Achieving Heightened Standards Within Principled Regulatory Guidance
Craig Lane
Managing Director
Basel & Strategic Programs
BMO Financial Group
Global Association of Risk Professionals
November 2014
The views expressed in the following material are the
author’s and do not necessarily represent the views of
the Global Association of Risk Professionals (GARP),
its Membership or its Management.
Comments in the presentation are the speaker’s own
and not those of his employer.
3 | © 2014 Global Association of Risk Professionals. All rights reserved.
BMO Snapshot
BMO (for Fiscal 2013)
$16.2B in revenue
$537B in assets
$4.2B in net income
45,500 employees
12MM customers
BIII Common Equity T1 Capital: 9.9%
US BHC (BMO Financial Corp)
Founded 1882, top 25 Bank
$178.7B in assets
600 retail branches
Wealth management, Capital Markets
Primarily upper Midwest with material
presence in FL and AZ
14,500 employees
Senior debt A3/A+ rated
Sources: BMO 2013 Annual Report; https://www.bmoharris.com/us/about/newsroom/bank-facts; FQ1’14 averages.
[Map: BMO North American Footprint]
Opening Remarks
This presentation is intended to assist with any number of programs addressing principled regulatory
guidance, but it focuses on one emerging item: OCC Heightened Standards for Large Banks.
BMO’s US operation continues to seek achievement of Strong ratings across a number of its risk
functions.
― This presentation describes the Bank’s approach, which works well for the unique structure and
risks of the organization.
― For another financial institution, this approach may offer a different level of success.
― The purpose of the presentation is to provide an overview of BMO’s approach and allow audience
members to assess its applicability to their own institution’s approach.
“Principled” approach in this context denotes the level of detail.
― Heightened Standards is considered by the banking community to be prescriptive in several
areas.
― The contrast being made in this presentation is its lack of specificity: the Proposed Rule sets
objectives, whereas other regulation such as Dodd-Frank or Sarbanes-Oxley mandates requirements
down to the task level.
Topics
Regulatory Environment
Program Approach
Challenges & Observations
Topics
Regulatory Environment
Regulatory Guidance Issued To Establish Principles
While media and legitimate industry attention has been paid to the most burdensome of detailed
regulatory and legislative requirements, regulators occasionally release guiding principles:
Apr 2011: Joint US Supervisory Guidance on Model Risk Management
Jan 2013: Basel Principles for Effective Risk Data Aggregation and Risk Reporting
Aug 2013: Federal Reserve Capital Planning at Large Bank Holding Companies: Supervisory
Expectations and Range of Current Practice
Jan 2014: OCC Draft Notice of Proposed Rulemaking on Heightened Expectations
Sep 2014: Establishing Heightened Standards for Certain Large Insured National Banks
OCC Heightened Standards deviates from previous detailed rules (SOX, Dodd-Frank):
In contrast to most regulations, the rule is thirty-three pages.
Its new content is substantially less than that of other regulations.
It was written centrally, with input from embedded examiners.
The rule has two major principles:
− Risk governance framework, and
− Board composition and responsibilities.
Challenge: How does an institution develop a stronger framework and practices
in the absence of specific rules and requirements?
Source: OCC Comptroller Curry, RMA GCOR Conference, May 8, 2014
Canadian Environment: A More Principle-Based Approach
Although mirroring the spirit of US rules (SOX, Dodd-Frank), Canadian regulations are often
not as voluminous as their US counterparts.
Canada has one main banking supervisor, which streamlines supervisory coverage.
The marketplace is an oligopoly with six major banks.
Principle-based rules allow for dialogue between supervisor and institution to understand
interpretation.
The regulator monitors best practices and applies them across affected institutions. Banks can carefully
engage in dialogue for the improvement of the system.
Exams are more often conducted within an environment of horizontal reviews.
Substantial reliance is placed on the 3rd line of defense to make representations.
With many years of designing programs within the bounds of principled guidance from its home
regulator (OSFI), US Risk Management enters the Heightened Expectations program
leveraging that comfort and experience, and is sharing some of its approaches here.
