As financial services organizations emerge from the most severe economic rupture in generations, many are making efforts to respond to the heightened expectations of multiple stakeholder groups. Among these expectations is the initiative captured by the phrase “getting to strong.” This expression originates primarily from the methods for evaluating risk management practices in banks from the Office of the Comptroller of the Currency (OCC). Bank Director magazine talked recently to Cory Gunderson and Tim Long, both managing directors with risk and business consulting firm Protiviti, about specific regulatory expectations and what bank management should focus on.
How has the regulator guidance on risk changed for big banks?
Tim Long: Coming out of the recent downturn, the regulators believed that many of the largest and most complex financial services institutions did not have the level of risk management and board oversight that was required given the level of complexity and risk embedded in their organizations. The OCC thus undertook an effort called “heightened expectations” to require the largest and most complex banks to upgrade their risk management systems and achieve a strong rating, as defined in the OCC risk assessment process.
What kind of effort will it take to get to a strong rating?
Tim Long: It will vary based on how regulators currently view the company’s risk management process. The good news is that this is an open book test. There are definitions and guidance that the examiners use when making their value judgments to assign the ratings. What the OCC also noted, and what may be bad news for some institutions, is that the satisfactory ratings of some firms going into the downturn may have been overly generous and did not fully reflect some deficient practices. So with the increased focus on ratings, and the additional requirements for enterprise risk management contained in the Dodd-Frank Act and Basel capital accords, some banks may struggle just to keep their satisfactory ratings, even if they improve current practices.
What suggestions do you have for boards wanting to achieve a strong rating from their regulator?
Cory Gunderson: The first thing they need to understand is that there are various aspects of risk management to address. In very simple terms, there has to be a coordinated effort between the lines of business, risk management and the assurance functions like internal audit, generally referred to as the third line of defense. The board and management need to direct the development and execution of this initiative. There should be written plans with specific milestones, and there must be close communication and collaboration between all impacted parties.
What are the challenges of something like this for internal audit?
Tim Long: Internal audit is an area that will be significantly affected both by “heightened expectations” and by regulatory and legislative mandates under the Dodd-Frank Act and Basel capital accords. Much of the roadmap for the increased requirements is contained in parts 165 and 166 of the Dodd-Frank Act and was recently published for comment as enhanced prudential standards.
Cory Gunderson: When you look at the increased requirements for internal audit as it pertains to capital and liquidity planning, stress testing, corporate governance and resolution planning, internal audit groups face a daunting task. Regulators now expect internal audit functions to audit around and opine on the effectiveness of the enterprise’s risk management function. This is a new requirement for some internal audit groups and it may require some of them to bring in additional expertise and skill sets.
For smaller banks that don’t want to hire a full-time chief risk officer, what should they do?
Tim Long: The question they will have to answer is, “should we?” In many cases, most of the risk of a community bank is going to be contained in its credit portfolio. So while they may not need a full-time chief risk officer, they certainly do need to have the ability to keep abreast of legislative and regulatory mandates, and have a clear line of sight into the business units of the institution to understand how various mandates will affect them.
Cory Gunderson: They also need to have executives in the organization thinking and talking about event risk that could impact them. Finally, all institutions need a means to identify and track emerging risk areas as a matter of good business practice.
Cory Gunderson is a managing director with Protiviti and leads the firm’s U.S. Financial Services practice as well as its Global Risk & Compliance practice. In 2009, he was named one of the Top 25 Consultants by Consulting Magazine and was one of three recipients for Excellence in Financial Services.
Tim Long is a managing director with Protiviti’s Global Risk & Compliance and Financial Services practices. Long was most recently senior deputy comptroller at the Office of the Comptroller of the Currency.