10/20/16 - Federal Reserve Spells Out Risk Management Requirements for Smaller Institutions

The Federal Reserve Board earlier this year issued comprehensive supervisory guidance on risk management for institutions with less than $50 billion in total consolidated assets, and its examination teams are now beginning to focus on elements of that guidance.

The board’s supervisory letter (SR 16-11) is aimed at a different segment of the banking market from that covered by the heightened standards the Office of the Comptroller of the Currency issued in 2014, which apply to national banks with $50 billion or more in consolidated assets. An attachment to the letter acknowledges that expectations differ for community banks, regional banks, and foreign banks.

But the Federal Reserve’s supervisory letter is evidence that, regardless of complexity or geographical reach, banks of all sizes are under pressure to substantially strengthen their governance and risk management. Banks that have not already prepared for these tougher expectations may find meeting the new standards a substantial hurdle.

Summary of Expectations

The Federal Reserve’s SR 16-11 provides a clear road map for banks to organize and operate risk management frameworks, with four key elements supervisors will focus on when reviewing the frameworks.

1. Board and senior management oversight

The institution’s board of directors is expected to approve policies establishing risk tolerances and periodically review risk limits to make sure that changes in the operating environment, markets, and strategy (e.g., new products or markets) are reflected in the limits and risk appetite.

Senior management must have a clear understanding of the risks inherent in the institution’s business and market environment, and stay informed of changes in strategy, operating environment, and markets that affect the risk profile. That expectation includes a process to assess and understand the risks arising from new products or initiatives. Senior management should also ensure that staff overseeing business and risk management has the experience and knowledge to appropriately manage the risks intrinsic to the business model.

The letter emphasizes the importance of information systems in risk management — and specifically calls on firms to assess whether information systems and controls are keeping pace with new products and risks as they are introduced into the business. The guidance makes clear that boards and senior management must take an active role in assessing and managing risk across the enterprise.

2. Policies, procedures, and limits

The board must approve an institution’s overall business strategy and policy framework, and senior management must develop and implement policies and procedures that are consistent with the risks the institution faces. Examiners will assess whether policies, procedures, and limits are appropriate given the risks, and in line with the institution’s strategy. They will also look for accountability and clear lines of authority.

The effectiveness of the policies, procedures, and limits should be reviewed regularly, and with greater frequency depending on changes to the business model, market, or operating environment. Potential gaps should be escalated to senior management and the board.

3. Risk monitoring and management information systems

Monitoring and reporting of risk information are crucial elements of the supervisory guidance. Examiners will try to determine whether the right audience is receiving the right information to understand the institution’s activities and key risk exposures, and whether those exposures are within policy limits and consistent with the institution’s strategy. In collecting and conveying risk information, a firm must strike the right balance between clarity and detail while still communicating the complexity of the issues associated with its activities and exposures.

Supervisors expect that institutions will regularly review key assumptions, data sources, models, and procedures used in measuring and monitoring risks to ensure they are appropriate and reliable given the business activities and risk profile of the institution. Supervisors will look for evidence of these reviews during the supervisory process.

4. Internal controls

Like other supervisory guidance, the letter focuses on institutions’ internal-control structures, which the Federal Reserve views as critical for reliable financial and regulatory reporting, safeguarding of assets, and compliance with laws, regulations, and institutional policies. Senior management is responsible for the internal-control structure. Testing of the structure by a party independent of the functions being tested is expected, with results reported directly to the board of directors (or a designated board committee).

Supervisors will look for answers to the following questions about the institution’s internal-control structure:

  • Is it appropriate for the type and level of risks the institution faces?
  • Are there clear lines of authority and accountability for risk management and for monitoring adherence to policies, procedures, and limits?
  • Are the control functions independent and objective?
  • Does the structure’s organization reflect actual operating practices?
  • Is reporting accurate, reliable, and timely?
  • Are internal controls and information systems adequately tested and reviewed?
  • Have the board (or a board committee) and senior management taken responsibility for developing and implementing an effective system of internal controls?

