Risk Is Our Business: Application of Risk Management Protocols*
by William Mark, Lead Examiner, Supervision and Regulation, Federal Reserve Bank of Chicago

Charles Evans, former president and chief executive officer of the Federal Reserve Bank of Chicago, once said, “Dealing with uncertainty and managing risk can come in many forms. But it always entails studying the problem from many angles and thinking about what could go wrong.”1 Federal Reserve examiners take this perspective when evaluating the risk management processes of state member banks during community bank examinations. When assigning a community bank’s risk management rating, examiners use a risk assessment matrix to characterize the different types of risk that contribute to the bank’s overall risk profile as well as the related effectiveness of its risk management.2

Traditional Supervisory Approach

Examiners give significant weight to the effectiveness of a community bank’s risk management program when assigning the bank’s supervisory ratings, both the component ratings and the composite rating. The definitions of each component of the Uniform Financial Institutions Rating System, commonly referred to as the CAMELS rating system,3 state that examiners will consider the effectiveness of a bank’s risk management efforts when assigning each respective rating.4 As a result, when examiners identify material deficiencies in a bank’s risk management practices, they reflect the effects of those deficiencies in the corresponding CAMELS component rating. Similarly, when examiners assign the management, or M, component rating, they consider the overall effectiveness of the bank’s aggregate risk management efforts.

The Risk Management Rating and Related Supervisory Guidance

In 1995, the Federal Reserve introduced guidance on the assessment of risk and risk management at state member banks and bank holding companies and concurrently established an explicit numerical, standalone risk management rating.5 The risk management rating is a formal assessment of overall risk management, intended to highlight the need for centralized risk management overseen by a state member bank’s board of directors and senior management. The rating helps Federal Reserve examiners communicate both the effectiveness of the bank’s overall risk management practices and a forward-looking assessment of its preparedness for prospective risk. Other components of the supervisory rating framework rely predominantly on point-in-time reported data about a bank’s condition. The risk management rating scale ranges from 1 through 5 in ascending order of supervisory concern: (1) strong, (2) satisfactory, (3) fair (or, from a practical perspective, less than satisfactory), (4) marginal, and (5) unsatisfactory.6

All facets of a state member bank’s activities are integrated by examiners into the overall assessment of the bank’s risk management. Although specialty examinations, such as those involving information technology, Bank Secrecy Act/anti-money laundering compliance, fiduciary/trust activities, consumer compliance, and the Community Reinvestment Act, may have been conducted at different times, the overall safety and soundness examination incorporates the results of these specialty examinations into the overall assessment of the bank’s risk management. Examiners consider the status of outstanding issues and how things may have changed since the last supervisory review.

Elements of Risk Management

Former Director of the National Economic Council Gary Cohn once stated, “If you don’t invest in risk management, it doesn’t matter what business you’re in, it’s a risky business.”7 Federal Reserve guidance explains that the effectiveness of a bank’s risk management practices, and of its related systems for identifying, measuring, monitoring, and controlling the risks arising from its activities, is determined by considering the four elements of sound risk management (Figure):8

  • Board of directors and senior management oversight
  • Policies, procedures, and limits
  • Risk monitoring and management information systems (MIS)
  • Internal controls

The board of directors is expected to provide leadership and oversight by defining the institution’s risk appetite and establishing a business strategy consistent with it. Senior management implements this vision and ensures that risks are controlled and that compliance with statutes and regulations is maintained.

The board of directors approves the policy framework that senior management develops and implements to address the types of risk arising from the bank’s activities. These policies and procedures guide management and staff decision-making and include limits designed to prevent excessive and imprudent risk-taking. In this fashion, policies, procedures, and limits serve as practical mechanisms for conveying the bank’s risk appetite.

Risk monitoring and MIS provide the board of directors and senior management with timely and accurate information about the bank’s activities and risk exposures. This information also gives management and staff the tools to monitor and execute control measures.

An effective internal control structure is critical to safe and sound operations: it promotes reliable financial and regulatory reporting, safeguards assets, and facilitates compliance with relevant statutes, regulations, and internal bank policies. An independent party should periodically test the effectiveness of controls and report either directly to the board or to its designated committee.

Figure: The four elements of sound risk management (board of directors and senior management oversight; policies, procedures, and limits; risk monitoring and MIS; internal controls)

From an examiner’s perspective, the four elements of sound risk management are interrelated. The board of directors is ultimately responsible for establishing the “tone from the top” by determining a bank’s risk appetite and ensuring that the appropriate infrastructure, including human capital, is in place to properly control or mitigate risk exposure. The bank’s policies and procedures convey its risk appetite and corresponding control measures. The bank’s MIS provides the metrics necessary for management to monitor risk levels and ongoing risk management efforts while also serving to inform the board of directors about whether associated risks are at appropriate levels.

