, though even $10 billion-asset companies will need to set up independent risk committees. The Fed's demands will intensify as a firm's size or risk appetite increases. It was required by Section 165 of the 2010 Dodd-Frank Act and is supposed to take effect by Oct. 15. Under the Fed's plans, large financial companies would have to hire experienced chief risk officers who report directly to both the chief executive officer and a committee of the board devoted solely to risk management — no mixing in audit as Capital One does or finance as Citigroup does.

All risk committee members will need to understand risk management principles and practices, but at least one member must "have risk management expertise that is commensurate with the company's capital structure, risk profile, complexity, activities, size, and other appropriate risk-related factors," according to the Fed's proposal.

This expert also should "have experience developing and applying risk management practices and procedures, measuring and identifying risks, and monitoring and testing risk controls with respect to banking organizations."

That's much more than Dodd-Frank mandates. The reform law merely says the risk committee expert should have "experience in identifying, assessing and managing risk exposures of large, complex firms."

But the Fed apparently thinks it might need to get even more specific; the proposal asks whether the Fed should specify "minimum qualifications, including educational attainment and professional experience" for the board expert.

The Fed clearly expects the risk committee to gets its hands dirty. The proposal says the risk committee must approve a risk management framework that:

• Sets risk limitations for each business line.

• Establishes systems for identifying and reporting risks, including emerging risks.

• Monitors compliance with risk limits.

• Ensures effective and timely implementation of corrective actions.

• Integrates risk management objectives into management goals and compensation.

Turning to the CRO, the Fed proposal repeatedly stresses the importance of "independence, expertise and stature." The Fed has a long list of responsibilities the CRO must "directly oversee," including:

• Delegating risk limits and monitoring compliance.

• Developing appropriate processes and systems for identifying and reporting risks and risk-management deficiencies, including emerging risks, on an enterprisewide basis.

• Ensuring any deficiencies are effectively resolved.

By now, the largest banks all have a chief risk officer and most have that person reporting directly to the CEO. Most boards have a committee devoted to risk, although some will have to make changes to ensure that risk management is the committee's sole focus.

The CRO typically has regular contact with the risk committee, but few have the formal reporting structure the Fed has proposed.

The risk management section of the Fed's proposal is tiny compared to the other thorny topics it tackles, including liquidity, stress-testing and counterparty credit limits. Comments on the proposal were due Monday, and there are several criticisms the Fed should weigh as it writes the final rule.

The first is the line separating management duties from board responsibilities. Boards are supposed to set the policies that management puts into practice. But plenty of smart people in the industry believe the Fed's proposal blurs that line.

"Who is really in charge of risk? Is it this quasi-management board member that is a risk expert, or is it the risk expert in the management ranks?" asks David Gibbons, a managing director at Promontory Financial Group who was the CRO at HSBC North America and before that the deputy comptroller for credit risk. "That could be quite confusing."

Promontory teamed with the Korn/Ferry Institute to assess the proposal's impact on the industry. They concluded the Fed's high standards may make it tough to find enough qualified people for the boards of the largest banks.

"The proposed rule would require there to be a person on the risk committee with the same qualifications as the chief risk officer. One implication of that is, where do you find these people?" Gibbons says. "There is a limited supply of talent, and finding someone for the board and finding someone for management means you have doubled the requirement."

So the Fed might want to ease up on the demands placed on the risk committee if for no other reason than to ensure there are enough qualified people to fill those slots.

There is one last thing the Fed should do.

With all the focus on chief risk officers and boards it might be easy to forget that good risk management begins with the people who are committing the bank's capital — the lenders, the traders, the dealmakers.

No doubt the Fed gets that, but highlighting it in the final rule would be a good idea.

Blakely, who also used to be a federal regulator, put it simply.

"All too often risk is considered to be the responsibility of the corporate risk management function. That's not a good environment. You have to have the risk taker feel that he or she has ownership for the risk being taken. Only when you get to that point do you have the right level of accountability.

"When you foster that ownership of risk into the risk takers, it creates a different kind of culture."

Just what we need.

Barb Rehm is American Banker's editor at large. She welcomes feedback to her column at Barbara.Rehm@SourceMedia.com. Follow her on Twitter at @barbrehm.

For reprint and licensing requests for this article, click here.
Law and regulation
MORE FROM AMERICAN BANKER