
The Governance of Risk Management

Instructor  Micky Midha

Learning Objectives

  • Explain changes in corporate risk governance that occurred as a result of the 2007-2009 financial crisis.
  • Compare and contrast best practices in corporate governance with those of risk management.
  • Assess the role and responsibilities of the board of directors in risk governance.
  • Evaluate the relationship between a firm’s risk appetite and its business strategy, including the role of incentives.
  • Illustrate the interdependence of functional units within a firm as it relates to risk management.
  • Assess the role and responsibilities of a firm’s audit committee.

Introduction

  • Corporate governance is the way in which companies are run. It describes the roles and responsibilities of a firm’s shareholders, board of directors, and senior management.
  • The significance of risk governance has increased after a series of high-profile corporate scandals that occurred in the first decade of the twenty-first century. This led to regulatory reforms designed to enhance the governance of public firms, increase transparency and executive accountability, and improve financial controls and oversight.
  • In the US, these changes resulted in legislation such as the Sarbanes-Oxley Act (SOX), passed in 2002. Beyond governance, the act also had significant implications for risk management.
  • Europe refrained from a legislative approach. Instead, European regulators pursued a voluntary reform of corporate codes and a regime of “comply-or-explain” for departures from these codes.

Sarbanes Oxley Act

  • SOX created stricter legal requirements for boards, senior management, as well as both external and internal auditors. Some of the important aspects of SOX are:
    • CEOs and CFOs must ensure that reports filed with the SEC are accurate for publicly traded firms.
    • CEOs and CFOs must affirm that disclosures provide a complete and accurate presentation of their company’s financial conditions and operations.
    • CEOs and CFOs are also responsible for internal controls, including their design and maintenance.
    • Firm officers should disclose any significant deficiencies in internal controls, as well as any fraudulent activities related to individuals who have a material role in the control systems, to external auditors, the internal audit function, and the firm’s audit committee.
    • The effectiveness of a firm’s reporting procedures and controls must be reviewed annually.
    • The names of board audit committee members should be disclosed. These individuals are expected to:
      • Understand accounting principles,
      • Be able to comprehend financial statements, and
      • Have experience with internal audits and understand the functions of the audit committee.

The Post-Crisis Regulatory Response

  • The 2007-2009 global financial crisis was directly tied to risk management failures. The crisis itself was triggered by the downturn in the real estate market. Before the crisis, there was a booming market for mortgage-backed securities traded by leading financial institutions. Lenders engaged in unsound practices by extending mortgages to unqualified borrowers and encouraging homeowners to take on more debt than they could service. Investment banks securitized these loans into complex asset-backed securities, which found their way into the mainstream credit market. The financial institutions that originated and traded these structured instruments, as well as the rating agencies that assessed them, failed to appraise their value and risk accurately.
  • Risk management at many financial institutions was compromised as executive management pursued greater absolute returns instead of risk-adjusted returns. The decline in underwriting standards, the breakdown in oversight, and a reliance on complex credit instruments came to characterize the credit markets. This eventually led to the failure of numerous financial institutions. Although originating in the US, the crisis affected banking and economic activity all around the world. It was systemic in nature and global in scope.
  • The events of 2007-2009 showed that the corporate governance regulations adopted earlier in the decade were not adequate. Neither the rules-based regulation of Sarbanes-Oxley nor the principles-based, light-touch approach in Europe was able to avert the crisis in the banking and securities industries. The absence of executive accountability and the failure of internal corporate oversight were seen as major contributors to the crisis and to the resulting loss of confidence in the banking system.
  • The Basel III Accord was a direct response to the crisis and focused on injecting greater systemic resiliency in the banking system. Basel III focuses on both firm-specific risk and systemic risk.
  • Basel III raises capital quality by limiting core Tier 1 capital to common equity and retained earnings, which absorb losses while the bank is a going concern, unlike hybrid debt instruments. Basel III also imposes new ratios for short-term and long-term liquidity: the 30-day Liquidity Coverage Ratio (LCR) and the one-year Net Stable Funding Ratio (NSFR). The NSFR helps to counter procyclicality because it is designed to reduce banks’ dependence on short-term wholesale funding.
  • Basel III has also designed a macroprudential overlay intended to reduce systemic risk and lessen procyclicality. The macroprudential overlay consists of five elements:
    • A minimum leverage ratio of 3%,
    • A countercyclical capital buffer,
    • Total loss-absorbing capacity (TLAC) standards that apply to global systemically important banks (G-SIBs),
    • Systemically important markets and infrastructures (SIMIs); in the case of OTC derivatives, the Basel Committee is pushing the market to move as many trades as possible through centralized clearing and trade reporting, and
    • Capturing systemic risk and tail events in risk modeling and stress testing.
  • In October 2010, the BCBS issued a set of principles designed to improve corporate governance in the banking industry. These principles addressed the duties of the board and the qualifications of board members, as well as the importance of an independent risk management function. The principles were revised in 2015, and the revised guidance defines the roles of the board and the board risk committees, senior management, CROs, and internal auditors. The thirteen principles are summarized in the list below.
    1. Board’s overall responsibilities: The board has overall responsibility for the bank, including approving and overseeing management’s implementation of the bank’s strategic objectives, governance framework and corporate culture.
    2. Board qualifications and composition: Board members should be and remain qualified, individually and collectively, for their positions. They should understand their oversight and corporate governance role and be able to exercise sound, objective judgment about the affairs of the bank.
    3. Board’s own structure and practices: The board should define appropriate governance structures and practices for its own work and put in place the means for such practices to be followed and periodically reviewed for ongoing effectiveness.
    4. Senior management: Under the direction and oversight of the board, senior management should carry out and manage the bank’s activities in a manner consistent with the business strategy, risk appetite, remuneration, and other policies approved by the board.
    5. Governance of group structures: In a group structure, the board of the parent firm has the overall responsibility for the group and for ensuring the establishment and operation of a clear governance framework appropriate to the structure, business, and risks of the group and its entities. The board and senior management should know and understand the bank group’s organizational structure and the risks that it poses.
    6. Risk management function: Banks should have an effective independent risk management function, under the direction of a chief risk officer (CRO), with sufficient stature, independence, resources, and access to the board.
    7. Risk identification, monitoring, and controlling: Risks should be identified, monitored, and controlled on an ongoing bank-wide and individual entity basis. The sophistication of the bank’s risk management and internal control infrastructure should keep pace with changes to the bank’s risk profile, the external risk landscape, and industry practice.
    8. Risk communication: An effective risk governance framework requires robust communication within the bank about risk, both across the organization and through reporting to the board and senior management.
    9. Compliance: The bank’s board of directors is responsible for overseeing the management of the bank’s compliance risk. The board should establish a compliance function and approve the bank’s policies and processes for identifying, assessing, monitoring, reporting, and advising on compliance risk.
    10. Internal audit: The internal audit function should provide independent assurance to the board and should support the board and senior management in promoting an effective governance process and the long-term soundness of the bank.
    11. Compensation: The bank’s remuneration structure should support sound corporate governance and risk management.
    12. Disclosure and transparency: The governance of the bank should be adequately transparent to its shareholders, depositors, other relevant stakeholders, and market participants.
    13. Role of supervisors: Supervisors should provide guidance for and supervise corporate governance at banks, including through comprehensive evaluations and regular interaction with boards and senior management; should require improvement and remedial action as necessary; and should share information on corporate governance with other supervisors.
  • The framework for handling market risk was revised in 2016 with the Fundamental Review of the Trading Book (FRTB). Disclosure requirements were enhanced to reflect a more comprehensive approach to describing and calculating risk, as well as to facilitate comparative risk analysis.
  • Another response to the crisis was the Dodd-Frank Act, signed into law in July 2010. The Act’s roughly 2,300 pages overhauled regulation of the financial industry in the US, aiming to improve both consumer protection and systemic stability. Specifically, it attempted to address several issues:
    1. Strengthening the Fed – All systemically important financial institutions (SIFIs), defined at the time of enactment as bank holding companies with more than $50 billion of assets, are regulated by the Fed, and the Fed’s mandate now includes macroprudential supervision.
    2. Ending too-big-to-fail – Dodd-Frank proposed an end to “too-big-to-fail” by creating an orderly liquidation authority (OLA).
    3. Resolution plan – SIFIs are required to submit a so-called “living will” to the Fed and the FDIC laying out a corporate governance structure for resolution planning.
    4. Derivatives markets – The Act launched a transparency-focused overhaul of derivatives markets regulation with the aim of helping market participants with counterparty risk.
    5. The Volcker Rule – This is a prohibition on proprietary trading, as well as the partial or full ownership/partnership of hedge funds and private equity funds by banking entities.
    6. Protecting consumers – The Act created a Consumer Financial Protection Bureau (CFPB) to regulate consumer financial services and products.
    7. Stress testing – The Act instituted a new approach to scenario analysis and stress testing:
      1. A top-down approach with macroeconomic scenarios unfolding over several quarters;
      2. A focus on the effects of macroeconomic downturns on a series of risk types, including credit risk, liquidity risk, market risk, and operational risk;
      3. An approach that is computationally demanding, because risk drivers are not stationary over the scenario horizon, yet realistic, in that it allows for active management of the portfolios as the scenario unfolds;
      4. A stress testing framework that is fully incorporated into a bank’s business, capital, and liquidity planning processes; and
      5. An approach that not only looks at each bank in isolation, but across all institutions.
  • A new approach to bank supervision, called the Supervisory Review and Evaluation Process (SREP), is taking hold for banks in Europe. The SREP introduces three new principles:
    1. A forward-looking emphasis on the sustainability of each bank’s business model, including during conditions of stress,
    2. An assessment methodology based on best practices within the banking industry, and
    3. An expectation that every bank will ultimately operate under the same standards.

    The internal capital adequacy assessment process (ICAAP) and the internal liquidity adequacy assessment process (ILAAP) are the two key components of SREP.

Best Practices In Corporate Governance

  • The board of directors should consist of independent members in majority who have knowledge of the business.
  • The board should consider the interest of the debt-holders along with the shareholders.
  • Addressing conflicts of interest between management and shareholders lies at the heart of corporate board oversight. Such conflicts are referred to as agency problems. The board should have control over compensation schemes and deal with agency risks. Conflicts of interest are easily created, rendering agency risk a perennial governance challenge.
  • The board should maintain independence from executive teams, and the CEO should not be the chairman of the board. Agency risks arising from tensions between the interests of CEOs and the interests of longer-term stakeholders provide an important rationale for the board’s independence from executive management.
  • The board should establish the position of a Chief Risk Officer (CRO). The CRO is responsible for linking the firm’s corporate governance practices to its risk management activities.
  • The board is also charged with overseeing executive management. If management assumes a given risk, the board must understand the type and magnitude of the threat posed should that risk come to fruition.

Best Practices In Risk Management

  • The primary responsibility of the board of directors in risk governance is to assess the fundamental risks and rewards engendered in the firm’s business strategy. The board must proactively participate in strategic planning as well as outline the appropriate risk appetite. The board should ensure that business and risk management strategies are directed at economic rather than accounting performance.
  • The board must ensure that the firm has an effective risk management program that is consistent with the fundamental strategic and risk appetite choices. Risk appetite is intimately related to business strategy and capital planning. Business planning must take risk management into consideration from the outset, and the matching of strategic objectives to risk appetite must be incorporated into the planning process.
  • The board is also responsible for oversight and risk transparency. All major transactions must be approved by the board and the board should make sure that the transactions are under the prescribed risk limits and consistent with the authorized risk and associated business strategies. Equally important is a clear communication of risk appetite and risk position throughout the firm. It must ascertain whether any major transaction undertaken by the firm is similarly disclosed to managers and relevant stakeholders in both an adequate and compliant manner with internal rules and external regulations.
  • The board should establish ethical standards. The board can set up an ethics committee which should ensure that such standards are implemented in practice.
  • The board should ensure that the information it receives about risk management is accurate and reliable. Board members must also arm themselves with additional knowledge, because they are required not only to ask tough questions but also to understand the answers they receive.
  • There should be separate risk committees and audit committees. The risk committee members should have an understanding of technical risk issues.
  • The board must also evaluate the firm’s performance metrics and compensation strategy. It has the critical responsibility of making sure executives are compensated based on their risk-adjusted performance and that the incentives inherent in such compensation do not clash with shareholder interests.

The Board Audit Committee

  • An effective audit committee is essential to the directors’ oversight of the firm. Regulatory, legal, compliance, and risk management activities all fall under the purview of the audit committee. An audit provides the board with independent verification of whether the firm is doing what it claims to be doing.
  • The committee must assess not only the veracity, but also the quality of the firm’s financial reporting, compliance, internal control, and risk management processes. The members of the audit committee should have sufficient financial literacy of accounting standards and methods, financial statements preparation and interpretation, and internal controls.
  • The audit committee should coordinate with the management and should maintain effective communication to address issues. Members cannot be afraid to challenge management and ask hard questions when needed.
  • The audit committee should try to make the operations more effective and efficient.

Risk Advisory Director

  • A risk advisory director is a board member and a specialist in risk matters who improves the overall efficiency and effectiveness of the risk committee and the audit committee.
  • The risk advisory director attends audit committee meetings to support the members.
  • The risk advisory director often attends meetings of the risk committee and provides independent views on management’s risk reporting.
  • The risk advisory director meets members of management on a regular basis.
  • The risk advisory director observes how the business is being conducted by management.
  • The risk advisory director provides knowledge of best practices in corporate governance and risk management, with respect to policies, methodologies and infrastructure.
  • The risk advisory director furnishes solid academic insight on the risk profiles of important business areas and on the risks linked to the business model.
  • The risk advisory director should examine the interface between corporate governance and risk management in detail.
  • The risk advisory director should review and analyze the following:
    • Risk management policies, methodologies and infrastructure
    • Financial statements, and accounting principles, judgements and estimates, along with off-balance sheet financing
    • Risk management reports of the firm
    • Business strategies and other changes that influence risk
  • The risk advisory director should also review and analyze:
    • Appropriate risk reporting for different audiences
    • Corporate governance practices
    • Audits of policy and compliance to standards, including liaison with internal and external auditors
    • Risk management practices of competitors and the industry
    • Related party transactions
    • Internal controls of the firm to mitigate risks

Board Risk Management Committee

  • The board risk management committee reviews the identification, measurement, tracking and controlling of risks. Issues related to operational risk are referred to the audit committee for review.
  • The risk management committee approves credit facilities above pre-specified thresholds. These are documented and approved by the board.
  • The risk management committee monitors the credit and investment portfolios of the firm with respect to credit, market and liquidity risks, along with portfolio composition and the economic scenario.
  • The risk management committee facilitates proper communication with internal auditors, external auditors and the management teams.

Risk Appetite And Business Strategy

  • There should be a logical relationship between the risk appetite and the business strategy of the firm. Implementing a risk appetite necessarily constrains the firm’s business strategy.
  • The board should supervise the management in developing business strategy. The downside risks of any business strategy should be considered.
  • The board should approve the risk appetite of the firm on an annual basis. This risk appetite is based on a set of broad, yet clearly defined, risk metrics (e.g., the total interest rate risk assumed by the bank).
  • The firm’s senior risk committee should be empowered by the board to implement and oversee the risk appetite framework.
  • Under the board’s authority, the senior risk committee determines the limiting parameters for financial (e.g., credit and market) and nonfinancial risk (e.g., business risk and operational risk) undertaken by the firm. Sub-committees may be established to handle each type of risk independently.
  • After setting risk ceilings, the senior risk committee should then report back to the board risk committee with recommendations regarding the total risk deemed prudent.
  • Optimal risk governance requires the ability to link risk appetite and limits to specific business practices. Accordingly, appropriate limits need to be developed for each business as well as for the specific risks associated with the business (as well as for the entire portfolio of the enterprise). Most institutions set two types of limits:
    • Tier 1 limits are specific and often include an overall limit by asset class, an overall stress-test limit, and a maximum drawdown limit.
    • Tier 2 limits are more generalized and relate to areas of business activity as well as aggregated exposures categorized by credit rating, industry, maturity, region, and so on.
  • These limits should be designed such that the probability of exceeding them during the normal course of business is low. Limit determination needs to take the business unit’s historical behavior into account and to aim for a figure that gives the business unit a margin for error.
  • Standards for the metrics employed by risk limits are proposed by the CRO and approved by the internal risk committee. Limits should be complemented with metrics like VaR and ES.
  • Once set, risk limits must be closely monitored to verify compliance. Of all the types of risks, market risk is the most time-sensitive and thus requires continual monitoring. To monitor market risk limits effectively, the daily valuation of asset positions is imperative. Profit and loss statements should be prepared outside of the bank’s trading department and submitted to executive management. Stress tests and scenario analysis should be done to ascertain the impact of material changes to market and credit risk on the bank’s earnings.
  • To ensure integrity, data must be reconciled with entries in the bank’s official books and their format must facilitate risk measurement, such as with VaR methodologies for calculating market or credit risk.
  • Procedures covering the treatment of acceptable limit exceptions and unacceptable violations should be documented properly and made clear to managers as well as traders. The variance between a portfolio’s actual volatility and that predicted under the bank’s risk measurement methodology should be evaluated on a regular basis.
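The limit-monitoring loop described in the bullets above, as an added example that is not part of the original notes: it computes a desk’s historical-simulation VaR and expected shortfall, its maximum drawdown and its sub-investment-grade exposure from constructed data, checks each against tier 1 and tier 2 limits, and classifies any breach as an acceptable exception (within a tolerance band, logged and referred for CRO approval) or an unacceptable violation (escalated). The limit values, the 10% tolerance band, the escalation actions, the P&L series and the exposure figures are all assumptions chosen for illustration.

```python
"""Monitoring a trading desk against tiered risk limits.

Added example with constructed data. Limit values, the 10% tolerance
band and the escalation actions are assumptions for illustration.
"""
from dataclasses import dataclass
from math import ceil

# Constructed daily P&L for one desk in USD millions, oldest first.
SAMPLE_PNL = [1.2, -0.8, 0.4, 2.1, -3.5, 0.9, -0.3, 1.5, -1.1, 0.6,
              -4.2, 0.7, 1.0, -0.5, 0.2, -2.8, 1.9, 0.3, -0.9, 1.4]
# Constructed credit exposure by rating bucket, USD millions.
SAMPLE_EXPOSURE_BY_RATING = {"AAA": 120.0, "A": 310.0, "BBB": 260.0,
                             "BB": 45.0, "B": 15.0}
SUB_INVESTMENT_GRADE = {"BB", "B", "CCC", "CC", "C", "D"}


def historical_var(pnl, confidence=0.99):
    """Historical-simulation VaR: the loss that is not exceeded with
    probability `confidence`, returned as a positive number."""
    losses = sorted(-p for p in pnl)
    idx = max(0, ceil(confidence * len(losses)) - 1)
    return losses[idx]


def expected_shortfall(pnl, confidence=0.99):
    """Mean loss in the tail at or beyond the VaR quantile. With a short
    window the tail holds very few observations, so a real desk would use
    a much longer history than the sample here."""
    losses = sorted(-p for p in pnl)
    idx = max(0, ceil(confidence * len(losses)) - 1)
    tail = losses[idx:]
    return sum(tail) / len(tail)


def max_drawdown(pnl):
    """Largest peak-to-trough decline of cumulative P&L (peak starts at 0)."""
    cumulative = peak = worst = 0.0
    for p in pnl:
        cumulative += p
        peak = max(peak, cumulative)
        worst = max(worst, peak - cumulative)
    return worst


@dataclass(frozen=True)
class Limit:
    name: str          # metric the limit applies to
    tier: int          # 1 = overall/stress/drawdown limits, 2 = aggregated exposures
    ceiling: float
    tolerance: float = 0.10   # assumption: up to 10% over is an "exception"


@dataclass(frozen=True)
class LimitCheck:
    limit: Limit
    value: float
    status: str        # "within", "exception" or "violation"
    action: str


def check_limit(limit, value):
    """Classify a metric against its limit: small overruns are acceptable
    exceptions needing CRO sign-off, larger ones are violations."""
    if value <= limit.ceiling:
        return LimitCheck(limit, value, "within", "none")
    if value <= limit.ceiling * (1 + limit.tolerance):
        return LimitCheck(limit, value, "exception",
                          "log exception; CRO approval required within board-approved envelope")
    return LimitCheck(limit, value, "violation",
                      "escalate to senior risk committee; CRO may order positions reduced")


# Assumed limits: three tier 1 limits and one tier 2 aggregated-exposure limit.
DEFAULT_LIMITS = [
    Limit("var_99", 1, 4.0),
    Limit("es_99", 1, 5.0),
    Limit("max_drawdown", 1, 6.0),
    Limit("sub_ig_exposure", 2, 75.0),
]


def monitor_desk(pnl, exposure_by_rating, limits=DEFAULT_LIMITS):
    """Compute the desk's risk metrics and check every limit."""
    metrics = {
        "var_99": historical_var(pnl, 0.99),
        "es_99": expected_shortfall(pnl, 0.99),
        "max_drawdown": max_drawdown(pnl),
        "sub_ig_exposure": sum(v for r, v in exposure_by_rating.items()
                               if r in SUB_INVESTMENT_GRADE),
    }
    return [check_limit(lim, metrics[lim.name]) for lim in limits]


if __name__ == "__main__":
    for result in monitor_desk(SAMPLE_PNL, SAMPLE_EXPOSURE_BY_RATING):
        print(f"tier {result.limit.tier} {result.limit.name:16s} "
              f"{result.value:6.2f} / {result.limit.ceiling:6.2f} "
              f"{result.status:10s} {result.action}")
```

On the constructed data the 99% VaR of 4.2 sits just above its 4.0 limit and is logged as an exception, while the 7.5 drawdown breaches its 6.0 limit by well over the tolerance band and is flagged as a violation. The tolerance band encodes the point made above that limits should rarely be exceeded in the normal course of business yet leave the desk a margin for error; what counts as an exception versus a violation must be documented and known to both managers and traders.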

Role Of The Chief Risk Officer

  • The CRO is usually a member of the risk committee and is responsible for the design of the firm’s risk management program. CRO is also responsible for risk policies, analysis approaches, and methodologies, as well as the risk management infrastructure and governance inside the organization.
  • The bank’s senior risk committee delegates the power to make day-to-day decisions to the CRO. This includes the ability to approve risks exceeding preset limits imposed on the various business activities, provided these exceptions remain within the bounds of the overall board approved limits.
  • CROs should also report directly to the CEO, maintain a seat on the board risk committee, and have a voice in approving new financial instruments and lines of business.
  • The CRO should bring any situation that potentially compromises the bank’s risk appetite guidelines or its risk policy to the attention of management at all levels and to the board. The CRO communicates the board’s views to management and distributes this information throughout the entire organization.

Compensation Committee – Incentives And Risk-taking

  • Compensation should be aligned with risk-adjusted return on capital. It should incentivize employees to take calculated, rather than reckless, risks.
  • In many jurisdictions, regulations require public firms to establish an independent, dedicated board compensation committee to set executive compensation. Such regulation is driven by concern that CEOs can persuade the board to pay them and other executives generously at the expense of shareholders.
  • Compensation committee should design the compensation schemes that are aligned with the long-term objectives of the shareholders, and not based on short-term profits, as it is quite easy for the management to manipulate short-term amounts without showing long-term risks.
  • After the crisis, in September 2009, the G-20 countries called on their respective central bank governors and finance ministers to establish an international framework to promote financial stability, including a reform of compensation practices. In an endorsement of the FSB’s implementation standards, the G-20 recommendations included:
    • The elimination of multi-annual guaranteed bonuses;
    • The incorporation of executive downside exposure through the deferral of certain compensation, the adoption of share-based remuneration to incentivize long-term value creation, and the introduction of clawback provisions that require reimbursement of bonuses should longer-term losses be incurred after bonuses are paid;
    • Limitations on the amount of variable compensation granted to employees relative to total net revenues;
    • Disclosure requirements to enhance transparency; and
    • Affirming the independence of the committees responsible for executive compensation oversight to ensure their alignment with performance and risk.
  • Share-based compensation aims to align the interests of executives with those of shareholders. In theory, being in the same boat as other shareholders should curb excessive executive risk-taking. However, share ownership can also encourage risk-taking, because potential shareholder gains are unbounded while losses are limited to the amount invested. One remedy for this dilemma is to turn employees into the bank’s creditors as well, by tying part of their compensation to restricted notes or bonds issued by the bank.

Coordination Between Structures

  • Risk committee of the board: approves risk tolerance each year.
  • Board risk management committee: approves risk tolerance, stress and performance limits each year; reviews business unit mandates and new business initiatives.
  • Senior risk committee: delegates authority to the CRO and holds additional authority in reserve, as approved by the risk committee of the board.
  • CRO: independently monitors limits; may order positions closed or reduced for market, credit, or operational risk concerns.
  • Heads of business units: share responsibility for the risk of all activities of their unit.
  • Business unit manager: responsible for the risk and performance of the business; must ensure limits are delegated to traders.

Interdependence Of Organizational Units In A Bank

  • The various units in a firm are interdependent. The figure accompanying these notes (not reproduced here) shows the interdependence of four units in a bank:
    1. Senior management
    2. Risk management
    3. Finance and operations
    4. Business line

Assessing The Bank’s Audit Function

  • The internal audit function of a bank should assess the set-up, implementation, and efficacy of risk management and risk governance. Internal auditors are responsible for:
    1. Reviewing monitoring procedures,
    2. Tracking the progress of risk management system upgrades, assessing the adequacy of application controls in generating and securing data, and
    3. Affirming the efficacy of vetting processes.
  • Best practices also call for the internal audit function to review documentation relating to compliance and to compare this with the standards stipulated in the regulatory guidelines. It should also offer its opinion on the reliability of any VaR reporting framework.
  • For market risk, bank auditors should:
    1. Review the vetting process pertaining to the derivative valuation models used by both the front office and the back office.
    2. Validate any significant changes to the risk quantification process as well as the range of risks analyzed by the various risk measurement models.
    3. Inspect the reliability of information systems as well as the validity and completeness of the data on which market risk metrics are computed.
    4. Validate market risk models by backtesting their forecasts (e.g., daily VaR) against realized outcomes.
    5. Evaluate the soundness of risk management information systems (also called risk MIS) used in the quantification of risk throughout the enterprise.
    6. Analyze assumptions pertaining to volatility, correlations, and other parameter estimates.
    7. Ensure the veracity of the market databases used to generate VaR parameters.
  • While subject to auditor review, however, the implementation of risk management must remain separate from the auditing function. As a basic principle, auditor independence from the underlying activity is essential to ensure confidence in any assurances or opinions rendered by the auditors to the board, and this applies equally to the risk management function and its associated processes. Unless this independence is maintained, conflicts of interest could compromise the quality of both risk management and audit activity and seriously jeopardize risk governance.
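The backtesting check in item 4 of the market risk list above, together with the earlier point that the variance between a portfolio’s actual volatility and that predicted by the bank’s risk methodology should be evaluated regularly, as an added example that is not from the original notes. It counts the days on which realized losses exceeded the reported 99% one-day VaR, places the count in the Basel Committee’s traffic-light zones (green for 0 to 4 exceptions, yellow for 5 to 9, red for 10 or more over 250 days), computes Kupiec’s proportion-of-failures likelihood-ratio statistic, and compares realized P&L volatility with the volatility implied by the VaR forecasts. The 250-day history, the flat VaR forecast and the seven loss days are constructed; the proportional scaling of zone boundaries to other window lengths is a simplification.

```python
"""Backtesting a 99% one-day VaR model: exception counting, Basel
traffic-light zones, Kupiec's proportion-of-failures test, and a
realized-versus-forecast volatility comparison.

Added example with constructed data. 3.841 is the 95% chi-square
critical value with one degree of freedom.
"""
from math import log
from statistics import pstdev

# Constructed 250-day history: the desk reports a flat 3.0 VaR forecast
# every day (a deliberately naive model) and P&L is a small gain except
# on seven constructed loss days that breach the forecast.
SAMPLE_VAR = [3.0] * 250
SAMPLE_PNL = [0.5] * 250
for _day, _loss in {17: -3.4, 45: -5.1, 88: -3.2, 120: -4.0,
                    121: -3.7, 199: -6.3, 233: -3.1}.items():
    SAMPLE_PNL[_day] = _loss


def count_exceptions(pnl, var_forecast):
    """Indices of days on which the realized loss exceeded the VaR forecast."""
    if len(pnl) != len(var_forecast):
        raise ValueError("P&L and VaR series must be the same length")
    return [i for i, (p, v) in enumerate(zip(pnl, var_forecast)) if -p > v]


def traffic_light_zone(n_exceptions, n_days=250):
    """Basel zones for a 99% VaR backtest over 250 days. Boundaries are
    scaled proportionally for other window lengths (simplification)."""
    scale = n_days / 250
    if n_exceptions <= 4 * scale:
        return "green"
    if n_exceptions <= 9 * scale:
        return "yellow"
    return "red"


def kupiec_pof(n_exceptions, n_days, p=0.01):
    """Kupiec's proportion-of-failures likelihood-ratio statistic. Under
    H0 (true exception rate == p) it is asymptotically chi-square, 1 dof."""
    x, n = n_exceptions, n_days
    if x == 0:
        return -2 * n * log(1 - p)   # limit of the formula as x -> 0
    if x == n:
        return -2 * n * log(p)
    ll_null = (n - x) * log(1 - p) + x * log(p)
    ll_obs = (n - x) * log(1 - x / n) + x * log(x / n)
    return -2 * (ll_null - ll_obs)


def realized_vs_forecast_vol(pnl, var_forecast, z=2.326):
    """Realized P&L volatility against the volatility implied by the VaR
    forecasts (VaR = z * sigma under a normal model at 99%). Returns
    (realized, implied, ratio); a ratio well above 1 means the model
    under-predicts the portfolio's volatility."""
    realized = pstdev(pnl)
    implied = sum(var_forecast) / len(var_forecast) / z
    return realized, implied, realized / implied


def backtest(pnl, var_forecast, p=0.01):
    """Full backtest report for an audit review of a VaR framework."""
    exceptions = count_exceptions(pnl, var_forecast)
    n = len(pnl)
    lr = kupiec_pof(len(exceptions), n, p)
    realized, implied, ratio = realized_vs_forecast_vol(pnl, var_forecast)
    return {
        "days": n,
        "exceptions": len(exceptions),
        "exception_days": exceptions,
        "expected_exceptions": n * p,
        "zone": traffic_light_zone(len(exceptions), n),
        "kupiec_lr": lr,
        "reject_at_5pct": lr > 3.841,
        "vol_ratio": ratio,
    }


if __name__ == "__main__":
    for key, value in backtest(SAMPLE_PNL, SAMPLE_VAR).items():
        print(f"{key:20s} {value}")
```

Seven exceptions against an expected 2.5 put the constructed model in the yellow zone, and the Kupiec statistic (about 5.5) exceeds 3.841, so the auditor would reject the hypothesis that the model’s true exception rate is 1%. Two clustered exceptions on days 120 and 121 are the kind of pattern an auditor should also query, since independence of exceptions is a separate assumption that the frequency test alone does not check.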