The internal control environment, as guided by policies and procedures, is the established structure and practice implemented to control or mitigate risks. Tried-and-true control measures, such as dual controls, separation of duties, and access barriers, combined with a vigilant risk-focused culture that includes periodic training, serve to limit exposures to potential loss. A determination of the effectiveness of independent review functions that validate the adequacy of a bank’s control environment is built into the assessment of internal controls. Independent review functions, such as internal and external auditors, credit quality review, and model and assumption validation, are retained by the board to serve this purpose.

While the four elements of sound risk management are not formally rated at state member banks, the degree of effectiveness certainly factors into the supervisory assessment of a bank’s overall risk management. As such, a community bank should have internal controls, MIS, and internal audit processes appropriate for the size of the institution and the nature, scope, and risk of its activities.9 A bank should modify risk management processes, where warranted, based on changes in activities, asset size, complexity, and risk exposure.

Adequacy of Risk Management

The effectiveness of risk management is assessed relative to the level of risk inherent in a bank’s business activities and its on- and off-balance sheet exposures. Examiners use the risk matrix (Table)10 to depict a bank’s current risk levels and its likely risk trajectory in the foreseeable future. The matrix helps examiners assess a bank’s risk management practices against its inherent risk levels, using a three-tiered rating scale:11

  • Weak represents “risk management systems that are lacking in important ways and, therefore, are a cause for more than normal supervisory attention.” Noted deficiencies, such as large gaps in a bank’s oversight, reporting, control environment, or independent review, expose the organization to undue risk of loss and could adversely affect its safety and soundness.
  • Acceptable “indicates that…risk management systems, although largely effective, may be lacking to some modest degree. It reflects an ability to cope successfully with existing and foreseeable exposure that may arise in carrying out the institution’s business plan.” All relevant activities are addressed with a blend of oversight, guidance, reporting, and controls that effectively maintains risk exposures. Identified weaknesses are minor in nature and correctable in the normal course of business.
  • Strong “indicates that management effectively identifies and controls all major types of risk posed by the relevant activity or function.” An engaged board of directors and management team are complemented by comprehensive policies and timely detailed risk reporting, with an established and extensive internal control environment validated by experienced, risk-focused independent review.

The following table shows the risk matrix used by the Federal Reserve to characterize a bank’s risk profile and the quality of its related risk management efforts. The author’s previous article, published in 2024, provided an overview of risk types as well as the risk matrix assessment criteria, delving more deeply into the concept of inherent risk and risk trends.12

Table: Risk Matrix

Type of Risk | Inherent Risk         | Adequacy of Risk Management | Composite Risk        | Trend
-------------|-----------------------|-----------------------------|-----------------------|---------------------------------
Credit       | Low / Moderate / High | Weak / Acceptable / Strong  | Low / Moderate / High | Decreasing / Stable / Increasing
Market       | Low / Moderate / High | Weak / Acceptable / Strong  | Low / Moderate / High | Decreasing / Stable / Increasing
Liquidity    | Low / Moderate / High | Weak / Acceptable / Strong  | Low / Moderate / High | Decreasing / Stable / Increasing
Operational  | Low / Moderate / High | Weak / Acceptable / Strong  | Low / Moderate / High | Decreasing / Stable / Increasing
Compliance   | Low / Moderate / High | Weak / Acceptable / Strong  | Low / Moderate / High | Decreasing / Stable / Increasing
Legal        | Low / Moderate / High | Weak / Acceptable / Strong  | Low / Moderate / High | Decreasing / Stable / Increasing

Each cell lists the ratings available in that column; for each type of risk, examiners select one rating per column.

Composite Risk: Application and Impact of Risk Management

As discussed in the author’s previous article, composite or residual risk is the result of inherent risk from business activities after risk management measures are applied. This is a portrayal of the impact that risk management efforts have on a bank’s risk profile, tying directly to the relative effectiveness or ineffectiveness of these efforts.

As a rule of thumb, Strong risk management does not eliminate risk, but it typically reduces or mitigates inherent risk, resulting in a lower composite risk profile. Acceptable risk management typically controls and maintains existing risk levels. Weak risk management typically exacerbates or increases inherent risk, generally resulting in a higher level of composite risk.

Risk management also factors into the assessment of risk trend, the prospective direction of a bank’s risk. For example, persistently uncorrected risk management weaknesses would typically contribute to an increasing risk trend.

Overall Risk and Risk Management

The influence of each risk stripe on a bank’s overall inherent and composite risks as well as prospective trending differs based on the relative significance of the bank’s current and future activities. Similarly, the relative strengths or weaknesses in a bank’s risk management efforts for salient risk categories can also significantly influence an examiner’s assessment of the bank’s overall risk management.

