This is the accessible text file for GAO report number GAO-09-499T 
entitled 'Financial Regulation: Review of Regulators' Oversight of Risk 
Management Systems at a Limited Number of Large, Complex Financial 
Institutions' which was released on March 19, 2009. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 


Before the Subcommittee on Securities, Insurance, and Investments, 
Committee on Banking, Housing, and Urban Affairs, U.S. Senate: 

United States Government Accountability Office: 

For Release on Delivery: 
Expected at 2:30 p.m. EDT:
Wednesday, March 18, 2009: 

Financial Regulation: 

Review of Regulators' Oversight of Risk Management Systems at a Limited 
Number of Large, Complex Financial Institutions: 

Statement of Orice M. Williams, Director: 
Financial Markets and Community Investment: 


GAO Highlights: 

Highlights of GAO-09-499T, a testimony to the Subcommittee on 
Securities, Insurance and Investments, Committee on Banking, Housing, 
and Urban Affairs, U.S. Senate. 

Why GAO Did This Study: 

Financial regulators have an important role in assessing risk 
management systems at financial institutions. Analyses have identified 
inadequate risk management at large, complex financial institutions as 
one of the causes of the current financial crisis. The failure of the 
institutions to appropriately identify, measure, and manage their risks 
has raised questions not only about corporate governance but also about 
the adequacy of regulatory oversight of risk management systems. 

GAO’s objectives were to review (1) how regulators oversee risk 
management at these institutions, (2) the extent to which regulators 
identified shortcomings in risk management at certain institutions 
prior to the summer of 2007, and (3) how some aspects of the regulatory 
system may have contributed to or hindered the oversight of risk 
management. GAO built upon its existing body of work, evaluated the 
examination guidance used by examiners at U.S. banking and securities 
regulators, and reviewed examination reports and work papers from 2006-
2008 for a selected sample of large institutions, and horizontal exams 
that included additional institutions. 

In January 2009, GAO designated the need to modernize the financial 
regulatory system as a high risk area needing congressional attention. 
Regulatory oversight of risk management at large financial 
institutions, particularly at the holding company level, should be 
considered part of that effort. 

What GAO Found: 

The banking and securities regulators use a variety of tools to 
identify areas of risk and assess how large, complex financial 
institutions manage their risks. The banking regulators--Federal 
Reserve, Office of the Comptroller of the Currency (OCC), and the 
Office of Thrift Supervision (OTS)--and securities regulators--Securities 
and Exchange Commission (SEC) and the Financial Industry Regulatory 
Authority (FINRA)--use somewhat different approaches to oversee risk 
management practices. Banking examiners are assigned to continuously 
monitor a single institution, where they engage in targeted and 
horizontal examinations and assess risks and the quality of 
institutions’ risk management systems. SEC and FINRA identify areas of 
high risk by aggregating information from examiners and officials on 
areas of concern across broker-dealers and by monitoring institutions. 
SEC and FINRA conduct discrete targeted and horizontal examinations. 
The banking regulators focused on safety and soundness, while SEC and 
FINRA tended to focus on compliance with securities rules and laws. All 
regulators have specific tools for effecting change when they identify 
weaknesses in risk management at institutions they oversee. 

In the examination materials GAO reviewed for a limited number of 
institutions, GAO found that regulators had identified numerous 
weaknesses in the institutions’ risk management systems before the 
financial crisis began. For example, regulators identified inadequate 
oversight of institutions’ risks by senior management. However, the 
regulators said that they did not take forceful actions to address 
these weaknesses, such as changing their assessments, until the crisis 
occurred because the institutions had strong financial positions and 
senior management had presented the regulators with plans for change. 
Regulators also identified weaknesses in models used to measure and 
manage risk but may not have taken action to resolve these weaknesses. 
Finally, regulators identified numerous stress testing weaknesses at 
several large institutions, but GAO’s limited review did not identify 
any instances in which weaknesses prompted regulators to take 
aggressive steps to push institutions to better understand and manage 

Some aspects of the regulatory system may have hindered regulators’ 
oversight of risk management. First, no regulator systematically looks 
across institutions to identify factors that could affect the overall 
financial system. While regulators periodically conducted horizontal 
examinations on stress testing, credit risk practices, and risk 
management for securitized mortgage products, they did not consistently 
use the results to identify potential systemic risks. Second, primary 
bank and functional regulators oversee risk management at the level of 
the legal entity within a holding company while large entities manage 
risk on an enterprisewide basis or by business lines that cut across 
legal entities. As a result, these regulators may have only a limited 
view of institutions’ risk management or their responsibilities and 
activities may overlap with those of holding company regulators. 

View [hyperlink,] or key 
components. For more information, contact Orice Williams at (202) 512-
8678 or 

[End of section] 

Mr. Chairman and Members of the Subcommittee: 

I appreciate the opportunity to participate in today's hearing on 
regulators' oversight of risk management at large, complex financial 
institutions. As you know, financial regulators have a role in 
assessing the risk management systems at the financial institutions 
they supervise. This oversight is a responsibility of both federal 
regulatory agencies, including the Federal Reserve System (Federal 
Reserve), the Office of the Comptroller of the Currency (OCC), the 
Office of Thrift Supervision (OTS), and the Securities and Exchange 
Commission (SEC), and of self-regulatory organizations, such as the 
Financial Industry Regulatory Authority (FINRA). Several significant 
analyses of the current financial crisis, which has threatened the 
stability of the financial system and led to the insolvency of some 
large U.S. financial institutions, have identified inadequate risk 
management at large financial institutions as one of the causes of the 
crisis.[Footnote 1] Major institutions across the financial sector-- 
Lehman Brothers, Washington Mutual, and Wachovia--have failed or been 
rescued at the last moment by mergers and acquisitions, and the factors 
that led to these failures such as poor underwriting standards for 
mortgages and a lack of understanding of the risks posed by some 
structured products, as well as the failures themselves, have led to 
instability of the financial system in the United States. The failures 
of these institutions to appropriately identify, measure, and manage 
their risks have raised serious questions about the adequacy of the 
regulators' oversight of risk management. Moreover, these failures 
raise a number of questions about what lessons can be learned from the 
current crisis that should be considered as Congress and the 
Administration begin to rethink the current financial regulatory 

My statement today focuses on our review of regulators' oversight of 
risk management systems at a limited number of large, complex financial 
institutions (initiated at the request of Chairman Reed) as well as our 
past work on the federal regulatory system. Specifically, I will 
discuss (1) how regulators oversee risk management at large financial 
institutions, (2) the extent to which regulators identified 
shortcomings in risk management at selected institutions prior to the 
beginning of the financial crisis in the summer of 2007, and (3) how 
some aspects of the regulatory system may have contributed to or 
hindered the oversight of risk management. 

To prepare for this testimony, we built upon our existing body of work 
on regulatory oversight of risk management.[Footnote 2] We evaluated 
the examination guidance used by examiners at the Federal Reserve, OCC, 
OTS, and SEC. We also conducted a literature review to identify good 
risk management practices. We identified and used as criteria The 
Committee of Sponsoring Organizations of the Treadway Commission's 
(COSO) Enterprisewide Risk Management--Integrated Framework and several 
analyses of risk management as they relate to the current financial 
crisis including the Institute of International Finance's (IIF) Final 
Report of the IIF Committee on Market Best Practices: Principles of 
Conduct and Best Practice Recommendations and the Senior Supervisor 
Group's Observations on Risk Management Practices During Recent 
Turbulent Times. Finally, for the period 2006-2008, we reviewed the 
authorities under which the regulators exercise oversight of risk 
management, examination reports, and workpapers supporting these 
reports for a small number of large financial institutions that we 
selected. The results cannot be projected to the universe of large 
complex institutions but rather provide examples of risk management 
oversight at the selected institutions. In this regard, I note that the 
statutory authority providing for GAO audits of the federal bank 
regulators generally prohibits GAO from disclosing regulatory nonpublic 
information identifying an open bank. Therefore, we will not disclose 
the banking institutions included in our study or detailed information 
obtained from the examinations or interviews with the examination 

We conducted this work from December 2008 to March 2009 in accordance 
with generally accepted government auditing standards. Those standards 
require that we plan and perform the audit to obtain sufficient 
evidence to provide a reasonable basis for our findings and conclusions 
based on our audit objectives. We believe that the evidence obtained 
provides a reasonable basis for our findings and conclusions based on 
our audit objectives. 

