Banks are resisting an effort by the US Federal Reserve to hold individual business units accountable for risk management.
Proposed supervisory guidance issued by the Fed in January assigns responsibility for risk governance and controls to business heads, independent risk managers and senior management – a departure from existing guidance, which focuses almost exclusively on the role of boards and senior managers.
“The Fed has made a very important change” with the proposed guidance, said Richard Cech, a senior bank examiner for operational risk at the Federal Reserve Bank of New York, at the OpRisk North America conference on March 21. “Ten years ago, all the supervisors were loading everything onto the board. The proposed rules are more realistic about the behavioural dynamics of an organisation.” He was speaking in a personal capacity.
Under the new approach, business heads must ensure the risks emanating from their units are managed effectively and in a manner consistent with the firm’s overall strategy and risk tolerance.
However, some banks worry the language in the proposal will expose every part of their operations to additional supervisory scrutiny and review. “The guidance employs a very broad definition of ‘business line’, which has the potential to capture nearly any business unit or function, in a manner that does not necessarily correspond with … an understanding of whether that unit or function is the source of material risk,” writes Stefan Gavell, head of regulatory, industry and government affairs at State Street, in a comment letter dated March 15.
The Fed’s proposal defines a business line as a “unit or function of a financial institution, including associated operations and support that provides related products or services to meet the firm’s business needs”.
Banks say that definition is too broad, and could result in back-office and technology teams being subjected to supervisory examinations and review.
In a separate comment letter, Eric Varvel, chief executive of Credit Suisse’s US operations, criticises the Fed’s definition as a “one-size-fits-all approach” that would apply business line management principles to non-business functions.
Other banks have objected to the proposal on the basis that it requires business heads to take on responsibilities that are typically performed by the risk function. For instance, the guidance requires business line management and the risk department to report to senior management on the risk profile of individual businesses. “This may lead to a duplication of effort and potentially create confusion for senior management,” writes Robin Vince, chief risk officer at Goldman Sachs, in a comment letter dated March 15.
A spokesperson for the Fed said it is reviewing the comments received on the proposed guidance.
The controversy over the Fed guidance is part of an ongoing debate over the three lines of defence (3LOD) model for risk management, which has proved to be unwieldy to implement. While some have praised the 3LOD model for helping to promote a stronger risk culture, others say embedding risk and controls personnel within the first line boosts overheads and blurs the distinction between the risk and business functions.
Some banks have tried to address this blurring of the lines by creating intermediaries between the first, second and third lines. HSBC, for example, has identified five different roles: first-line risk owners; first-line control owners; business risk and control managers; second-line risk stewards; and second-line op risk officers. “Business risk and control managers bridge the gap between the second line and the true risk owners, such as the trading desk heads or the head of the mortgage business,” said Kathleen Stack, deputy head of US operational risk at HSBC, at the OpRisk North America conference on March 21.
The Fed has never officially endorsed the 3LOD model, which formed an important part of the Basel Committee on Banking Supervision’s 2011 Principles for the sound management of operational risk. However, the Fed’s examiners employ the 3LOD concept in their supervision of banks. “Our approach is to look at independent challenge and feedback,” said Cech. “Lines of reporting can be extremely important in terms of levels of candour in communications.”
Editing by Kris Devasabai