EVALUATION RESULTS
FDIC Committees and Groups that Contribute to Internal Risk Management
The FDIC has a number of internally-focused committees and groups that help to keep the FDIC Board, Chairman, Audit Committee, and senior-most executives informed of management operations and internal risks facing the Corporation and aid them in their decision-making. Taken collectively, these committees and groups and associated reports and briefings provide a comprehensive means for managing internal risk and establishing transparency.
We concluded that more could be done to institutionalize how these various entities interrelate and support ERM and to ensure the continuity of the Corporation’s risk management efforts in the event of changes in leadership and/or senior management. As discussed below, many of these committees and groups are responsible for managing or monitoring specific internal corporate operations or functions such as major capital investments, system development efforts, or human capital initiatives that have the potential to present risks to the Corporation. While many of these committees have charters that specifically establish their purpose, membership, regular meetings, and reporting responsibilities, we did not see a clear articulation of how these committees and groups interact to support ERM in the Corporation. The FDIC’s CFO indicated that such interactions do occur and are understood by FDIC managers, but acknowledged that such interactions could be better documented.
Figure 2 presents our understanding of the committees and groups involved in keeping the FDIC Board, Chairman, Audit Committee, and senior FDIC executives, such as the Chief Operating Officer (COO) and the CFO, aware of management operations and internal risks facing the Corporation and aiding them in their decision-making.3 A brief discussion of each committee or group follows the figure. Figure 2 is not exhaustive and there may be other groups involved in internal risk management. In addition, Figure 2 does not include the committees and groups responsible for monitoring external risks facing the Corporation.
Figure 2: Internally-Focused Committees and Groups that Contribute to Internal ERM
Operating Committee: Chaired by the COO, membership is comprised of the FDIC Chairman, Vice Chairman, Deputies to the Chairman and Vice Chairman, and directors of all divisions and offices. This Committee, which is scheduled to meet biweekly, serves as a briefing forum to ensure that Committee members are informed of issues concerning the Corporation.
Corporate Investment Advisory Group: Chaired by the CFO, membership includes Division of Finance (DOF), Division of Insurance and Research (DIR), and Division of Resolutions and Receiverships (DRR) directors, who review cash flow projections for each FDIC fund and provide advice to the CFO concerning (1) investment strategies in light of economic and market conditions, (2) appropriate levels of liquidity for each fund, and (3) purchase strategies for funds to be invested in Treasury securities. This Group meets quarterly.
Savings Plan Committee: This Committee is chaired by the CFO and includes the Director, DIR; Deputy General Counsel (Corporate Operations); Associate Director, Human Resources Branch, Division of Administration (DOA); and a representative from the National Treasury Employees Union. The Committee considers issues related to the administration of the Corporation’s 401(k) plan, including the performance of the plan’s investment options.
Customer Advisory Committee: Co-chaired by the DOA and DOF Directors, this Committee includes a senior staff member from each division and office and considers administrative matters of interest to FDIC management.
Human Resources Committee: Includes executives from FDIC Divisions and focuses on developing and evaluating human capital strategies with corporate-wide impact. The FDIC established this Committee to integrate strategic human capital planning into the Corporation’s planning, budgeting, and investment processes. This Committee meets weekly.
Executive Review Board: Through this Board, the COO, CFO, and other members who might be appointed make recommendations to the FDIC Chairman on all matters affecting managers and executives, including compensation, benefits, incentives, and performance management.
Chairman’s Diversity Advisory Council: Through this Council, individuals throughout the FDIC promote and support a diverse environment, facilitate employee communication with management regarding diversity concerns, and provide input to the Director, Office of Diversity and Economic Opportunity (ODEO), on recommendations for changes in policies and procedures that foster diversity objectives.
Diversity Steering Committee: Chaired by the Director, ODEO, membership consists of the deputy directors of the Division of Information Technology (DIT) and the Division of Supervision and Consumer Protection (DSC) and the Deputy General Counsel, Legal Division. This Committee promotes and supports diversity initiatives.
Alternative Dispute Resolution Steering Committee: The Committee is comprised of representatives from every office and division designated to oversee corporate-wide alternative dispute resolution (ADR) policies, procedures, and programs and to assist in the design and implementation of new ADR processes. This Committee meets quarterly and also prepares for the FDIC Board an annual report on the uses of ADR throughout the Corporation.
Capital Investment Review Committee (CIRC): Co-chaired by the CFO and Chief Information Officer (CIO), membership consists of the Deputy to the Chairman, directors for DIR, DSC, DRR, DOF, and DOA, and the General Counsel. The committee meets quarterly and provides a systematic management review process to support budgeting for the Corporation’s capital investments (defined as initiatives with a total capital outlay in excess of $3 million) and to ensure regular monitoring and proper management of these investments.
Chief Information Officer Council: Chaired by the CIO, members include executive representatives from DSC, DRR, DIR, DOF, DOA, Legal, DIT, and Corporate University (CU) as well as a representative of the COO. This Council, which normally meets monthly, advises the CIO on all aspects of adoption and use of information technology at the FDIC and supports the CIRC in its management and monitoring of the limited set of major IT investments.
Project Management Office: This office was established as a result of DIT’s 2005 Transformation effort and resides within DIT’s Business Administration Branch. The office provides a number of critical functions to support the selection, management, oversight and analysis of a broad inventory of IT projects.
Corporate Data Sharing Steering Committee: Membership is comprised of representatives from all divisions, the COO’s office, and the CFO’s office. This Committee sets the strategic direction for corporate data planning, management, and use.
Information Technology Committee: Chaired by the Director, DIT, this Committee includes members from the CFO’s Office and all divisions and reviews new IT initiatives and makes recommendations concerning the new initiatives to the CIO Council.
Website Advisory Committee: This Committee includes representatives from OPA, the Legal Division, DIR, DSC, DRR, DIT, and the COO’s Office, and advises the Chief Web Officer on issues and corporate policies regarding the FDIC’s Web page.
Audit Committee: This Committee is chaired by the Vice Chairman and includes the Director, Office of Thrift Supervision, and the Deputy to the FDIC Chairman. The FDIC’s formal rules indicate that the Audit Committee is responsible for reviewing results of completed GAO and OIG audits and evaluations, requesting audit follow-up, if necessary, and submitting recommendations with respect to the audit reports to the Chairman’s office and the FDIC Board.
OERM: Serves as liaison to the OIG and GAO staff working on audits of FDIC operations, provides staff support to the FDIC Audit Committee and select programs managed by other FDIC organizations, and coordinates preparation of the FDIC’s Annual Performance and Accountability Report (Annual Report).
GAO and OIG issue audit and evaluation reports and present the results of their reviews of FDIC programs, operations, and functions to the Audit Committee. In addition to program operation and functional audits, the GAO annually audits the FDIC’s financial statements. The OIG’s business plan includes an annual evaluation of the FDIC’s Information Security Program, as required by the Federal Information Security Management Act (FISMA).
Division and Office internal review units have their own internal risk management programs with activities such as regional and office reviews, annual risk assessments, internal control reviews, risk management reviews, and IT and business process reviews. Appendix II contains details on the resources and types of risk management activities for the divisions and offices.
Suggestion for Management
As discussed, the FDIC has a number of internally-focused committees and groups that collectively contribute to internal ERM and good corporate governance. More could be done, however, to institutionalize how these entities interact to manage internal risks facing the Corporation and for the purpose of preserving continuity in the event of senior management changes. Accordingly, we suggest that the Chairman’s Office, in coordination with the COO and the CFO, articulate and document how the various committees and groups interrelate in managing internal risk.
Comparison of the FDIC’s Overall Internal ERM Efforts to the COSO ERM Framework
The FDIC has incorporated elements of several of the eight interrelated components outlined in COSO’s ERM Framework in the Corporation’s overall internal risk management activities. Specifically, the FDIC’s approach to risk management includes many of the principles encompassed in the Internal Environment, Objective Setting, and Control Activities components of COSO. However, we identified variances between the FDIC’s existing ERM program and the COSO ERM Framework and concluded that opportunities exist for the FDIC to make additional enhancements to its ERM program by incorporating key principles of the COSO ERM Framework.
COSO ERM Framework: Internal Environment
Encompasses the tone of an organization, influencing the risk consciousness of its people, and is the basis for all other components of enterprise risk management, providing discipline and structure.
According to COSO, the internal environment influences how strategies and objectives are established; business activities are structured; and risks are identified, assessed, and acted upon. This component influences the design and functioning of control activities, information and communication systems, and monitoring activities. Internal environment factors include:
- an entity’s risk management philosophy;
- its risk appetite;
- oversight by the board of directors;
- the integrity, ethical values, and competence of the entity’s people;
- how management assigns authority and responsibility; and
- how management organizes and develops its people.
Internal Environment Factors at the FDIC
The FDIC practices or possesses many of the internal environment factors in everyday operations of the Corporation. For example:
- The FDIC has published mission statements, a corporate vision statement, and core values.
- Members of the FDIC Board participate in monthly Board Meetings and are engaged in FDIC operations through management reports and periodic meetings with FDIC executives.
- The FDIC Board has established committees to manage certain functions, and the FDIC has established a number of operational committees to evaluate risks and manage projects.
- The FDIC Board has also delegated authority to committees and FDIC executives to carry out corporate functions.
- The FDIC holds its executives accountable for achieving corporate goals and objectives and has tied employee pay to performance.
- FDIC employees are required to follow government-wide standards of ethical conduct and supplemental standards pertaining to FDIC employees.
- The FDIC established the CU to coordinate and facilitate high-quality, cost-effective learning and development consistent with corporate objectives, and the FDIC requires employees to take annual awareness training related to information security and privacy.
Opportunities to Enhance the FDIC’s Internal Environment
The FDIC may benefit from more explicitly addressing two factors in COSO’s internal environment component, namely the FDIC’s risk management philosophy and risk appetite. According to COSO, an entity’s risk management philosophy:
- is the set of shared beliefs and attitudes characterizing how the entity considers risk in everything it does, from strategy development and implementation to its day-to-day activities;
- reflects the entity’s values influencing its culture and operating style; and
- affects how enterprise risk management components are applied, including how risks are identified, the kinds of risks accepted, and how they are managed.
An entity’s risk management philosophy is reflected in virtually everything management does in operating the entity and is captured in policy statements, oral and written communications, and decision making. COSO states that, when the risk management philosophy is well developed, understood, and embraced by an entity’s personnel, the entity is positioned to effectively recognize and manage risk. Otherwise, there can be uneven applications of enterprise risk management across business units, functions, or departments.
Risk appetite is the amount of risk, on a broad level, that an entity is willing to accept in pursuit of value. It reflects the risk management philosophy and, in turn, influences culture and operating style. An entity’s risk appetite is considered in strategy setting; guides resource allocation; and aligns organization, people, processes, and infrastructure. Entities can consider risk appetite (1) qualitatively, with categories of high, moderate, or low or (2) quantitatively, reflecting and balancing goals for growth, return, and risk. Protiviti®, Inc. reported that, in defining enterprise risk management, COSO set a standard for management to manage risk within the entity’s risk appetite, as understood and agreed by the board of directors, and that management considers risk appetite when defining objectives, formulating strategy, allocating resources, setting risk tolerances,4 and developing risk management capabilities.
In regard to risk appetite, the Director of OERM issued a November 2005 memorandum, Update on ERM in the FDIC, to division and office directors that discussed the link between “…risk appetite and reasonable assurance that the Corporation is in substantial compliance with any given requirement.” The memorandum stated that:
With respect to “risk appetite”, I believe it is fair to characterize the Corporation as being primarily a risk-averse organization, relative to both our external and internal responsibilities. Clearly, this is a positive characteristic, given that we should be good stewards and strive to lead by example relative to both our peer group and the institutions we supervise. At the same time, however, managing to perfection or maintaining a zero-tolerance working environment on all controls is usually not a preferred course of action and could be counter-productive, particularly relative to employee morale and our overall cost-effectiveness.
We do note that elements of the FDIC’s risk appetite are driven by law or regulation, such as the safety and soundness examination schedule, minimum institution capital levels, and limitations on investment options for the Deposit Insurance Fund. In other cases, the FDIC has imposed thresholds or limits, such as Maximum Efficiency, Risk-focused, Institution Targeted examination parameters or capital investment management oversight thresholds, which serve to establish risk appetite for discrete processes or functions.
Further, the FDIC Chairman has given speeches that describe the FDIC’s risk appetite in regard to external matters in the banking industry such as subprime and predatory lending, mortgage foreclosures, and capital requirements. Also in reference to external risk responsibilities, the FDIC issued its second quarter 2007 Letter to Stakeholders in August 2007, in which the Corporation reported its continued focus on monitoring the mortgage market and any negative impacts on borrowers and insured institutions, bringing unbanked and underbanked populations into the financial mainstream, and working with other regulators to issue final rules regarding capital requirements for banks.
However, beyond the above-mentioned memorandum from the Director, OERM, we did not see evidence of a formally articulated risk philosophy or risk appetite for the Corporation. As discussed previously, COSO notes this articulation is important in ensuring that an entity is positioned to effectively recognize and manage risk, define objectives, and allocate resources.
COSO ERM Framework: Objective Setting
Objectives must exist before management can identify potential events affecting their achievement. ERM ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity’s mission and are consistent with its risk appetite.
COSO states that objectives are set at the strategic level, establishing a basis for operational, reporting, and compliance objectives. Operational objectives, in particular, vary based on management’s choices about structure, performance, and risk and reflect preferences, judgment, and management style. Effective ERM does not dictate which objectives management should choose, but does help to ensure that management has a process that aligns strategic objectives with the entity’s mission and that ensures the chosen strategic and related objectives are consistent with the entity’s risk appetite.
Objective Setting at the FDIC
Consistent with GPRA and related statutes, the FDIC defines its strategies and business objectives through the issuance of a strategic plan, an annual performance plan (APP), and a performance and accountability report (Annual Report). The FDIC also has implemented additional performance measurement processes in the form of Corporate Performance Objectives (CPOs) and balanced scorecards, as well as other performance metrics related to individual contracts and system development efforts. These measures cascade throughout the entity, divisional, and unit levels of the Corporation.
We recently issued an evaluation report5 that concluded the FDIC has developed and implemented multiple performance measurement processes and approaches that serve various stakeholder needs and that FDIC managers use to varying levels to manage and monitor program performance. Collectively, we found that the FDIC uses performance measures to make management decisions to improve programs and results. We also found that the FDIC assigns responsibility for meeting specific performance objectives and completing corporate initiatives to individual agency managers.
Opportunities to Align Objectives with Risk Appetite
COSO notes that, as part of ERM, management not only selects objectives and considers how they support the entity’s mission, but also ensures that they align with the entity’s risk appetite. COSO also discusses establishing risk tolerances, which are acceptable levels of variation in the achievement of objectives. Entities use performance measures to ensure that actual results are within established risk tolerances. As discussed above, the FDIC has mechanisms in place for setting objectives and aligning them with its mission, and uses performance measurements to improve programs and results. However, with an established risk appetite, FDIC managers may be able to more readily establish objectives and measurements that are in keeping with the overall risk philosophy of the Board, Chairman, and other senior executives.
COSO ERM Framework: Event Identification
Management identifies potential events that, if they occur, will affect the entity, and determines whether they represent opportunities or whether they might adversely affect the entity’s ability to successfully implement strategy and achieve objectives.
According to COSO, an event is an incident or occurrence emanating from internal or external sources that affects implementation of strategy or achievement of objectives. Events with negative impact represent risks, which require management’s assessment and response. Events with positive impact represent opportunities, which management channels back into the strategy and objective-setting processes. When identifying events, management considers a variety of internal and external factors that may give rise to risks and opportunities, in the context of the full scope of the organization. Examples of external factors are economic, natural environment, political, and social. Examples of internal factors include infrastructure, personnel, process, and technology.
Event Identification Factors at the FDIC
As discussed later, the FDIC identifies potential external events through the Corporation’s external risk management activities performed principally through three divisions – DSC, DIR, and DRR – and the external risk committees identified later in Figure 4. In addition, the FDIC’s 2007 Annual Performance Plan includes a discussion of external factors, such as the economy’s performance at the national, regional, and local levels, which have an impact on the banking industry and the FDIC.
In regard to the FDIC’s internal ERM program, Circular 4010.3 states that each FDIC manager should (1) identify key activities within his or her area of responsibility that contribute to the accomplishment of the division/office and/or corporate mission and (2) seek to determine what impediments (risks) might threaten the ability to achieve success. The policy notes that key activities could be tied to CPOs or initiatives defined in the program’s balanced scorecard.
During the 2006 assurance statement process, OERM also requested divisions and offices to identify second-tier issues—areas of concern that did not rise to the level of a material weakness—in their assurance statements. The purpose of this exercise is to bring to light issues that previously may not have received attention because the focus of the assurance statement process was geared toward disclosing material weaknesses. Collectively, FDIC divisions and offices identified more than 60 issues. Examples of second-tier issues reported included topics such as Deposit Insurance Reform, the Contract Electronic File System, and curbing unfair and deceptive (lending) practices. OERM compiled the second-tier issues into a single list organized by division and office and provided the list to the Audit Committee in early 2007.
Opportunities to Enhance the FDIC’s Event Identification
COSO notes that event identification needs to be robust, because it forms the basis for the risk assessment and risk response components. COSO also identifies examples of techniques and tools that may be used to facilitate event identification, such as:
- Event inventories: which are listings of potential events common to a specific industry or functional area,
- Facilitated workshops and interviews: usually of cross-functional teams regarding events that may affect achievement of entity or unit objectives,
- Process flow analysis: which involves mapping processes to identify potential events, and
- Loss event data tracking: which uses relevant data from past events to predict future occurrences.
COSO also discusses the importance of identifying interdependencies between events, categorizing potential events horizontally across an entity and vertically within operating units, and distinguishing events as either risks or opportunities. Doing so helps management develop an understanding of relationships between events, and provides information for assessing risks.
Although Circular 4010.3 provides high-level policy guidance for identifying key activities and associated risks, the Circular does not provide specific guidance for event identification, such as describing tools and techniques similar to those referenced by COSO above. Further, we confirmed that OERM has not issued specific guidance regarding the manner in which divisions and offices should identify events that could affect the achievement of strategic goals and objectives. We observed that divisions and offices conduct event identification processes to varying levels and degrees. For example:
- DIT is in the process of implementing the Control Objectives for Information and Related Technology (COBIT©) framework, an international IT controls and governance standard, which includes event identification efforts related to specific IT processes. DIT aligned its Accountability Units (AU)6 with the 34 COBIT© IT business processes, one of which is to assess and manage IT risks. For this process, DIT prepared a management control plan for 2007 and identified and ranked IT risks.
- The FDIC’s Legal Division meets annually with appropriate managers to identify new potential risks pertaining to individual AUs.
- DRR’s risk management program is integrated with the division’s annual planning cycle, and DRR uses its strategic plan to identify risk areas during the fourth quarter of each year to determine areas on which to focus internal review efforts for the upcoming year.
- DSC identifies risks annually based on and aligned with corporate initiatives.
- DOA identified eight functional areas for inclusion in its internal review program through consideration of emerging trends, consultation with OERM officials, known areas of high visibility and perceived risk, audit conditions, and DOA’s judgment.
- DOF identified risks within the management control plans7 developed for each of its accountability units.
COSO also stresses the importance of linking events and objectives, that is, identifying events that could prevent the achievement of objectives. In this regard, we interviewed officials from the Office of the Comptroller of the Currency (OCC) about the OCC’s Enterprise Governance Program.8
At the OCC, Enterprise Governance staff is responsible for facilitating the OCC strategic planning process. OCC executives hold an annual executive conference where executives identify strategic goals and objectives for the coming year. OCC executives also identify and assess risks associated with achieving strategic goals and objectives, and risk tolerances. Enterprise Governance staff document the results of the strategic planning and risk identification conference in a Strategic Risk Management Plan. An OCC Executive Committee monitors the plan during the year and meets quarterly to discuss plan status.
FDIC executives also hold an annual planning conference to develop CPOs and annual performance goals for the coming year, and we have observed that FDIC executives identify and discuss potential risks to achieving corporate objectives. However, this process is not as formal or well-documented as the OCC’s approach or as closely coordinated with the ERM program.
COSO ERM Framework: Risk Assessment
Identified risks are analyzed in order to form a basis for determining how they should be managed. Risks are associated with objectives that may be affected. Risks are assessed on both an inherent and a residual basis, with the assessment considering both risk likelihood and impact.
COSO notes that a risk assessment allows an entity to consider the extent to which potential events have an impact on the achievement of objectives. Management assesses events from two perspectives - likelihood and impact - and normally uses a combination of qualitative and quantitative methods. The positive and negative impacts of potential events should be examined, individually or by category, across the entity. Risks are assessed on both an inherent and a residual basis. Inherent risk is the risk to an entity in the absence of any actions management might take to alter either the risk’s likelihood or impact. Residual risk is the risk that remains after management’s response to the risk.
The COSO ERM Framework notes that the risk assessment component is a continuous and iterative interplay of actions that take place throughout the entity. While managers responsible for business unit, function, process, or other activities develop a composite assessment of risk for individual units, entity-level management should consider risk from a “portfolio” perspective.
Risk Assessment Factors at the FDIC
The FDIC’s internal risk assessment activities are reflected in the following:
- Circular 4010.3 includes the concept of identifying and analyzing exposure to risks from both external and internal sources, and cites as policy that management should evaluate the risks identified for key activities in terms of both the likelihood of occurrence and the potential impact. The circular offers OERM’s assistance to divisions and offices in regard to such evaluations.
- OERM’s guidance for assurance statements highlights the concept of risk assessment being a continuous interplay of actions in an organization by stating that the primary basis for providing assurance on issues should be management’s judgment based on knowledge gained from the daily operation of programs and systems and supplemented by results of internal reviews, audits, evaluations, and similar activities.
- OERM issued OERM Risk Manager Guidelines in 2005 for OERM staff who may be appointed to serve as risk managers on major IT projects. The guidelines include a discussion of risk assessment techniques, including assessing probability and impact.
- The FDIC’s Legal Division, OERM, and CU developed enterprise risk management training which was presented to Legal Division management in July and October 2006. The training included a discussion of using qualitative techniques in risk assessments through which the impact of risk is portrayed as high, medium, or low, and the likelihood of occurrence is demonstrated as significant, moderate, or low.
Opportunities to Enhance the FDIC’s Risk Assessments
FDIC Circular 4010.3 discusses the likelihood and impact of risk in the context of policy, but the circular does not indicate how risk assessments should be performed. OERM has not issued implementing procedures to specify how divisions and offices should be conducting risk assessments. Instead, Circular 4010.3 assigns responsibility for each division and office to establish its own risk assessment technique. Further, Circular 4010.3 focuses on division and office risk assessments for their respective organizations and does not address the principle of identifying and assessing risks that are common across the Corporation.
In this regard, we identified differences regarding how divisions and offices conducted risk assessment activities. Moreover, one division and one office representative expressed a desire for guidance from OERM regarding conducting risk assessments.
The COSO ERM Framework states that an entity need not use common assessment techniques across all business units and adds that the choice of techniques should reflect the need for precision and the culture of the business unit. However, COSO also states that although different methods may be used, they should provide sufficient consistency to facilitate the assessment of risks across the entity. Consistency would also facilitate developing an entity-wide risk portfolio. Finally, COSO notes that the time horizon used to assess risk should be consistent with the time horizon of the related strategy. Risk assessments may be:
- qualitative—such as risk rankings, risk maps, and risk questionnaires, or
- quantitative—such as probability-based techniques, stress testing, and scenario analyses.
As discussed earlier, OERM has requested divisions and offices to identify second-tier issues, which represents an improvement in the risk assessment process. However, OERM has not provided implementing guidance for prioritizing or assessing risk associated with second-tier issues, and we saw limited evidence that OERM or divisions and offices took steps to prioritize or perform risk assessments of second-tier issues. OERM’s predecessor organization, the OICM, issued the FDIC Internal Control and Risk Management Manual in 1998, which included guidance for performing risk assessments and risk assessment questionnaires for management’s use. As discussed in Appendix II, some FDIC organizations are still using some of the risk assessment techniques in the manual for their respective operations.
COSO ERM Framework: Risk Response
Personnel identify and evaluate possible responses to risks, which include avoiding, accepting, reducing, and sharing risk. Management selects a set of actions to align risks with the entity’s risk tolerances and risk appetite.
COSO provides that, having assessed relevant risks, management determines how it will respond. In considering its response, management assesses the effect on risk likelihood and impact, as well as costs and benefits, selecting a response that brings residual risk within desired risk tolerances. Management identifies any opportunities that might be available and takes an entity-wide view of risk, determining whether overall residual risk is within the entity’s risk appetite.
Risk Response Factors at the FDIC
Circular 4010.3 provides possible risk mitigation strategies, including accepting a perceived low level of risk, developing additional controls, or instituting a process of independent testing to provide greater assurance that risks are mitigated to the extent necessary. In addition, in its guidance for the 2007 assurance statement process, OERM requested that divisions and offices provide a brief summary of any actions taken during 2007 to address second-tier issues identified during the 2006 assurance statement process.
We identified a good example where the FDIC identified and assessed risks, and developed mitigation strategies. The FDIC’s Deposit Insurance Reform Executive Risk Management Committee prepared a proposed list of risks associated with deposit insurance reform activities, titled, DI Reform – Risks Managed by DIRMT. The listing included a title and description of identified risks, a numerical ranking of the magnitude of the risk, and control strategies for each risk to either mitigate the risk or develop contingency plans to address the risk. The listing effectively documented the risk response strategy and assigned a risk owner for each risk.
Opportunities to Enhance the FDIC’s Risk Response
OERM could do more in this area by providing guidance to divisions and offices on how they should respond to identified risks (such as the second-tier issues) and by providing training related to the various types of risk responses (avoiding, reducing, sharing, accepting) and the concept of residual risk.9
We noted that OERM’s guidance for assurance statements includes a statement that the non-material challenges reported for the year should be the primary (but not exclusive) basis for review initiatives planned by the respective division or office for the upcoming year. However, we did not see evidence that OERM evaluates the second-tier issues for commonality or aggregate effect across the Corporation. Taking such an enterprise-wide view may reveal that although business unit risks may be within the risk tolerances of the individual units, aggregate risks might exceed the risk appetite of the entity as a whole.
COSO ERM Framework: Control Activities
Control activities are the policies and procedures that help ensure that management’s risk responses are carried out and objectives are achieved. Control activities may be categorized based on the nature of the entity’s objectives to which they relate: strategic, operations, reporting, and compliance.
According to COSO, control activities occur throughout the organization at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, and segregation of duties.
Control Activities at the FDIC
The FDIC’s risk management program identifies the internal control standard related to control activities stating that management shall develop and implement policies, procedures, techniques, and mechanisms ensuring that management directives are carried out. Some key control activities cited in Circular 4010.3 include:
- Top level review of actual performance.
- Management reviews at the program activity level.
- Management of human capital.
- Controls over information processing.
- Physical control over valuable assets.
- Establishment and review of performance measures and indicators.
- Segregation of duties.
- Proper execution of transactions and events.
- Accurate and timely recording of transactions and events.
- Access restrictions to and accountability for resources and records.
- Appropriate documentation of transactions and internal controls.
In addition, the FDIC has established scorecard initiatives in some divisions, and other control activities are reflected in corporate documents such as the FDIC Bylaws, DSC regional director memoranda, and various manuals and circulars.
OERM’s guidance for preparing annual assurance statements requires divisions and offices to provide assurance on control activity-related areas of interest. For example, the 2006 assurance statement guidance requested that divisions and offices provide assurance on a number of items, including that:
- procedures were fully documented for all key activities,
- systems security was in substantial compliance with all relevant requirements,
- continuity of operations planning in all critical areas was sufficient to reduce risk to reasonable levels in the event of a disaster, and
- sufficient actions had been taken to minimize any negative impact associated with downsizing.
Opportunities to Align Control Activities with Risk Responses
The COSO ERM Framework notes that control activities are an important part of the process by which an entity strives to achieve its business objectives. While Circular 4010.3 identifies key control activities in the context of the GAO’s Standards for Internal Control in the Federal Government, as is appropriate, the Circular does not address control activities in the context of ERM. In this regard, OERM could provide additional guidance or assistance to divisions and offices in:
- consistently linking corporate objectives to risk responses and to control activities;
- ensuring that control activities are designed to help ensure that strategic, operational, reporting, and compliance objectives are met; and
- evaluating control activities from a corporate-wide, or portfolio, perspective.
COSO ERM Framework: Information and Communication
Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication occurs in a broader sense, flowing down, across, and up the entity.
COSO states that information is needed at all levels of an organization to identify, assess, and respond to risks, and to otherwise run the entity and achieve its objectives. Information systems must provide information to appropriate personnel so that they can carry out their operating, reporting, and compliance responsibilities. But communication also must take place in a broader sense, dealing with expectations, responsibilities of individuals and groups, and other important matters. Further, personnel must have a means of communicating significant information upstream. COSO also provides that every enterprise identifies and captures a wide range of information relating to external as well as internal events and activities, relevant to managing the entity. Technology plays a critical role in enabling the flow of information in an entity, including information directly relevant to enterprise risk management.
Protiviti®, Inc. notes that reporting is integral to the information and communication ERM component because it drives transparency about risk and risk management throughout the organization to enable risk assessment, execution of risk responses and control activities, and monitoring of performance.
Information and Communication Factors at the FDIC
The FDIC communicates information through a number of periodic reports for senior corporate managers pertaining to internal FDIC matters, such as:
- Quarterly CIRC reports on the status of capital investment projects (such as IT system development efforts);
- Semiannual Contract Assessment Reports that provide cost, milestone, and performance information on contracts valued at $5 million or greater;
- Quarterly Emergency Preparedness Reports;
- Quarterly CFO reports to the Board highlighting financial activities and results; and
- Quarterly Performance Summary on the status of CPOs and Annual Performance Goal exception reporting.
The Chairman’s office has taken steps to make sure that the Chairman and the FDIC Board Members receive appropriate management reports in a format and level of detail that enhances understanding. The Chairman’s office is developing a secure electronic repository to house FDIC Board and Chairman-level reports to improve management report delivery and availability. With regard to providing information to employees, the FDIC communicates information to staff in various ways, including:
- Posting on the FDIC’s internal Web site performance information such as the CPOs, summary of year-to-date cumulative results on the accomplishment of the CPO goals, and APPs.
- DSC’s balanced scorecard is available to all DSC staff and provides detailed information about strategic objectives and performance targets to provide a comprehensive view of business operations at the national, regional, and territory level.
- DOF’s balanced scorecard is available to FDIC employees and presents performance measurement information about DOF operations, strategies, and initiatives.
- DOA and DOF encouraged their staff to participate in the 2008 corporate-wide planning and budget process by submitting potential new projects, performance objectives, and initiatives for 2008.
Annual Assurance Statement Process: As discussed earlier, OERM issues annual assurance statement guidance to divisions and offices that includes instructions for providing assurance on internal control objectives (for purposes of external reporting) and disclosing non-material challenges (second-tier issues) requiring management’s attention (for purposes of internal reporting). OERM indicated that division and office disclosure of second-tier issues is a positive step, because it affords management the opportunity to devote resources to address those issues and to better plan risk management activities.
Opportunities to Enhance the FDIC’s Information and Communication Efforts
OERM internal reporting on ERM activities could be enhanced. For example,
- While OERM briefs executive management and produces a bi-weekly Audit Status report, we identified no further examples of ERM reporting from OERM to the Chairman’s Office or the FDIC Board.
- OERM discontinued the practice of providing monthly status reports to executive management in 2005, based on a corporate-wide initiative to streamline reporting.
- OERM has also discontinued its practice of periodically meeting with internal control liaisons from FDIC divisions and offices to discuss internal control and ERM issues. Several liaisons indicated that these meetings were helpful and allowed the liaisons to share ideas with their counterparts in other divisions and offices. Several liaisons indicated that they would like to resume meeting on a quarterly or some other periodic basis.
