Financial company regulations, as well as formal and informal regulatory guidance, often require or strongly urge periodic reviews of corporate risk management processes and metrics. These reviews must be performed by qualified independent parties. Within a cost-conscious financial corporation, it may be difficult to maintain truly qualified individuals who are fully independent of both the relevant business line and the developers of risk processes and metrics. Furthermore, even independent internal staff who may be qualified from an academic or business experience perspective can have difficulty understanding the true intent of rules and regulators’ most current interpretations.

For example, all US financial holding companies with over $1 billion in gross trading assets and liabilities are subject to the Federal Reserve’s "Market Risk Rule" (MRR). This rule not only enumerates quantitative model-based market risk capital requirements but also requires a number of key risk management processes. In January 2009, the Federal Reserve released SR Letter 2009-011, which reiterates expectations with respect to compliance with the MRR and provides new details on them. A key provision emphasized in the SR Letter requires "each subject banking organization to perform an independent review of its market-risk measurement and management systems at least annually." The scope of the required annual review is comprehensive. The SR Letter notes, "This requirement is not limited to VaR and stress-testing processes; the review should incorporate the full array of systems, processes, and reporting used in the risk measurement and management of covered positions."

For financial firms with significant trading operations, meeting the MRR annual review requirement is not a trivial task. Furthermore, the ability of internal staff to perform an appropriately independent review is constrained, as those assessing systems must be "independent of the activity which the system is used to assess, those who designed the system, and those who utilize the system in a risk-management capacity."