January 30, 2020

Banks’ Enhancements in Risk Management Provide a Prudential Backstop in this Deregulatory Cycle

Alexander Dill

Recent bipartisan amendments to the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank) in 2018, the loosening of Volcker rule provisions in August 2019, discussed in the Journal’s November issue, and the final rules issued in October 2019 that reduce regulatory obligations by tiering bank holding companies (BHCs) and designated nonbank financial institutions by size and risk have led to no small amount of controversy. Dodd-Frank had originally imposed enhanced prudential standards, which include liquidity, stress testing, and resolution planning requirements, among other things, on firms with $50 billion or more in consolidated assets to safeguard the financial system against systemic risk. The 2018 and 2019 changes have removed or lightened these obligations by raising this threshold significantly. The October rules go beyond Congress’s 2018 bipartisan amendment that set the threshold at $250 billion by reducing requirements for banking and designated firms with assets up to $700 billion. In Fed Governor Lael Brainard’s view, the October rules weaken the protections put in place in 2010 before they have been tested through a full economic cycle.

Whatever one’s view of these changes to the 2010 regulatory framework, one should not overlook the significant enhancements that banks have made to their risk management systems, either in response to Dodd-Frank rulemaking and supervisory expectations or as a matter of good corporate practice in the aftermath of the global financial crisis of 2007-9 (GFC). Shortly after the onset of the crisis, large, complex financial institutions had already begun to bolster processes and procedures for identifying, assessing, monitoring, and controlling risk. Enhancements banks have made to date should continue to promote financial stability as the deregulatory cycle runs its course and will provide important protections in the next financial crisis that will inevitably occur. Faulty risk management practices during the subprime mortgage bubble prepared the ground for the liquidity and credit crisis that began in late summer 2007. The government eventually spent billions of dollars in bailing out financial conglomerates that had created highly risky capital structures by bulking up on long-term, illiquid subprime assets funded by cheap, runnable short-term debt.

This article discusses three aspects of the reforms in banks’ risk management. First, beginning in the 1990s banking agency supervisors increasingly focused on firms’ corporate governance systems and practices to manage the risks arising from their business model. Second, the GFC fundamentally changed policymakers’ relatively sanguine view of firms’ ability to manage their own risks, accelerating the long-term trend in banking agencies’ increasing supervisory expectations regarding the risk management function. Examiners’ newfound skepticism regarding a bank’s internal control environment represents a paradigm shift that can be expected to outlast the current deregulatory cycle. The agencies now expect the large banks to think strategically and systematically about effective firm-wide management of their volatile basket of risks, an expectation most recently reflected in 2017 and 2018 guidance by the Federal Reserve Board (FRB). Finally, banks’ and nonbank financial firms’ own experience in the GFC incentivized them to significantly upgrade the risk management function by endowing it with senior executive status, independence, and necessary resources.

Decades-Long Trend in Supervisory Focus on Banks’ Risk Management Function

First, the crisis significantly accelerated a long-term trend of bank supervisors to look increasingly to banks’ systems of corporate governance and risk management practices to ensure their banks’ safety and soundness. In former Governor Daniel Tarullo’s words, bank regulation over the last three decades changed from relying on general rules toward an individualized “supervisory approach”. The agencies have continually raised expectations for banking firms to develop sophisticated risk management systems to identify, assess, and reduce risks or exit a business if necessary.

Regulators had little choice but to rely increasingly on banks’ ability to manage their complex mixture of market, credit, operational, and, increasingly, compliance risks. In turning from a regulatory, “rules-based” approach to a “supervisory approach”, the banking agencies stressed the importance of a particularized, granular examination of individual banks. Bank capital regulation was necessary but not sufficient to ensure the prudential operation of a banking institution. The “supervisory” regime gained impetus from the rise of the multiservice BHC conglomerate in the 1980s and 1990s. In 1991, only one US-based BHC had over 500 subsidiaries. By the third quarter of 2011, the four most complex banking firms had over 2,000 subsidiaries. Moreover, regulators increasingly imposed legal obligations on financial holding companies. As Howell Jackson of Harvard Law School has observed, these often took the form of guarantees of regulated subsidiaries’ obligations in order to transfer front-line supervisory responsibility from governmental agencies to the holding companies.

By the 1990s, regulators had formalized their increasing emphasis on corporate governance and management quality by requiring bank examiners to place particular emphasis on the ability of senior bank executives to manage their banks’ complex set of risks. For this reason, in addition to the individual management component of a CAMELS rating, special consideration is given to this component in assigning a bank’s overall composite CAMELS rating. Further, bank management’s ability to identify, measure, monitor, and control risk is a critical element in each of the other five CAMELS components.

