In a March 2016 GARP Risk Intelligence article, “Risk Governance: Across the Three Lines,” authors from KPMG commented on the U.S. Office of the Comptroller of the Currency’s Heightened Standards for large financial institutions and delivered a call to action: “It’s time for banks to deploy risk governance frameworks across three lines of defense.”
A primary focus of OCC standards is the role of independent risk management, defined as “. . . any organizational unit within the bank that has responsibility for identifying, measuring, monitoring or controlling aggregate risks.” The use of the term “aggregate” in this context could be viewed as provocative, given the financial industry’s poor track record in this area.
Indeed, regulatory concern is such that in January 2013 the Basel Committee on Banking Supervision issued BCBS 239, “Principles for effective risk data aggregation and risk reporting,” which included this observation: “Many banks lacked the ability to aggregate risk exposures and identify concentrations quickly and accurately . . . Some banks were unable to manage their risks properly because of weak risk data aggregation capabilities and risk reporting practices.”