P1.T1.20.5. Risk management governance: regulatory responses and best practices

Nicole Seaman

Director of FRM Operations
Learning objectives: Explain changes in corporate risk governance that occurred as a result of the 2007-2009 financial crisis. Compare and contrast best practices in corporate governance with those of risk management. Assess the role and responsibilities of the board of directors in risk governance.


20.5.1. The global financial crisis (GFC) of 2007 to 2009 engendered regulatory responses to corporate risk governance. Ten key developments are summarized below. The first, Sarbanes-Oxley (SOX), occurred prior to the GFC but is listed for context. The others are grouped naturally into three responses: Basel III and BCBS, Dodd-Frank, and the European response.

I. Prior to the GFC, Sarbanes-Oxley (SOX) required that the CEO and CFO affirm the accuracy of financial disclosures.
Basel III and BCBS:
II. Basel III (BIII) was a direct response to the GFC. BIII limited core Tier 1 capital to common equity and retained earnings. BIII also imposed new ratios for short-term liquidity (i.e., LCR) and long-term liquidity (i.e., NSFR).
III. Basel III designed a macroprudential overlay that included a 3.0% leverage ratio; countercyclical capital buffer (CCCB; aka, CCyB); and total loss-absorbing capital (TLAC) standards applicable to G-SIBs.
IV. The Basel III framework was revised again in 2016 with the Fundamental Review of the Trading Book (FRTB; aka, part of Basel IV) which included enhanced disclosure requirements.
V. The Basel Committee on Banking Supervision (BCBS) issued Corporate Governance Principles for Banks which--in addition to identifying the importance of an independent risk management function--defines roles for the board, board risk committees, senior management, CROs and internal auditors.
VI. The 2010 Dodd-Frank Act strengthened the regulatory reach of the Fed; ended too-big-to-fail (TBTF); launched an overhaul of derivatives markets; introduced the Volcker Rule; created the Consumer Financial Protection Bureau (CFPB).
VII. The Dodd-Frank Act also instituted a new approach to scenario analysis and stress testing that included: a top-down approach with macroeconomic scenarios unfolding over several quarters; a focus on the effects of macroeconomic downturns on a series of risk types, including credit risk, liquidity risk, market risk, and operational risk; an approach that is computationally demanding, because risk drivers are not stationary, as well as realistic, allowing for active management of the portfolios; a stress testing framework that is fully incorporated into a bank’s business, capital, and liquidity planning processes; and an approach that not only looks at each bank in isolation but across all institutions. This allows for the collection of systemic information showing how a major common scenario would affect the largest banks collectively.
The European response:
VIII. For banks in Europe, the Supervisory Review and Evaluation Process (SREP) introduced three new principles to banking supervision: (i) A forward-looking emphasis on the sustainability of each bank’s business model, including during conditions of stress; (ii) An assessment methodology based on best practices within the banking industry, and (iii) An expectation that every bank will ultimately operate under the same standards.
IX. The two key components of SREP are (i) the internal capital adequacy assessment process (ICAAP) and (ii) the internal liquidity adequacy assessment process (ILAAP). The ICAAP incorporates scenario analysis and stress testing; it outlines how stress testing supports capital planning. The ILAAP incorporates potential losses from asset liquidations and increased funding costs during stressful periods.
X. European banks with assets of EUR 30 billion and above must run European Banking Authority (EBA) stress tests. These stress tests are run at the consolidated banking group level (insurance activities are excluded). Two supervisory macroeconomic scenarios covering a three-year period are provided by the regulator: a baseline scenario and an adverse scenario.

In regard to the above list of regulatory responses to the GFC, which of the following statements is TRUE?

a. The Basel III events (i.e., II to IV) are incorrectly summarized
b. The Dodd-Frank Act (i.e., VI and VI) is incorrectly summarized
c. The European regulatory response to the GFC (i.e., VIII to X) is incorrectly summarized
d. All three responses (Basel III, the Dodd-Frank Act, and the European regulatory response) are correctly summarized

20.5.2. GARP explains that "risk management must be implemented across the entire enterprise under a set of unified policies and methodologies. (This is called enterprise risk management ...). The infrastructure of risk management, which includes both physical resources and clearly defined operational processes, must be up to the task of an enterprise-wide scope." However, it is a difficult and daunting task to evaluate the fitness of a firm or bank's risk management system. Among the following features, indicators or characteristics, which is MOST LIKELY to signify that the firm is serious about its risk management process?

a. The firm's risk manager(s) is a well-compensated member of the executive staff with compelling career opportunities
b. At least one-third of executive compensation plans consist of stock options, or in the case of private firms, phantom stock options
c. The board has quantified the firm's agency costs and can show that agency costs are within a quantifiable confidence interval, or at least below an upper numeric bound
d. The board's audit committee reports to the board's risk management committee and every member of the board is also a member of the board's risk management committee

20.5.3. Each of the following is a responsibility of the board of directors EXCEPT which one?

a. Assess the fundamental risks and rewards engendered in the firm's business strategy
b. Ascertain whether any major transaction undertaken by the firm is consistent with the authorized risk and associated business strategies
c. Ensure each board member (i.e., all board members) has day-to-day involvement in the firm's risk-taking activities and can analyze the firm's financial condition
d. Assess whether the firm has put an effective risk management system in place that enables it to further its strategic objectives within the confines of its risk appetite

Answers here: