Achieving Heightened Standards Within Principled Regulatory Guidance Craig Lane Managing Director Basel & Strategic Programs BMO Financial Group Global Association of Risk Professionals November 2014

The views expressed in the following material are the author’s and do not necessarily represent the views of the Global Association of Risk Professionals (GARP), its Membership or its Management.

Comments in the presentation are the speaker’s own and not those of his employer.

3 | © 2014 Global Association of Risk Professionals. All rights reserved.

BMO Snapshot

BMO (for Fiscal 2013)

$16.2B in revenue

$537B in assets

$4.2B in net income

45,500 employees

12MM customers

BIII Common Equity T1 Capital: 9.9%

US BHC (BMO Financial Corp)

Founded 1882, top 25 Bank

$178.7B in assets

600 retail branches

Wealth management, Capital Markets

Primarily upper Midwest with material presence in FL and AZ

14,500 employees

Senior debt A3/A+ rated

BMO 2013 Annual Report

https://www.bmoharris.com/us/about/newsroom/bank-facts

FQ1’14 Average

BMO North American Footprint

Opening Remarks

This presentation is intended to assist with any number of programs addressing principled regulatory guidance but focuses on one emerging item – OCC Heightened Standards for Large Banks.

BMO’s US operation continues to seek achievement of Strong ratings across a number of its risk functions.

― This presentation describes the Bank’s approach, which works well for the unique structure and risks of the organization.

― For other financial institutions, this approach may offer a different level of success.

― The purpose of the presentation is to provide an overview of BMO’s approach and allow audience members to assess its applicability to their own institution’s approach.

“Principled” approach in this context denotes level of detail.

― Heightened Standards is considered by the banking community to be prescriptive in several areas.

― The contrast being made in this presentation is lack of specificity. The Proposed Rule seeks objectives, versus other regulation such as Dodd-Frank or Sarbanes-Oxley where requirements down to the task level are mandated.

Topics

Regulatory Environment

Program Approach

Challenges & Observations

Topics

Regulatory Environment

Regulatory Guidance Issued To Establish Principles

While media and legitimate industry attention has been paid to the most burdensome of detailed regulatory and legislative requirements, occasionally regulators release guiding principles:

Apr 2011: Joint US Supervisory Guidance on Model Risk Management

Jan 2013: Basel Principles for Effective Risk Data Aggregation and Risk Reporting

Aug 2013: Federal Reserve Capital Planning at Large Bank Holding Companies: Supervisory Expectations and Range of Current Practice

Jan 2014: OCC Draft Notice of Proposed Rulemaking on Heightened Expectations

Sep 2014: Establishing Heightened Standards for Certain Large Insured National Banks

OCC Heightened Standards deviates from previous detailed rules (SOX, Dodd-Frank)

In contrast to most regulations this is thirty-three pages.

New content substantially less than other regulations.

Input from embedded examiners but centrally written.

Rule has two major principles:

− Risk governance framework, and

− Board composition and responsibilities.

Challenge: How does an institution develop stronger framework and practices in the absence of specific rules and requirements?

OCC Comptroller Curry RMA GCOR Conference May 8, 2014

Canadian Environment: More Principled Approach

Although mirroring the spirit of US rules (SOX, Dodd-Frank), Canadian regulations are often not as voluminous as their US counterparts.

Canada has one main banking supervisor, which streamlines supervisory coverage.

The marketplace is an oligopoly with six major banks.

Principle-based rules allow for dialogue between supervisor and institution to understand interpretation.

The regulator monitors best practices and applies them among impacted institutions. Banks can carefully engage in dialogue for the improvement of the system.

Exams are more often conducted within an environment of horizontal reviews.

Substantial reliance is placed on the 3rd line of defense to make representations.

With many years of designing programs within the bounds of principled guidance of home regulators (OSFI), US Risk Management enters the Heightened Expectations program leveraging its comfort and experience and is sharing some of its approaches here.

Heightened Standards

Timing

Guidelines apply to banks >$50B, which must comply no later than 18 months from issuance date (May 2016).

Covered banks between $750B and $100B have 6 months to comply with Guidelines.

Covered banks over $750B must comply by Nov 10, 2014 (60 days from issuance date).

Guidelines provide the OCC an ‘opt-in’ clause for any bank whose operations are complex enough to require compliance.

Replaces

No longer “Getting To Strong” or “Heightened Expectations”.

Banks are not evaluated on being ‘Strong’ but rather on compliance with the guideline.

− Individual functions still maintain the criteria. For example, capital adequacy, controls, and management are all still evaluated on ‘weak’, ‘fair’, ‘strong’, etc.

This is not replacing nor intended to conflict with the Fed Enhanced Prudential Standards applied to Foreign Banking Operations.

