GAO Grades Regulatory Agencies on Risk Management Supervision
It’s no secret that poor risk management at large financial institutions, including at the board level, helped bring about the last financial crisis.
Since then regulatory agencies have developed new policies and procedures to address risk management and other weaknesses. Recently the U.S. Government Accountability Office (GAO) investigated banking agencies’ supervision of large banks and released a report: Regulators Improved Supervision of Management Activities but Additional Steps Needed.
As you probably guessed from the title, the GAO found that supervision has improved and updated policies and procedures generally follow leading best practices. One small criticism was that “regulators could do a better job informing institutions of potential emerging problems.”
The GAO offered four recommendations, two for the Fed and two for the FDIC, on what can be done to address this.
Let’s take a look.
Recommendation #1: The Director of the Division of Risk Management Supervision of FDIC should update policies and procedures on communications of supervisory recommendations to institutions to provide more complete information about the recommendation, such as the likely cause of the problem or deficient condition, when practicable.
FDIC’s Response: The sample the GAO reviewed pre-dates current procedures for written communications for examiners and is not an accurate representation. The FDIC believes current policy fulfills the GAO’s recommendation.
Recommendation #2: The Director of the Division of Supervision and Regulation of the Board of Governors of the Federal Reserve System should update policies and procedures on communications of supervisory concerns to institutions to provide more complete information about the concerns, such as the likely cause (when practicable) and potential effect of the problem or deficient condition.
Fed Response: The Fed will “consider ways to update its policies and procedures.”
Recommendation #3: The Director of the Risk Management Supervision Division of FDIC should take steps to improve the completeness and accuracy of MRBA [matters requiring board attention] data in its supervisory recommendations tracking system, in particular, by developing a structure that allows examiners to record MRBAs at progressively granular levels (from a broad level such as examination area to more specific levels including concern type).
Response: The FDIC agreed that its supervisory recommendation tracking system needs accurate data on MRBA data and that its system should be able to “further categorize MRBAs at the point of entry,” including the ability to track MRBAs progressively. The FDIC will spend the rest of 2019 planning enhancements and the next year implementing them.
Recommendation #4: The Director of the Division of Supervision and Regulation of the Board of Governors of the Federal Reserve System should update policies and procedures to incorporate specific factors for escalating supervisory concerns.
Fed Response: The board will consider whether there are specific factors Federal Reserve staff should consider when escalating supervisory concerns.
The GAO’s report provides a reminder of important best practices for risk management even though it’s focused on examiners and not financial institutions.
- The GAO makes it clear that risk management is not a backwards-looking activity. Avoiding problems means more than being aware of emerging risks. It requires understanding the cause of them.
- It emphasizes the importance of documenting board discussions and approvals, demonstrating due diligence. A financial institution’s board of directors should be heavily involved in risk management, and those actions and decisions need to be recorded.
- Finally, it’s important to have documentation and procedures to ensure different individuals, areas, and departments make uniform decisions. Much like a financial institution has underwriting guidelines to ensure consistent lending practices, policies and procedures in other areas reduce the risk of inconsistencies, redundancies, noncompliance, and guesswork by outlining specific practices.
As risk management evolves, make sure your institution and its policies and procedures keep up with best practices. There’s always room for improvement.