By James Hamilton, J.D., LL.M.
With the advent of Gramm-Leach-Bliley and the concomitant repeal of the Glass-Steagall Act, financial institutions are composed of banking and securities components under the principle of functional regulation. Risk management across the entire enterprise has assumed great importance since no one wants one component of the organization to pull down the whole edifice. In addition, as complex derivatives instruments evolve and new technologies emerge, noted Federal Reserve Board Governor Susan Schmidt Bies, it is critical that financial institutions implement successful enterprise risk management procedures in order to determine the amount of risk they are willing to accept and ensure that they have the appropriate controls in place to limit risk.
In my view, Gov. Bies is one of the most articulate voices on enterprise risk management in the regulatory arena. In recent remarks before the American Bankers Association annual conference, she said that a sound enterprise risk management system has a number of specific components, including enhanced risk response and the alignment of the financial institution’s risk appetite with its strategies. The system must also identify and manage multiple and cross-enterprise risks.
The Federal Reserve expects organizations to have in place an infrastructure that can identify, monitor, and effectively control the risks they face in complying with applicable regulations and codes of conduct. While this can be a daunting task, acknowledged Gov. Bies, the institution must understand compliance risk across the entire organization and evaluate the risks and controls annually. In order to avoid having a program that operates on autopilot, continued Ms. Bies, a financial institution must continuously reassess its risks and controls. If compliance is seen as a one-off project, she reasoned, an organization faces the risk that its compliance program will not keep up with changes. Importantly, the board of directors also needs to ensure that the organization has a top-to-bottom compliance culture that is well communicated by senior management.