SR 95-51 (SUP):
Rating the Adequacy of Risk Management Processes and Internal Controls at State Member Banks and Bank Holding Companies
BOARD OF GOVERNORS OF THE FEDERAL RESERVE SYSTEM
WASHINGTON, D.C. 20551
DIVISION OF BANKING SUPERVISION AND REGULATION
November 14, 1995
Revised June 23, 2025
Attachment Reposted June 23, 2025
On June 23, 2025: This letter’s attachment, Federal Reserve Guidelines for Rating Risk Management at State Member Banks and Bank Holding Companies, was revised to remove references to reputational risk.
Clarification on the Responsibilities of the Board of Directors
February 26, 2021: As described in SR letter 21-4 / CA letter 21-2, “Inactive or Revised SR Letters Related to Federal Reserve Expectations for Boards of Directors,” this SR letter was revised as of February 26, 2021 to better reflect the Federal Reserve’s guidance for boards of directors in SR letter 21-3 / CA letter 21-1 “Supervisory Guidance on Board of Directors’ Effectiveness,” and SR letter 16-11, “Supervisory Guidance for Assessing Risk Management at Supervised Institutions with Total Consolidated Assets Less than $100 Billion.” No other material changes were made to this letter.
On February 17, 2021: This guidance remains applicable to state member banks and bank holding companies with $100 billion or more in total assets until superseding guidance is issued for these institutions. See SR letter 16-11 for supervisory guidance on assessing risk management practices at state member banks, bank holding companies, and savings and loan holding companies (including insurance and commercial savings and loan holding companies) with less than $100 billion in total consolidated assets, and foreign banking organizations with consolidated U.S. assets of less than $100 billion. These applicability modifications align with the Board’s tailoring rules. See 84 Fed. Reg. 59032 (November 1, 2019) for more information.
TO THE OFFICER IN CHARGE OF SUPERVISION AT EACH FEDERAL RESERVE BANK
Rating the Adequacy of Risk Management Processes and Internal Controls at State Member Banks and Bank Holding Companies
During recent years, the Federal Reserve has increasingly emphasized the importance of sound risk management processes and strong internal controls when evaluating the activities of the institutions it supervises. This greater emphasis reflects the view that properly managing risks has always been critical to the conduct of safe and sound banking activities and has become even more important as new technologies, product innovation, and the size and speed of financial transactions have changed the nature of banking markets. Accordingly, while an institution’s financial performance is an important indicator of the adequacy of management, it is essential that examiners give significant weight to the quality of risk management practices and internal controls when evaluating the management and overall financial condition of banking organizations.
Consistent with the greater emphasis given to risk management in Federal Reserve examination and supervisory policy statements, System examiners are instructed beginning in 1996 to assign a formal supervisory rating to the adequacy of an institution’s risk management processes, including its internal controls. This step is a natural extension of current procedures that incorporate an assessment of risk management and internal controls during each on-site, full-scope examination. The specific rating of risk management and internal controls should be given significant weight when evaluating management under the bank (CAMEL) and bank holding company (BOPEC) rating systems. Like the components of those systems, the risk management rating should be based on a five point numeric scale. Guidelines for assigning the rating are provided in the attachment, which also defines the five rating categories and the specific elements to be evaluated when determining which rating to assign.
The criteria for rating risk management draw heavily from previously issued statements and from other materials of the Federal Reserve, particularly SR 93-69 (Examining Risk Management and Internal Controls for Trading Activities of Banking Organizations), SR 95-17 (Evaluating the Risk Management and Internal Controls of Securities and Derivatives Contracts Used in Nontrading Activities), the Trading Activities Manual, and SR 95-22 dealing with ratings for U.S. offices of foreign banks. These documents emphasize the importance of an active role by an institution’s senior management and board of directors, adequate policies and limits, accurate and independent measurement procedures and assessments of risk, and strong internal controls.
A greater focus on risk management does not, of course, diminish the importance of reviewing capital adequacy, asset quality, earnings, liquidity, and other areas relevant to the evaluation of safety and soundness. Rather, the rating of the risk management process will bring together and summarize much of the analysis and many of the findings regarding an institution’s process for managing and controlling risks that are currently an important part of the examiner’s review of these individual areas. The formal rating is intended to highlight and incorporate both the quantitative and qualitative aspects of an examiner’s review of an institution’s overall process for identifying, measuring, monitoring, and controlling risk and to facilitate appropriate follow-up action.
As before, the overall profitability, asset quality, and capital adequacy of a bank or bank holding company should continue to influence the examiner’s assessment of management, but these indicators can to some extent be affected, either favorably or adversely, by factors outside management’s control. For this reason, the specific evaluation of the risk management process should be a primary factor when rating management, especially in the case of larger institutions whose activities and organizational structures require more formal and extensive procedures.
Examiners should apply this guidance flexibly to reflect appropriately each institution’s individual circumstances and the nature, scope, and complexity of its operations. Risk management ratings should be assigned for examinations and inspections commencing on or after January 2, 1996 to all state member banks and bank holding companies, regardless of their size. Guidelines and procedures for assigning the ratings are set forth in the attachment.
Examiners should discuss in a clear and straightforward manner in the appropriate open sections of the report the nature and severity of any problems or deficiencies found and the steps required to correct them, particularly if the risk management rating is less than satisfactory. Serious lapses or deficiencies in internal controls, including inadequate separation of duties, can constitute an unsafe and unsound practice and possibly lead to significant losses or otherwise compromise the financial integrity of the institution. If appropriate, the institution should be advised that the Federal Reserve will initiate supervisory actions if its failure to separate critical operational duties creates the potential for serious losses or if material deficiencies or situations that threaten the safe and sound conduct of its activities are not adequately addressed in a timely manner. Such supervisory actions may include formal enforcement actions against the bank or bank holding company, or its responsible officers and directors, or both, and would require the immediate implementation of all necessary corrective measures.
The approach outlined in this letter is generally consistent with procedures used to evaluate the U.S. offices of foreign banks under the branch and agency (ROCA) rating system, which evaluates an office’s risk management and operational controls. These guidelines for risk management do not alter the basic interagency bank (CAMEL) rating framework. However, the rapid pace of change in the financial services industry, including the advent of new technologies, financial innovation, globalization, and intensified competition all argue for greater emphasis on market risks, risk management processes, and internal controls in the supervisory evaluation and rating of financial institutions. In view of these considerations, the Federal Reserve will continue working with the other banking agencies to promote appropriate revisions to the bank rating system in order to highlight the importance of market risks and sound risk management processes and practices.
Please forward the attached guidelines to state member banks and bank holding companies in your District; a suggested transmittal letter is attached. Senior officers in charge of supervision are asked to ensure that supervisory personnel and examiners are fully informed of the procedures set forth in this letter. If you have any questions regarding this statement, please contact Messrs. Roger Cole (ext. 2618) or James Garner (ext. 2704).
signed by
Richard Spillenkothen
Director
Division of Banking Supervision and Regulation
- SR 93-69, “Examining Risk Management and Internal Controls for Trading Activities of Banking Organizations”
- SR 95-17, “Evaluating the Risk Management and Internal Controls of Securities and Derivatives Contracts Used in Nontrading Activities”
- SR 95-22, “Enhanced Framework for Supervising the U.S. Operations of Foreign Banking Organizations”
- Trading and Capital Markets Activities Manual
- Commercial Bank Examination Manual
- Bank Holding Company Supervision Manual