Conclusion

The approaches a banker and bank examiner take when assessing risk and risk management are rooted in different perspectives. The banker has a vertical perspective, with intimate knowledge and understanding of the bank’s specific strategy, risk profile, and related risk management practices. The examiner, however, has a horizontal perspective, one concerned with the risk environment and risk management practices of the bank and its peers. Of course, it is important to remember the banker and examiner have aligned interests, with both wanting to promote the bank’s safe and sound condition. Overall, a bank’s ability to successfully deliver on the four elements of sound risk management will help examiners determine whether the bank is operating in a safe and sound manner.

From an ongoing supervision perspective, communication and transparency between bankers and examiners are key. In addition to information gathered in the examination and offsite monitoring processes, ongoing discussions between bankers and examiners aid examiners in understanding a bank’s risk profile in real time. These interactions also provide opportunities for examiners to share information with bankers on regulatory guidance and industry best practices. The Federal Reserve strives to maintain an open dialogue with supervised institutions to ensure transparency for all parties and to hear the bankers’ perspectives.

It is in this spirit that Vice Chair for Supervision Michelle W. Bowman of the Federal Reserve Board noted, “Transparency promotes fairness, as regulated entities and the public can better understand why and how our actions further our goals.”13 It is only through the practice of transparency that a bank’s risk exposure and the risks to the banking system can be properly and consistently assessed by both examiners and bankers. As former Federal Reserve Board Chair Alan Greenspan once remarked, “Indeed, better risk management may be the only truly necessary element of success in banking.”14

  • *This article follows up on a previous article by William Mark, “Risk Is Our Business: A Supervisory Perspective on the Dynamics of Risk and Risk Management,” which explored the dynamics of risk and risk management and explained how examiners assess a bank’s risk position to determine the adequacy of its risk management. That article appeared in the Second Release 2024 of Community Banking Connections and is available at www.cbcfrs.org/Articles/2024/R2/risk-is-our-business.
  • 1 Charles Evans’s March 25, 2019, speech at the Credit Suisse Asian Investment Conference, Hong Kong, “Revisiting Risk Management in Monetary Policy,” is available at www.chicagofed.org/publications/speeches/2019/revisiting-risk-management.
  • 2 See Supervision and Regulation (SR) letter 16-11, “Supervisory Guidance for Assessing Risk Management at Supervised Institutions with Total Consolidated Assets Less Than $100 Billion,” available at www.federalreserve.gov/supervisionreg/srletters/sr1611.htm.
  • 3 CAMELS refers to the supervisory rating framework that federal and state bank regulators use to communicate an assessment of a bank’s condition. Examiners assign a composite rating on a scale of 1 to 5 and six component ratings: capital (C), asset quality (A), management (M), earnings (E), liquidity (L), and sensitivity to market risk (S). To be considered satisfactory, a bank must receive a CAMELS composite rating of 1 or 2.
  • 4 See SR letter 96-38, “Uniform Financial Institutions Rating System,” available at www.federalreserve.gov/boarddocs/srletters/1996/sr9638.htm.
  • 5 See SR letter 95-51, “Rating the Adequacy of Risk Management Processes and Internal Controls at State Member Banks and Bank Holding Companies,” available at www.federalreserve.gov/boarddocs/srletters/1995/sr9551.htm, as well as SR letter 16-11.
  • 6 See SR letter 95-51.
  • 7 See Christine Harper, “Goldman’s Cohn Says Firms Burned by Poor Controls, Not Products,” Bloomberg, September 25, 2011, available at www.bloomberg.com/news/articles/2011-09-25/goldman-s-cohn-says-companies-burned-by-poor-risk-management-not-products.
  • 8 See SR letter 16-11.
  • 9 See SR letter 16-11.
  • 10 See section 1001.1 of the Commercial Bank Examination Manual, available at www.federalreserve.gov/publications/files/cbem.pdf.
  • 11 See section 1001.1 of the Commercial Bank Examination Manual.
  • 12 See William Mark, “Risk Is Our Business: A Supervisory Perspective on the Dynamics of Risk and Risk Management.”
  • 13 Vice Chair for Supervision Bowman’s February 5, 2025, speech at the Kansas Bankers Association Government Relations Conference, “Bank Regulation in 2025 and Beyond,” Topeka, KS, is available at www.federalreserve.gov/newsevents/speech/bowman20250205a.htm.
  • 14 Alan Greenspan’s October 5, 2004, speech at the American Bankers Association Annual Convention, “Banking,” New York, is available at www.federalreserve.gov/boarddocs/speeches/2004/20041005/default.htm.