CRO says NY Fed faces same op risks as commercial banks

“The predominant risks the bank faces have shifted since the end of the financial crisis,” says Rosenberg

Joshua Rosenberg: interconnectedness between 12 reserve banks is an additional op risk

The Federal Reserve Bank of New York occupies a special place in the pantheon of US financial regulators. As the beat cop for the Federal Reserve's Second District, which includes New York and parts of New Jersey and Connecticut, it supervises and regulates many of the world's largest banking institutions.

The New York Fed is also effectively the markets division of the Federal Reserve System. It conducts open market operations to implement monetary policy decisions and intervenes in foreign exchange markets to achieve US dollar exchange rate policy objectives. It serves as the primary point of contact for foreign central banks, facilitating payments of funds in US dollars and the purchase and sale of foreign exchange and Treasury securities, as well as the storage of monetary gold.

In this regard, the New York Fed is not unlike a large commercial bank – and the operational risks it must tackle are broadly similar, says Joshua Rosenberg, its chief risk officer (CRO).

"The operational risks that the bank faces aren't fundamentally different than those faced by a commercial bank," he says. "The same types of things that a commercial bank is concerned with – cyber and insider threats, dependence on outsourced service providers, challenges associated with data management, business continuity and resiliency – if you looked at a list of top risks for commercial banks, I think those would be on it. If you ask what some of the top risks we have are, you would also likely see those as well."

Operational risk has moved up the Fed's agenda since the financial crisis, when market and credit risk naturally dominated the conversation, says Rosenberg. His own career mirrors this shift. An economist by training, Rosenberg joined the New York Fed as a research economist in 2001 from New York University's Stern School of Business, where he was an assistant professor of finance, conducting research on derivatives, volatility modelling and risk management. He moved to the New York Fed's risk management group during the crisis, where he helped develop the term asset-backed lending facility – a post-crisis attempt to steady the stricken market for asset-backed securities.

As the crisis eased, Rosenberg found himself dealing with more operational issues. This continues to be the case. In July 2015, Rosenberg was appointed CRO, with overall responsibility for implementing and enhancing the New York Fed's risk management framework, including its approaches to enterprise, financial and operational risks.

"Enterprise risk management and operational risk management were areas I encountered later in my career," he says. "They resonate a lot with me now, as the predominant risks the bank faces have shifted since the end of the financial crisis."

In an interview with, Rosenberg discusses the changing nature of the risks the New York Fed faces, how he works with his counterparts at the other reserve banks and the board of governors, and the future of operational risk management.

How did you come to be CRO?

Joshua Rosenberg: During the financial crisis, the bank reached out to a broad variety of people, including in research, to analyse and respond to those unprecedented events. I joined teams working on the design and risk management of the term asset-backed securities facility and the commercial paper funding facility. At that point, my career took a little bit of a change as my focus became more pragmatic and operational in terms of risk management.

In 2009, the bank decided to create a centralised risk group to look at the new financial risks the bank was facing as a result of the special liquidity facilities set up to mitigate the crisis. I helped build that group, and its leader, our bank's first CRO, asked me if I would want to direct one of the risk functions. I led an area that we called risk analytics that built risk models, conducted independent price verification, and performed model validation. When we decided to create an enterprise risk management team to look more broadly at risks across the bank, I started up and then led that group as well.

What is the function of the risk group that you oversee?

JR: The mission of the risk group is to support the bank's ability to manage risk within its risk tolerance while pursuing its objectives. In the three lines of defence framework, which is the approach we take to risk management in the bank, the first line is the business; both conducting business activities and, in the course of doing its business, taking risk and managing those risks. The second line of defence is independent risk management, providing oversight and an independent view of the bank's risks to stakeholders, including the management committee and our board of directors. The risk group is responsible for the second line in terms of financial, operational and strategic risks, and we work closely with our compliance area on compliance risks. The third line is our internal audit area that ensures the first and second lines are executing on their responsibilities.

New York Federal Reserve building

What operational risks are present in the bank's daily business?

JR: In all of the activities that we conduct – from financial services, to monetary policy support, to supervision – there are operational risks because we rely on people, processes and information systems. In any business, the specifics of exactly how those risks might be manifested and the types of risk events that might occur might be different, but we're running a diverse set of businesses here. All of them are subject to errors. That's why we value the discipline of operational risk management, and we apply it in very similar ways to the way a bank or corporation would.

Does the New York Fed face unique operational risks?

JR: In my view, the operational risks that the bank faces aren't fundamentally different than those faced by a commercial bank. The same types of things that a commercial bank is concerned with – cyber and insider threats, dependence on outsourced service providers, challenges associated with data management, business continuity and resiliency – if you looked at a list of top risks for commercial banks, I think those would be on it. If you ask what some of the top risks we have are, you would also likely see those as well.

We do have relatively complex interactions and dependencies across the 12 reserve banks for many infrastructure services, including technology. Most of the reserve banks are both service providers and service receivers from other reserve banks. For example, IT systems support might be in one bank, HR technology might be in another, email services might be in another. For that reason, we focus a significant amount of attention on governing and managing these dependencies as a source of operational risk.