GFC’s Reversal of Pre-Crisis Assumptions Governing Banks’ Ability to Manage their Own Risks

A second change reinforced and accelerated this long-term trend in bank supervision. The GFC fundamentally changed the governing assumptions of market participants concerning the functioning of the financial markets. Prior to the crisis, policymakers globally had adopted a largely market-based approach to regulating and supervising banks and other financial institutions. They assumed that firms were self-regulating and that markets were self-correcting. Bank management knew their unique risks and how to manage these risks better than any banking agency examiner. Fed Governor Kohn summarized this view, which he termed the “Greenspan doctrine,” at Jackson Hole in 2005. By allowing institutions to diversify risk, to choose their risk profiles more precisely, and to improve the management of the risks they decide to take on, they made institutions more robust. The US’s bipartisan deregulation of OTC derivatives in 2000 in the Commodity Futures Modernization Act of 2000 and the UK’s ‘light-touch’ philosophy of supervision institutionalized the market-based ethos.

The GFC overturned the consensus that was embodied in the Greenspan doctrine. It converted financial regulators into severe skeptics regarding firms’ incentives and ability to prudently manage their own risks. The change in regulatory philosophy occurred on both the regulatory front and in enhanced supervisory expectations.

Dodd-Frank’s Regulatory Requirements

Dodd-Frank codified the new regulatory approach in several ways. A panoply of provisions, implemented in rulemaking, either directly or indirectly are designed to enhance the banks’ risk management function. Directly impacting it is Section 165’s requirement of risk committees and credit risk officers (CROs), with enterprise-wide authority, independence, and credibility.

More indirectly, Dodd-Frank requires rigorous forward-looking stress testing and resolution plans, or “living wills”, that require BHCs to revamp and restructure corporate operations to reduce the impact on financial markets of their wind down. These rules are enterprise-wide in scope, requiring risk officers to conduct risk assessments in connection with capital planning (stress testing) and in determining corporate restructuring measures to demonstrate the feasibility of orderly liquidations (living wills).

The risk committee must approve and periodically review the risk management policies of a BHC’s global operations and oversee the operation of the global risk management framework. Such a framework must correspond to the firm’s size, risk profile, and complexity and, at a minimum, include five elements. See 12 C.F.R. 252.33.

First, Dodd-Frank mandates policies and procedures for risk management governance, procedures, and infrastructure for global operations. Second, it requires processes and systems to implement and monitor compliance with these policies and procedures. Third, risk committees must include liquidity risk management requirements that specify, in granular detail, the parameters of required liquidity risk management pertaining to contingency planning and event management, risk limits, testing, and types of acceptable collateral for counterparties.

Fourth, the risk committee must be an independent board committee with sole, exclusive responsibility for risk management policies for global operations and oversight of the global risk management framework. It must report directly to the board of the BHC and receive and review quarterly reports from the BHC CRO. It must have a written charter approved by the full board and hold quarterly meetings. Finally, at least one member of the risk committee must be experienced in identifying, assessing, and managing risk exposures of large, complex firms. The committee chair must be an independent director.

Post-Crisis Supervisory Approach

The change in supervisory expectations will likely be more lasting and potentially more far-reaching, which should go far toward compensating for the deregulatory tiering of BHCs into progressively lighter regulatory baskets (including the risk committee and CRO requirements) as their assets and risk profiles decrease.

Policymakers globally, under the aegis of the Basel Committee on Banking Supervision, have adopted a more prescriptive regulatory framework and a more invasive supervisory approach toward firms’ internal governance practices that reflects the fundamental change in assumptions regarding banks’ risk management capabilities. This more invasive approach is reflected in the FRB’s recently issued guidance on board effectiveness and the role and accountability of senior and line management. The risk management guidance details many of the technical elements of an effective risk management framework that the firms are expected to adopt. See 82 Fed. Reg. 37219 (Aug. 9, 2017) and 83 Fed. Reg. 1351 (Jan. 11, 2018).

This change in supervisory philosophy is also reflected in enforcement actions. In 2018, the FRB took the unprecedented action of publicly chastising the former CEO and board chairman of a global systemically important bank for prioritizing sales quotas over risk controls. It put a cap on the firm’s growth based on assets, which is yet to be lifted, until its risk management capabilities catch up to its risk appetite. See FRB, Letter to John Stumpf (Feb. 2, 2018).

FRB Guidance on the Risk Management Function

The FRB opines that the overall objective of a bank’s risk management function is to provide an objective assessment of the firm’s risks and to ensure that business strategies are in alignment with its risk appetite, as determined by the board. The FRB’s guidance covers three areas: (1) risk appetite and risk limits; (2) risk identification, measurement, and assessment; and (3) risk reporting.

Risk appetite and risk limits. Risk management should assess whether the bank’s risk appetite appropriately encompasses its material risks and whether it is consistent with the capacity of the bank’s risk management framework. The bank should have adequate resources and a risk management infrastructure in order to achieve this end. Further, risk management should determine whether enterprise-wide risk limits align with the company’s risk appetite across the full set of its risks. It should also ensure that clear, relevant, and current risk limits apply to specific risk types, business lines, legal entities, jurisdictions, geographical areas, concentrations, and products or activities that correspond to the firm’s risk profile.

