On March 26, the Basel Committee on Banking Supervision (“Basel Committee”) published a Consultative Document in which it proposes a revised supervisory framework for measuring and controlling large counterparty exposures (“Proposal,” or “Exposure Framework”) of systemically important financial institutions (“SIFIs”). Comments on the Proposal are due by June 28, 2013.
Posts Tagged ‘Risk management’
On March 22, 2013, the Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System (FRB), and the Federal Deposit Insurance Corporation (FDIC) (collectively, the “bank regulators”) released their final guidance on leveraged lending activities.  The final guidance does not deviate significantly from the proposed guidance released last year on March 26, 2012, but does attempt to provide clarity in response to the many comment letters relating to the proposed guidance received by the bank regulators. The final guidance is the latest revision and update to the interagency leveraged finance guidance first issued in April 2001. 
The current public controversy notwithstanding, valuable governance lessons arise from JPMorgan Chase’s internal analysis of the highly public 2012 losses in its synthetic credit portfolio: the saga of the so-called “London Whale.” The internal JPMorgan analysis should not be confused with the March 15 report on the “Whale Trades” issued by the Senate Permanent Subcommittee on Investigations. Neither should its credibility be undermined by the Subcommittee’s critical report.
JPMorgan’s primary findings were contained in an exhaustive report of the trading strategies and management activities that led to these losses, prepared by a management task force.  Additional findings and recommendations were included within a much shorter companion report prepared by the board’s Review Committee. This companion report concentrated on the board’s risk oversight practices.  To a certain extent, the “sizzle” was contained in the lengthier management task force report, with its focus on what happened, why it happened, and who was to blame for it happening. But from a governance perspective, the lessons for corporate America are in the companion report, with its focus on improving the process by which risk information is reported to the board. These governance recommendations are highly relevant today, because the broader fiduciary landscape has been dominated of late by concerns about the quality of board oversight of risk.
The NASDAQ Stock Market LLC (Nasdaq) recently filed with the Securities and Exchange Commission (SEC) a proposed rule  requiring listed companies to establish and maintain an internal audit function.  The SEC is soliciting comments on the proposed rule through March 29, 2013. 
Under the proposed rule, the internal audit function would be required to provide management and the audit committee with ongoing assessments of the company’s risk management processes and system of internal control. In addition, new Rule 5645 would require the audit committee to:
- meet periodically with the company’s internal auditors (or other personnel responsible for this function); and
- discuss with the outside auditors the responsibilities, budget, and staffing of the company’s internal audit function.
Companies would be permitted to outsource their internal audit function to a third-party service provider other than their independent auditor. For companies that choose to outsource this function, Nasdaq has stated that the company’s audit committee maintains sole responsibility to oversee the internal audit function and may not allocate or delegate this responsibility to another board committee.
According to Nasdaq, the proposed rule is designed to:
As the banking industry emerges from the 2008 financial crisis, there is no question that it caused great strain on banks of all sizes. Hundreds of community banks failed, and the largest institutions were unable to continue operating without massive, unprecedented government intervention. This region in particular experienced the full impact of the crisis and the stress it placed on small institutions. A key ingredient in the market disruption was inadequate capital protection. Looking forward, it is important that the regulatory community arrive at a capital framework that is appropriate for the range and complexity of risks in today’s financial system.
As someone who served on the Treasury Department’s crisis response team in 2008, it became clear that the market was punishing firms and business models that took on too much risk without sufficient capitalization. Yet, upon returning recently to government service I have been surprised at what I see as a lack of progress towards constraining excessive leverage. Some policymakers point to advancements in the Basel III agreement, developed by the Basel Committee on Banking Supervision, which implements a global leverage ratio for the first time. However, I think that it is difficult to argue that achieving a Tier 1 leverage ratio of three percent by 2018 is significant reform, particularly as this leverage ratio requirement is not solely anchored in tangible common equity.
The second set of meetings in the World Affairs Council of Atlanta’s Global Strategic Leadership Forum series focused on the new challenges facing the boards of directors of contemporary global companies. Setting the stage for the Forum’s discussions was the recognition of the huge changes that have taken place as a result of globalization in tandem with the world financial crisis and economic slow-down. The premise of the Forum was that the expanding and complex issues facing global companies today require a re-examination of the wide set of risks generated by global expansion and the complicated and dynamic matrix of the regulatory environment. These developments have dramatically impacted the relationship between the board and the chief executive officer as they determine strategic direction for the company – a role that is increasingly becoming a joint responsibility.