Heightened Standards
Timing
The Guidelines apply to banks with more than $50B in assets. Covered banks between $50B and $100B
must comply no later than 18 months from the issuance date (May 2016).
Covered banks between $100B and $750B have 6 months to comply with the Guidelines.
Covered banks over $750B must comply by Nov 10, 2014 (60 days from the issuance date).
The Guidelines provide the OCC an ‘opt-in’ clause for any bank whose operations are complex
enough to require compliance.
Replaces
No longer “Getting To Strong” or “Heightened Expectations”.
Banks are assessed not on being ‘Strong’ but on compliance with the Guidelines.
− Individual functions still maintain the criteria. For example, capital adequacy, controls and management are
all still evaluated as ‘weak’, ‘fair’, ‘strong’, etc.
This neither replaces nor is intended to conflict with the Fed’s Enhanced Prudential Standards applied
to Foreign Banking Organizations.
First & Second Line of Defense - Definition
First Line of Defense: Front Line Unit
“Any organizational unit or function thereof…that is accountable for one of several enumerated
risks and that either
− Engages in activities designed to generate revenue or reduce expenses…;
− Provides operational support or servicing to any organizational unit or function…in the delivery of products
or services to customers; or
− Provides technology services to any organizational unit or function covered by these guidelines.”
Functions can be split between Front Line and not Front Line. For example, the part of
Finance focused on expense reduction would be a front line unit requiring oversight by
Independent Risk Management, but the part of Finance providing oversight of enterprise-wide
policies on preparing the company’s financial statements would not be a front line unit.
Risks can transfer. If, for example, a portfolio of accounts is moved from one part of the bank to
another, then the part of the bank now managing the accounts is designated a Front Line
Unit even if it did not originate the portfolio.
Second Line of Defense: Independent Risk Management
“Any organizational unit within the bank that has responsibility for identifying, measuring,
monitoring, or controlling aggregate risks.”
The Board (or risk committee) reviews and approves the Framework, and appointment/removal of
Chief Risk Executive.
CRE should have unrestricted access to the Board of Directors.
First & Second Line of Defense - Responsibilities
Front Line Unit
Assess material risks associated with their activities.
Adhere to a set of written policies that include front line unit risk limits.
Establish and adhere to procedures and processes necessary to ensure compliance with
the aforementioned written policies.
Adhere to all applicable policies, procedures, and processes established by independent risk
management.
Develop, attract, and retain talent and maintain appropriate staffing levels and adhere to talent
management processes and compensation and performance management programs.
Second Line of Defense
Primary responsibility for design of a Framework commensurate with the bank’s size,
complexity, and risk profile that meets the Guidelines.
Should identify and assess, on an ongoing basis, the bank’s material aggregate risks and
use such risk assessments as the basis for determining if actions need to be taken to strengthen
risk management or reduce risk given changes in risk profile.
Establish and adhere to enterprise policies that include concentration risk limits.
Establish and adhere to procedures and processes necessary to ensure compliance with the
aforementioned policies and to ensure front line units meet Guidelines.
Communicate to the CEO and the Board or risk committee significant instances where a front line
unit is not adhering to the Framework or not meeting the Guidelines.
Third Line of Defense
Audit
Maintain a risk-based audit plan that considers emerging risks and issues.
Report conclusions and material issues to the Audit Committee.
− Reports of any material issues should include root cause and,
− Determination of the effectiveness of front line units and independent risk management in identifying and
resolving issues in a timely manner.
On an annual basis, assess the design and effectiveness of the risk governance framework
for appropriateness to the size, complexity, and risk profile of the bank.
Communicate significant instances of noncompliance with the framework.
Maintain a quality assurance program that ensures audit’s policies, procedures, and processes
comply with applicable regulatory and industry guidance, are appropriate to the bank’s risk profile,
and are updated for internal and external risk factors and emerging risks.
Chief Audit Executive should report directly to the CEO.
