Regulators Hone Risk Management Focus, Experts React

by Edith Orenstein

Risk management was at the core of two recent regulatory announcements — one leading (the launch of COSO’s ERM Update) and one lagging (the Joint Final Rule on Risk Retention).

The release of the Joint Final Rule on Risk Retention by federal banking agencies and the SEC, coming two days after the announcement by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) of the launch of its project to update its 2004 Enterprise Risk Management Framework, marked further progression in the regulatory and private sector’s response to the financial crisis and changing risk management approaches.

We asked leading risk management experts to share their thoughts on the potential implications.

COSO’s Update of its ERM Framework

Jim DeLoach, managing director at Protiviti, notes: “As we look back since the COSO ERM framework was issued in 2004, we see a period in which the initial years were focused largely on getting financial reporting controls right and then a period of time during which the marketplace was hit by the financial crisis when the ‘poster child’ for risk management – the financial services industry – lost its bragging rights. The financial crisis teed up the need for emphasis on board risk oversight. During this 10-year period, we have seen some – but not much – progress in terms of implementing ERM. For these reasons, it’s a good time for COSO to revisit the ERM framework.”

Olga Kasparova, a Director with Deloitte & Touche LLP, says, “Lessons learned from the last financial downturn have led to significantly increased focus and expectations around enterprise risk management from a variety of stakeholders, including regulators,” noting, “In the last few years alone, there have been a number of changes in practices around risk management, including regulatory guidance around concepts such as risk appetite, risk aggregation and reporting, and risk culture.”

Kasparova says the COSO ERM Framework provides a strong foundation for building an effective risk management program, but notes that increasing complexity in the business environment since 2004, particularly in the financial services industry, points to a need to take a look at updating the 2004 COSO guidance.

Kasparova cites the following regulatory guidance as examples of the recent emphasis on risk:

Risk Appetite

Risk Aggregation and Reporting

Risk Culture

Referencing COSO’s recent update of its Internal Control framework, slated to supersede COSO’s 1992 Internal Control framework on Dec. 15, 2014, Kasparova adds, “We believe COSO’s update of the ERM framework is very timely… As companies continue to focus on managing risk across all facets of the business (not just internal control) an updated ERM Framework will be very useful.”

Pam Martin, managing director at KPMG, notes, “Requirements for strengthened risk management in the financial services sector in response to the financial crisis, including recommendations from the Financial Stability Board, Section 165 of the Dodd-Frank Act, and heightened expectations of the Office of the Comptroller of the Currency, led to requirements that, generally, financial institutions with over $50 billion in assets were required to strengthen their risk management infrastructure and governance.”

Looking ahead to potential new guidance that may emanate from COSO, Martin adds: “For the larger financial services firms, it should not require them to change their structures – the regulatory bar has been raised so significantly coming out of the financial crisis, those firms have been required to enhance their risk management framework significantly already.”

She adds that regulators have incorporated stress testing into the overall supervisory process, and, “A big part of stress testing includes the firms’ capital management plans, which includes an assessment of risk management practices around the capital allocation process. Firms must demonstrate that they have the ability to assess risk and assign capital.”

“The financial crisis was a bit of a wake-up call for regulatory authorities and industry as a whole, that the industry’s risk management practices were not as strong as many thought,” Martin says, adding, “Post-crisis, there has been an increased strengthening of risk management, across all regulatory bodies.”

In response to the question, “Who ‘owns’ the ERM function?” Martin says: “It’s the risk committee and the board,” noting that Federal Reserve Board requirements and Section 165 of the Dodd-Frank Act require a Chief Risk Officer (CRO) reporting jointly to the board and the CEO. “One thing the regulators look at … is that the CRO has ‘stature’ within the company. That’s why they require the CRO to report jointly to the board and the CEO.”

Professor Mark Beasley, Director of the ERM Initiative at North Carolina State University and a former member of the COSO board, explains the difference between ERM and risk management in the video below.


Asked to reflect on COSO’s recent announcement of its project to update its 2004 ERM Guidance, Beasley observed, “The speed of change and complexity of the global business environment is exponentially escalating the volume and sophistication of emerging risks that may impact an organization's core business model and its ability to achieve its strategic objectives. At the same time, expectations that organizations need to enhance their risk oversight capabilities continue to evolve along with expectations for greater levels of accountability for risk management, as illustrated by the recently released Joint Final Rule on Risk Retention.”

“As senior executives and boards of directors respond to the rapidly evolving risk landscape and increasing expectations for more effective risk oversight ownership,” continued Beasley, “they are in need of up-to-date and relevant principles to shape their organization's approach to overseeing evolving risks affecting their core business drivers.” He termed COSO’s recent announcement a direct response to this need, noting that an updated ERM framework “has the potential to provide tremendous value in helping organizations think through those elements most critical to effective and robust enterprise-wide risk oversight in light of today's risk environment.”

Joint Final Rule on Risk Retention

Moving to the Joint Final Rule on Risk Retention, KPMG’s Martin observed, “There has been a great deal of commentary as to whether the risk retention rule has had a dampening effect on the securitization market. I think the effects have been widely known for a long time; I don’t think the finalization of that rule will require any firm to change their overall strategy, it was telecast so widely in advance.”

Phoebe Moreo, a Partner at Deloitte & Touche LLP, shared her thoughts on particular points of focus in the Joint Final Rule. “In the banking community, the recent SEC release on risk retention creates a challenge for those who are sponsors of securitizations, calling for constant monitoring of securities retained under the rule and increased disclosures to a widening circle of investors in addition to the many disclosure and tracking requirements already required for securitizations under Basel III, the LCR rule and the qualified mortgage/ability to repay rules.”

Protiviti’s DeLoach observes, “The Joint Final Rule is a positive development in our view, because it incents sponsors to ensure the assets underlying securitization transactions are high quality, otherwise they will incur a portion of any resulting losses from default.”

Moreo continues, “The final rule does not require a fair value calculation if risk retention is in the form of an eligible vertical slice, but it does if risk retention is in the form of an eligible horizontal slice. Such fair value information is to be as of the closing date of the transaction and provided to investors in written form ‘a reasonable time period’ prior to the sale of the ABS securities. The final rule also allows for the sponsor to utilize a range of fair values; however, the disclosure of how such fair values are derived is extensive.”

The bottom line, Moreo says, is that “Large bank sponsors will need to have systems in place to track retained ABS securities and have policies and procedures in place to make sure the restrictions on sales, financing and hedging are being followed. As the rules on index hedging are complex, they will also need the ability to track the securities making up indices used in their hedging programs to ensure they are not inadvertently hedging their retained ABS securities.”

Looking at the two risk management developments announced last week, companies clearly need to manage risk, and the sophistication of their risk management systems will likely vary with the sophistication of the underlying types of transactions and the complexity of how the business is operated.