In Summary: 

The Federal Reserve, OCC, OTS, and SEC maintain continuous contact with 
large, complex institutions, using a risk-based examination approach 
that aims to identify areas of risk and assess these institutions' risk 
management systems, but the approaches of banking and securities 
regulators vary somewhat across regulators. The banking regulators 
(Federal Reserve, OCC, and OTS) use a combination of supervisory 
activities, including informal tools and examination-related activities 
to assess the quality of risk management. For example, bank examiners 
review the activities, products, and services that an institution 
engages in to identify risks and then through continuous monitoring and 
targeted examinations assess how the institution manages those risks. 
Banking examiners use the information they gather to assign a rating 
that, among other things, includes an assessment of the quality of the 
institutions' risk management systems including its governance and 
policies. The Federal Reserve and OCC have detailed risk assessment 
frameworks or processes. Both OCC and the Federal Reserve conduct a 
number of targeted examinations. SEC's and FINRA's risk management 
assessment of broker-dealers primarily relies on discrete targeted 
examinations to determine whether institutions are in compliance with 
regulatory rules and securities laws. Generally, all the regulators 
look at risk management at the institutional level, but they also 
perform horizontal examinations--coordinated supervisory reviews of a 
specific activity, business line, or risk management practice across a 
group of peer institutions. When bank regulators identify weaknesses in 
risk management at an institution, they have a number of informal and 
formal supervisory tools they can use for enforcement and to effect 
change.[Footnote 3] Similarly, SEC and FINRA have specific tools for 
effecting risk management improvements that are used when institutions 
are not in compliance with specific rules or regulations. 

In the examination materials we reviewed, we found that regulators had 
identified numerous weaknesses in the institutions' risk management 
systems prior to the beginning of the financial crisis; however, 
regulators did not effectively address the weaknesses or in some cases 
fully appreciate their magnitude until the institutions were stressed. 
For example, 

* Some regulators found that institutions' senior management oversight 
of risk management systems had significant shortcomings, such as a lack 
of a comprehensive means to review enterprisewide risks, yet some 
regulators gave the institutions satisfactory assessments until the 
financial crisis occurred. 

* Regulators identified other risk management weaknesses, such as the 
testing and validation of models used to assess and monitor risk 
exposures and price complex instruments. For example, some regulators 
found that institutions had not tested the assumptions in models used 
to evaluate risks--such as the likelihood of a borrower to default-- 
but, for at least one institution, examiners did not prohibit the 
institutions from using untested models nor did they change their 
overall assessment of the institutions' risk management program based 
on these findings. 

* In a 2006 review, the Federal Reserve found that none of the large, 
complex banking institutions it reviewed had an integrated stress 
testing program that incorporated all major financial risks 
enterprisewide, nor did they test for scenarios that would render them 

In these instances, regulators told us that they did not fully 
appreciate the risks to the institutions under review or the 
implications of the identified weaknesses for the stability of the 
overall financial system. One regulator told us it was difficult to 
identify all risk management weaknesses until these systems became 
stressed by the financial crisis. 

Some aspects of the regulatory system may have hindered regulators' 
oversight of risk management. One is that no regulator systematically 
and effectively looks across all large, complex financial institutions 
to identify factors that could have a destabilizing effect on the 
overall financial system. As a result, both banking and securities 
regulators continue to assess risk management primarily on an 
individual institutional level. Even when regulators perform horizontal 
examinations across institutions in areas such as stress testing, 
credit risk practices, and the risks of structured mortgage products, 
they do not consistently use the results to identify potential systemic 
risks. In addition, in 2005, when the Federal Reserve implemented an 
internal process to evaluate financial stability issues related to 
certain large financial institutions, it did not consider risks on an 
integrated basis and, with hindsight, we note that it did not identify 
in a timely manner the severity of the risks that ultimately led to the 
failure or near failure of some of these institutions and created 
severe instability in the overall financial system. Another aspect of 
the regulatory system that hinders regulators' oversight of risk 
management, by creating areas of overlap or limiting their view of risk 
management, comes from primary bank and functional regulators--such as 
the regulator of a broker-dealer--overseeing risk management at the 
level of a legal entity within a holding company that owns a number of 
subsidiary entities. While these regulators focus on depositories or 
broker-dealers, large financial institutions manage risks on an 
enterprisewide basis or by business lines that cut across legal 
entities. To the extent that a primary bank or functional regulator 
concentrates on the risks of a legal entity within an enterprise, the 
regulator will have a limited view of how the enterprise as a whole 
manages risk. On the other hand, if the regulator reviews risks outside 
the legal entity, it may be duplicating the oversight activities of 
other regulators, including the holding company regulator. Finally, when 
a financial institution manages risks such as market risk across the 
depository and broker-dealer, the primary bank and broker-dealer 
regulators may be performing duplicative oversight of certain functions 
as well. 


Financial institutions need systems to identify, assess, and manage 
risks to their operations from internal and external sources. These 
risk management systems are critical to responding to rapid and 
unanticipated changes in financial markets. Risk management depends, in 
part, on an effective corporate governance system that addresses risk 
across the institution and also within specific areas of risk, 
including credit, market, liquidity, operational, and legal risk. 
[Footnote 4] The board of directors, senior management (and its 
designated risk-monitoring unit), the audit committee, internal 
auditors, external auditors, and others have important roles to 
play in an effectively operating risk-management system. The different 
roles that each of these groups play represent critical checks and 
balances in the overall risk-management system. 

Since 1991, the Congress has passed several laws that emphasize the 
importance of internal controls including risk management at financial 
institutions and the Committee of Sponsoring Organizations of the 
Treadway Commission (COSO) has issued guidance that management of 
financial institutions could use to assess and evaluate its internal 
controls and enterprisewide risk management. 

* Following the savings and loan crisis in the 1980s, the Federal 
Deposit Insurance Corporation Improvement Act of 1991 (FDICIA) 
strengthened corporate governance in large U.S. banks and thrifts. 
FDICIA required management to annually assess its system of internal 
control over financial reporting and the external auditors to attest to 
management's assertions. The corporate governance model established 
under FDICIA emphasized strong internal control systems, proactive 
boards of directors, and independent, knowledgeable audit committees. 

* In 1992, with a subsequent revision in 1994, COSO issued its 
Internal Control - Integrated Framework. The COSO Framework set out 
criteria for establishing key elements of corporate governance, 
especially the "tone at the top." The framework also set forth the five 
components of an effective system of internal control: control 
environment, risk assessment, control activities, information and 
communication, and monitoring. 

* With the failures of Enron and WorldCom, Congress passed the Sarbanes-
Oxley Act of 2002 (SOX) which required managements of public companies 
to assess their systems of internal control with external auditor 
attestations, though the implementation for smaller public companies 
has been gradual and is not yet complete. Under section 404 of SOX, the 
SEC required that management identify what framework it used to assess 
the system of internal control over financial reporting. Though it did 
not mandate any particular framework, the SEC recognized that the COSO 
Framework satisfied the SEC's own criteria and allowed its use as an 
evaluation framework. 

* In 2004, COSO issued Enterprise Risk Management - Integrated 
Framework (ERM Framework), though it is not a binding framework for any 
particular entity or industry. The ERM Framework, which encompasses the 
previous internal control framework, establishes best practices and 
expands the criteria and tools that management can use to assess 
whether it has an effective risk management system. The framework 
encourages the board of directors and senior management, in their 
corporate governance roles, to set the risk appetite of the entity, 
which is the amount of risk the entity is willing to accept in its 
overall strategy. Management further sets risk objectives to achieve 
the entity's goals and sets risk tolerances to ensure that the risk 
appetite is not exceeded. 

Regulators also have a role in assessing risk management at financial 
institutions. In particular, oversight of risk management at large 
financial institutions is divided among a number of regulatory 
agencies. The Federal Reserve oversees risk management at bank holding 
companies and state member banks that are members of the Federal 
Reserve System; OTS oversees thrift holding companies and thrifts; SEC 
and FINRA oversee risk management at SEC-registered U.S. broker- 
dealers; and OCC oversees risk management at national banks. 

The Federal Reserve and OTS have long had authority to supervise 
holding companies. The Federal Reserve's authority is set forth 
primarily in the Bank Holding Company Act of 1956, which contains the 
supervisory framework for holding companies that control commercial 
banks. OTS's supervisory authority over thrift holding companies is set 
forth in the Home Owners Loan Act. In the Gramm-Leach-Bliley Act of 
1999 (GLBA), Congress expanded the range of permissible holding company 
activities and affiliations and also set forth restrictions and 
guidance on how those companies should be supervised. However, Congress 
did not clearly express the aims of holding company supervision. GLBA 
authorizes the Federal Reserve and OTS to examine the holding company 
and each subsidiary in order to: (a) inform the regulator of "the 
nature of the operations and financial condition" of the holding 
company and its subsidiaries; and (b) inform the regulator of the 
financial and operational risks within the holding company system that 
may threaten the safety and soundness of the holding company's bank 
subsidiaries and the systems for monitoring and controlling such risks; 
and (c) monitor compliance with applicable federal laws. On the other 
hand, GLBA specifies that the focus and scope of examinations of 
holding companies and any of their subsidiaries shall "to the fullest 
extent possible" be limited to the holding company and "any subsidiary 
that could have a materially adverse effect on the safety and soundness 
of a depository institution subsidiary" due to the size, condition or 
activities of the nonbank subsidiary or the nature or size of 
transactions between that subsidiary and the banking subsidiary. In our 
work over the years, we have encountered a range of perspectives on the 
focus of holding company examinations, some of which emphasize the 
health of the depository institution as the primary examination focus 
and some of which look more expansively to the holding company 
enterprise under certain conditions. 