How does the New York Fed's operational risk management programme operate?

JR: Underlying the bank's operational risk management programme are the core risk management activities of identification, assessment, mitigation and monitoring of risk. We have an operational risk framework that articulates roles and responsibilities for the three lines of defence in operational risk management, and it also describes in more detail what the policies and procedures are that support that. For example, risk identification and risk assessment includes risk event reporting and analysis of risk events. That's good practice for any company to understand the mistakes it has made, to learn from them, and take proactive steps to do better.

A second practice which is very common in the industry, that we also follow, is risk control self-assessment, where business areas look in detail at the inherent risks that their business faces, the controls they have in place, the resulting residual risks, and, where necessary, establish additional action plans to adjust risk to an acceptable level.

Monitoring, reporting and escalation are all critical to us. We regularly report on risk exposures, risk events and mitigation plans to the management committee and to the bank's board of directors. Our central operational risk area also synthesises the risk events, the risk control self-assessments, and other information they have to identify the bank's key operational risks. There's a fair amount of heavy lifting and analysis involved in putting together a picture from these disparate sources of information, which includes outreach to individual businesses. We ask, for example, if management of information technology assets is a key residual operational risk for the bank, something that we need to focus on; what are the mitigation plans, and how are those plans progressing.

How are risk management activities co-ordinated at the reserve bank and system levels?

JR: We have governance at the system level that includes oversight from the board of governors that impacts all of the reserve banks, and we have a conference of presidents and a conference of first vice presidents, which are bodies that allow us to do co-ordinated planning, strategy and focus on risk issues and other critical issues. Those are the kinds of top-level governance we have to pull us together, despite the fact that we're separate entities with separate boards of directors and separate management. So there are forces to pull us towards the centre. At the Federal Reserve System level, there is an enterprise risk management group under the conference of first vice presidents that is looking broadly and thinking about how we can understand and manage risks in a holistic way across the system.

How do you quantify your operational risks?

JR: Quantification in the operational risk space is challenging. One way to put operational risk quantification in context is using a KuU framework in terms of the known, the unknown, the unknowable risks. I view operational risk as being closer to one of the unknown risks that are difficult to quantify. We might be able to describe the states of the world that are the ones we're trying to avoid, but it's hard to accurately assign probabilities to them.

Since it is difficult to precisely quantify both the magnitude of inherent risk you face in the operational space and how much you reduce it by taking particular mitigating actions, we capture operational risk levels using broad risk buckets.

I do think it's important to understand the amount of risk reduction you get from a particular control, since you have to choose among a whole portfolio of potential mitigation activities, all of which have different costs and effectiveness. We are all resource-constrained. We all need to decide how to optimise our budget and get the most bang for the buck in terms of expenditures on risk mitigation, so you don't want to just choose the next project on the list.

Do you draw upon the operational risk expertise of the supervisory group?

JR: We work very closely with our supervisors to provide us with insights into what state of the art practices are in the industry, and also to understand what their advice is and what critiques they have of industry practice. So we leverage the knowledge and expertise of supervision and the learning they have from interaction with the private sector to make our own internal policies and procedures more effective.

Do you tend to recruit from outside or do you develop talent internally?

JR: We are very open in our hiring and interested in finding the best talent – whether it's inside or outside the bank. That said, we put a lot of effort and focus on developing our internal talent. People who come to the bank have a strong mission focus and are dedicated to the institution. We have a bright, dedicated group of people and we invest heavily in them, but we also actively look to the outside for expertise.

Has your experience in academia been useful to your career at the Fed?

JR: Risk management has many prongs to it. We have the market and credit risk piece that's mostly driven by data and complex models, and that's the world I grew up in and was my research focus. That experience provided me with a conduit into the broader world of risk management. Enterprise risk management and operational risk management were areas I encountered later in my career. They resonate a lot with me now, as the predominant risks the bank faces have shifted since the end of the financial crisis.

One of the other things that I learned in the academic world, through the referee report process when we submit papers to academic journals, was how to listen to criticism and be able to make changes to deal with that criticism. When you submit an article and get back a report that has 20 reasons why you're wrong, you can either be defensive and not take the criticism and not learn from it and not get your paper published, or you can take it in and constructively adjust and improve. For me, in an organisational context, it helps to learn how to hear those types of criticisms.

Have you ever considered returning to academia?

JR: The practical issues we deal with at the Fed are so compelling, as are the theoretical issues that underlie them, especially in the organisational risk space around how you organise institutions, how you improve processes that involve people, and what are the psychological and organisational aspects to that. I've been interested and I approached these problems in the same way that I approached problems in academia, which is to do lots of reading, talk to experts, and try to synthesise ideas across disciplines. I find the work here to be incredibly intellectually challenging, and the problems meaningful.

What do you think the future holds for risk management?

JR: We're learning a lot from work in psychology, work in organisational theory, and work in behavioural finance to understand and go beyond understanding risks solely based on models that assume rationality and complete information to approaches that recognise the greater complexity of human behaviour. In the future, I think we will see risk management approaches that more fully leverage these insights.