First & Second Line of Defense - Definition

First Line of Defense: Front Line Unit

“Any organizational unit or function thereof…that is accountable for one of several enumerated risks and that either

− Engages in activities designed to generate revenue or reduce expenses…”

− Provides operational support or servicing to any organizational unit or function…in the delivery of products or services to customers; or

− Provides technology services to any organizational unit or function covered by these guidelines.”

Functions can be split between Front Line and not Front Line. For example, the part of Finance focused on expense reduction would be a front line unit requiring oversight by Independent Risk Management, but the part of Finance providing oversight to enterprise-wide policies on preparing the company’s financial statements would not be a front line unit.

Risks can transfer. If, for example, a portfolio of accounts is moved from one part of the bank to another, then the part of the bank that is now managing the accounts is designated a Front Line Unit even if it did not originate the portfolio.

Second Line of Defense: Independent Risk Management

“Any organizational unit within the bank that has responsibility for identifying, measuring, monitoring, or controlling aggregate risks.”

The Board (or risk committee) reviews and approves the Framework, and appointment/removal of Chief Risk Executive.

CRE should have unrestricted access to the Board of Directors.

First & Second Line of Defense - Responsibilities

Front Line Unit

Assess material risks associated with their activities.

Adhere to a set of written policies that include front line unit risk limits.

Establish and adhere to procedures and processes necessary to ensure compliance with the aforementioned written policies.

Adhere to all applicable policies, procedures, and processes established by independent risk management.

Develop, attract, and retain talent and maintain appropriate staffing levels and adhere to talent management processes and compensation and performance management programs.

Second Line of Defense

Primary responsibility for design of a Framework commensurate with the bank’s size, complexity, and risk profile that meets the Guidelines.

Should identify and assess, on an ongoing basis, the bank’s material aggregate risks and use such risk assessments as the basis for determining if actions need to be taken to strengthen risk management or reduce risk given changes in risk profile.

Establish and adhere to enterprise policies that include concentration risk limits.

Establish and adhere to procedures and processes necessary to ensure compliance with the aforementioned policies and to ensure front line units meet Guidelines.

Communicate to the CEO and the Board or risk committee significant instances where a front line unit is not adhering to the Framework or not meeting the Guidelines.

Third Line of Defense

Audit

Maintain a risk-based audit plan that considers emerging risks and issues.

Report conclusions and material issues to the Audit Committee.

− Reports of any material issues should include root cause, and

− Determination of the effectiveness of front line units and independent risk management in identifying and resolving issues in a timely manner.

On an annual basis, assess the design and effectiveness of the risk governance framework for appropriateness to the size, complexity, and risk profile of the bank.

Communicate significant instances of noncompliance with the framework.

Maintain a quality assurance program that ensures audit’s policies, procedures, and processes comply with applicable regulatory and industry guidance, are appropriate to the bank’s risk profile, and are updated to reflect internal and external risk factors and emerging risks.

Chief Audit Executive should report directly to the CEO.

Same standards of attracting, developing, and retaining talent appropriate to fulfill role in the framework are required.

CEO Responsibilities

CEO is responsible for development of a documented strategic plan with input from front line units and independent risk management.

At least annually, the Board should evaluate and approve the plan and monitor management’s effort to implement it.

Strategic plan should cover a 3 year period and contain a comprehensive assessment of risks that have or could have an impact during this period.

The bank should have a written statement that articulates the bank’s risk appetite and serves as a basis for the Framework.

Risk appetite defined as “aggregate level and types of risk the board and management are willing to assume to achieve the bank’s strategic objectives and business plan, consistent with applicable capital, liquidity, and other regulatory requirements.”

− Qualitative components include culture.

− Quantitative limits incorporate sound stress testing and earnings, capital, and liquidity.

‹ Risk limits may be designed as thresholds, triggers or hard limits.

‹ Aggregated individual limits can exceed the bank’s risk appetite statement.

Review of the risk appetite statement by the board’s risk committee should be done annually.

Communication of the appetite statement should occur initially, with ongoing reinforcement.

Board Risk Committee Responsibilities

Require management to establish and implement an effective risk governance framework.

Approve the framework and subsequent “significant changes”.

Actively oversee the bank’s risk-taking activities and hold management accountable for adhering to the framework.

Demonstrated by the ability to question, challenge, and oppose management’s proposed action plans, and by an understanding of the risk-taking activities. Bringing in third-party expertise is permitted.

Review and approve the framework and risk appetite, and significant changes, at least annually.

Review and approve a written talent management program that provides for development, recruitment and succession for the CEO, CRO, and Chief Auditor.

Exercise independent judgment and credible challenge.

Independent judgment will be assessed, in part, based on a board member’s other responsibilities and the extent to which they could be in conflict with the bank’s interests.

Maintain at least two independent directors.

Establish and adhere to ongoing training for all directors.

Conduct an annual self assessment to the guidelines.