In addition to the provisions generally applicable to holding company 
supervision, GLBA also limits the circumstances under which both 
holding company regulators and depository institution regulators may 
examine functionally regulated subsidiaries of bank holding companies, 
such as broker-dealers. Gramm-Leach-Bliley permits holding company 
regulators to examine functionally regulated subsidiaries only under 
certain conditions, such as where the regulator has reasonable cause to 
believe that the subsidiary is engaged in activities that pose a 
material risk to an affiliated bank or that an examination is necessary 
to obtain information on financial and operational risks within the 
holding company system that may threaten an affiliated bank's safety 
and soundness. The examination authority of depository institution 
regulators permits the examination of bank affiliates to disclose fully 
an affiliate's relations with the bank and the effect of those 
relations on the bank. However, with respect to functionally regulated 
affiliates of depository institutions, Gramm-Leach-Bliley imposes the 
same restraint on the use of examination authority that applies to OTS 
and the Federal Reserve with respect to holding companies. That is, 
Gramm-Leach-Bliley instructs that bank and holding company supervisors 
generally are to limit the focus of their examinations of functionally 
regulated affiliates and, to the extent possible, are to rely on the 
work of primary bank and functional regulators that supervise holding 
company subsidiaries. An example of this situation would be where a 
holding company has a national bank or thrift subsidiary and a broker- 
dealer subsidiary. Under GLBA, the holding company regulator is to rely 
"to the fullest extent possible" on the work of primary bank and 
functional regulators for information on the respective entities. Also 
under GLBA, bank supervisors are similarly limited with respect to 
affiliates of the institutions they supervise. 

SEC's authority to examine U.S. broker-dealers is set forth in the 
Securities and Exchange Act of 1934. Under the 1934 act, SEC's 
examination authority over broker-dealers does not permit SEC to 
require examination reports on affiliated depository institutions, and 
if SEC seeks non-routine information about a broker-dealer affiliate 
that is subject to examination by a bank regulator, SEC must notify and 
generally must consult with the regulator regarding the information 
sought. Oversight of U.S. broker-dealers is performed by SEC's Division 
of Trading and Markets (Trading and Markets) and Office of Compliance, 
Inspections, and Examinations (OCIE). In addition, SEC delegates some 
of its authority to oversee U.S. broker-dealers to FINRA, a self- 
regulatory organization that was established in 2007 through the 
consolidation of NASD and the member regulation, enforcement and 
arbitration functions of the New York Stock Exchange. 

Under the alternative net capital rule for broker-dealers, from 2005 to 
2008, SEC conducted a voluntary consolidated supervised entity (CSE) 
program under which five investment bank holding companies voluntarily 
consented to having SEC oversee them on a consolidated basis.[Footnote 
5] Today, no institutions are subject to SEC oversight at the 
consolidated level, but several broker-dealers within bank holding 
companies are still subject to the alternative net capital rule on a 
voluntary basis.[Footnote 6] 

Regulators Identify Areas of Risk and Examine Risk Management Systems, 
but Their Specific Approaches Vary: 

The Federal Reserve, FINRA, OCC, OTS, and SEC each identify areas of 
risk relating to the large, complex financial institutions they oversee 
and examine risk management systems at regulated institutions. However, 
the banking and securities regulators take different approaches. The 
banking regulators (Federal Reserve, OCC, and OTS) use a combination of 
supervisory activities, including informal tools and examination- 
related activities to assess the quality of institutional risk 
management systems and assign each institution an annual rating. SEC 
and FINRA aggregate information from officials and staff of the 
supervised institutions throughout the year to identify areas of 
concern across all broker-dealers. For those broker-dealers covered by 
the alternative net capital rule, SEC and FINRA emphasize compliance 
with that rule during target examinations. Under the CSE program, SEC 
continuously supervised and monitored the institutions in the program. 

Banking Regulators Use a Number of Supervisory Activities for Assessing 
Risk Management at Large, Complex Institutions: 

Banking regulators carry out a number of supervisory activities in 
overseeing risk management of large, complex financial institutions. To 
conduct on-site continuous supervision, banking regulators often 
station examiners at specific institutions. This practice allows 
examiners to continuously analyze information provided by the financial 
institution, such as board meeting minutes, institution risk reports or 
management information system reports, and, for holding company 
supervisors, supervisory reports provided to other regulators, among 
other things. This type of supervision allows for timely adjustments to 
the supervisory strategy of the examiners as conditions change within 
the institution. Bank examiners do not conduct a single annual full- 
scope examination of the institution. Rather, they conduct ongoing 
examinations that target specific areas at the institutions (target 
examinations) and annually issue an overall rating on the quality of 
risk management.[Footnote 7] 

Each regulator had a process to assess risk management systems. While 
each included certain core components, such as developing a supervisory 
plan and monitoring, the approach used and level of detail varied. 

* The Federal Reserve's guidance consisted of a detailed risk 
assessment program that included an analytic framework for developing a 
risk management rating for holding companies. Unlike most bank 
regulatory examination guidance, this guidance is not yet publicly 
available. According to Federal Reserve officials, the primary purpose 
of the framework is to help ensure a consistent regulatory approach for 
assessing inherent risk and risk management practices of large 
financial institutions (the holding company) and make informed 
supervisory assessments. The Federal Reserve program for large complex 
banking organizations is based on a "continuous supervision" model that 
assigns a dedicated team to each institution. Those teams are 
responsible for completing risk assessments, supervisory plans, and 
annual assessments. The risk assessment includes an evaluation of 
inherent risk (credit, market, operational, liquidity, and legal and 
compliance) and related risk management and internal controls. The risk 
assessment is often the starting point for the supervisory plan as well 
as a supporting document for the annual assessment. 

The annual assessment requires the dedicated team to evaluate and rate 
the firm's risk management, its financial condition, and the potential 
impact of its non-depository operations on the depository institution. 
To apply the risk or "R" rating, the examiner must consider (1) board 
of director and senior management oversight; (2) policies, procedures, 
and limits; (3) risk monitoring and management information system; and 
(4) internal controls for each of the risk areas.[Footnote 8] The 
examiners then provide an overall "R" rating for the institution. 

* OCC's onsite examiners assess the risks and risk management functions 
at large national banks using a detailed approach that is similar to 
that used by the Federal Reserve's examiners. The core assessment is 
OCC's primary assessment tool at the institutional level. According to 
OCC's guidance, its examiners are required to assess the quality, 
quantity, and overall direction of risks in nine categories (strategic, 
reputation, credit, interest rate, liquidity, price, foreign currency 
translation, transaction, and compliance). To determine the quality of 
risk management, OCC examiners assess policies, processes, personnel, 
and control systems in each category. This risk assessment is included 
in the examination report that is sent to the bank's board of 
directors. OCC also provides a rating based on the bank's capital, 
asset quality, management, earnings, liquidity, and sensitivity to 
market risk (the CAMELS rating), all of which can be impacted by the 
quality of a risk management system. OCC's supervisory strategy or plan 
for targeted examinations is developed from this Risk Assessment 
System.[Footnote 9] Examiners can change a bank's ratings at any time 
if the bank's conditions warrant that change. Targeted examinations are 
a key component of OCC's oversight. Based on the materials we reviewed 
covering the last 2 years, OCC conducted 23 targeted examinations in 
2007 and 45 in 2008 at a large national bank. These examinations 
focused on specific areas of risk management, such as governance, 
credit, and compliance. 

