Remarks by Governor Susan Schmidt Bies
At the University of Connecticut School of Law, Connecticut Law Review Symposium, Hartford, Connecticut
October 21, 2004
Enterprise Perspectives in Financial Institution Supervision
Thank you for inviting me to speak at your conference honoring Phillip I. Blumberg. I certainly wish to join you in congratulating him on publication of the new edition of The Law of Corporate Groups. Dean Blumberg speaks of the inadequacy of the traditional concept of separate corporate juridical personality when applied to the modern reality of large multinational corporations that have holding companies and subsidiaries around the globe. He makes the case that the promotion of corporate accountability requires an enterprise-wide view of the multinational firm. The concept of an enterprise-wide view of business organizations resonates with me as a Federal Reserve Governor who has particular responsibility for banking regulation and supervision. I would posit that moving from an entity or functional view to an enterprise-wide view of the consolidated entity improves the parent organization's accountability for the activities of its constituent subsidiaries and divisions around the world.
Today, I would like to briefly discuss some issues related to the entity, function, and enterprise perspectives of an organization. I will start by considering these issues from the point of view of a regulator and then look at how corporate risk management is improving by moving toward an enterprise perspective.Regulatory Perspectives on Entity, Function, and Enterprise Supervision
As banking organizations have expanded their business lines and grown in scale and geographic reach, many of the traditional forms of business organization have been modified. Financial holding companies may now have multiple tiers of subsidiaries, some of which may have different primary regulators. While the trend has been to merge bank subsidiaries--a result in part of the easing of legal restrictions on interstate banking in the late 1990s--many organizations now have both state and federal supervisors. As large U.S. banks have expanded their international operations, they have also become subject to supervision in their host countries. And as foreign banking organizations, in a continuing expansion of their presence in the United States, have established branches of their home country banking entities and acquired regional and large U.S. banks that are separate legal entities, they, too have become subject to additional supervision. And the emergence of new forms of financial instruments has also affected the corporate structure, in that entities established to transfer and fund assets may or may not be consolidated for accounting purposes, depending on their structure. In short, the structure of large financial firms has become much more complex and varied over time and is increasingly reflecting the business strategy of the organization.
Banking supervision at the Federal Reserve has long taken a consolidated view of risk management and internal controls, a focus that the 1999 passage of the Gramm-Leach-Bliley Act (GLBA) reinforced. Under GLBA, the Federal Reserve, as umbrella supervisor of banking organizations, has a special responsibility to determine whether bank holding companies are operated in a safe and sound manner so that their financial condition does not threaten the viability of affiliated depository institutions. Consolidated oversight of bank holding companies, and in particular the subset of bank holding companies that have elected financial holding company status in order to engage in a broader range of activities, is important because the risks associated with those activities can transcend legal entities and business lines. That is, risks in one entity can have an impact on another entity or functional area--and ultimately on the enterprise as a whole. Supervisory oversight at the bank holding company level is particularly critical because public disclosure and market discipline are exerted largely at the consolidated level. Therefore, the regulatory constraints imposed at the bank holding company level can be the most binding on the organization.
Financial institution supervision in the United States generally is determined by type of charter--state or federal--and Federal Reserve membership. The dual banking system of state and federal banks has encouraged innovation and is an important contributor to the strength and flexibility of the U.S. financial system. However, supervision by charter can create an uneven playing field for competitors that offer similar services but are subject to different regulatory requirements.
Supervision by function can ensure that competitors have a similar regulatory environment. But functional supervision has a weakness common to entity supervision. That is, business processes are often designed without regard to management organization or legal entity. This is becoming more common as technology is used to integrate varied activities and internal control systems are used to aggregate information across business lines. Thus, a supervisor that focuses on one part of the business process may not understand how activities earlier or later in the process flow may affect internal controls and risk exposures.
Further, as we have seen in some notable public enforcement actions taken in the last couple of years, supervision of only a portion of the organization can leave gaps in risk coverage. Organizations that are run by business line, including risk management and compliance, can miss inherent conflicts of interest between lines of business. Thus, individuals can be motivated to support their line of business without due regard for the increased risk or potential for compliance failure that their actions create in other parts of the organization.
In today's regulatory environment, the focus is increasingly on supervision of the full enterprise. An example is the Federal Reserve's umbrella supervision of financial and bank holding companies in the United States. Another is the consolidated supervision of financial institutions operating in the European Union resulting from implementation of the new Basel II capital accord. Enterprise supervision certainly provides a more integrated view of risks and internal controls. But the umbrella supervisor is still challenged if the supervisors of entities or functions have different prudential supervision frameworks. In this case, the umbrella supervisor, to be effective, must assess the gaps and inconsistencies in the supervisory process.An Enhanced Framework for Looking at the Consolidated Banking Organization:
The New Bank Holding Company Rating System
As the activities of banking organizations have increased in complexity over time, the focus of the Federal Reserve's supervision of bank and financial holding companies has moved from historical analyses of financial condition on a separate legal entity basis toward more forward-looking assessments of the adequacy of risk management and financial factors of the consolidated organization. While the supervision of holding companies has been evolving, the rating system has not changed. To replace the BOPEC bank holding company rating system, which has served the Federal Reserve System well for twenty-five years, a proposal has been issued for comment to move to a new rating system that encompasses ratings for risk management, financial strength, and the impact of nondepository legal entities on affiliated depository institutions; a composite rating; and a depository institution rating. The proposed new rating system was published for comment in July of this year, and the system is expected to become effective in January 2005. The proposed bank holding company rating system is expected to (1) better emphasize risk management and the importance of the control environment; (2) introduce a more comprehensive, more adaptable framework for analyzing and rating financial factors based on the unique structure of each holding company; and (3) for the first time, provide an explicit framework for rating the impact of the nondepository entities of a holding company on its affiliated depository institutions. This new structure will better align the bank holding company rating system with our current supervisory practices.
