Following the financial crisis, the Office of the Comptroller of the Currency (OCC) developed a set of 5 “heightened expectations” to enhance their supervision and strengthen the governance and risk management practices of large national banks.

  1. The first expectation, often referred to as preserving the sanctity of the charter, maintains that one of the primary fiduciary duties of an institution’s board of directors is to ensure that the institution operates in a safe and sound manner.
  2. The second expectation generally requires large institutions to have a well-defined personnel management program that ensures appropriate staffing levels, provides for orderly succession, and provides compensation tools that appropriately motivate and retain talent without encouraging imprudent risk taking.
  3. The third expectation pertains to risk appetite (or tolerance) and involves institutions defining and communicating an acceptable risk appetite across the organization, including measures that address the amount of capital, earnings, or liquidity that may be at risk on a firm-wide basis, the amount of risk that may be taken in each line of business, and the amount of risk that may be taken in each key risk category monitored by the institution.
  4. The OCC also expects institutions to have reliable oversight programs as stated in the fourth expectation, including the development and maintenance of strong audit and risk management functions. This expectation involves institutions comparing the performance of their audit and risk management functions to the OCC’s standards and leading industry practices and taking appropriate action to address material gaps.
  5. The fifth expectation focuses on the board of directors’ willingness to provide a credible challenge to bank management’s decision-making and thus requests independent directors to acquire a thorough understanding of an institution’s risk profile and to use this information to ask probing questions of management and to ensure that senior management prudently addresses risks.

Description of the OCC’s Guidelines Establishing Heightened Standards

The proposed Guidelines consist of three parts:

  • Part I provides an introduction to the Guidelines, explains its scope, and defines key terms used throughout the Guidelines.
  • Part II sets forth the minimum standards for the design and implementation of a Bank’s risk governance framework (henceforth referred to as “Framework”).
  • Part III provides the minimum standards for the board of directors’ (henceforth referred to as “Board”) oversight of the Framework.

Part I: Introduction

Under the proposed Guidelines, the OCC would expect a Bank to establish and implement a Framework that manages and controls the Bank’s risk taking. The Guidelines establish the minimum standards for the design and implementation of the Framework and the minimum standards for the Board to use in overseeing the Framework’s design and implementation.

  • If a Bank has a risk profile that is substantially the same as its parent company, the Bank may use its parent company’s risk governance framework to comply with the Guidelines.
  • The Bank would need to develop its own Framework if the parent company’s and Bank’s risk profiles are not substantially the same.

Part II: Standards for the Risk Governance Framework

Part II of the proposed Guidelines sets out minimum standards for the design and implementation of a Bank’s Framework. Under paragraphs A. and B., a Bank should establish and adhere to a formal, written Framework that covers the following risk categories: credit risk, interest rate risk, liquidity risk, price risk, operational risk, compliance risk, strategic risk, and reputation risk.

The Framework should appropriately cover risks to the Bank’s earnings, capital, liquidity, and reputation that arise from all of its activities, including risks associated with third-party relationships. Independent risk management should be responsible for the design of the Framework, and for ensuring it comprehensively covers the Bank’s risks. Independent risk management should also review and update the Framework at least annually, and as often as needed to address changes in the Bank’s risk profile caused by internal or external factors or the evolution of industry risk management practices. The Board or its risk committee would be responsible under this proposal for approving the Framework.

Roles and responsibilities

The Guidelines set out the proposed roles and responsibilities for the organizational units that are fundamental to the design and implementation of the Framework. These units are front line units, independent risk management, and internal audit. They are often referred to as the three lines of defense.

  1. Role and responsibilities of front line units.
    1. organizational unit within the Bank that: (i) Engages in activities designed to generate revenue for the parent company or Bank; (ii) Provides services, such as administration, finance, treasury, legal, or human resources, to the Bank; or (iii) Provides information technology, operations, servicing, processing, or other support to any organizational unit covered by these Guidelines

The design and implementation of the audit plan is an important element of internal audit’s role and responsibilities under the Framework. Internal audit should maintain a complete and current inventory of all of the Bank’s material businesses, product lines, services, and functions and assess the risks associated with each.

This inventory and assessment will form the basis of the audit plan. The audit plan should rate the risk presented by each front line unit, product line, service, and function. This includes activities that the Bank may outsource to a third party.

There are numerous requirements listed in the Guideline that the audit plan must follow. Some are listed below:


For the Framework to be effective, it is critical that independent risk management and internal audit have the stature needed to effectively carry out their respective roles and responsibilities. This stature is generally evidenced by the attitudes and level of support provided by the Board, CEO, and others within the Bank toward these units.

Strategic plan

The proposed Guidelines provide that the CEO should develop a written strategic plan with input from front line units, independent risk management, and internal audit. The Board should evaluate and approve the strategic plan and monitor management’s efforts to implement it at least once a year.

Risk appetite statement

The proposed Guidelines provide that the Bank should have a comprehensive written statement that articulates the Bank’s risk appetite and serves as a basis for the Framework (henceforth referred to as “Statement”). The Statement should include both qualitative components and quantitative limits.

Concentration and front line unit risk limits

The Guidelines provide that the Framework should include concentration risk limits and, as applicable, front line unit risk limits for the relevant risks in each front line unit to verify that these units do not create excessive risks.

Risk appetite review, monitoring, and communication processes

The proposed Guidelines provide that the Framework should require: (i) Review and approval of the Statement by the Board or the Board’s risk committee at least once per year, or more frequently; (ii) Initial communication and ongoing reinforcement of the Bank’s Statement throughout the Bank to confirm that all employees align their risk-taking decisions with the Statement; (iii) Independent risk management to monitor the Bank’s risk profile in relation to its risk appetite and compliance with concentration risk limits and to report such monitoring to the Board or the Board’s risk committee at least quarterly; (iv) Front line units and independent risk management to monitor their respective risk limits and to report to independent risk management once every quarter; and (v) When necessary due to the level and type of risk, independent risk management to monitor front line units’ compliance with front line unit risk limits, and to report any concerns to the CEO and the Board or the Board’s risk committee, at least quarterly.

Part III: Standards for Board of Directors

Part III of the proposed Guidelines sets out the minimum standards for the Bank’s Board in providing oversight to the Framework’s design and implementation.

Ensure an effective risk governance framework. Paragraph A. of Part III of the proposed Guidelines provides that each member of the Board has a duty to oversee the Bank’s compliance with safe and sound banking practices.

Provide active oversight of management. Paragraph B. of Part III of the proposed Guidelines addresses Board oversight of Bank management, and generally provides that the Board should provide a credible challenge to management. Specifically, the Board should actively oversee the Bank’s risk-taking activities and hold management accountable for adhering to the Framework.

Exercise independent judgment. Paragraph C. of Part III of the proposed Guidelines provides that each Board member should exercise sound, independent judgment.

Include independent directors. Paragraph D. of Part III of the proposed Guidelines provides that at least two members of a Bank’s Board should be independent, i.e., they should not be members of the Bank’s or the parent company’s management.

Provide ongoing training to independent directors. Paragraph E. of Part III provides that, so that each member of the Board has the knowledge, skills, and abilities needed to meet the standards set forth in the Guidelines, the Board should establish and adhere to a formal, ongoing training program for independent directors.

Self-assessments. Paragraph F. of Part III of the proposed Guidelines provides that the Bank’s Board should conduct an annual self-assessment that includes an evaluation of the Board’s effectiveness in meeting the standards provided in Part III of the Guidelines.


Newsletter Author: Craig Unterseher

Newsletter Contact Person: Hamish Wynn, Janki A. Shah

Copyright © 2015 Accenture. All rights reserved.
