Print ArticleInside the Fed’s Revisions to Risk Management Guidance
by Allison Lamb, Manager, Supervisory Oversight, Board of Governors of the Federal Reserve System; Margaret Angeloff, Supervisory Financial Analyst, Board of Governors of the Federal Reserve System; Richard Wilson, Principal Examiner, Federal Reserve Bank of Cleveland; and Lori Calhoun, Senior Examiner, Federal Reserve Bank of Cleveland
Supervision and Regulation (SR) letter 16-11, “Supervisory Guidance for Assessing Risk Management at Supervised Institutions with Total Consolidated Assets Less Than $50 Billion,” was issued on June 8, 2016, and is applicable for all examinations and inspections of community banking organizations. This article provides an overview of SR letter 16-11 in a question-and-answer format to provide institutions with additional perspective on the Federal Reserve’s update of this guidance, which was previously issued under SR letter 95-51, “Rating the Adequacy of Risk Management Processes and Internal Controls at State Member Banks and Bank Holding Companies.”
SR letter 16-11 updates the Federal Reserve’s supervisory guidance for assessing risk management at supervised institutions with less than $50 billion in total consolidated assets, and it more clearly establishes applicability to savings and loan holding companies (SLHCs) and the U.S. operations of foreign banking organizations (FBOs). The SR letter also reaffirms the Federal Reserve’s long-standing supervisory approach that emphasizes the importance of prudent risk management and an institution’s ability to identify, measure, monitor, and control the risk of its activities. Moreover, the SR letter updates risk categories and clarifies risk management principles outlined in SR letter 95-51. Principles of sound management should apply to the entire spectrum of risks facing an institution, including, but not limited to, credit, market, liquidity, operational, compliance, and legal risks.
Why did the Federal Reserve update its risk management guidance?
The Federal Reserve periodically reviews its existing supervisory guidance to assess whether the guidance is still relevant and effective. The Board of Governors of the Federal Reserve System (Board) completed a policy review of the supervision programs for community and regional banking organizations to make sure that these programs and related supervisory guidance reflect current banking practices and risks. The policy review noted that the risk management principles presented in SR letter 95-51 remain fundamentally sound and applicable, but updates were needed to reflect industry and regulatory changes to primary risk definitions and nomenclature since the guidance was issued over 20 years ago.
To which institutions does SR letter 16-11 apply?
SR letter 16-11 applies to financial institutions supervised by the Federal Reserve with total consolidated assets of less than $50 billion. This includes state member banks; bank holding companies; SLHCs, including insurance and commercial SLHCs; and FBOs with combined U.S. assets of less than $50 billion. This represents a change from SR letter 95-51, which did not limit applicability based on asset size and did not explicitly cover SHLCs and FBOs. SR letter 16-11 partially supersedes SR letter 95-51, which remains applicable to state member banks and bank holding companies with $50 billion or more in total consolidated assets until superseding guidance is issued for these institutions. As a result, SR letter 95-51 no longer applies to institutions with total consolidated assets of less than $50 billion.
What modifications were made to the risk categories?
With respect to risk categories, two modifications were made. Compliance risk is more clearly differentiated as a standalone core risk element and is no longer a subcategory of legal risk. Compliance risk is defined as the risk of regulatory sanctions, fines, penalties, or losses resulting from failure to comply with laws, rules, regulations, or other supervisory requirements applicable to a financial institution. This change provides a clearer distinction from legal risk, which addresses risks that arise outside the regulatory arena, such as contracts and litigation.
Reputational risk was removed as a standalone core risk category. This change recognizes that reputational risk is a secondary risk that results from control gaps in one or more of the primary risk categories. A root cause analysis can be performed to identify the underlying drivers for reputational risk and pinpoint the issue more appropriately to a primary risk category such as credit, market, liquidity, operational, compliance, or legal.
What modifications were made to the risk definitions?
SR letter 16-11 also clarifies operational, market, and legal risk definitions. The definition of operational risk was updated to more closely align with the Basel Committee’s definition of operational risk. The market risk definition was updated to include risk from adverse movements in commodity prices. Last, legal risk was updated to include legal sanctions as a potential action against an institution.
Additionally, the risk rating definitions originally introduced by SR letter 95-51 are now retained in the Commercial Bank Examination Manual, the Banking Holding Company Supervision Manual, and the Examination Manual for U.S. Branches and Agencies of Foreign Banking Organizations from the Federal Reserve. It’s important to note that, although SR letter 16-11 does not restate the Federal Reserve risk rating definitions, these definitions remain in effect.
What risk management concepts were updated?
The guidance updates risk management concepts such as noting that an institution’s board of directors should establish risk tolerances for the institution’s significant activities. Periodic reviews of tolerance limits should ensure that risk exposure limits align with changes in the institution’s strategies, address new activities and products, and react to changes in the industry and market conditions. Moreover, the revised guidance highlights the interrelationship of risks and how institutions should employ information systems that provide a consolidated and integrated view of risk.
How does the guidance clarify responsibilities of the institution’s board of directors versus senior management?
The revised guidance presents greater distinction and clarification between the roles and responsibilities of an institution’s board of directors versus those of senior management. In particular, the SR letter reinforces the responsibilities of the board of directors for providing oversight and direction; senior management is responsible for risk identification and management of vulnerabilities as well as the establishment and maintenance of effective risk information systems to facilitate ongoing measurement and reporting. This is a clarification from SR letter 95-51, which previously blended risk management responsibilities of the institution’s board of directors and senior management. In addition, an effective system of internal controls was clarified as the responsibility of both the institution’s board of directors and senior management.
Is the guidance in SR letter 16-11 based on a company’s asset size?
Consistent with SR letter 95-51 and the Federal Reserve’s overall supervisory approach, the guidance in SR letter 16-11 is scalable to an institution’s size and complexity. An institution’s risk management processes are expected to evolve in sophistication, commensurate with the institution’s asset growth, complexity, and risk. SR letter 16-11 elaborates on risk management attributes of community and regional banking organizations.
Will the scope of supervisory inspections or examinations change as a result of SR letter 16-11?
SR letter 16-11 does not substantially change the scope of supervisory reviews. The SR letter does not materially change the principles of SR letter 95-51 or the approach to inspections and examinations. Therefore, modifications to inspection or examination procedures will be limited to highlighting compliance risk as a core risk category, distinguishing the roles and responsibilities of an institution’s board of directors and senior management, and more clearly evaluating risk tolerances, the interrelationship of risks and risk categories, and consolidated risk reporting.
Does SR letter 16-11 result in any changes to supervisory ratings?
The issuance of SR letter 16-11 does not result in any changes to supervisory ratings and is consistently aligned with existing applicable supervisory rating frameworks, including CAMELS/C(R), RFI/C(D), and ROCA. CAMELS/C(R) stands for capital adequacy, asset quality, management, earnings, liquidity, and sensitivity to market risk, which are factors used to rate financial institutions. C(R) indicates composite/risk management. RFI/C(D) indicates risk management, financial condition, impact/composite (depository institution). ROCA is a system used to rate risk management, operational controls, compliance, and asset quality.
What is the effective date of SR letter 16-11?
SR letter 16-11 was effective on the date of issue, which was June 8, 2016.
In summary, SR letter 16-11 reflects the Federal Reserve’s emphasis on the importance of prudent risk management and provides updated guidance to align with current industry practices and the Federal Reserve’s supervisory approach for institutions with total consolidated assets less than $50 billion.
Back to top
