The full text on this page is automatically extracted from the file linked above and may contain errors and inconsistencies.
For release on delivery 8:30 A.M., M.S.T. (11:30 A.M. E.D.T.) April 30, 1996 Remarks by Susan M. Phillips Member, Board of Governors of the Federal Reserve System at The 74th Annual Meeting of the Bankers' Association for Foreign Trade Tucson, Arizona April 30, 1996 The Importance of Risk Management and Internal Controls in a Global Business Good morning. I am pleased to be here to address the Banker's Association for Foreign Trade. This association has a long history of working with supervisory agencies to promote prudent banking practices. Today, I would like to discuss the challenges that both supervisors and bankers face in ensuring proper risk management and internal controls in today's global banking and business environment. I applaud this association's efforts to make bank supervision a more cooperative process. In my experience, effective bank supervision always has required effective interchange between the banking community and the supervisory agencies. More often than not, banks and supervisors are in agreement about the challenges facing the industry, and each can gain additional perspective from the other. Indeed, a banker recently commented to me that he no longer views the examination process as an adversarial one. In fact, senior managers at his institution have come to rely on the input provided by the examination process. Bank examinations obviously will never be a consulting service — and appropriately so, as they focus on the supervisory goals of safety and soundness. Nevertheless, I am hopeful that the perceived adversarial nature of bank supervision will continue to diminish over time. Our mutual concerns are certainly apparent in the context of risk management and internal controls. Technological and financial innovation is spawning new and increasingly complex ways for banks and other institutions to take risks. This, in turn, places pressure on bank management to contain and manage these risks. Clearly, your challenges in responding to rapid changes in technology are our challenges as well. Supervisors must adapt their current regimes to recognize and take advantage of advances in risk measurement and management and to ensure that banks have adequate internal control processes in place to manage risk. All aspects of our supervisory process are undergoing changes in response to advances in risk management and industry innovation, including capital adequacy guidelines, the examination and surveillance process, and efforts to promote more public disclosure and appropriate accounting conventions. Let me begin describing some of these changes by placing my remarks on risk management and internal controls in the appropriate context. Supervisors and regulators of financial institutions have a common objective of ensuring that the institutions they supervise do not become a source of systemic risk. Additional objectives vary depending on particular statutory and regulatory mandates. For example, U.S. bank and thrift regulators have the objective of protecting depositors and the deposit insurance fund. To achieve these objectives, bank supervisory programs employ a number of tools including capital adequacy guidelines and evaluations of the adequacy of management, earnings and liquidity. For its part, the Federal Reserve has always stressed capital and sought nearly a decade ago to develop and promote capital standards that acknowledged changing practices within the banking system and that were more sensitive to a bank's credit risk profile. This work has continued as the U.S. banking supervisory agencies, working with our G-10 colleagues and numerous banking groups, have initiated efforts to incorporate market risks into our current risk-based capital guidelines. Recognizing the increasing pace of change and 3 level of sophistication in the area of risk management, a central theme in this initiative is the use of an institution's own internal risk measures in assessing regulatory capital. Specifically, the approach adopted by the Basle Committee on Banking Supervision for determining minimum capital adequacy for the trading activities of internationally active banks will permit institutions to use their own internal value at risk (VAR) measures, subject to certain constraints required by the Committee. Use of this internal measurement approach requires firms to meet a number of "qualitative" standards on risk management and would have to be supplemented with a rigorous program of model validation and stress testing. An important element of qualitative standards is minimum criteria for an independent review of the risk measurement system by the bank's own internal auditing process. Supervisors will also evaluate the model's effectiveness and its adherence to regulatory standards. The Federal Reserve has been the principal advocate internationally of using internal models. We believe this route provides incentives to promote sound risk management while minimizing supervisory intrusion that might impede innovation in financial risk measurement. Using daily VAR figures alone to determine a capital charge is not perfect, however. Appropriate translations must be made from a daily risk measure to a long-term consistent capital charge for market risk. Supervisors are also increasing their emphasis on the entire process of how a bank manages its risk. Indeed, the risk management process is becoming as important as the quality of the assets that make up an institution's balance sheet at any point in time. This is particularly true for those institutions that are very active in capital markets and whose portfolios of assets change materially from day to day, and even from moment to moment. As a result, the Federal Reserve has heightened its focus on the risk management process over the past few years. At the Federal Reserve, the review of management now formally includes an assessment of risk management and internal controls. Supervisory expectations of risk management practices may vary significantly