provide qualitative disclosures regarding their approach to enterprise risk management including: 1) whether there is a comprehensive enterprise-wide risk management function; 2) the extent of board involvement in that function; 3) whether the CEO controls that function; 4) the breadth of expertise available to address firm risks; and 5) any differences between management and risk managers regarding the firm’s current risk profile.
I later extended this argument in 2009 and advocated mandatory risk management committees that were independent of management and included risk-management expertise, at least for the largest and most systemically important financial firms.
On January 16, 2014, the OCC took a giant leap in this direction. Combined with prior regulatory releases by the SEC and the Federal Reserve (which acted pursuant to section 165(h) of the Dodd-Frank Act), the stage is set for a more rationalized corporate governance law and regulation. Here are the requirements of the new risk management guidelines in the OCC's own words:
The proposed guidelines set forth the minimum standards for the design and implementation of an institution’s risk governance framework and provide minimum standards for oversight of that framework by the board of directors. The guidelines include provisions regarding:
- The roles and responsibilities of those organizational units that are fundamental to the design and implementation of the risk governance framework. These units are front line units, independent risk management, and internal audit. Together, these units should establish an appropriate system to manage risk taking.
- A comprehensive written statement that articulates the bank’s risk appetite, which serves as a basis for the risk governance framework. This statement should include both qualitative components and quantitative limits.
- Board of directors’ oversight of a bank’s compliance with safe and sound banking practices. The board should ensure that the bank establishes and implements an effective risk governance framework that complies with the guidelines.
- Active board oversight of a bank’s risk-taking activities. This includes establishing accountability for management’s adherence to the risk governance framework. The board should also evaluate management’s recommendations and decisions by questioning, challenging, and, when necessary, opposing management proposals that could lead to excessive risk taking or pose a threat to safety and soundness.
- Composition of the board of directors. A board of directors should have at least two independent members who are not part of the bank’s or the parent company’s management.
The OCC’s risk management guidelines apply to all banks with over $50 billion in assets. Therefore, virtually every large bank in the U.S. will now be required to adopt some form of ERM.
These new requirements are additional risk management mandates to those the Fed proposed in late 2011. The Fed’s ERM mandates apply to all systemically important financial institutions with a primary focus on bank holding companies with over $50 billion in assets. The Fed's proposal mandates an independent risk management committee, risk management expertise and an ERM function that is independent of the CEO.
The SEC, for its part, already requires that all public firms disclose their risk management practices to investors pursuant to the mandatory disclosure requirements applicable to such firms. These regulations took effect in 2009.
Taken together, it is clear that a new paradigm is emerging in corporate governance, and ERM is at the center of that paradigm. To the extent that independent risk management committees emerge that directly supervise a chief risk officer and more risk management expertise is brought to bear in the public firm (and the financial sector in particular), perhaps corporate governance can evolve toward a regime that gives investors more precisely the risk profile they bargain for. That would be a major improvement. After all, deeply deficient risk management pervaded all aspects of the Great Financial Crisis of 2008.
ERM as refined by the OCC and the Fed holds the potential to define a new "best practices" in corporate governance for communication of a firm's risk profile and the control of risks within the firm to meet that profile.
Law review article forthcoming...