Same standards of attracting, developing, and retaining talent appropriate to fulfill role in the framework are required.
CEO Responsibilities
The CEO is responsible for development of a documented strategic plan with input from
front line units and independent risk management.
At least annually, the Board should evaluate and approve the plan and monitor management’s efforts to
implement it.
The strategic plan should cover a 3-year period and contain a comprehensive assessment of
risks that have or could have an impact during this period.
The bank should have a written statement that articulates the bank’s risk appetite and serves as a basis for the Framework.
Risk appetite is defined as the “aggregate level and types of risk the board and management are willing
to assume to achieve the bank’s strategic objectives and business plan, consistent with applicable
capital, liquidity, and other regulatory requirements.”
− Qualitative components include culture.
− Quantitative limits incorporate sound stress testing and earnings, capital, and liquidity.
  − Risk limits may be designed as thresholds, triggers or hard limits.
  − Aggregated individual limits can exceed the bank’s risk appetite statement.
Review of the risk appetite statement by the board’s risk committee should be done
annually.
The appetite statement should be communicated initially and reinforced on an ongoing basis.
Board Risk Committee Responsibilities
Require management to establish and implement an effective risk governance
framework.
Approve the framework and subsequent “significant changes”.
Actively oversee the bank’s risk-taking activities and hold management accountable for adhering to the framework.
This is demonstrated by questioning, challenging and opposing management’s proposed action plans, and by
understanding the risk-taking activities. Bringing in third-party expertise is permitted.
Review and approve the framework and risk appetite, and significant changes, at least annually.
Review and approve a written talent management program that provides for development, recruitment and succession for the CEO, CRO, and Chief Auditor.
Exercise independent judgment and credible challenge.
Independent judgment will be assessed, in part, based on a board member’s other responsibilities and
the extent to which they could be in conflict with the bank’s interests.
Maintain at least two independent directors.
Establish and adhere to ongoing training for all directors.
Conduct an annual self-assessment against the guidelines.
ERM Program Structure
The foundation of meeting Heightened Standards is a
solid program.
Regulators review US Risk Management along with
Compliance and AML as part of overall “Independent
Risk Management”. Audit is often included in this
definition.
Risk Stripes (horizontal rows) are aligned to both bank
and regulator organizational structures. Within US Risk
Management, each Stripe has a single accountable risk
professional that is responsible for ownership of the
framework.
Risk Themes are initiatives that cross all Risk Stripes
and include: Risk Appetite, Talent Management, Model
Risk, Technology, and Capital Management/Stress
Testing. Given the breadth of activities, there may be
more than one owner.
Supervisors assign a rating to each risk stripe which
rolls up to the Management rating and ultimately into
the legal entity composite rating.
[Diagram: Heightened Standards “Enhancing Risk Management (ERM) Program”. Risk Stripes (rows): Commercial Credit, Consumer Credit, Operational, Pricing, Liquidity, Interest Rate. Risk Themes cut across all stripes. Independent Risk Management (columns): Program Office, Compliance, AML, Audit.]
Inputs to Assessing Risk Stripe Performance
Inputs to the Heightened Standards Program come from multiple sources, both within and outside the
bank.
Identified enhancement opportunities, with project details and timelines, are shared with examiners.
[Diagram: inputs to risk stripe assessment: Ongoing Projects; Self Assessments; Examiners’ Annual Ratings; Supervisory Reviews; Corporate Audit Reports; Examiners’ Review Criteria; External Assessments.]
Inputs Into Action
Gaps against requirements are assessed for materiality and remediated through projects with
specific milestones and activities, which provide insight into progress.
The dashboard used to manage the Program is also used for Board and Regulatory Reporting, so there
is a single view of Program progress.
R/Y/G status is provided by the Program in almost all instances; what matters is impartiality.
Exceptions are programs where separate governance is already in place.
Closure Process
Examiners are increasingly scrutinizing the effectiveness of the closure process.
The closure process is key to the integrity of the Program Office.