The proposed risk management and financial condition components are each supported by four subcomponents, which provide granularity and structure to their analysis. Specifically, the risk management component of the new system will include subcomponents that consider (1) the competence of the board of directors and senior management; (2) policies, procedures, and limits; (3) risk monitoring and management information systems; and (4) internal controls. These subcomponents will be evaluated in the context of the risks undertaken by, and inherent to, the banking organization and the overall level of complexity of the firm's operations. The analysis of financial factors will include subcomponents rating consolidated capital adequacy, the quality of the bank holding company's consolidated on- and off-balance-sheet assets and exposures, the quality and sustainability of earnings, and liquidity on both a consolidated company and a legal-entity basis.
The analysis of the impact of nondepository entities on the consolidated entity will incorporate an evaluation of both the risk management practices and financial condition of the non-depository entities. It may consider strategic plans, the impact of losses or control breakdowns, and legal and reputational considerations, as well as financial factors such as capital distributions, intragroup exposures, and consolidated cash flow and leverage. What I hope is evident from my brief description of the new bank holding company rating system is that the framework looks at risk management and financial factors at the legal entity level, at the level of functional activities across corporate entities, and at the consolidated, enterprise-wide level.The COSO Framework: Enterprise-Wide Risk Management for Corporations
The focus on oversight and risk management at each of the three levels of an organization--entity, functional unit, and enterprise--is not unique to the banking industry. In the context of business organizations in general, the Committee of Sponsoring Organizations of the Treadway Commission, or COSO, has been engaged in a project to evaluate and improve enterprise risk management, or ERM. This effort culminated in the publication last month of an integrated framework for ERM. This framework may become a standard for enterprise risk management similar to the way the COSO Internal Control Framework has become the benchmark in its area.
For those of you not familiar with the new COSO framework, let me briefly explain that ERM is a discipline that an organization can use to identify events that may affect its ability to achieve its strategic goals and manage its activities consistent with its risk appetite. Such events include not only those that may result in adverse outcomes, but also those that give rise to opportunities. When implemented effectively by an organization, an ERM framework improves the quality and flow of information for decisionmakers and stakeholders, focuses attention on the achievement of organizational goals, and improves the overall governance of the organization.
ERM achieves these laudable objectives by looking within and across the business lines, functions, and activities of the organization as a whole to consider how one area of the organization may affect the risks facing the other business lines and functions--or the enterprise as a whole. The ERM approach contrasts markedly with the silo approach to risk management, which considers the risks of activities or business lines in isolation--a view similar to the traditional entity-based legal view of the corporation.
It is important to note that ERM does not replace, but rather builds on, the risk management and internal control practices at the entity and functional levels. Indeed, it is essential to retain risk management and internal control activities at the level of the individual business line or function because that is where the individuals who best understand the activities being conducted and where the key risks of those activities reside. The enterprise-wide approach supplements the business line- or function-specific view with a "big-picture," corporate-level view that encompasses all the firm's operations and views risk throughout the consolidated organization.
It is also important to emphasize the dynamic nature of ERM. ERM is truly effective only to the extent that it assesses changing risks when new business lines or activities or changes to existing activities are proposed. That is, ERM should function as a proactive, rather than reactive, mechanism to ensure that appropriate controls are in place before the product or activity begins and that the board of directors and senior management understand the nature of the new products or activities and their impact on the organization's risk profile. This can be accomplished, in part, through the new product approval process, which should include participation across the organization from credit risk, market risk, operations, accounting, legal, compliance, audit, and senior line management.
An integral part of a dynamic ERM structure is an enterprise-wide internal controls and compliance program, which considers not only the more readily quantifiable risks, such as credit and market risks, but also the less quantifiable legal and reputational risks with which this audience, by its training, is well acquainted. The enterprise-wide view is particularly important when products and activities cross business lines and management lines of responsibility. When business lines or managers share responsibility for internal controls and compliance, specific duties and chains of accountability need to be established at the entity or functional level and overseen by the chief risk officer.ERM as a Common Language
ERM provides an enterprise-wide view of risk and facilitates enterprise-wide compliance by creating a common risk management language that allows the firm's constituent business lines to better communicate about risk across functions. When ERM is implemented effectively, individuals working in the business line have a clear understanding of their roles in the overall risk-assessment and risk-management framework. Managers can look at the risks inherent in the businesses and processes they manage and establish risk measurement and management practices that reflect the risk appetite and strategic direction of the enterprise, as established by the board of directors. Communication of these practices to line managers and employees allows employees to gain a good sense of acceptable risks and have a process for communicating apparently unacceptable risk-taking to appropriate levels of management and to the compliance function.