* Recently revised OTS guidance requires its examiners to review large 
and complex holding companies to determine whether they have a 
comprehensive system to measure, monitor, and manage risk 
concentrations, determine the major risk-taking entities within the 
overall institution, and evaluate the control mechanisms in place to 
establish and monitor risk limits. OTS's recently revised guidance on 
assessing risk management includes a risk management rating framework 
that is similar to the Federal Reserve's. It includes the same risk 
management rating subcomponents--governance/board and senior management 
oversight; policies, procedures, and limits; risk monitoring and 
management information systems, and internal controls--and criteria 
that the Federal Reserve applies to bank holding companies. However, 
OTS considers additional risk areas, such as concentration or systemic 
risk. Starting in 2007, OTS used a risk matrix to document the level of 
13 inherent risks by business unit. The matrix also includes an 
assessment of each unit's risk mitigation or risk management 
activities, including internal controls, risk monitoring systems, 
policies/procedures/limits, and governance. OTS began using the risk 
matrix to develop its supervisory plan. Based on our review of 
examination materials, OTS conducted targeted examinations on risk 
management in such areas as consumer lending and mortgage-backed 

In the last few years, the banking regulators have also conducted 
examinations that covered several large complex financial institutions 
on specific issues such as risk management (horizontal examinations). 
According to the Federal Reserve, horizontal examinations focus on a 
single area or issue and are designed to (1) identify the range of 
practices in use in the industry, (2) evaluate the safety and soundness 
of specific activities across business lines or across systemically 
important institutions, (3) provide better insight into the Federal 
Reserve's understanding of how a firm's operations compare with a range 
of industry practices, and (4) consider revisions to the formulation of 
supervisory policy. During the period of our review, the Federal 
Reserve completed several horizontal examinations on large, complex 
banking organizations, including stress testing and collateral 
management. According to Federal Reserve officials, examiners generally 
provide institutions with feedback that tells them generally how they 
are doing relative to their peers, and if any serious weaknesses were 
identified, these would be conveyed as well. With the Federal Reserve, 
OCC conducted a horizontal examination on advanced credit risk 
practices and OTS conducted a review across institutions for 
nontraditional mortgages and used the findings to issue supplemental 
guidance. According to an OCC official, the regulator uses the findings 
in horizontal reviews as a supervisory tool and to require corrective 
actions, as well as a means to discover information on bank practices 
to issue supplemental guidance. 

Securities Regulators' Approaches to Assessing Risk Management Revolve 
around Regularly Scheduled Targeted Examinations: 

SEC and FINRA generally assess risk management systems of large broker- 
dealers using discrete, but risk-focused examinations. The focus of SEC 
and FINRA oversight is on compliance with their rules and the 
Securities and Exchange Act of 1934. Although SEC and FINRA are in 
continuous contact with large, complex institutions, neither SEC nor 
FINRA staff conduct continuous onsite monitoring of broker-dealers that 
involves an assessment of risks. FINRA's coordinator program is 
continuous supervision, albeit not on site. According to SEC and FINRA, 
however, they receive financial and risk area information on a regular 
basis from the largest firms and those of financial concern through the 
OCIE compliance monitoring program, the FINRA capital alert program, 
and regular meetings with the firms. To identify risks, they aggregate 
information from their officials and staff throughout the year to 
identify areas that may require special attention across all broker- 
dealers. SEC and FINRA conduct regularly scheduled target examinations 
that focus on the risk areas identified in their risk assessment and on 
compliance with relevant capital rules and customer protection rules. 
SEC's internal controls risk management examinations, which started in 
1995, cover the top 15 wholesale and top 15 retail broker-dealers as 
well as a number of mid-sized broker-dealers with a large number of 
customer accounts. At the largest institutions, SEC conducts 
examinations every three years, while FINRA conducts annual 
examinations of all broker-dealers. According to Trading and Markets, 
the CSE program was modeled on the Federal Reserve's holding company 
supervision program, but continuous supervision was usually conducted 
off site by a small number of examiners; SEC did not rate risk 
management systems or use detailed risk assessment processes to 
determine areas of highest risk. During the CSE program, Trading and 
Markets staff concentrated their efforts on market and liquidity risks 
because the alternative net capital rule focused on these risks and on 
operational risk because of the need to protect investors. According to 
OCIE, their examiners focused on market, credit, operational, legal and 
compliance risks, as well as senior management, internal audit and new 
products. Because only five investment banks were subject to 
consolidated supervision by SEC, SEC staff believed the agency did not need to 
develop an overall supervisory strategy or written plans for individual 
institutions it supervised; however, OCIE drafted detailed scope 
memorandums for their target examinations. While no institutions are 
subject to consolidated supervision by SEC at this time, a number of 
broker-dealers are subject to the alternative net capital rule. 

SEC and FINRA conduct horizontal or "sweep" examinations and, for 
example, have completed one for subprime mortgages. OCIE officials said 
that OCIE had increased the number of these types of examinations since 
the current financial crisis began. Under the consolidated supervised 
entity program, Trading and Markets conducted several horizontal 
examinations aimed at discovering the range of industry practice in 
areas such as leveraged lending. 

Banking Regulators Have a Variety of Tools to Address Risk Management 

The banking regulators have developed guidance on how they should 
communicate their examination findings to help ensure that financial 
institutions take corrective actions. Bank regulators generally issue 
findings or cite weaknesses in supervisory letters or an annual 
examination report addressed to senior management of the financial 
institution. However, regulators also meet with institution management 
to address identified risk management weaknesses. Examples include: 

* After a target examination, the Federal Reserve, OCC, and OTS each 
prepare supervisory letters or reports of examination identifying 
weaknesses that financial institutions are expected to address in a 
timely manner. In addition to issues or findings, the Federal Reserve 
and OCC supervisory letters provided a specific timeframe for the 
institution to send a written response to the bank regulator 
articulating how the institution planned to address the findings. In 
these instances, for the files we reviewed, the institutions complied 
with the timeframes noted in the supervisory letter. These letters may 
be addressed to the board of directors or the CEO or as we found, the 
senior managers responsible for the program. For example, a Federal 
Reserve Bank addressed a recent targeted examination on a holding 
company's internal audit function to the chief auditor of the holding 
company. Similarly, OCC addressed an examination of advanced risk 
management processes to a bank's chief credit officer. OTS also 
addressed some reports of target examinations to senior managers 
responsible for specific programs. 

* In its supervisory letters, OCC sometimes identifies "Matters 
Requiring Attention," which instruct the bank to explain how it will 
address the matter in a timely manner. In its supervisory guidance, 
matters requiring attention include practices that deviate from sound 
governance, internal control and risk management principles that may 
adversely impact the bank's earnings or capital, risk profile, or 
reputation if not addressed.[Footnote 10] According to its guidance, 
OCC tracks matters requiring attention until they are resolved and 
maintains a record when these matters are resolved and closed out. OCC 
also includes recommendations in its supervisory letters to national 
banks; these are suggestions on how a bank can operate a specific 
program or business line more effectively. 

* After the beginning of the financial crisis, the Federal Reserve 
issued revised examination guidance in July 2008 that established three 
types of findings: matters requiring immediate attention, matters 
requiring attention, and observations. Previously, each of the 
individual Federal Reserve Banks had its own approach to defining 
findings. Matters requiring attention and observations are similar to 
related practices followed by OCC. For matters requiring immediate 
attention, the matter is considered more urgent. According to their 
guidance, matters requiring immediate attention encompass the highest 
priority concerns and include matters that have the potential to pose 
significant risk to the organization's safety and soundness or that 
represent significant instances of noncompliance with laws and 

* OTS examiners may list recommendations in the report, findings, and 
conclusions, but in the materials we reviewed examiners did not report 
these in a standard way. While members of the Board of Directors are 
required to sign the report of annual examination indicating that they 
have read the report, they are not required to submit a written 
response. The OTS Handbook Section 060 Examination Administration 
provides guidance on the use of "matters requiring board attention" or 
other lesser supervisory corrective actions that should be addressed in 
the examination correspondence. According to OTS, matters requiring 
board attention and corrective actions are also tracked in its 
regulatory action system for follow up. 

* For 2008, we reviewed one regulator's tracking report of matters 
requiring attention at one institution and found that only a small 
number of the 64 matters requiring attention relating to risk 
management and internal controls had been closed out or considered 
addressed by the end of January 2009. The examiners explained that some 
matters, such as institutions making adjustments to their technology 
framework can be time consuming. Another regulator told us that it does 
not track when institutions have implemented remedial actions. 

* Because the banking regulators are generally on site and continuously 
monitoring large, complex institutions, examiners told us that a 
significant part of their efforts to improve risk management systems 
were undertaken through regularly scheduled meetings with senior 
management. According to Federal Reserve and OCC officials, these 
meetings allow opportunities for examiners to follow up with management 
concerning actions that they expect the financial institutions to 
implement. A Federal Reserve examiner explained that several meetings 
were held with officials at a holding company concerning an internal 
control matter in order to help ensure that the institution was 
addressing the issue. For its complex and international organizations 
program, OTS directs its examiners to use regular meetings with senior 
management and periodic meetings with boards of directors and any 
relevant committees to effect change. OTS guidance indicates that 
examiners' regular meetings with senior management are designed to 
communicate and address any changes in risk profile and corrective 
actions. OTS also views annual meetings with the Board of Directors as 
a forum for discussing significant findings and management's approach 
for addressing them. 