Topics

Program Approach

ERM Program Structure

The foundation of meeting Heightened Standards is a solid program.

Regulators review US Risk Management along with Compliance and AML as part of overall “Independent Risk Management”. Audit is often included in this definition.

Risk Stripes (horizontal rows) are aligned to both bank and regulator organizational structures. Within US Risk Management, each Stripe has a single accountable risk professional that is responsible for ownership of the framework.

Risk Themes are initiatives that cross all Risk Stripes and include: Risk Appetite, Talent Management, Model Risk, Technology, and Capital Management/Stress Testing. Given the breadth of activities, there may be more than one owner.

Supervisors assign a rating to each risk stripe which rolls up to the Management rating and ultimately into the legal entity composite rating.

[Figure: Heightened Standards “Enhancing Risk Management (ERM) Program”. Labels: Commercial Credit, Consumer Credit, Operational, Pricing, Liquidity, Interest Rate, Compliance, AML, Audit, Independent Risk Management, Risk Themes, Program Office.]

Inputs to Assessing Risk Stripe Performance

Inputs to the Heightened Standards Program come from multiple sources both within and outside the bank.

Identified enhancement opportunities, with project details and timelines, are shared with examiners.

[Figure: inputs to assessing risk stripe performance. Labels: Ongoing Projects; Self Assessments; Examiners Annual Ratings; Supervisory Reviews; Corporate Audit Reports; Examiners Review Criteria; External Assessments.]

Inputs Into Action

Gaps to requirements are assessed for materiality and remediated through projects and specific milestones and activities providing insight to activity.

The dashboard used to manage the Program is used for Board and Regulatory Reporting. There is a single view on Program progress.

R/Y/G status is provided by the Program in almost all instances. The importance is impartiality. Exceptions are programs where separate governance is already in place.

Closure Process

Examiners are increasingly scrutinizing the effectiveness of the closure process.

Closure process is key to integrity of the Program Office.

The Program Office reviews projects that are completed in only 1 of 4 categories (bold outline).

This comprises about 2/3rds of all projects.

Regulatory findings are closed through a separate independent governance process.

Audit findings are cleared through Corporate Audit retest.

Technical model issues are resolved in a forum of peers who can effectively challenge.

Once the Bank closes a project, the regulators can review.

[Figure: closure process. Labels: Completed Project; Regulatory Findings; ERM Program; Model Related; Audit Findings; Closed Project; Regulatory Review.]

Program Process

Over 200 projects comprise the Heightened Expectations program.

Not all projects are of equal weight or impact.

Program designed to complete majority of projects by end of 2015. Sustainability & effectiveness is defined when projects are implemented and evidenced as integrated within business as usual processes.

Projects not started include mostly technology but can include projects dependent on adjacent stakeholders not directly engaged on Heightened Expectations program.

Progress reported to Board quarterly.

[Chart: ERM Program. Axis ticks 0 to 100; labels Oct-13 and Nov-14.]

A documented aggregate rating is provided to Risk Management on a quarterly basis and the individual risk stripes receive the rating within the annual supervisory cycle.

Challenge is understanding progress within a risk stripe between annual rating cycles.

The number of projects is expected to increase as the Bank reconciles capital plan improvements to Heightened Expectation categories.

Topics

Challenges & Observations

Key Observations – Heightened Standards Program

The Heightened Expectations guidance, as drafted, is a change from many recent rules which are significantly detailed.

Focus on themes: Risk Governance, Role of the Board, Risk Appetite, etc.

The institution should define its own criteria that it is comfortable supporting.

Develop criteria unique to each risk function. BMO has found that the multitude of examiners’ handbooks for assessing risk functions are useful.

Implementing a strong credible closure process will provide significant credibility to the bank’s Heightened Expectations program.

Providing a location for examiners’ review of evidence has helped maintain program credibility.

Following several years of 2nd line focus, regulators are shifting attention to 1st line owned risk management activities. Business Units should expect to demonstrate sound knowledge and practices as a proactive self-regulating entity with ownership over data management, AML, stress testing, risk appetite, risk reporting, etc.

Key Observations – Principled Guidance

In Principled regulatory guidance, be comfortable with ambiguity and change.

Comparisons are made across institutions and examiners will encourage an institution to improve functions based on practices they have observed elsewhere.

Seek a variety of inputs defining success criteria. While most inputs are within influences (benchmarking, regulatory assessments, industry literature) can provide objective viewpoints.

The resulting criteria must be those your institution finds most suitable for itself.

Environment will change in time and the project plan may be modified. Challenge your institution if the project plan put in place is the right one.

Be assured, don’t ask examiners what should be done; it gives the impression that the program has little direction.

Asking examiners for feedback on a defined course is considered appropriate.

Leverage counterpart examiners’ feedback from horizontal reviews. Understand their interest in the subject institution meeting stated objectives.