depending on the size and complexity of the institution's activities and whether it is internationally active. Large banks, for example, will normally be expected to have more formal policies, procedures, limits, and management information systems than smaller banks. They also should have more sophisticated measures of the risks they take. Supervisory efforts with regard to risk management are perhaps nowhere better seen than in efforts made to strengthen the risk management of derivatives. For example, shortly after the Group of Thirty issued its study on derivatives activities of dealer institutions in mid-1993, the Federal Reserve and the OCC issued consistent guidance to their banks on sound risk management practices for trading and derivatives activities. These guidelines were followed later by similar sound practice papers issued internationally in joint statements by the Basle Committee on Bank Supervision and the International Organization of Securities Commissions (IOSCO). I mention this joint issuance because it demonstrates the enhanced international cooperation of the supervisors of banks and securities firms. About a year ago, the Federal Reserve again issued a statement on the topic, but oriented that time to end-users. 5 All of these sound practice statements emphasize the same principles of risk management: • active oversight by an institution's board of directors and senior management -- "corporate governance" to use a current cliche; • clear policies, procedures, and limits; • comprehensive risk measurement, monitoring, and reporting systems; • and finally, adequate internal controls and audit procedures. It is important to note that these principles are fundamental and reflect basic practices that well-run institutions have applied to traditional banking and securities activities for years. It is not surprising that what is good for derivatives risk management applies to other aspects of bank management. To a large extent, the current focus on risk management represents an application of tried and true fundamentals to new activities and financial instruments, using new risk measurement capabilities. As representatives of some of the world's most internationally active banks, you are well aware that supervisors of financial institutions in different countries use different methods to ensure that the institutions they supervise follow sound risk management processes. Some depend on outside auditors, while others take a more direct and active role. Securities and commodities regulators place significant oversight responsibilities with selfregulatory organizations as well as external auditors. In the United States, banking supervisors have historically relied heavily on annual full-scope examinations. The Federal Reserve is now placing increased emphasis on reviewing processes during the examinations of banking institutions. Federal Reserve 6 examiners have long evaluated the quality of risk management practices, including internal controls. They have also taken the quality of risk management into account in determining the overall adequacy of bank management. However, in a typical bank examination, our examiners spend a great deal of time reviewing individual credits in the loan portfolio. Major credits are typically reviewed one by one, and other elements of the portfolio are sampled. While the examination of individual credits and groups of credits may remain the mainstay of the examination process, the focus is becoming less on events and more on management and control processes, especially for large banks. If the bank's own processes for managing risk are adequate, examiners will test fewer transactions. Given the substantial volumes of daily transactions, the growing complexity of financial instruments, and the global reach of our large banks, focusing more on a bank's process of identifying, managing and controlling all risks would seen to be the most appropriate supervisory approach. At the Federal Reserve, this recent supervisory focus on risk management first surfaced in our 1993 guidance to examiners on trading and derivatives activities. The impetus for this guidance was derivatives but, in retrospect, it was a simple application of longstanding supervisory principles to a rapidly growing banking activity. This guidance was subsequently expanded and formalized in the Trading Activities Manual issued early in 1994, which provided examiners with the tools necessary to evaluate risk management systems for the full range of risks associated with trading activities. In the international arena, under the supervisory rating system for the U.S. operations of foreign banking organizations adopted in 199S, the Federal Reserve intensified its consideration of k 7 management processes by requiring that individual ratings be assigned to the risk management and operational controls of U.S. branches and agencies of foreign banking organizations. In late 1995, both the Federal Reserve and Comptroller of the Currency announced major efforts to examine the risk management capabilities of each of the institutions that they supervise. The intention is to formalize assessments of risk management and internal controls in a supervisory rating for all institutions. The Federal Reserve now will assess the risk management at every state member bank and bank holding company as part of the management evaluation process. The risk management rating assigned by Federal Reserve examiners will range from 1 to 5, with 1 designating "strong" risk management and 5 signifying an "unsatisfactory" rating. This risk management rating will not alter the application of the CAMEL rating (which as you know is the supervisory equivalent of a report card, and the basis on which most supervisory actions are taken). It will be used, rather, as a foundation for determining the overall management component rating assigned under the CAMEL system. In assigning the risk management rating, examiners will be considering the same principles set forth in the G-30 study and the BIS/IOSCO communique. This more structured approach to the evaluation of risk management should facilitate better communication of examination conclusions about the risk management process of banks and bank holding companies. We anticipate, as well, that it will foster continued improvements at the institutions we supervise. 