The general consensus of the Forum’s participants was that in today’s business environment, a global company board needs to ask itself if it is doing all it can and should to evaluate the complicated new risks facing the company, while ensuring that the goals for growth and profitability remain a critical focus. Complicating this escalating level of risk are the increasingly onerous and complex regulatory frameworks, imposed not only by the United States, but by other sovereign jurisdictions. The Forum participants confirmed that many of these regulations have global reach and the Board of Directors has specific oversight responsibility, thus vastly increasing the amount of information that must be examined at the Board level.
The apparition of 2008 returns once more. Two recently released JP Morgan Chase (JPM) reports on the causes of the “London Whale” trading losses raise important questions about whether financial service firms can exorcise the spectral issues which were so central to the financial crisis. They read as if JPM and a key headquarters unit — the Chief Investment Office — had not learned a single lesson from the meltdown four years ago. And unfortunately, they suggest that, in our huge, complex financial institutions, major failures of organizational discipline and major losses are likely to recur, despite greater attention to risk management.
These reports — one from a company task force and a second from a review committee of the board — were overshadowed by two items announced the same day: the related news that the bank board had slashed CEO Jamie Dimon’s annual compensation in half — from $23 million in 2011 to $11.5 million in 2012 — because of his “Whale-related” failures, and that JPM had posted a record 2012 net income of $21.3 billion.
Following closely on the heels of Federal Reserve Governor Daniel K. Tarullo’s November 2012 speech, the Federal Reserve has proposed a tiered approach for applying U.S. capital, liquidity and other Dodd-Frank enhanced prudential standards, including single counterparty credit limits, risk management, stress testing and early remediation requirements, to the U.S. operations of foreign banking organizations with total global consolidated assets of $50 billion or more (“Large FBOs”). Most Large FBOs would have to create a separately capitalized top-tier U.S. intermediate holding company (“IHC”) that would hold all U.S. bank and nonbank subsidiaries. A Large FBO with combined U.S. assets of less than $10 billion, excluding its U.S. branch and agency assets, would not be required to form an IHC.
The IHC would be subject to U.S. capital, liquidity and other enhanced prudential standards on a consolidated basis. In addition, the Federal Reserve would have the authority to examine any IHC and any subsidiary of an IHC. Although the U.S. branches and agencies of a Large FBO’s foreign bank would not be required to be held beneath the IHC, they too would be subject to liquidity, single counterparty credit limits and, in certain circumstances, asset maintenance requirements. Large FBOs not required to form an IHC would also be subject to many of the new enhanced prudential standards.
This memorandum provides an overview of key aspects of the Federal Reserve’s proposal, which would become effective on July 1, 2015. We invite you to also read the accompanying diagrams and tables for a visual representation of these new requirements, available here. The comment period for the proposal ends on March 31, 2013.
In the aftermath of the financial crisis, companies and their boards have been grappling with new disclosure requirements related to board risk oversight in the United States, Canada, and Europe. Unfortunately, many organizations that have wanted to improve their risk management capabilities have attempted to implement a traditional form of what is generally known as enterprise risk management (“ERM”). Many companies that have tried the traditional ERM route have been disappointed with the results. Many of these ERM programs have focused on multiple workshops that ask participants to identify potentially negative events, assess their likelihood and consequence, log risks identified in “risk registers,” plot them on color-coded risk “heat maps” and report the top 10, 20 or 100 risks to the board. In most ERM programs, this exercise is repeated each year and the updated risk register results are reported to the board or a committee of the board. This approach to ERM has proven to be suboptimal at best, and has even proved “fatal” when companies completely missed entity-threatening risks. These poor results can be related to the fact that these initiatives miss the fundamental point of formalized risk management—increasing certainty that objectives, both strategic and value creating, as well as core foundation objectives like obeying laws and producing reliable financial statements, will be achieved with a tolerable level of risk to senior management and the board.
As boards of directors examine the risks that their companies face, corporate cybersecurity issues loom large. Forty-eight percent of directors (and 55 percent of general counsel) cited data security as their top concern in a recent study by Corporate Board Member/FTI Consulting. These numbers have roughly doubled since 2008, when only a quarter of directors and general counsel cited data security as a major concern. With revenues, intellectual property, business relationships and customer confidence potentially at stake, directors should consider whether their companies and management teams are adequately addressing the growing threat of cybersecurity in the new high-tech landscape.
Cybersecurity risk is a difficult and intimidating topic for corporate boards to consider. However, it is important to keep in mind that cybersecurity risk is only one of many areas of risk that are overseen by boards of directors and that, in most cases, the usual strategies and procedures for evaluating and managing risk can apply. Directors are not expected to be experts in this area and are entitled to rely upon management and outside experts for information and advice. Nonetheless, directors should request that management reports to the board on the steps the company is taking to mitigate cyber threats, and directors should consider whether the company is appropriately assessing its risks and devoting adequate resources to the issue. The business judgment rule remains the standard for evaluating decisions taken by a board in this area.