Interagency Alignment on Risk Management

The release of SR 16-11 makes clear that, though standards will depend to some extent on the size and complexity of the organization, regulators are now aligned in issuing stiff requirements for banks of all sizes to maintain a comprehensive, robust risk management framework.

Key similarities between OCC Heightened Standards and SR 16-11

Board Oversight of Risk-Taking
  OCC Heightened Standards: “… board of directors should actively oversee the covered bank’s risk-taking activities ….”
  SR 16-11: “The board of directors has the responsibility for establishing the level of risk that the institution should take.”

Limit Setting
  OCC Heightened Standards: “… set limits at levels that take into account appropriate capital and liquidity buffers and prompt management and the board of directors to reduce risk before the covered bank’s risk profile jeopardizes the adequacy of its earnings, liquidity, and capital.”
  SR 16-11: “… periodically reviews risk exposure limits to align with changes in the institution’s strategies, address new activities and products, and react to changes in the industry and market conditions.”

Escalation of Adverse Findings
  OCC Heightened Standards: “Identify and communicate to the Chief Executive Officer and the board of directors or the board’s risk committee: (i) Material risks and significant instances where independent risk management’s assessment of risk differs from that of a front line unit …”
  SR 16-11: “… communication channels should allow for adverse or sensitive findings to be reported directly to the board of directors or to the relevant board committee.”

Director Knowledge and Training
  OCC Heightened Standards: “The board of directors should establish and adhere to a formal, ongoing training program for all directors. This program should consider the directors’ knowledge and experience and the covered bank’s risk profile.”
  SR 16-11: “The board of directors should take steps to develop an appropriate understanding of the risks the institution faces, through briefings from experts internal to their organization and potentially from external experts.”

Independence and Segregation of Duties
  OCC Heightened Standards: “Internal audit maintains independence from front line units and independent risk management ….”
  SR 16-11: “Serious lapses or deficiencies in internal controls, including inadequate segregation of duties, may warrant supervisory action, including formal enforcement action.”

Getting Started

A first step in meeting the expectations of SR 16-11 is assessing the current risk management framework and adjacent capabilities to determine strengths, weaknesses, and gaps. Banks should specifically assess:

  • Organizational structure
  • Key risk policies and procedures
  • Risk appetite statement and limits
  • Risk-data aggregation
  • Risk reporting

The assessment’s results should serve as a road map and project plan guiding implementation of an appropriate framework that reflects organizational goals, regulatory deadlines, and other priorities. Banks that undertake assessments and planning now will help themselves:

  • Meet the new standards for risk management within a reasonable time frame
  • Manage regulators’ expectations
  • Avoid regulatory findings

How Promontory can help

Promontory has extensive knowledge of SR 16-11 and the OCC’s heightened standards, as well as of best practices in risk management. We have assessed risk management frameworks and led implementation efforts at institutions of all sizes and complexities. We help clients design and implement capabilities that match the level of complexity of their organization, meet or surpass regulatory expectations, and scale over time.

Other services include:

ERM Framework and Governance

  • Designing an organizational structure for enterprise risk management
  • Developing or enhancing the risk-governance framework, including policies and procedures
  • Enhancing governance arrangements for risk management, including board engagement

Enterprise Risk Identification

  • Developing sound approaches and frameworks for risk identification
  • Designing processes to leverage the risk-identification framework for modeling, stress testing, and other analysis

Risk Appetite and Limit Setting

  • Developing or refining an enterprisewide risk appetite framework, including the statement itself
  • Designing a framework for limits and tolerances
  • Developing or enhancing modeling in support of limit measurement, monitoring, and management

Model Risk Management

  • Implementing enhanced frameworks for model risk and model development and related standards
  • Validating models used for ERM, capital planning, and stress testing

Risk Assessment, Stress Testing, and Reporting

  • Designing risk-assessment frameworks for individual risks (e.g., credit) and enterprisewide risk (e.g., economic capital)
  • Implementing stress-testing frameworks, including scenario analysis
  • Developing level-specific risk reports (e.g., business unit, executive management, and board)

Contact Promontory

Please contact Promontory to discuss your current risk management program and how we can help.

William Lang
Managing Director
+1 212 542 6790

David Samuels
Managing Director
+1 212 542 6776