In addition to these tools, bank regulators' approval authorities 
related to mergers and acquisitions could be used to persuade 
institutions to address risk management weaknesses. For example, the 
Federal Reserve, OCC, and OTS are required to consider risk management 
when they approve bank or thrift acquisitions or mergers and could use 
identified weaknesses in this area to deny approvals. In addition, bank 
regulators have to approve the acquisition of bank charters and must 
assess management's ability to manage the bank or thrift charter being 

SEC's Oversight Tools Are Aimed at Addressing Violations: 

If SEC's OCIE or FINRA examiners discover a violation of SEC or FINRA 
rules, the institution is required to resolve the deficiency in a 
timely manner. OCIE developed guidance on deficiency letters for 
examinations. According to SEC and FINRA staff, because SEC or FINRA 
rules do not contain specific requirements for internal controls, 
problems with internal controls generally are not cited as 
deficiencies. However, weaknesses in internal controls can rise to such 
a level as to violate other FINRA rules, such as supervision rules. 
Deficiencies and weaknesses are followed up on in subsequent 
examinations. OCIE's compliance audits require institutions to correct 
deficiencies and address weaknesses. OCIE staff told us that if the 
institutions do not address deficiencies in a timely manner, they may 
be forwarded to the enforcement division. For example, OCIE staff was 
able to discuss limit violations with one firm and required the firm to 
change their risk limit system to significantly reduce their limit 
violations--indicating senior management was taking steps to better 
oversee and manage their risks. Under the consolidated supervised 
entity program, SEC's Trading and Markets relied on discussions with 
management to effect change. For example, Trading and Markets staff told 
us that they had discussions with senior management that led to changes 
in personnel. 

Regulators Identified Weaknesses in Risk Management Systems before the 
Crisis but Did Not Fully Recognize the Threats They Posed: 

In the years leading up to the financial crisis, some regulators 
identified weaknesses in the risk management systems of large, complex 
financial institutions. Regulators told us that despite these 
identified weaknesses, they did not take forceful action--such as 
changing their assessments--until the crisis occurred because the 
institutions reported a strong financial position and senior management 
had presented the regulators with plans for change. Moreover, 
regulators acknowledged that in some cases they had not fully 
appreciated the extent of these weaknesses until the financial crisis 
occurred and risk management systems were tested by events. Regulators 
also acknowledged they had relied heavily on management representations 
of risks. 

Some Regulators Identified Weaknesses in Risk Management Systems in a 
Limited Number of Institutions but Did Not Take Forceful Actions to 
Address Them until the Crisis Began: 

In several instances, regulators identified shortcomings in 
institutions' oversight of risk management at the limited number of 
large, complex institutions we reviewed but did not change their 
overall assessments of the institutions until the crisis began in the 
summer of 2007.[Footnote 11] For example, before the crisis one 
regulator found significant weaknesses in an institution's 
enterprisewide risk management system stemming from a lack of oversight 
by senior management. In 2006, the regulator notified the institution's 
board of directors that the 2005 examination had concluded that the 
board and senior management had failed to adequately oversee financial 
reporting, risk appetite, and internal audit functions. The regulator 
made several recommendations to the board to address these weaknesses. 
We found that the regulator continued to find some of the same 
weaknesses in subsequent examination reports, yet examiners did not 
take forceful action to require the institution to address these 
shortcomings until the liquidity crisis occurred and the severity of 
the risk management weaknesses became apparent. When asked about the 
regulator's assessment of the holding company in general and risk 
management in particular given the identified weaknesses, examiners 
told us that they had concluded that the institution's conditions were 
adequate, in part, because it was deemed to have sufficient capital and 
the ability to raise more. Moreover, the examiners said that senior 
management had presented them with plans to address the risk management 

In another example, other regulators found weaknesses related to an 
institution's oversight of risk management before the crisis. One 
regulator issued a letter to the institution's senior management in 
2005 requiring that the institution respond, within a specified time 
period, to weaknesses uncovered in an examination. The weaknesses 
included the following: 

* The lack of an enterprisewide framework for overseeing risk, as 
specified in the COSO framework. The institution assessed risks (such 
as market or credit risks) on an individual operating unit basis, and 
was not able to effectively assess risks institutionwide. 

* A lack of common definitions of risk types and of corporate policy 
for approving new products, which could ensure that management had 
reviewed and understood any potential risks. 

* An institutional tendency to give earnings and profitability growth 
precedence over risk management. 

In addition, the regulator recommended that senior management 
restructure the institution's risk management system to develop 
corporate standards for assessing risk. However, the regulator's 
assessment of the institution's risk management remained satisfactory 
during this period because senior management reported that they planned 
to address these weaknesses and, according to examiners, appeared to be 
doing so. Moreover, the examiners believed that senior management could 
address these weaknesses in the prevailing business environment of 
strong earnings and adequate liquidity. After earnings and liquidity 
declined during the financial crisis that began in 2007, the examiners 
changed their assessment, citing many of the same shortcomings in risk 
management that they had identified in 2005. 

At one institution, a regulator noted in a 2005 examination report that 
management had addressed previously identified issues for one type of 
risk and that the institution had taken steps to improve various 
processes, such as clarifying the roles and responsibilities of risk 
assessment staff, and shortening internal audit cycles of high-risk 
entities in this area. Later in 2007, the regulator identified 
additional weaknesses related to credit and market risk management. 
Regulatory officials told us that weaknesses in oversight of credit and 
market risk management were not of the same magnitude prior to the 
crisis as they were in late 2007 and 2008. Moreover, examiners told us 
that it was difficult to identify all of the potential weaknesses in 
risk management oversight until the system was stressed by the 
financial crisis. 

Some regulators told us that they had relied on management 
representation of risk, especially in emerging areas. For example, one 
regulator's targeted risk review relied heavily on management's 
representations about the risk related to subprime mortgages-- 
representations that had been based on the lack of historical losses 
and the geographic diversification of the complex product issuers. 
However, once the credit markets started tightening in late 2007, the 
examiners reported that they were less comfortable with management's 
representations about the level of risk related to certain complex 
investments. Examiners said that, in hindsight, the risks posed by 
parts of an institution do not necessarily correspond with their size 
on the balance sheet and that relatively small parts of the institution 
had taken on risks that the regulator had not fully understood. Another 
regulator conducted a horizontal examination of securitized mortgage 
products in 2006 but relied on information provided by the 
institutions. While the report noted that these products were 
experiencing rapid growth and that underwriting standards were 
important, it focused on the major risks identified by the firms and 
their actions to manage those risks as well as on how institutions were 
calculating their capital requirements. 

Regulators Identified Weaknesses in Models Used to Calculate Risk but 
May Not Have Acted on These Findings: 

Regulators also identified weaknesses in the oversight and testing of 
risk models that financial institutions used, including those used to 
calculate the amount of capital needed to protect against their risk 
exposures and determine the valuation of complex products. Regulators 
require institutions to test their models so that the institutions have 
a better sense of where their weaknesses lie, and OCC developed 
guidance in 2000 related to model validation that other regulators 
consider to be the standard. OCC's guidance states that institutions 
should validate their models to increase reliability and improve their 
understanding of the models' strengths and weaknesses. The guidance 
calls for independent reviews by staff who have not helped to develop 
the models, instituting controls to ensure that the models are 
validated before they are used, ongoing testing, and audit oversight. 
The process of model validation should look not only at the accuracy of 
the data being entered into the model, but also at the model's 
assumptions, such as loan default rates. 

Institutions use capital models as tools to inform their management 
activities, including measuring risk-adjusted performance, setting 
prices and limits on loans and other products, and allocating capital 
among various business lines and risks.[Footnote 12] Certain large 
banking organizations have used models since the mid-1990s to calculate 
regulatory capital for market risk, and the rules issued by U.S. 
regulators for Basel II require that banks use models to estimate 
capital for credit and operational risks. The SEC's consolidated 
supervised entity program allowed broker-dealers that were part of 
consolidated supervised entities to compute capital requirements using 
models to estimate market and credit risk. In addition, institutions 
use models to estimate the value of complex instruments such as 
collateralized debt obligations (CDOs).[Footnote 13] 

Regulators identified several weaknesses related to financial 
institutions' oversight and use of risk models: 

* One regulator found several weaknesses involving the use of models 
that had not been properly tested to measure credit risks, an important 
input into institutions' determinations of capital needed, but did not 
aggressively take steps to ensure that the firm corrected these 
weaknesses. In a 2006 letter addressed to the head of the institution's 
risk management division, the examiners reported deficiencies in models 
used to estimate credit risk, including lack of testing, a lack of 
review of the assumptions used in the models, and concerns about the 
independence of staff testing the models. The regulator issued a letter 
requiring management to address these weaknesses, but continued to 
allow the institution to use the models and did not change its overall 
assessment. Although the institution showed improvement in its 
processes over time, in late 2007 examiners found that some of the 
weaknesses persisted. In late 2008, examiners closed the matter in a 
letter to management but continued to note concerns about internal 
controls associated with risk management. 

