Risk Sustainability
Demonstrate the "sustainability" of risk functions by embedding them across risk pillars, financial analysis, and business-as-usual activities

Proving sustainable processes
Regulators will expect evidence of the sustainability of risk management and governance processes, including the ability to address current and emerging risks, adequacy of resources (e.g., technology investment, skilled staffing), and a commitment to ethics and compliance.
Firms will need to demonstrate:
- Risk Culture: Credible firm culture and values (e.g., rewards for compliant behaviors and accountability, deterrents for misconduct), as well as a sound approach to assessing and monitoring risk culture.
- Risk Quantification and Integration: Abilities to ‘quantify risks previously qualitative’, as well as link (in a dynamic/integrated way) to risk monitoring, “outside-in” analyses (e.g., industry enforcement, negative news), and issues management.
- Business Changes: Evidence of sustainable processes and effective risk coverage, including metric-driven capacity models that determine resource needs during periods of cost containment, growth, or changes in the business, and parallel-run exercises when adopting new models or technology.
Issues and remediation:
Regulators will continue to evaluate firms’ management and remediation of issues, including their issues identification processes, adequacy and robustness of risk assessments, and associated actions, as well as effective challenge to issues management. In 2024, firms should expect regulators to focus on the following aspects of these areas:
- Issues Management: Scrutiny will focus on:
  - The proportion of issues self-identified by the business line as well as by the 2nd and 3rd lines, and the time taken to size, mitigate, and resolve them.
  - Whether deficiencies in data or reporting (e.g., data quality, timeliness, accuracy, board and management reporting) are quickly identified and appropriately remediated.
- Risk Assessment: Regulators will expect adequate and robust analysis of complaints, disputes, and claims information for systemic issues, as well as demonstration of actions taken based on the risk assessments (e.g., modification of products/services, enhancement of process controls, and clarifications to product terms or disclosures).
- Effective Challenge: Regulators will likewise look for:
  - A continuous "loop" from issues management back to risk assessment (inherent and residual).
  - Quality assurance and review processes that demonstrate effective challenge of issue outcomes and remediation.
Climate sustainability risk
At the federal, state, and global levels, regulators (banking, capital markets, and insurance) continue to push forward with supervision of climate-related financial risk management and to put forth new rules and guidance. This increases the risk of divergence (e.g., federal vs. state, federal vs. global, state vs. state) and challenges firms as they set sustainability priorities and/or execute on their commitments and transition plans. As the regulatory landscape evolves, regulators will be assessing:
Risk Management and Governance: Physical and transition risks will drive regulators to scrutinize:
- Processes for assessing, identifying, and managing emerging and material climate-related risks.
- Policies, procedures, and limits that reflect changing risk characteristics or firm activities.
- Strategic planning, board oversight, and management’s effectiveness, including roles, responsibilities, and applicable acumen or experience/expertise.
- Data, risk metrics, and modeling methodologies, including quantitative climate scenario analysis (such as outlined in the FRB Pilot Scenario Analysis) with clear objectives reflective of overall climate risk management strategy and adequate oversight, validation, and quality control standards.
Reporting: Climate risk information should be integrated with internal reporting, monitoring, and escalation processes, as well as effective risk data aggregation and external and regulatory reporting capabilities. The scope of reporting and disclosures may include:
- Strategy.
- Risk management.
- Governance.
- Scenario analysis.
- GHG emissions (Scopes 1, 2, 3).
Regulators will assess the accuracy of a firm's reporting and its alignment with the firm's public statements, commitments, strategy, and products/services marketing, with attention to the risk of "greenwashing," follow-through on commitments (including net zero), and tracking of progress against transition plans.
What to Watch
Regulators are increasingly assessing the “sustainability” of firms’ internal culture and processes, issues management and remediation, and most visibly, climate-related sustainability risks. Key regulatory actions to watch will include:
- Supervision of "Persistent Weaknesses" at Banks: New OCC policies and procedures outlining the supervisory or enforcement actions the agency may take against firms with "continuing, recurring, or increasing deficiencies over a prolonged period," particularly when the firm has not made "sufficient progress" toward correcting those deficiencies. Available actions include money penalties, remediation plans, and/or growth restrictions, and in certain cases, divestiture and simplification.
- Climate Risk Disclosures: SEC climate risk disclosure rules for public companies, covering climate risk management, strategy, governance, and certain metrics related to financial statements and greenhouse gas (GHG) emissions. The rules are subject to wide-ranging debate and legal challenges are anticipated.
- Climate Scenario Analysis and Risk Management: A climate scenario analysis exercise, looking at multiple scenarios within physical and transition risk modules, conducted by the FRB throughout 2023 to help FRB “learn about large banking organizations’ climate risk management practices and challenges, and to enhance the ability of large banking organizations and supervisors to identify, measure, monitor, and manage these risks.”
- Final Principles for Climate-Related Financial Risk Management: Interagency guidance for large banks to identify, measure, monitor, and control climate-related financial risks. Identifies six principles and six specific risk areas.
Call to Action…
- Establish accountability across lines of defense: Hold each of the three lines of defense accountable for managing risk; treat a weakness found in one line as a prompt to investigate possible weaknesses in the other two; voluntarily and promptly self-disclose identified weaknesses and violations of laws and regulations; cooperate with investigations.
- Ensure consistency in reporting and disclosures: Adopt a uniform approach to both mandatory and voluntary reporting and disclosures; maintain transparency, accuracy, and consistency with actual strategies and activities across all reporting (financial and nonfinancial) and public-facing statements and/or disclosures.
- Operationalize sustainability and climate: Embed climate-related risks within the organization’s broader risk governance and risk management frameworks. Develop and implement robust processes for identifying, assessing, managing, and monitoring climate-related risks across all business areas and risk pillars.
- Reassess your risk culture: Establish an effective compliance program and foster a culture that deters misconduct and promotes ethics and compliance. Incentivize responsible behavior, hold employees accountable for the proper application of risk policies, and encourage them to take ownership of the organization's strategy. Enable employees to manage risk effectively by making risk responses, and their effects, clearly visible within the organization.
- Show critical challenge of sustained change: Integrate critical challenge (e.g., escalation procedures, actions initiated, decisions made, and proof of altered/terminated paths based on risk determinations) into risk and governance frameworks; document root cause analysis and remediation; automate controls where possible; conduct ongoing monitoring and testing of sustained change.