OERM Assurance Statement: OERM officials stated that they are not required to prepare an assurance statement regarding OERM’s controls and activities because OERM compiles the division and office annual assurance statements and preparing its own would constitute submitting an assurance statement to itself. OERM officials also stated that other offices such as CFO and COO do not prepare assurance statements. We note that divisions and offices address their assurance statements to the Chairman, not OERM. Thus, submitting an assurance statement would not constitute OERM reporting to itself. We also note that OERM has other responsibilities in addition to facilitating the assurance statement process, including:
- the FDIC’s ERM Program,
- internal control reviews and program evaluations of the FDIC’s business lines,
- monitoring audit follow-up and resolution activities,
- Audit Committee activities,
- maintaining the audit tracking system,
- serving as risk managers for major IT projects, and
- the Post-Project Review program.
Without submitting an assurance statement, OERM has not provided the Chairman with documentation supporting positive assurance that the ERM program and other OERM program responsibilities are effective and efficient, have sufficient internal controls, follow relevant laws and regulations, or are supported by documented procedures.
Financial Management Systems Assurance: Opportunities also exist for the FDIC to improve external reporting of ERM activities. The FDIC Chairman’s assurance statement in the Corporation’s 2005 and 2006 Annual Reports indicates that the FDIC can provide reasonable assurance that the objectives of FMFIA Section 2 (internal controls) and Section 4 (financial management systems) have been achieved.10 However, OERM has not developed agency-wide procedures regarding Section 4 assurances and reporting, and we were unable to confirm the basis or support for the Section 4 assertion related to financial management systems.
Government corporations, including the FDIC, are required by the CFO Act to prepare an annual management report that is consistent with agency statements on internal accounting and administrative control systems, as provided in FMFIA. The FMFIA also gives the Director, OMB, authority to issue implementing guidelines. OMB has done so in Circulars A-123, Management’s Responsibility for Internal Control, and A-127, Financial Management Systems. The FDIC has concluded that it is not required to comply with these circulars but relies on OMB’s guidance to achieve compliance with the underlying statutory requirements.
According to A-123, FMFIA Section 4 requires an annual statement on whether the entity’s financial management systems conform to government-wide requirements. These government-wide requirements are set forth in part in OMB Circular A-127, section 7, which, among other things, requires agencies to have financial management systems that meet various requirements, including the ability to:
- Provide timely and useful financial information, including internal and external reporting requirements, and ensuring the integrity of financial data through monitoring;
- Produce financial information required to measure program, financial, and financial management performance for budget, program management, and financial statement presentation; and
- Prepare, execute, and report on the agency’s budget in accordance with OMB instructions.
Section 7 of A-127 also states that financial management systems shall be maintained to ensure efficiency and effectiveness and be clearly and currently documented per applicable guidance. These systems shall include a system of internal controls that ensure that resource use complies with applicable laws, regulations, and policies; that resources are safeguarded; and reliable data is produced and reported. Lastly, users of the systems are to be adequately trained and appropriately supported.
Moreover, under section 9.a.3 of A-127, agencies shall ensure that “appropriate reviews” of their financial management systems are conducted. These reviews must comply with policies for (1) reviews of internal control in accordance with OMB guidance for purposes of FMFIA and Circular A-123; (2) reviews of conformance of financial management systems with Circular A-127, section 7, in accordance with OMB’s FMFIA guidance; and (3) reviews of systems and security reviews under OMB Circular A-130, Management of Federal Information Resources. Lastly, section 9.a.4 requires agencies to issue, update, and maintain agency-wide financial management directives to reflect policies defined in the Circular (A-127).
In implementing either Circular A-123 or A-127, OMB has provided agency heads with much discretion, since the Circulars do not contain any detailed process by which agency heads are to make their Section 4 assurances. Further, A-127 does not define or describe what is meant by “appropriate review.” In any case, agencies are required to have financial management directives that address A-127’s provisions.
We have not identified any OERM or FDIC written procedures on how the Section 4 assurance statement is to be supported and reported upon. Additionally, although we note that legal analyses have been prepared for Circulars A-123 and A-127, these analyses have not specifically addressed the issue of support for the statements of assurance, including the effect of reviews conducted under A-127, section 9. OERM and the CFO told us that there is no one specific document or review that would constitute the support or basis for the FDIC’s assurance statement regarding FMFIA Section 4 reporting. Instead, OERM stated that the basis for the Chairman’s Section 4 assertion consists of many things taken together in regard to the FDIC’s core financial management system – New Financial Environment (NFE) and other systems that interface with NFE, including:
- GAO’s Audit of the FDIC’s Financial Statements – the audit work and the results of the audit;
- FISMA reviews and reports, including security self-assessments and the OIG’s annual FISMA evaluation;
- FDIC internal control reviews; and
- The FDIC’s system development life cycle processes.
We noted that GAO’s financial statement audit report (Federal Deposit Insurance Corporation Funds’ 2006 and 2005 Financial Statements, dated February 2007, GAO-07-371) omitted mention of financial management systems under FMFIA, and we confirmed with GAO that the scope of its financial statement audit did not include FMFIA Section 4 (financial management systems) reporting. While some elements of the FISMA review and internal control reviews performed by FDIC divisions and offices may touch upon financial management system aspects, such as information security, we concluded that support for Section 4 reporting was undocumented, indirect, and fragmented and could be improved.
Given the statutory nature of the FDIC’s Annual Report,11 there should be adequate support behind the Chairman’s statements of assurance regarding FMFIA Sections 2 and 4. To help ensure the adequacy of such support, the FDIC should develop and document procedures that consider the provisions of OMB’s Circulars A-123 and A-127 and other relevant authorities, in general, and the following topics, in particular:
- what financial management systems reviews should be performed,
- the organization(s) responsible for the reviews,
- what supporting documentation is needed for the assurance statement, and
- to whom and in what manner or form the results of financial management system reviews should be reported.
A more clearly defined process for Section 4 reporting would also help ensure that the Director, OERM, has sufficient information for determining whether any weaknesses identified in the financial systems reviews need to be reflected in the Chairman’s assurance statement and/or warrant reporting for purposes of OMB Circulars A-123 and A-127.
COSO ERM Framework: Monitoring
The entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or a combination of the two.
According to COSO, ongoing monitoring occurs in the normal course of management activities. The scope and frequency of separate evaluations depends primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. ERM deficiencies are reported upstream, with serious matters reported to top management and the board.