The Program Office reviews projects that are completed in only 1 of 4 categories (bold outline in the
diagram); this comprises about 2/3rds of all projects.
Regulatory findings are closed through a separate independent governance process.
Audit findings are cleared through Corporate Audit retest.
Technical model issues are resolved in a forum of peers who can effectively challenge.
Once the Bank closes a project, the regulators can review.
[Diagram: Completed Project → one of four categories (Regulatory Findings, ERM Program, Model Related, Audit Findings) → Closed Project → Regulatory Review]
Program Process
Over 200 projects comprise the Heightened Expectations program.
Not all projects are of equal weight or impact.
The Program is designed to complete the majority of projects by the end of 2015. Sustainability and
effectiveness are achieved when projects are implemented and evidenced as integrated within
business-as-usual processes.
Projects not yet started are mostly technology projects, but can include projects dependent on adjacent
stakeholders not directly engaged in the Heightened Expectations program.
Progress is reported to the Board quarterly.
[Chart: ERM Program progress, Oct-13 to Nov-14, vertical axis 0–100]
A documented aggregate rating is provided to Risk Management on a quarterly basis, and the
individual risk stripes receive their rating within the annual supervisory cycle. The challenge is
understanding progress within a risk stripe between annual rating cycles.
The number of projects is expected to increase as the Bank reconciles capital plan
improvements to Heightened Expectation categories.
Topics
Challenges & Observations
Key Observations – Heightened Standards Program
The Heightened Expectations guidance, as drafted, is a change from many recent
rules, which are significantly detailed.
Focus on themes: Risk Governance, Role of the Board, Risk Appetite, etc.
The institution should define its own criteria that it is comfortable supporting.
Develop criteria unique to each risk function. BMO has found that the multitude of
examiners’ handbooks for assessing risk functions are useful.
Implementing a strong, credible closure process will provide significant credibility
to the bank’s Heightened Expectations program.
Providing a location for examiners’ review of evidence has helped maintain program credibility.
Following several years of 2nd line focus, regulators are shifting attention to 1st line
owned risk management activities. Business Units should expect to demonstrate
sound knowledge and practices as a proactive, self-regulating entity with ownership
over data management, AML, stress testing, risk appetite, risk reporting, etc.
Key Observations – Principled Guidance
Under principled regulatory guidance, be comfortable with ambiguity and change.
Comparisons are made across institutions, and examiners will encourage an
institution to improve functions based on practices they have observed elsewhere.
Seek a variety of inputs in defining success criteria. While most inputs come from within the
institution, external influences (benchmarking, regulatory assessments, industry literature) can provide
objective viewpoints.
The resulting criteria must be those your institution finds most suitable for itself.
The environment will change in time and the project plan may be modified. Challenge your
institution on whether the project plan put in place is the right one.
Be self-assured; don’t ask examiners what should be done, as it gives the impression that
the program has little direction.
Asking examiners for feedback on a defined course is considered appropriate.
Leverage counterpart examiners’ feedback from horizontal reviews. Understand
their interest in the subject institution meeting stated objectives.
Creating a culture of risk awareness®
Global Association of Risk Professionals
111 Town Square Place, 14th Floor, Jersey City, New Jersey 07310, U.S.A. +1 201.719.7210
2nd Floor, Bengal Wing, 9A Devonshire Square, London, EC2M 4YN, U.K. +44 (0) 20 7397 9630
www.garp.org
About GARP | The Global Association of Risk Professionals (GARP) is a not-for-profit global membership organization dedicated to preparing professionals and organizations to make
better informed risk decisions. Membership represents over 150,000 risk management practitioners and researchers from banks, investment management firms, government agencies,
academic institutions, and corporations from more than 195 countries and territories. GARP administers the Financial Risk Manager (FRM®) and the Energy Risk Professional (ERP®)
Exams; certifications recognized by risk professionals worldwide. GARP also helps advance the role of risk management via comprehensive professional education and training for
professionals of all levels. www.garp.org.