* A horizontal review of credit risk models by the Federal Reserve and 
OCC in 2008 found a similar lack of controls surrounding model 
validation practices for assessing credit risks, leading to questions 
about the ability of large, complex institutions to understand and 
manage these risks and provide adequate capital to cushion against 
potential losses. For example, the review found that some institutions 
lacked requirements for model testing, clearly defined roles and 
responsibilities for testing, adequate detail for the scope or 
frequency of validation, and a specific process for correcting problems 
identified during validation. 

* Before the crisis, another regulator found that an institution's 
model control group did not keep a complete inventory of its models and 
did not have an audit trail for models prior to 2000. The examiners 
said that they did not find these issues to be significant concerns. 
However, they were subsequently criticized for not aggressively 
requiring another institution to take action on weaknesses they had 
identified that were related to risk models, including lack of timely 
review, understaffing, lack of independence of risk managers, and an 
inability or unwillingness to update models to reflect the changing 

* Other regulators noted concerns about pricing models for illiquid 
instruments, but made these findings only as the crisis was unfolding. 
For example, in a 2007 horizontal review of 10 broker-dealers' exposure 
to subprime mortgage-related products, SEC and FINRA examiners found 
weaknesses in pricing assumptions in valuation models for complex 
financial products. They found that several of these firms relied on 
outdated pricing information or traders' valuations for complex 
financial transactions, such as CDOs. In some cases, firms could not 
demonstrate that they had assessed the reasonableness of prices for 
CDOs. Another regulator noted in a 2007 targeted examination that 
although management had stated that the risk of loss exposure from 
highly rated CDOs was remote, the downturn in the subprime mortgage 
market could mean that they would not perform as well as similarly 
rated instruments performed historically. 

The Regulators Found That None of the Institutions We Reviewed Had 
Tested for the Effects of a Severe Economic Downturn Scenario: 

Because of the inherent limitations of modeling, such as the accuracy 
of model assumptions, financial institutions also use stress tests to 
determine how much capital and liquidity might be needed to absorb 
losses in the event of a large shock to the system or a significant 
underestimation of the probability of large losses. According to the 
Basel Committee on Banking Supervision, institutions should test not 
only for events that could lower their profitability, but also for rare 
but extreme scenarios that could threaten their solvency. In its 
January 2009 report, the Basel Committee emphasized the importance of 
stress testing, noting that it could (1) alert senior management to 
adverse unexpected losses, (2) provide forward-looking assessments of 
risk, (3) support enterprisewide communication about the firm's risk 
tolerance, (4) support capital and liquidity planning procedures, and 
(5) facilitate the development of risk mitigation or contingency plans 
across a range of stressed conditions.[Footnote 14] Moreover, the 
report noted that stress testing was particularly important after long 
periods of relative economic and financial calm when companies might 
become complacent and begin underpricing risk. 

We found that regulators had identified numerous weaknesses in stress 
testing at large institutions before the financial crisis. However, our 
limited review did not identify any instances in which an institution's 
lack of worst-case scenario testing prompted regulators to push 
forcefully for institutional actions to better understand and manage 
risks. A 2006 Federal Reserve horizontal review of stress testing 
practices at several large, complex banking institutions revealed that 
none of the institutions had an integrated stress testing program that 
incorporated all major financial risks enterprisewide, nor did they 
test for scenarios that would render them insolvent. The review found 
that institutions were stress testing the impact of adverse events on 
individual products and business lines rather than on the institution 
as a whole. By testing the response of only part of the institution's 
portfolio to a stress such as declining home prices, the institution 
could not see the effect of such a risk on other parts of its portfolio 
that could also be affected. The review was particularly critical of 
institutions' inability to quantify the extent to which credit exposure 
to counterparties might increase in the event of a stressed market risk 
movement. It stated that institutions relied on "intuition" to 
determine their vulnerability to this type of risk. It also found that 
institutions' senior managers were confident in their current practices 
and questioned the need for additional stress testing, particularly for 
worst-case scenarios that they thought were implausible. 

The 2006 review included some recommendations for examiners to address 
with individual institutions, and Federal Reserve officials told us 
that they met with institutions' chief risk officers to discuss the 
seriousness of the findings just before the crisis began. However, 
officials told us that the purpose of the review was primarily to 
facilitate the regulator's understanding of the full range of stress 
testing practices, as there was neither a well-developed set of best 
practices nor supervisory guidance in this area at the time. The 
regulatory officials also told us that these findings were used to 
inform guidance issued by the President's Working Group on assessing 
exposure from private pools of capital, including hedge funds.[Footnote 15] 
However, this guidance focuses on testing the exposure to 
counterparty risks, such as from hedge funds, and not on testing the 
impact of solvency-threatening, worst-case scenarios. In hindsight, 
officials told us that the current crisis had gone beyond what they had 
contemplated for a worst-case scenario, and they said that they would 
probably have faced significant resistance had they tried to require 
the institutions to do stress tests for scenarios such as downgrades in 
counterparties' credit ratings because such scenarios appeared 

Other regulators raised concerns about stress testing at individual 
institutions, but we did not find evidence that they had effectively 
changed the firms' stress testing practices. In the materials we 
reviewed, one regulator recommended that the institution include worst- 
case scenarios in its testing. In a 2005 examination report, examiners 
noted a concern about the level of senior management oversight of risk 
tolerances. This concern primarily stemmed from lack of documentation, 
stress testing, and communication of firm risk tolerances and the 
extent to which these were reflected in stress tests. While the firm 
later took steps to document formal risk tolerances and communicate 
this throughout the firm, the recommendation related to stress testing 
remained open through 2008. 

Another regulator required institutions to show that they conducted 
stress tests of the institution's ability to have enough funding and 
liquidity in response to certain events, including a credit downgrade 
or the inability to obtain unsecured, short-term financing. In 
addition, institutions were required to document that they had 
contingency plans to respond to these events. The regulator said that 
it specifically required institutions to conduct stress tests such as 
those based on historical events including the collapse of Long-Term 
Capital Management or the stock market decline of 1987. However, 
regulatory staff told us that the liquidity crisis of 2008 was greater 
than they had expected. 

Regulators' Oversight of Institutions' Risk Management Systems 
Illustrates Some Limitations of the Current Regulatory System: 

In this and other work, we identified two specific shortcomings of the 
current regulatory system that affect the oversight of risk management 
at large, complex financial institutions. First, no regulator has a 
clear responsibility to look across institutions to identify risks to 
overall financial stability. As a result, both banking and securities 
regulators continue to assess risk management primarily at an 
individual institutional level. Even when regulators perform horizontal 
examinations across institutions, they generally do not use the results 
to identify potential systemic risks. Although for some period, the 
Federal Reserve analyzed financial stability issues for systemically 
important institutions it supervises, it did not assess the risks on an 
integrated basis or identify many of the issues that just a few months 
later led to the near failure of some of these institutions and to 
severe instability in the overall financial system. Second, although 
financial institutions manage risks on an enterprisewide basis or by 
business lines that cut across legal entities, primary bank and 
functional regulators may oversee risk management at the level of a 
legal entity within a holding company. As a result, their view of risk 
management is limited or their activities overlap or duplicate those of 
other regulators including the holding company regulator. 

Regulators Were Not Looking Across Groups of Institutions to 
Effectively Identify Risks to Overall Financial Stability: 

In previous work, we have noted that no single regulator or group of 
regulators systematically assesses risks to the financial stability of 
the United States by assessing activities across institutions and 
industry sectors.[Footnote 16] In our current analysis of risk 
management oversight of large, complex institutions, we found that, for 
the period of the review (2006-2008), the regulators had not effectively 
used a systematic process to assess either the threats that large 
financial institutions posed to the financial system or the threats 
that market events posed to those institutions. 

While the regulators periodically conducted horizontal examinations in 
areas such as stress testing, credit risk practices, and risk 
management for securitized mortgage products, these efforts did not 
focus on the stability of the financial system, nor were they used as a 
way to assess future threats to that system. The reports summarizing 
the results of these horizontal examinations show that the purpose of 
these reviews was primarily to understand the range of industry 
practices or to compare institutions, rather than to determine whether 
several institutions were engaged in similar practices that might have 
a destabilizing effect on certain markets, leave the institutions 
vulnerable to those and other market changes, and ultimately affect 
the stability of the financial system. 

