I later extended this argument in 2009 and advocated mandatory risk management committees that were independent of management and included risk-management expertise, at least for the largest and most systemically important financial firms.
On January 16, 2014, the OCC took a giant leap in this direction. Combined with prior regulatory releases by the SEC and the Federal Reserve (the latter acting pursuant to section 165(h) of the Dodd-Frank Act), the stage is now set for a more rationalized corporate governance law and regulation. Here are the requirements of the new risk management guidelines in the OCC's own words:
- The roles and responsibilities of those organizational units that are fundamental to the design and implementation of the risk governance framework. These units are front line units, independent risk management, and internal audit. Together, these units should establish an appropriate system to manage risk taking.
- A comprehensive written statement that articulates the bank’s risk appetite, which serves as a basis for the risk governance framework. This statement should include both qualitative components and quantitative limits.
- Board of directors’ oversight of a bank’s compliance with safe and sound banking practices. The board should ensure that the bank establishes and implements an effective risk governance framework that complies with the guidelines.
- Active board oversight of a bank’s risk-taking activities. This includes establishing accountability for management’s adherence to the risk governance framework. The board should also evaluate management’s recommendations and decisions by questioning, challenging, and, when necessary, opposing management proposals that could lead to excessive risk taking or pose a threat to safety and soundness.
- Composition of the board of directors. A board of directors should have at least two independent members who are not part of the bank’s or the parent company’s management.
The OCC’s risk management guidelines apply to all banks with over $50 billion in assets. Therefore virtually every large bank in the U.S. will now be required to adopt some form of ERM.
These new requirements are additional risk management mandates, on top of those the Fed proposed in late 2011. The Fed’s ERM mandates apply to all systemically important financial institutions, with a primary focus on bank holding companies with over $50 billion in assets. The Fed's proposal mandates an independent risk management committee, risk management expertise on that committee, and an ERM function that is independent of the CEO.
The SEC, for its part, already requires that all public firms disclose their risk management practices to investors pursuant to the mandatory disclosure requirements applicable to such firms. These regulations took effect in 2009.
Taken together, it is clear that a new paradigm is emerging in corporate governance, and ERM is at the center of that paradigm. To the extent that independent risk management committees emerge that directly supervise a chief risk officer and more risk management expertise is brought to bear in the public firm (and the financial sector in particular), perhaps corporate governance can evolve toward a regime that gives investors more precisely the risk profile they bargain for. That would be a major improvement. After all, deeply deficient risk management pervaded all aspects of the Great Financial Crisis of 2008.
ERM as refined by the OCC and the Fed holds the potential to define a new "best practices" in corporate governance for communication of a firm's risk profile and the control of risks within the firm to meet that profile.
Law review article forthcoming...