OCC BULLETIN 2015-48
Subject: Risk Assessment System
Date: December 3, 2015
To: Chief Executive Officers of All National Banks, Federal Savings Associations, and Federal Branches and Agencies; Department and Division Heads; All Examining Personnel; and Other Interested Parties
Description: Updated Guidance
The Office of the Comptroller of the Currency (OCC) has updated its guidance regarding its risk assessment system (RAS). These updates are reflected in the “Bank Supervision Process,” “Community Bank Supervision,” “Federal Branches and Agencies Supervision,” and “Large Bank Supervision” booklets of the Comptroller’s Handbook and internal guidance for examiners. Other Comptroller’s Handbook booklets will be updated as they are revised.
The OCC’s updated RAS guidance is one of the agency’s responses to the recommendations in “An International Review of OCC’s Supervision of Large and Midsize Institutions” (International Peer Review report) and supports the agency’s mission of ensuring a safe and sound federal banking system. In its response to the International Peer Review report,1 the OCC noted that the Uniform Financial Institutions Rating System (CAMELS)2 definitions include sufficient flexibility to consider forward-looking elements and also that the agency would update the RAS to emphasize how CAMELS and the RAS complement each other.
The updated RAS guidance
Clarifying the Relationship Between RAS and CAMELS
Supervision by risk focuses on evaluating risk, identifying existing and emerging problems, and ensuring that bank management takes corrective action before problems compromise the bank’s safety and soundness. The RAS provides the framework to measure, document, and communicate the OCC’s conclusions about the quantity of risk, quality of risk management, aggregate risk, and direction of risk for the eight risk categories.3
The RAS is structured in the OCC’s examination procedures to evaluate separately the quantity of risk and the quality of risk management. The quantity of risk reflects the level of risk assumed in the course of doing business. The quality of risk management assesses whether the bank’s risk management systems are capable of identifying, measuring, monitoring and controlling that amount of risk. This structure is intended to allow examiners to identify and take action on emerging risks in a timely manner, before such risks materialize in a bank’s financial performance.
The revised guidance reiterates and clarifies that the RAS provides both a current (aggregate risk) and a prospective (direction of risk) view of a bank’s risk profile that examiners incorporate when assigning CAMELS ratings. The CAMELS rating system refers to the primary risk categories that examiners consider within each component area, as well as the quality of risk management practices. The component ratings should reflect the level of supervisory concern reflected in the RAS assessment, particularly with risk management practices. Additionally, examiners consider their assessments of risk management practices for each of the risk categories when assigning the management component rating. When the RAS and the rating system are used in this manner, they provide a holistic view of the bank’s condition and support planned activities and supervisory findings.
Revised Definition of Banking Risk
Risk was previously defined in terms of impact to current or anticipated earnings or capital for the risk categories of credit, interest rate, liquidity, price, operational, and compliance. For strategic and reputation risks, consideration was given to potential changes in franchise or enterprise value.
The revised guidance applies a single definition of risk to all categories. Risk is defined as “the potential that events will have an adverse effect on a bank’s current or projected financial condition and resilience.” Under this broader definition, financial condition includes impacts from diminished capital and liquidity. Capital in this context includes potential impacts from losses, reduced earnings, and market value of equity. Resilience recognizes the bank’s ability to withstand periods of stress.4
Expansion of Quality of Risk Management Assessment
The revised guidance expands the assessment categories for quality of risk management—strong, satisfactory, and weak—to four, with a new assessment category of “insufficient” between satisfactory and weak. “Insufficient” indicates the presence of deficient practices (concerns) that have the potential to adversely affect the bank’s condition if not corrected. These concerns preclude a satisfactory assessment but do not support a finding that risk management is weak. The expansion of the assessment categories for quality of risk management is intended to better stratify and communicate concerns. This expansion is also applicable to other assessments examiners may provide, including audit and internal control.
Expansion of Strategic and Reputation Risk
Previously, the OCC assessed only the aggregate level and direction of strategic and reputation risks. The revised guidance expands the assessment of strategic and reputation risks to include both quantity of risk and quality of risk management. Although measuring the quantity of these risks remains difficult, the revised guidance provides a means to better assess and communicate efforts to control these risks.
Strategic risk is a key risk faced by banks and remains a top concern for the OCC. Similarly, the OCC has long considered reputation risk to be an important factor that can affect the safety and soundness of its supervised institutions. Examiners consider the presence of risk in a bank’s activities when determining whether the risks a bank assumes are effectively managed, controlled, and consistent with safe and sound banking practices, not as a basis for prohibiting banks from engaging in permissible activities.
Please contact the appropriate supervisory office or Large Bank examiner-in-charge.
Jennifer C. Kelly
1 OCC News Release 2014-75, “OCC Announces Actions to Respond to International Peer Review Recommendations” (May 28, 2014).
2 CAMELS is an acronym that represents the ratings from six component areas: capital adequacy, asset quality, management, earnings, liquidity, and sensitivity to market risk. Evaluations of the component areas take into consideration the institution’s size and sophistication, the nature and complexity of its activities, and its risk profile.