Beginning in 2005 until the summer of 2007, the Federal Reserve made 
efforts to implement a systematic review of financial stability issues 
for certain large financial institutions it oversees and issued 
internal reports called Large Financial Institutions' Perspectives on 
Risk. With the advent of the financial crisis in the summer of 2007, 
the report was suspended; however, at a later time the Federal Reserve 
began to issue risk committee reports that addressed risks across more 
institutions. While we commend the Federal Reserve for making an effort 
to look systematically across a group of institutions to evaluate risks 
to the broader financial system, the Perspectives on Risk report for 
the second half of 2006, issued in April 2007, illustrates some of the 
shortcomings in the process. The report reviewed risk areas including 
credit, market, operational, and legal and compliance risk but did not 
provide an integrated risk analysis that looked across these risk 
areas--a shortcoming of risk management systems identified in reviews 
of the current crisis. In addition, with hindsight, we can see that the 
report did not effectively identify the severity and importance of a 
number of factors. For example, it stated that: 

* There are no substantial issues of supervisory concern for these 
large financial institutions. 

* Asset quality across the systemically important institutions remains 

* In spite of predictions of a market crash, the housing market 
correction has been relatively mild, and while price appreciation and 
home sales have slowed and inventories remain high, most analysts 
expect the housing market to bottom out in mid-2007. The overall impact 
on a national level will likely be moderate; however, in certain areas 
housing prices have dropped significantly. 

* The volume of mortgages being held by institutions--warehouse 
pipelines--has grown rapidly to support collateralized mortgage-backed 
securities and CDOs. 

* Surging investor demand for high-yield bonds and leveraged loans, 
largely through structured products such as CDOs, provided continuing 
strong liquidity that resulted in continued access to funding for lower-
rated firms at relatively modest borrowing costs. 

* Counterparty exposures, particularly to hedge funds, continue to 
expand rapidly. 

With regard to the last point, a Federal Reserve examiner stated that 
the Federal Reserve had taken action to limit bank holding company 
exposures to hedge funds. The examiner noted that although in hindsight 
it was possible to see some risks that the regulators had not 
addressed, it was difficult to see the impact of issues they had worked 
to resolve. 

When asked for examples of how the Federal Reserve had used supervisory 
information in conjunction with its role to maintain financial 
stability, a Federal Reserve official provided two examples that he 
believed illustrated how the Federal Reserve's supervisory role had 
influenced financial stability before the current financial crisis. 
First, the official said that the Federal Reserve had used supervisory 
information to improve the resilience of the private sector clearing 
and settlement infrastructure after the attacks on the World Trade 
Center on September 11, 2001. Second, it had worked through the 
supervisory system to strengthen the infrastructure for processing 
certain over-the-counter derivative transactions. Federal Reserve 
officials noted that financial stability is not the sole focus of 
safety and soundness supervision and that several mechanisms exist in 
which regulation plays a significant role with other areas of the 
Federal Reserve in assessing and monitoring financial stability. 
Federal Reserve regulators indicated that other Federal Reserve 
functions often consulted with them and that they provided information 
to these functions and contributed to financial stability discussions, 
working groups, and decisions both prior to and during the current 

In October 2008, the Federal Reserve issued new guidance for 
consolidated supervision suggesting that in the future the agency would 
be more mindful of the impact of market developments on the safety and 
soundness of bank holding companies. The new guidance says, for 
instance, that the enhanced approach to consolidated supervision 
emphasizes several elements that should further the objectives of 
fostering financial stability and deterring or managing financial 
crises and help make the financial system more resilient. The guidance 
says that two areas of primary focus would be: 

* activities in which the financial institutions play a significant 
role in critical or key financial markets that have the potential to 
transmit a collective adverse impact across multiple firms and 
financial markets, including the related risk management and internal 
controls for these activities, and: 

* areas of emerging interest that could have consequences for financial 
markets, including, for example, the operational infrastructure that 
underpins the credit derivatives market and counterparty credit risk 
management practices. 

Primary Bank and Functional Regulators May Limit Their Oversight of 
Risk Management to Specific Legal Entities Such As Depository 
Institutions or Broker-Dealers: 

Some regulators have noted that the current practice of assessing risk 
management at the level of a depository institution or broker-dealer 
did not reflect the way most large, complex institutions manage their 
risks. Regulators noted that financial institutions manage some risks 
enterprisewide or by business lines that cross legal entity boundaries. 
The scope of regulators' supervisory authorities does not clearly 
reflect this reality, however. As set forth in the Gramm-Leach-Bliley 
Act (GLBA), various regulators can have separate responsibilities for 
individual components of a large, complex financial institution. In 
addition, GLBA generally restricts the focus of holding company 
examinations to the holding company and any subsidiary that could have 
a materially adverse effect on the safety and soundness of an 
affiliated bank. OCC examiners told us that it was difficult for them 
to assess a bank's market risk management because OCC focused on the 
national bank's activities, while the financial institution was 
managing risk across the bank and the broker-dealer. The examiners said 
that in some cases the same traders booked wholesale trades in the bank 
and in the broker-dealer and that the same risk governance process 
applied to both. Thus, both the primary bank regulator and the 
functional regulator were duplicating each other's supervisory 
activities. In addition, if initial transactions were booked in one 
entity, and transactions designed to mitigate the risks in that 
transaction were booked in another legal entity, neither regulator 
could fully understand the risks involved. While effective 
communication among the functional and primary bank regulators could 
address this limitation, securities regulators told us that they shared 
information with the Federal Reserve but generally did not share 
information with OCC. 

OCC examination materials show that examiners sometimes assessed risks 
and risk management by looking at the entire enterprise. In addition, 
OCC examiners often met with holding company executives. In previous 
work, we noted the likelihood that OCC's responsibilities and 
activities as the national bank regulator overlap with the 
responsibilities and activities of the Federal Reserve in its role as 
the holding company regulator. We found in this review that this 
overlap continued to exist; however, we also continued to observe that 
OCC and the Federal Reserve share information and coordinate activities 
to minimize the burden to the institution. 

Securities regulators face similar challenges in assessing risk 
management at broker-dealers. In a number of past reports, we have 
highlighted the challenges associated with SEC's lack of authority over 
certain broker-dealer affiliates and holding companies.[Footnote 17] 
FINRA officials also cited two examples of limitations on their efforts 
to oversee risk management within broker-dealers. First, they noted 
that FINRA's regulatory authority extended only to U.S. broker-dealers 
and that related transactions generally are booked in other legal 
entities. FINRA noted that the riskiest transactions were usually 
booked in legal entities located offshore. FINRA also noted that 
inventory positions booked in the U.S. broker-dealer often hedge the 
risk in another affiliated legal entity. From time to time, FINRA has 
requested that the U.S. broker-dealer move the hedge into the broker- 
dealer to reduce the amount of the losses and protect the capital base 
of the broker-dealer. An SEC official noted that to take advantage of 
certain capital treatment the transaction and the hedge would both need 
to be booked in the broker-dealer. Second, FINRA officials noted that 
their view was limited because market risk policy is set at the holding 
company level. 

In closing, I would like to reiterate a number of central themes that 
have appeared often in our recent work. While an institution's 
management, directors, and auditors all have key roles to play in 
effective corporate governance, regulators--as outside assessors of the 
overall adequacy of the system of risk management--also have an 
important role in assessing risk management. The current financial 
crisis has revealed that many institutions had not adequately 
identified, measured, and managed all core components of sound risk 
management. We also found that for the limited number of large, complex 
institutions we reviewed, the regulators failed to identify the 
magnitude of these weaknesses and that when weaknesses were identified, 
they generally did not take forceful action to prompt these 
institutions to address them. As we have witnessed, the failure of a 
risk management system at a single large financial institution can have 
implications for the entire financial system. 

Second, while our recent work is based on a limited number of 
institutions, examples from the oversight of these institutions 
highlight the significant challenges regulators face in assessing risk 
management systems at large, complex institutions. While the painful 
lessons learned during the past year should bolster market discipline 
and regulatory authority in the short term, history has shown that as 
the memories of this crisis begin to fade, the hard lessons we have 
learned are destined to be repeated unless regulators are vigilant in 
good times as well as bad. Responsible regulation requires that 
regulators critically assess their regulatory approaches, especially 
during good times, to ensure that they are aware of potential 
regulatory blind spots. This means constantly reevaluating regulatory 
and supervisory approaches and understanding inherent biases and 
regulatory assumptions. For example, the regulators have begun to issue 
new and revised guidance that reflects the lessons learned from the 
current crisis. However, the guidance we have seen tends to focus on 
the issues specific to this crisis rather than on broader lessons 
learned about the need for more forward-looking assessments and on the 
reasons that regulation failed. 

