Guess Which Agency ERM Program Just Got Called into Question?
The Board of Governors of the Federal Reserve System has been called out for less-than-ideal enterprise risk management.
According to a new Government Accountability Office report, the board “has not finalized and implemented its enterprise risk management (ERM) framework, and as a result, it may have limited ability to manage risks across the Large Institution Supervisory Coordinating Committee (LISCC) program.”
It’s a problem, the watchdog notes, because it increases the risk of regulatory capture, which occurs when a regulator is influenced by private interests, including the industry it’s regulating, instead of the public. In this case, it means that the controls to prevent the nation’s largest banks (LISCC members include Bank of America, BNY Mellon, Barclays, Citigroup, Credit Suisse, Deutsche Bank, Goldman Sachs, JPMorgan Chase, Morgan Stanley, Prudential, State Street, UBS, and Wells Fargo) from having undue influence on their regulators could be on shaky ground and the Board wouldn’t necessarily know it.
The Board began drafting an ERM framework earlier this year, something the Office of Management and Budget (OMB) suggests should be standard practice for federal agencies. Elements remain missing, though, including risk identification and assessment, the report notes.
There are also weaknesses in some internal controls, particularly those designed to monitor the independence of staff. The same goes for conflict-of-interest and ethics policies. For example, while the Board says it has policies to prevent the “revolving door” of former Fed employees to the banking industry and back, it doesn’t collect the employment data needed for effective implementation.
In all, the GAO recommends six actions:
- Include a component to identify and assess regulatory capture risks in the ERM framework.
- Finalize and implement program-wide guidance for LISCC Reserve Banks on implementing LISCC policies.
- Monitor and regularly assess LISCC policies.
- Streamline conflict-of-interest disclosure reviews.
- Collect and store data on where employees work before and after Fed employment.
- Periodic self-assessment of LISCC ethics programs, policies and procedures.
In its response, the Fed says its taking steps to “refine the LSCC program” and that its improvements include the areas addressed by the GAO report. It points out the report does not identify any actual instances of regulatory capture.
It just goes to show that ERM is a challenge for everyone, including those who regularly oversee others’ ERM efforts. Remember that it’s not enough to have an ERM plan. It needs to be properly executed and include all the essential steps including risk identification, assessment, mitigation, implementation, monitoring and audit.
If an outside party looked at your ERM program today, how would it stack up? If you’re not confident in the answer to that question, now is the time to re-examine your approach to ERM. It’s not about optics, but it is about making sure your institution is aware of potential risks and actively managing them.