One question we hear a lot is: who really owns the risk management framework in a bank? Is it the Chief Risk Officer? Is it so fundamental that it is a shared responsibility among the whole executive or senior leadership team? And who owns the risk, and what does that mean?
The Federal Reserve rang in the new year by issuing useful proposed guidance that consolidates and clarifies their expectations regarding the responsibilities for risk management within large financial institutions. It presents a comprehensive treatment across the three lines of defense, going beyond the well-trodden second and third lines (Independent Risk Management – IRM – and Independent Audit) and elucidating the risk management roles in the business lines where the first line of defense resides. In addition it clarifies the responsibility of the executive management team in managing the overall
US supervisory agencies, Federal Reserve and OCC alike, have spent considerable energy on pinning down expectations on the second and even third lines of defense while being lighter on specifics of the responsibilities of the first line, beyond the high level view that it should ‘own the risk’. Similarly, while the Federal Reserve and OCC have articulated expectations for a risk management framework deployed across three lines of defense, prior statements have been unclear about who is responsible for that framework. This guidance puts flesh on the bones of the ‘three lines of defense’ skeleton. Since it is likely that the final version of this proposed guidance will be close to this version, now is the time for the covered banks to look closely at the roles and responsibilities in their risk management frameworks.