Finally, I would like to briefly discuss how our current regulatory 
framework has potentially contributed to some of the regulatory 
failures associated with risk management oversight. The current 
institution-centric approach has resulted in regulators all too often 
focusing on the risks of individual institutions. This has resulted 
in regulators looking at how institutions were managing individual 
risks, but missing the implications of a collective strategy that was 
premised on the institution's having little liquidity risk and adequate 
capital. Regardless of whether the failures of some institutions 
ultimately came about because of a failure to manage a particular 
risk, such as liquidity or credit risk, these institutions often lacked 
some of the basic components of good risk management--for example, 
having the board of directors and senior management set the tone for 
proper risk management practices across the enterprise. The regulators were not 
able to connect the dots, in some cases because of the fragmented 
regulatory structure. While regulators promoted the benefits of 
enterprisewide risk management, we found that they failed to ensure 
that all of the large, complex financial institutions in our review had 
risk management systems commensurate with their size and complexity so 
that these institutions and their regulators could better understand 
and address related risk exposures. 

This concludes my prepared statement. I would be pleased to answer any 
questions that you may have at the appropriate time. 

Staff Contributions and Acknowledgments: 

For further information about this testimony, please contact Orice M. 
Williams on (202) 512-8678 or at Contact points for 
our Offices of Congressional Relations and Public Affairs may be found 
on the last page of this statement. Individuals making key 
contributions to this testimony include Barbara Keller, Assistant 
Director; Nancy Barry, Emily Chalmers, Clayton Clark, Nancy Eibeck, 
Kate Bittinger Eikel, Paul Thompson, and John Treanor. 

[End of section] 


[1] Senior Supervisors Group, Observations on Risk Management Practices 
during the Recent Market Turbulence, March 6, 2008; The President's 
Working Group on Financial Markets, Policy Statement on Financial 
Market Developments, March 13, 2008; Financial Stability Forum, Report 
of the Financial Stability Forum on Enhancing Market and Institutional 
Resilience, April 7, 2008; Basel Committee on Banking Supervision: 
The Joint Forum, Cross-sectoral review of group-wide identification and 
management of risk concentrations, April 2008; and Institute of 
International Finance, Final Report of the IIF Committee on Market Best 
Practices: Principles of Conduct and Best Practice Recommendations-- 
Industry Response to the Market Turmoil of 2007-2008, July 2008. 

[2] GAO, Financial Market Regulation: Agencies Engaged in Consolidated 
Supervision Can Strengthen Performance Measurement and Collaboration 
(Washington, D.C.: Mar. 15, 2007); Risk-Focused Bank Examinations: 
Regulators of Large Banking Organizations Face Challenges (Washington, 
D.C.: Jan. 24, 2000); Risk-Based Capital: Regulatory and Industry 
Approaches to Capital and Risk (Washington, D.C.: July 20, 1998); 
Financial Derivatives: Actions Taken or Proposed Since May 1994, 
GAO/GGD/AIMD-97-8 (Washington, D.C.: Nov. 1, 1996); and Financial 
Derivatives: Actions Needed to Protect the Financial System 
(Washington, D.C.: May 18, 1994). 

[3] Informal enforcement actions include commitment letters, memoranda 
of understanding, and, for bank regulators, safety and soundness plans. 
Formal actions are authorized by statute, are generally more severe, 
and are disclosed to the public. Formal actions include consent orders, 
cease and desist orders, and formal written agreements, among others. 

[4] Credit risk is the potential for financial losses resulting from 
the failure of a borrower or counterparty to perform on an obligation. 
Market risk is the potential for financial losses due to the increase 
or decrease in the value or price of an asset or liability resulting 
from broad movements in prices, such as interest rates, commodity 
prices, stock prices, or the relative value of currencies (foreign 
exchange). Liquidity risk is the potential for financial losses due to 
an institution's failing to meet its obligations because of an 
inability to liquidate assets or obtain adequate funding. Operational 
risk is the potential for unexpected financial losses due to inadequate 
information systems, operational problems, and breaches in internal 
controls, or fraud. Legal risk is the potential for financial losses 
due to breaches of law or regulation that may result in heavy penalties 
or other costs. 

[5] 17 C.F.R. § 240.15c3-1. 

[6] Bear Stearns was acquired by JPMorgan Chase, Lehman Brothers 
failed, Merrill Lynch was acquired by Bank of America, and Goldman 
Sachs and Morgan Stanley have become bank holding companies. 

[7] Depository institutions receive what is known as a CAMELS rating. 
The CAMELS rating is defined as Capital Adequacy-C, Asset Quality-A, 
Management-M, Earnings-E, Liquidity-L, and Sensitivity to Market 
Risk-S. The Federal Reserve issues what is known as an RFI/C(D) rating. 
It is defined as Risk Management-R, Financial Condition-F, Potential 
impact of the parent company and nondepository subsidiaries on the 
subsidiary depository institutions-I, Composite Rating-C, and Depository 
Institution-D. The D rating subcomponent is the primary banking rating. 
In late 2007, OTS changed its guidance related to the CORE 
competencies--Capital, Organization, Relationship, and Earnings. In a 
rule finalized on January 1, 2008, OTS changed the "R" to Risk 

[8] According to Federal Reserve documentation, Board of Director and 
Senior Management Oversight evaluates the adequacy and effectiveness of 
its understanding and management of risk inherent in the BHC's 
activities, as well as the general capabilities of management. It also 
includes considerations of management's ability to identify, 
understand, and control the risk undertaken by the institution, to hire 
competent staff, and to respond to change in the institution's risk 
profile or innovations in the banking sector. Policies, Procedures, and 
Limits evaluates the adequacy of policies, procedures, and limits given 
the risk inherent in the activities of the consolidated organization 
and the organization's stated goals and objectives. The analysis may 
include a consideration of the adequacy of the institution's accounting 
and risk-disclosure policies and procedures. Risk monitoring and 
management information systems reviews the assumptions, data, and 
procedures used to measure risk and the consistency of these tools with 
the level of complexity of the organization's activities. Internal 
controls and audits are evaluated relating to the accuracy of financial 
reporting and disclosure and the strength and influence, within the 
organization, of the internal audit team. The analysis will include a 
review of the independence of control areas from management and the 
consistency of the scope coverage of the internal audit team with the 
complexity of the organization. 

[9] The Risk Assessment System is the assessment framework of the nine 
categories of risk and the risk management systems. 

[10] OCC Memorandum, Matters Requiring Attention, August 8, 2005. 

[11] OTS does not have specific risk-based or leverage capital 
requirements for thrift holding companies but does require them to hold 
adequate capital pursuant to capital maintenance agreements. 

[12] Economic capital models measure risks by estimating the 
probability of potential losses over a specified period and up to a 
defined confidence level using historical loss data. See GAO, 
Risk-Based Capital: Bank Regulators Need to Improve Transparency and 
Overcome Impediments to Finalizing the Proposed Basel II Framework 
(Washington, D.C.: Feb. 15, 2007). 

[13] In a basic CDO, a group of loans or debt securities are pooled and 
securities are then issued in different tranches that vary in risk and 
return depending on how the underlying cash flows produced by the 
pooled assets are allocated. If some of the underlying assets 
defaulted, the more junior tranches--and thus riskier ones--would 
absorb these losses first before the more senior, less-risky tranches. 
Many CDOs in recent years largely consisted of mortgage-backed 
securities, including subprime mortgage-backed securities. 

[14] Basel Committee on Banking Supervision, Consultative Document: 
Principles for Sound Stress Testing Practices and Supervision. (Basel, 
Switzerland: January 2009). 

[15] See President's Working Group, Agreement Among PWG and U.S. Agency 
Principals on Principles and Guidelines Regarding Private Pools of 
Capital, February 22, 2007. The information from this horizontal review 
was later used in 2008 to analyze risk management practices after the 
crisis began in the Senior Supervisors Group Observations on Risk 
Management Practices During the Recent Market Turbulence. 

[16] GAO, Financial Regulation: A Framework for Crafting and Assessing 
Proposals to Modernize the Outdated U.S. Financial Regulatory System 
(Washington, D.C.: Jan. 8, 2009); Financial Regulation: Industry Changes 
Prompt Need to Reconsider U.S. Regulatory Strategy (Washington, D.C.: 
Oct. 6, 2004); and Long-Term Capital Management: Regulators Need to 
Focus More Attention on Systemic Risk (Washington, D.C.: Oct. 29, 

[17] [hyperlink,] and 

[End of section] 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site. Each weekday, GAO posts newly released 
reports, testimony, and correspondence on its Web site. To have GAO 
e-mail you a list of newly posted products every afternoon, go to 
GAO's Web site and select "E-mail Updates." 

Order by Phone: 

The price of each GAO publication reflects GAO’s actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAO’s Web site, 

Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537. 

Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional 

To Report Fraud, Waste, and Abuse in Federal Programs: 


Web site: [hyperlink,]: 
Automated answering system: (800) 424-5454 or (202) 512-7470: 

Congressional Relations: 

Ralph Dawn, Managing Director, 
(202) 512-4400: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7125: 
Washington, D.C. 20548: 

Public Affairs: 

Chuck Young, Managing Director, 
(202) 512-4800: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7149: 
Washington, D.C. 20548: