Today we continue our in-depth look at the enforcement action against Citigroup, because the case truly does raise a host of interesting audit and compliance issues. Our prior post looked at Citigroup’s struggles with data governance; now let’s examine how the bank needs to revamp its enterprise risk management.
The consent order from the Office of the Comptroller of the Currency includes a precise litany of what the regulator expects Citi to do for effective ERM. One thing the consent order doesn’t include, however, is a description of what Citi had previously done wrong with its ERM program — which actually makes this order more useful to everybody else. It reads more as a blueprint that any large organization could follow to build an ERM program, rather than a corrective action plan specific to Citi.
First, the order directs Citi to draft an ERM plan. That’s useful to any business still tinkering with enterprise risk management, because it’s a complex structure you’re trying to build. Indeed, most companies already dabble in ERM to some extent — but they might not call it by that name, or even understand that ERM is what they’re doing. They don’t manage risk in a disciplined, scalable way across the whole enterprise.
So the first thing OCC wants Citi to do is sit down and devise a strategy to implement ERM in that rigorous, scalable way. It’s what you should do, too.
OK, a written ERM plan is sensible enough. What should go into it? The OCC had thoughts about that question, too.
Recipe for an ERM Program
The OCC order specified 12 items that Citi’s ERM plan had to include. I flagged seven that struck me as particularly important:
- Enterprise-wide policies to improve the identification of growing, emerging, or otherwise material concentrations and idiosyncratic risks.
- A risk appetite framework that includes metrics that align to the top risks within each key risk area, including meaningful limits that reflect the board’s risk tolerances, tied to risk appetite metrics used by front-line units.
- A requirement that each front-line unit implement a comprehensive risk control self-assessment framework that includes: (i) a description of the scope of all operations; (ii) all significant risks associated with operations; (iii) specific controls for each identified risk; and (iv) an assessment of the controls, risk management, and compliance with the bank’s risk appetite and associated limits or thresholds.
- Documentation of the responsibility and accountability for risk management-related functions in each front-line unit and independent risk management unit, including procedures and processes that clearly define risk management-related roles and responsibilities for each unit, and that ensures compliance with enterprise-wide corporate policies, and laws and regulations.
- A program in each front-line unit and independent risk management unit to measure, monitor, aggregate, limit, and control risks consistent with the bank’s risk appetite statement.
- Written policies and procedures to ensure that independent risk management promotes effective oversight and control of risks that is appropriately independent of the related line of business; and that independent risk management has the requisite stature, authority, and resources, including sufficient staffing to provide such oversight and control.
- Policies and processes to ensure effective risk governance and oversight when lines of business are realigned or redesigned.
As you can see, a lot of this is about embedding thoughtful ERM policies and processes into the First Line of Defense business units; and then assuring that an independent risk management function in the Second Line of Defense has enough authority, resources, and tools to observe how those First Line risk management teams are performing.
That’s how a proper enterprise risk management function should work. The First Line of Defense has thoughtful policies and procedures to manage risk within its own operations, according to whatever risk appetite the board has endorsed. The Second Line of Defense includes a risk management function that can monitor the First Line, and then pull together risk data from across the whole enterprise to give senior management and the board a true picture of actual risk compared to desired risk. (Or, if your business only has an internal audit function, but not a risk management function; audit could serve this role.)
From Recipe to Ingredients
The above section skimmed through a lot of what the OCC wants to see in Citi’s ERM plan, and didn’t even recount all 12 elements that need to go into the document. So let’s underline a few important details.
First, consider where you would get a useful risk appetite framework for the whole enterprise and risk control self-assessment framework for individual business units (points B and C). Any number of consulting firms will be happy to help you identify the best framework for some suitably outrageous fee; or maybe you could devise your own framework from models you find online. Regardless, the framework helps your employees assess risks and controls in a disciplined way. That’s crucial, so invest the time to get this part right.
Second, define roles and responsibilities for risk teams in the First Line and the Second Line (point D). The chief risk officer partly acts as a check and balance against operational risk managers; he or she spends lots of time monitoring or testing risk management processes that happen in the First Line, to assure that First Line risk management keeps pace with evolving risk. Without consensus for who does what, the enterprise ends up either duplicating work; or ignoring new risks under the mistaken belief that it’s someone else’s responsibility; or giving mixed messages to senior management, who then make worse decisions — or making all three mistakes at once.
Third, think about the technologies and tools your risk management teams will use. Especially for highly acquisitive businesses (like Citigroup), you might have a collection of tech and tools that just accumulated over the years, without any greater logic to their existence than that. Your systems might call different things by the same name, or the same thing by different names; or use multiple data formats that can’t easily be consolidated; or whatever.
But when we see dry consent order lingo such as “develop and implement effective monitoring and testing measures,” we’re actually talking about finding technology that can bring useful information to executives. Do you want to rip out all the legacy IT systems in favor of one unified tech platform? Do you want to impose a new layer of IT on top of existing First Line tech, to bring useful data to the Second Line? Both ideas have their merits, as well as drawbacks that would make most people gouge out their eyes.
I can’t say which strategy is better for your business. Just understand that when we toss around these dull excerpts from regulatory settlements, that’s what those words truly mean in the modern enterprise.
And fourth, design your ERM policies and procedures to accommodate future change. That was OCC’s warning in Point G, “ensure effective risk governance and oversight when lines of business are realigned or redesigned.”
The need for flexibility has always been true, but the modern business landscape has several forces — low interest rates allowing more M&A deals; an increasingly regulated world; and disruptive events such as the pandemic — that make reorganization more likely. When your ERM program can’t bend and twist with those changes, it becomes a pointless, sclerotic structure unmoored from what truly threatens the business. Companies have enough of those structures already.
That’s enough for today’s post. Later this week we’ll have Part III of the Citigroup series: better board governance.