8 While we intend to retain our examination focus on loan quality and underwriting standards, over time our supervisory activities will increasingly focus on the risk management process and less on statistical balance sheet analysis. It is important to note, however, that the current emphasis on risk management is not a replacement for, but rather a complement to, other traditional examination techniques. Consequently, resources will continue to be devoted to traditional examination techniques, such as the assessment of the quality of loans and investments and the evaluation of the adequacy of capital. I believe the increased emphasis on risk management represents progress in supervisory thinking in the same way that the increased use of sophisticated internal models to manage risk is a step in the right direction for the banking industry. However, notwithstanding such gains, there remains no substitute for effective internal controls. Barings demonstrated this fact. Comprehensive internal controls are essential to the safe and sound operation of financial institutions. Weaknesses in internal controls will be given significant consideration by the Federal Reserve in assigning a rating to risk management. I believe, however, that internal controls should be important to banks on a purely risk/reward basis. Given recent, highly visible problems, banks should be self-motivated to maintain adequate internal controls completely independent of prompting by supervisors. Bank management, not examiners, must be the principal source for detecting and deterring unsound practices through adequate internal controls and operating procedures. Often, however, there is a tendency by both management and supervisors to focus on the "high-tech" aspects of risk management — the modeling and measurement aspects of complex instruments and their interrelationships. But state-of-the-art risk models 9 are useless if banks do not monitor and control the activities of individuals who are in positions to create large losses. Internal risk measurement models only assess the risks of the positions entered into the system. The concept of "internal controls" embraces not only tracking the positions you have, but ensuring that these are your positions. The reviews conducted to date on Barings and Daiwa clearly point the finger at fundamental breakdowns in several relatively simple, "low-tech" elements of risk management. While supervisors and bankers face the challenges of utilizing appropriately new risk management techniques, significant challenges remain in applying the "basics" to new products and activities, and making certain they are fully implemented in all offices of a global bank. By now, the fundamental elements of an effective internal control system, including the appropriate segregation of duties, should be self-evident. While these concepts are more common sense than rocket science, they seem nevertheless, to be overlooked often or at least not enforced in practice. From a supervisory perspective, there is a clear need for supervisors to ensure that once serious deficiencies in internal controls are identified, relevant books and records are reconciled and verified in an expeditious and thorough manner and appropriate follow-through procedures are followed. Notwithstanding the growing intrinsic motivations for banks to adopt effective internal control systems, the supervisor's role in overseeing internal control systems is likely to increase as internal control systems become more effective in mitigating risk. In addition to the incentive to reduce the chances for significant losses, two recent trends have created even stronger arguments for augmenting internal controls: cost cutting and increased merger activity. As pressure mounts to increase bank profitability 10 through further cost cutting, the temptation can arise to make cuts in areas considered to be costly for the bank. Because an effective internal control regime can greatly reduce the potential for large losses, the payoff potential should more than justify the cost. The increase of bank merger activity can create situations where, at least temporarily, internal controls are in disarray as two disparate systems are integrated. Mergers, therefore, must take place with a high level of attention to internal controls, especially during the transition phase, so that risk exposures do not escape management's attention. But my goal today is not simply to deliver another message from a supervisor concerning the importance of risk management and internal controls. By now, you have no doubt heard similar views from other supervisors. Rather, I want to make the point that we are entering a new era where both the supervisors and the supervised share a common goal. It would seem that little controversy remains over the importance of risk management and internal controls. In conclusion, efforts by the Federal Reserve and other supervisory agencies to expand the review of a bank's risk management process and internal controls is critical, particularly in the case of large, internationally active institutions and those with material holdings of derivatives and other complex instruments. Any risk management system implemented by management must be part of an overall culture within the organization that emphasizes the identification and management of risk, including internal controls. Investment in proper controls can guard against large, perhaps even franchise-endangering, losses. Our examiners will be devoting more attention to reviewing a bank's processes and controls, whether they relate to new products or to traditional lending activities. Although 11 our goal is to ensure that risk management practices are commensurate with risks, we want to encourage all institutions to keep current with new techniques for improving their management of risks, both at home and abroad. Thank you.