Monitoring Activities at the FDIC
Examples of monitoring of internal operations through ongoing management activities include:
- periodic reports to the COO, CFO, FDIC Chairman, and FDIC Board, detailing the use of delegated authority by FDIC staff;
- budget variance analyses and mid-year budget review; and
- assignment of oversight managers and technical monitors to procurement efforts.
Examples of separate evaluations of internal operations at the FDIC include:
- audits and studies of FDIC programs, operations, and financial statements from the GAO;
- audits and evaluations of programs and operations conducted by the OIG; and
- internal control reviews and program reviews conducted by division and office internal review units.
OERM Monitoring Activities: OERM indicated that it has conducted reviews and studies in areas such as:
- performing quality assurance work to ensure the data integrity of the Office of Diversity and Economic Opportunity case processing systems and completeness of case files,
- assisting the Privacy Program Manager in developing aspects of a privacy program,
- analyzing the number of management reports submitted to the FDIC Board and Chairman’s Office, and
- reviewing DOF and DIR procedures for updates required by the implementation of Deposit Insurance Reform.
OERM also has one staff member who participates in DSC regional office reviews with DSC’s Internal Control and Review Section and performs internal control reviews of DSC operations. For example, OERM provided internal control review reports related to determining whether a regional office’s published policies were current and complete; how another regional office utilized DSC Scorecard information; and how the regional office managed the accuracy of Corporate Human Resources Information System staffing tables and salary cost allocations to corporate programs.
Opportunities to Enhance ERM Monitoring
Under the FDIC Bylaws, OERM also has responsibility for conducting program evaluations of the Corporation’s business lines (DSC, DIR, DRR) as contemplated under GPRA. In this regard, we recommended in a recent report12 that OERM take steps to add greater independence and structure to its program evaluation efforts, such as developing an annual evaluation schedule, defining the scope and methodology of procedures performed, and reporting recommendations for program improvements.
OERM also has desk officers who are assigned to each division and office throughout the FDIC. The desk officers indicated that they are involved in monitoring certain second-tier issues through frequent communication with their respective divisions and offices. OERM does not formally document its reviews but predominantly uses informal communication channels. The COSO ERM framework allows that many aspects of enterprise risk management are informal and undocumented, yet are regularly performed and highly effective. However, in this regard, COSO also states that an appropriate level of documentation usually makes evaluations more effective and efficient.
Finally, although the CFO indicated that he is responsible for overseeing OERM, we did not see a formal program or process for monitoring OERM’s implementation of ERM. Such oversight should ensure that OERM implements ERM infrastructure and the basic components of COSO’s ERM Framework and that the ERM program delivers risk management information that is useful and actionable.
Recommendations
The FDIC’s overall ERM program varies in some respects from what is recommended by COSO. Although organizations have latitude and flexibility in implementing ERM to meet specific needs, the FDIC may wish to take action to more closely align corporate practices with the COSO framework and thereby maximize the effectiveness and efficiency of the various risk management activities currently in place throughout the Corporation.
1. We recommend that the Chairman further study variances between the FDIC’s overall internal ERM efforts and the COSO ERM Framework as discussed in this report and take steps to address the variances where it will add value to the FDIC’s ERM program. Areas for potential focus include:
   - Defining and communicating the Corporation’s risk appetite and ensuring that corporate objectives are aligned with that appetite.
   - Establishing and documenting corporate-wide processes for identifying, assessing, and responding to internal risks.
   - Establishing effective channels for OERM to communicate risk management information throughout the organization, such as through periodic status reports and meetings with divisional risk management/internal review units.
   - Identifying the process for monitoring the implementation of ERM through ongoing activities or separate evaluations of division and office risk management programs and OERM’s enterprise risk management program.
2. We recommend that the Director, OERM, take necessary steps to develop and issue an annual assurance statement to the Chairman related to the ERM program and other OERM responsibilities.
3. We recommend that the Director, OERM, coordinate with the Legal Division to review section 4 reporting requirements to determine the FDIC’s reporting responsibilities.
4. Based on the results of recommendation 3, we recommend that the Director, OERM, issue guidance for FMFIA section 4 reporting and the work required to support an assertion on financial management systems.
Structure of the FDIC’s Internal ERM Program
Implementing ERM: An entity’s size, complexity, industry, culture, management style, and other attributes will affect how the framework’s concepts and principles are most effectively and efficiently implemented.
The COSO ERM Framework notes that organizations implement ERM differently, but indicates there are common broad-based steps taken by entities that have successfully implemented ERM, such as conducting a current state risk assessment, developing an entity-wide ERM vision, and ensuring capability development, which includes defining roles and responsibilities; policies, processes, tools, techniques, information flows and technologies; and competencies. These capabilities are also collectively known as the ERM Infrastructure. Table 1 presents some common elements of ERM infrastructure.
Table 1: ERM Infrastructure Elements
- CEO commitment (tone and message from the top),
- Risk policies and/or mission statements, including adapting any company risk or audit committee charter to incorporate ERM,
- Reporting to business units, executives, and the board,
- Adoption or development of a risk framework,
- Adoption or development of a common risk language,
- Techniques for identifying risk,
- Tools for assessing risks,
- Tools for reporting and monitoring risks,
- Incorporating risk into appropriate employees’ job descriptions and responsibilities,
- Incorporating risk into the budgeting function, and
- Integrating risk identification and assessment into the strategy of the organization.
The FDIC’s Bylaws state that the Director, OERM, is responsible for administering the enterprise-wide risk management program that monitors and manages risks by maintaining partnerships with the divisions and offices, providing training, and addressing internal control deficiencies. Among other things, the Bylaws provide that the Director, OERM, shall:
- develop policies and procedures for the development, maintenance, and evaluation of a comprehensive ERM program;
- design and implement corporate-wide ERM training programs;
- conduct outreach activities to explore best practices found in public and private sectors;
- conduct corporate internal control reviews; and
- serve as the risk manager for certain large IT projects that fall under the CIRC.
In addition, the Position Description for the Director, OERM, includes the following duties:
- designing OERM’s governance model for internal risk;
- establishing policies and procedures to manage enterprise-wide internal risk;
- developing an integrated risk management program for the FDIC that entails identifying, prioritizing, measuring, monitoring, and managing/controlling the most material internal control and operating/other risks facing the Corporation;
- developing risk quantification techniques that facilitate appropriate risk/reward choices across the organization;
- implementing a consistent risk management framework across FDIC business areas and developing, implementing, and measuring the effectiveness of appropriate risk mitigation strategies; and
- developing and providing appropriate briefing material to the Chairman and Board.
In general, more needs to be done if the Corporation wants to establish an ERM infrastructure as envisioned in the Bylaws and the Position Description for the Director, OERM, particularly in the areas of defining roles and responsibilities, developing procedures and guidance, and developing corporate-wide ERM training programs.
Roles and Responsibilities
The CFO told us that he is responsible for overseeing OERM; however, the FDIC has chosen not to formally establish roles and responsibilities for overseeing the internal ERM Program, specifically the roles that the FDIC Chairman, the FDIC Board, and the Audit Committee should play. Such oversight could help ensure that OERM implements ERM infrastructure and the basic components of COSO’s ERM Framework and that the ERM program delivers risk management information that is useful and actionable.
Chairman and Board: The COSO ERM Framework notes that the Chief Executive Officer (CEO) is ultimately responsible and should assume ownership of ERM. This includes seeing that all components of ERM are in place. The CEO generally fulfills this duty by:
- providing leadership and direction to senior managers, including developing the entity’s risk management philosophy, risk appetite, and culture, and
- meeting periodically with senior managers to gain knowledge of risks inherent in operations, risk responses, control improvements required, and the status of ERM efforts under way.
The COSO ERM Framework notes that the Board provides important ERM oversight by:
- knowing the extent to which management has established effective ERM;
- being aware of, and concurring with, the entity’s risk appetite;
- reviewing the entity’s risk portfolio and considering it against the entity’s risk appetite; and
- being apprised of the most significant risks and whether management responds appropriately.
Neither the Bylaws nor the FDIC’s ERM policy specifies the role of the Chairman or the FDIC Board in implementing or overseeing internal ERM. Further, the Director, OERM, stated that the FDIC Board does not have a role in internal ERM because the Board’s focus is on external risks facing the Corporation. We believe that the Chairman and the FDIC Board should have clearly defined roles in ERM as suggested by the COSO ERM Framework. We also note that the COSO approach is consistent with what the FDIC expects of boards of directors for FDIC-supervised financial institutions. Specifically, an FDIC corporate governance presentation for new bank directors states that board member responsibilities include identifying the risk profile for the institution and establishing a risk appetite and risk framework within which to identify, measure, monitor, and control the risks of the institution.
Audit Committee: The COSO ERM Framework notes that it is not uncommon for oversight responsibility for ERM to be assigned to the audit committee. COSO notes that with its focus on internal control over financial reporting, and possibly a broader focus on internal control, the audit committee already is well positioned to expand its responsibility to overseeing ERM.
OMB Circular A-123 also encourages agencies to consider establishing a Senior Management Council to assess and monitor deficiencies in internal control. Such councils generally recommend to the agency head which reportable conditions are deemed to be material weaknesses to the agency as a whole and may be responsible for (1) overseeing the timely implementation of corrective actions related to material weaknesses and (2) determining when reportable conditions or material weaknesses have been corrected.
The FDIC established an Audit Committee as a Standing Committee to the Board. The delegation of authority establishing the FDIC Audit Committee includes, among other things, the following responsibilities:
- overseeing the Corporation’s financial reporting and internal controls,
- reviewing and approving management’s annual plan for compliance with the CFOA, and
- assessing the sufficiency of the Corporation’s internal control structure.
OERM’s Circular 4010.3 does not address whether the Audit Committee plays a role in overseeing ERM or internal control program efforts. OERM’s Web site does indicate that the Audit Committee reviews and discusses OERM activities and we have observed this on occasion. Accordingly, considering the Audit Committee for a broader oversight role would be consistent with the COSO ERM Framework, OMB Circular A-123, and Audit Committee practices.
OERM’s Role and Responsibilities: As discussed throughout this report, we identified variances between the requirements for the OERM Director’s position as outlined in the FDIC Bylaws and the day-to-day operations of OERM. Many of OERM’s efforts relate to serving in an audit liaison capacity and monitoring the status of ongoing audits and corrective actions taken in response to audit recommendations. Secondarily, we observed that OERM provides assistance to other divisions and offices as needed to work on special projects, such as the Privacy Program developed by DIT and the Deposit Insurance Reform initiative.
The OERM Director and OERM staff described much of their risk management efforts as consisting of meetings and/or briefings with division and office staff on specific topics of interest. Thus, much of our understanding of OERM’s risk management efforts is based on testimonial evidence as opposed to documentary evidence. Nevertheless, the CFO and COO indicate that they are pleased with OERM’s contribution to risk management and key internal initiatives. Given the differences between the Bylaws description of OERM responsibilities and OERM’s actual efforts, we are suggesting that the FDIC reconcile the two to promote a common understanding of OERM’s risk management role and responsibilities.
Policies and Procedures
OERM has issued high-level policy related to ERM, but OERM could do more to provide detailed procedures and guidance related to methodologies, models, and systems that divisions and offices should use in identifying, assessing, mitigating, and reporting risk information. For example, Circular 4010.3 sets forth policy13 related to implementing an ERM Program, stating that every FDIC operating and policy area should possess the following fundamental requirements:
- current and documented procedures,
- reasonable controls incorporated into those procedures,
- employees trained in the proper execution of their duties, and
- supervisors and managers who are both empowered and held accountable.
Further, the policy indicates that each manager should
- identify key activities within his or her area of responsibility,
- seek to determine what impediments (risks) might threaten the ability to achieve success,
- evaluate the impediments in terms of likelihood of occurrence and potential impact, and
- take actions as deemed necessary to mitigate risk.
Further, OERM issues guidance to divisions and offices annually related to preparing assurance statements on the adequacy of internal and management/financial system controls. OERM has also issued guidelines to OERM staff serving as risk managers on CIRC projects.
However, OERM has not issued implementing procedures or guidance to assist divisions and offices in implementing ERM. According to OERM, it is up to individual division and office managers to decide how best to implement ERM. As presented in Appendix II, we saw differences in divisions’ and offices’ ERM programs. Most were still using traditional “accountability unit” approaches, which are based on functional areas, as opposed to the identification, assessment, and mitigation of risks emanating from strategic objectives.14 Further, one division and one office expressed a need for guidance from OERM. With clear, uniform guidance, OERM could increase consistency in FDIC divisions’ and offices’ approach to internal ERM.
In our view, Circular 4010.3 does not meet the level of detailed procedures contemplated in the Bylaws, the Position Description for the OERM Director, or the COSO ERM Framework. Moreover, OMB Circular A-123 notes that agency management should have a clear, organized strategy with well-defined documentation processes that cont