Heightened Risk Standards: Focus on Risk Frameworks, Processes, and Controls

Governance

• Reclarification of roles, responsibilities, and accountability for all three lines of defense.
• Talent management, covering skills development, recruitment, succession planning, and compensation/performance programs.
• Stature afforded risk functions (e.g., autonomy, empowerment, visibility).

Key Ten Regulatory Challenges of 2024

• Risk Standards
• Risk Sustainability
• Data

Risk Framework

• Risk appetite approved by the Board, including company’s risk culture and quantitative risk statements (measured against earnings or capital). Risk appetite clearly connected to the risk assessment programs.
• Data governance, quality, and utility of risk limits, set and measured (with clear metrics/limits) at enterprise, concentration, and front-line unit levels. Clear transparency and escalation reporting to management/board of risks and of early warning of elevated risk.
• Communication, and periodic review and monitoring, of the risk appetite and the enterprise, concentration, and front-line unit risk limits.

Internal Controls

• Content and quality of the controls inventory (e.g., right/key controls, quality of controls).
• Adequacy/coverage/effectiveness of controls testing (including timeliness to remediate identified gaps).
• Integration of control testing with risk assessments, and demonstration of actions taken (e.g., enhancements) based on failures and/or risk assessments.

Data Management

• Deficiencies in data, data outputs, or reporting (e.g., data quality, timeliness, accuracy, traceability, metrics, models).
• Data management, including access controls; practices related to collection, retention, disposal; third-party governance/agreements; and reporting capabilities at the lines of business and enterprise levels.
• Ability to train, recruit, and retain, skilled talent resources to identify, measure, manage data risk management processes.

Issues Management

• Completeness and quality of issues inventory.
• Governance over the issues management lifecycle (e.g., planning, implementation, closure).
• Identification and resolution of issues (distributed across the three lines and across risk tiering) and associated testing, critical challenge, and validation of sizing, mitigation, and resolution.
• Demonstration and validation of sustainability.

Change Management

• Processes for identifying, managing, challenging, approving, and monitoring changes due to new products, activities, processes, and technologies.
• Evidence of sustainable processes and effective risk coverage, including metrics.
• Periodic review and changes in the risk management framework to reflect industry developments and changes to the company’s risk profile as a result of internal and external factors (e.g., new products, M&A, negative news, systems changes, regulatory changes).

FRB

Supervision and Regulation Report

Operational risk identified as a supervisory priority or 2024 for banking entities of all sizes; specific areas include governance and controls, third party management, novel activities, and fintechs.

FRB Reports: Supervision and Regulation; Financial Stability

OCC

2024 Bank Supervision Operating Plan

Risk-based supervision will focus on:

• Change management, where change to leadership/staffing, operations, risk management frameworks, and business activities are “significant”.
• Operations, including products, services, third-party relationships with unique, innovative, or complex structures (e.g., AI, fintechs).
• Incident response, data recovery, threat detection/remediation, third-party controls, and maintenance of IT assets inventory related to cybersecurity.

Fall 2023 Regulatory Agendas: Key Federal Banking Agencies

Semiannual Risk Perspective

One of four key risk themes, operational risk is deemed to be “elevated”; highlighted risks include:

• Innovative technologies and new products/services that change the operating environment as well as the relationship with legacy technologies.
• Management of third parties and other risks commensurate with size, complexity, and risk profile – more rigor to higher risk and critical activities – talent management for sufficient resourcing and subject matter expertise.
• Strong threat and vulnerability monitoring, and effective security controls, given increasing sophistication of cyber attacks and geopolitical tensions.

FDIC

2023 Risk Profile

“Operational risk remains one of the most critical risks to banks.”

n/a

SEC

2024 Examination Priorities

Information security (e.g., data privacy, access, cyber) and operational resiliency identified as key emerging risk areas. Attention to safeguarding data and assets; risk management/prevention; and event response. Specific attention to clearing agencies, and changes related to the standard settlement cycle.

Examinations: SEC 2024 Priorities