ERM also promotes a consolidated vision of corporate goals, objectives, and strategies. Lines of business and functional areas have standards that are set at the enterprise level, standards against which the success of individual operations can be measured. Line managers and employees can articulate how they address specific objectives and goals in their business areas. The consolidated vision allows for greater synergies and the promotion of the goals, objectives, and strategies of the organization as a whole rather than the competition of parochial interests.
Finally, in the roll up from the individual business lines and functional areas, ERM produces entity-wide information that influences new or changed policies, business decisions, risk-response plans, and adjustments to incentives and internal capital allocations through a communication "feedback loop."ERM as a Mechanism for Better Disclosure
In addition to facilitating corporate communication and a common enterprise-wide vision, ERM can enhance external communications between an organization and its stakeholders. I would challenge business organizations to use the enhanced information that is produced by a successful ERM feedback loop as a vehicle for improving public disclosure of their risk management activities, including their use of financial tools for managing risk.
Before discussing how ERM can facilitate better risk management disclosure, it may be helpful to review some common risk management tools. Many businesses, including but certainly not limited to financial institutions, have increasingly used derivatives to manage their risk exposure to price fluctuations in currency, commodity, energy, and interest rate markets. Credit derivatives have also allowed financial firms to achieve a more diversified credit portfolio by acquiring exposure to borrowers with whom they do not have a lending relationship. Securitization has helped firms manage the risk of a concentrated exposure by transferring some of that exposure outside of the firm, thereby diversifying the firm's balance sheet.
In the legal arena, with which you are familiar, substantial progress has been made in standardizing legal agreements used in managing financial risk. This has helped to resolve issues related to the impact of bankruptcy or insolvency on transactions and netting contracts, reducing the potential for contractual disputes between market participants. These efforts are continuing through various industry groups, and the legal profession is making important contributions to improving the legal certainty of these instruments. Derivatives and other risk-transferring instruments have a salutary effect on the financial markets by facilitating more-liquid and more-efficient transfers of risk, creating the potential for greater economic efficiency through diversification benefits.
Innovation in financial risk management inevitably will continue. Improvements in technology, the quick pace of financial innovation, and evolving risk management techniques almost ensure that businesses will increasingly use nearly limitless configurations of products and services and sophisticated financial structures. While I have pointed out the positive aspects of these developments, there is concern that investors and other stakeholders will find it increasingly difficult to understand the risk positions of large, complex organizations that use these mechanisms to alter risk exposures. The point-in-time measurement of a company's balance sheet is insufficient to convey the full effects of credit-risk-transfer instruments, such as credit derivatives and securitizations, on the firm's risk profile. For example, moving assets off the balance sheet and into special-purpose entities in a securitization, with the attendant creation of servicing rights and high-risk residual interests retained by firms, generates its own risks and reduces transparency unless the firm takes additional steps to enhance disclosure.
To address these concerns, firm managers need to do their part to ensure that public reporting and disclosures clearly identify all significant risk exposures--both on- and off-balance-sheet exposures--and their effects on the company's performance and future prospects, keeping in mind, of course, the need to safeguard proprietary information. An ERM framework can produce information that supplements point-in-time accounting disclosures with a more robust description of the firm's risks and the compensating returns in various lines of business as well as a description of how the risk/reward tradeoffs of these business lines affect the volatility of earnings for the firm as a whole. Improved disclosure not only can provide more quantitative and qualitative information to the market and other stakeholders, but also help the market assess the quality of the risk oversight and make an informed judgment about the appropriateness of the organization's risk appetite and its strategic direction.
I would ask firms to answer the following questions about their public disclosures: Do investors have the information they need to accurately evaluate the financial position of the firm and the risks it takes? In addition to quantitative information, does the disclosure provide qualitative input as to the purpose of the transactions and how they reflect the risk appetite and strategic direction of the firm? Is the information provided in a manner that facilitates accurate assessments by investors? Disclosure is not a one-size-fits-all proposition. Instead, disclosure should be tailored to the activities and risks of the company and should tell the firm's "story." Better disclosure also reduces the legal and reputational risks that accompany market "surprises," as we have seen from recent experience. Working with risk managers and accountants, the legal profession is well positioned to help large corporations strike the correct tone and balance in their disclosures to the marketplace.Conclusion
The movement from an entity- or function-based approach to an enterprise-wide paradigm appears inevitable given the increasing complexity of corporations and the interrelatedness of business lines and their risks. Legal analysis, supervisory oversight, and firms' internal risk management and control systems likewise need to adopt an enterprise-wide focus. Enterprise-wide risk management provides a framework for achieving and maintaining this focus by establishing a common risk management language within the organization and by facilitating a framework for improved disclosure.