Written by Lee Byrne on Monday September 8, 2014
The Office of the Comptroller of the Currency (OCC), the primary regulatory agency for national banks and Federal savings associations in the US, has provided final guidance on higher standards for risk management in larger banks.
At a time when our desks are already burdened by a plethora of news and regulatory updates, this Guidance caught my eye because it seeks to build upon the aims of the Dodd-Frank Act and provides an update by a key regulator on measures to enhance risk management. It also includes helpful direction on the delicate subject matter of board member training.
The OCC believes that the final Guidelines strengthen the financial system by placing the focus of management and the Board on risk management practices and governance. While they may at first glance be limited in scope only to US insured national banks, insured Federal savings associations and insured Federal branches of a foreign bank with average total consolidated assets equal to or greater than $50 billion, the OCC reserves the authority to apply these requirements to firms that have average total consolidated assets of less than $50 billion (if the OCC determines that their operations are highly complex or otherwise present a heightened risk). This appears sufficiently flexible to cover any size firm!
The Guidelines are extremely helpful as they outline the minimum standards required for the design and implementation of a firm’s risk governance framework and the minimum standards that must be met by the Board in providing oversight to the framework’s design and implementation.
The section on ‘Board of Directors Training and Evaluation’ sets out when and how frequently board members should be provided with training on regulatory matters as well as how to benchmark individual performance (which can present a difficult operational and personal challenge).
The Guidelines confirm that there should be a formal, ongoing training program for all directors. Note that they expect ‘all’ directors and not just independent board directors to be trained. Sensible, I know, but the challenge here (which is confirmed in the supporting OCC statement and which is frequently voiced during my training workshops by risk and compliance professionals around the world) suggests that it remains a common area of consternation and is one that is often met with some polite ‘kickback’ by senior management and the Board.
The Guidelines state that ongoing training should be provided to all directors, that this should consider the directors’ knowledge and experience and the covered bank’s risk profile, and that it should cover:
Consistent with the risk-based approach that should be applied to all risk operations and training, the OCC states that the training program is expected to be tailored to the director’s needs, experience, and education. Accordingly, the final Guidelines provide more flexibility to covered banks to focus the training program on material topics and “appropriate” areas, and banks retain discretion in directing the frequency and scope of training and in selecting the provider of training under the final Guidelines.
So how will this be assessed? Aside from reviewing records that should be retained to support and demonstrate this activity, OCC examiners will evaluate each director’s knowledge and experience as demonstrated in their written biography and during discussions with examiners.
We have been warned!