Risk identification, measurement, and assessment. Risk management is tasked with identifying and measuring current and emerging risks within and across business lines and by legal entity or jurisdiction. It should conduct risk identification and assessment on an ongoing basis to reflect changes in exposures, business activities, the broader operating environment, and regulatory expectations. Risk management should have access to information about all the company’s risk exposures while not relying on business line information exclusively. Moreover, it should aggregate risks across the entire firm and assess them relative to the firm’s risk appetite. It should also assess risks and risk drivers within and across business lines and risk types.

Risk reporting. Risk management should provide accurate, concise, and timely risk reports to the board and senior management that convey material risk data and assessments and aggregate risks within and across business lines. Reports should include information on current and emerging risks, adherence to risk limits, and the firm’s ongoing strategic, capital, and liquidity planning processes.

Chief Risk Officer

The FRB emphasizes the importance of the independence, authority, and stature of the CRO. To this end, the CRO should inform the board if this is not the case. Also, the CRO must report directly to the board’s risk committee and be included in key decisions relating to strategic planning and other areas of executive decision making. To ensure independence, the CRO should establish clearly defined roles, responsibilities, and reporting lines, and determine whether risk management has sufficient staffing and authority to identify and escalate material risk management and control deficiencies.

Internal Controls

Two principles govern internal controls. First, a banking institution should demonstrate that its system of internal controls aligns with its size, operations, activities, risk profile, strategy, and risk appetite. The operational business line management is responsible for developing and maintaining an effective internal control system. Second, the banking institution should evaluate and test the effectiveness of the internal controls on an ongoing basis following a risk-based approach. It should establish management information systems that detect weaknesses and escalate serious matters to all relevant parties, including the board.

Banks’ Post-Crisis Incentives to Enhance their Own Risk Management Practices

Third, the GFC incentivized banking institutions of their own accord to manage their large, increasingly complex basket of risks by enhancing the risk management function and its status and authority within the corporate hierarchy. Following the crisis, robust, firm-wide risk management practices and corporate governance became a strategic and competitive business necessity that would help preserve shareholder value, a change that is likely to continue in light of market volatility that has become a permanent feature of the financial system. Furthermore, the FRB’s risk management guidance generally aligns with the post-crisis incentives of banking firms to establish a meaningful internal risk control environment. The alignment of private incentives with regulatory expectations is not the case with other financial regulation, such as anti-money laundering law, which directly impedes banks’ revenue-generating business strategies involving deposits and other payment services. The FRB guidance also serves as a template for those firms not covered thereby.

Findings from a survey of global financial conglomerates in 2008 by the Senior Supervisors Group (SSG), financial market supervisors from several countries with advanced financial markets, help to substantiate such an alignment of business incentive and regulatory mandates and expectations. Early in the crisis, firms began reporting material write-downs concentrated in US subprime MBS-related debt, particularly in business lines specializing in warehousing, structuring, and trading of subprime-backed CDOs. The SSG divided these firms into better and more poorly performing firms based on their risk management practices. The risk management practices of the better performing firms mirror several best practice standards of the FRB’s guidance issued in 2018.

The better performing firms shared quantitative and qualitative information effectively across business lines and were thus capable of identifying sources of significant risk early in the crisis. They reduced exposures and hedged their risk positions while it was still practical and not prohibitively expensive. They had previously adopted rigorous internal processes requiring critical judgment and discipline in valuations of complex or potentially illiquid assets and developed in-house expertise in order to carry out independent assessments. They sought to apply these asset valuations consistently across their enterprise. They incentivized discipline in balance sheet growth by charging business lines for contingent liquidity exposures. Management in the better performing firms also had more adaptive risk management processes and systems, allowing them to rapidly alter assumptions to reflect current market conditions. They relied on a wide range of risk measures to gather more information and different perspectives on the same exposures.

The financial crisis, despite the great damage it caused to the US and global economy and to millions of livelihoods, has had the salutary effect of turning the risk management function into a critical component of banks’ corporate governance and macro-prudential regulation. Its new, post-crisis status can be expected to outlast the current deregulatory cycle and continue to provide meaningful protections against emerging risks to financial stability.

Alexander C. Dill

University of California Los Angeles School of Law

Alexander C. Dill is Lecturer in Law, University of California Los Angeles School of Law and Lecturer, Financial Mathematics Program, University of Chicago. He may be reached at (347)-685-9889 or by email at dill@law.ucla.edu. This article draws upon his recently published book and an op-ed on this subject. See Alexander Dill, Bank Regulation, Risk Management, and Compliance (Routledge 2019) and “Banks have learnt their lesson on risk management,” Financial Times (December 16, 2019), at https://www.ft.com/content/cf30bc50-1c2c-11ea-81f0-0c253907d3e0.