Relating to the Board’s Oversight Function With Respect to Risk Management
January 15, 2013
The Review Committee of the Board of Directors of JPMorgan Chase & Co. was established pursuant to the May 23, 2012 resolution of the Board, which authorized the Review Committee to oversee the investigation by the Firm’s Task Force into the trading losses of the Chief Investment Office (“CIO”) and to report to the Board on the Review Committee’s findings and recommendations. This report is based on the Review Committee’s independent investigation and analysis of the circumstances resulting in the CIO trading losses and its review of the Report of the JPMorgan Chase & Co. Task Force Regarding 2012 CIO Trading Losses, dated January 15, 2013. The Review Committee and its outside counsel examined records of the Board and its committees and other internal records of the Firm and interviewed Board members and members of management in connection with preparing this report.
The Review Committee submits this report relating to the Board’s oversight function with respect to risk management. The Board has the responsibility to oversee management in its performance of risk management functions. The Board discharges those responsibilities in the first instance by assigning primary responsibility to the Risk Policy Committee.
The ability of the Board or its committees to perform their oversight responsibilities depends to a substantial extent on the relevant information being provided to them on a timely basis. In this case, the information communicated to the Risk Policy Committee, at least until late April or early May 2012, did not suggest any significant problems in the CIO which required close attention from the Committee. Because the risks posed by the positions in the synthetic credit portfolio were not timely elevated to the Risk Policy Committee as they should have been, or to the Board, the Board and the Risk Policy Committee were not provided the opportunity to directly address them. The Board and the Risk Policy Committee had the reasonable expectation that such information would be appropriately elevated as part of the extensive risk management system in place at the Firm. In light of these facts and the information made available to them, the Review Committee concluded that the Board and the Risk Policy Committee discharged their duties with respect to the oversight of the Firm and the CIO. The Task Force report extensively examined the role of management in connection with the losses suffered by the CIO. The Review Committee concurs in the substance of that report.
In this report, the Review Committee analyzes how the practices and processes of the Board and its committees could be enhanced to strengthen the Firm’s overall risk management function and the oversight of that function. The recommendations which this report makes do not imply that practices or processes in place in 2012 fell below the standard required of directors or caused the CIO losses. Further, some of the recommendations reflect practices already followed by the Board or the Risk Policy Committee or put in place by them or management prior to the issuance of this report.
The Review Committee has given particular attention in this report to the role of the Risk Policy Committee. In recent years, the Risk Policy Committee has met approximately eight times per year, in conjunction with the regularly scheduled meetings of the Board. The meetings lasted approximately two to three hours. The agendas were established early in the year by the Chairman of the Committee and the Firm’s Chief Risk Officer (“CRO”), with the expectation that other issues would be added as they arose in the course of the year. The Chairman typically met with the CRO the day before each Risk Policy Committee meeting for at least an hour to go over the agenda and the materials for the meeting, and they also frequently spoke by telephone and exchanged emails to prepare for meetings. The chief risk officers of the Investment Bank, the Consumer Bank, and the Commercial business typically attended all meetings of the Risk Policy Committee, while the chief risk officers of the other lines of business and CIO generally attended only meetings at which their units were on the agenda until March 2012, when, at the direction of the CRO, they also began to attend all meetings of the Committee. Other senior officers of the Firm, including the Chief Financial Officer and the General Counsel, and heads of the lines of business attended Risk Policy Committee meetings from time to time.
The Committee members received substantial amounts of written materials a few days before the meetings. These materials included a monthly liquidity overview for the Firm and a report showing the Firm’s performance against its risk appetite parameters and other risk and loss tolerances. The regular materials also included detailed reports in a standard form (entitled “Risk Management: General Market Discussion”) regarding the Investment Bank, the Commercial Bank, and the Consumer business (but generally not Treasury & Securities Services, Asset Management, or CIO), plus an appendix of supporting data that included reporting on Firmwide and business-specific risk metrics. The appendix contained, among other things, graphs showing measurements of value at risk (“VaR”) over the preceding 12 to 20 months for the entire Firm, and specifically for the Investment Bank, Retail Financial Services, and CIO. The appendix also included the results of various stress tests on a Firmwide basis and for specific lines of business and CIO, as well as economic and allocated capital for each of the Firm’s six lines of business and for the Corporate Sector, which included CIO.
The General Market Discussion reports to the Risk Policy Committee did not include a separate section relating to CIO until March 2012, when changes were made to the template for the reports. Those changes also resulted in the removal of the reporting of the Firmwide and CIO VaR, which appeared in the materials for the meetings up to and including January 17, 2012 (for the period through December 2011), but not in the materials for the March 20 and April 17, 2012 meetings. As noted below, a written presentation from CIO at the March 20 meeting of the Risk Policy Committee included a VaR calculation for the synthetic credit portfolio as of March 6, 2012. The March 20 meeting of the Risk Policy Committee also included a presentation on market risk limits, which described Firmwide VaR excessions in 2011 and a temporary increase in CIO’s VaR limit in 2011 for reasons unrelated to the synthetic credit portfolio. CIO exceeded its VaR limit at several points in the period January 16 to January 26, 2012, which caused a breach in the overall Firm VaR limit. These excessions, and the change in the VaR model for the synthetic credit portfolio under which the excessions ceased, were not reported to the Risk Policy Committee.1 The reports for the March 20, 2012 and April 17, 2012 meetings noted that a reduction in CIO’s VaR limit was under review. None of the General Market Discussion reports signaled a problem with CIO’s synthetic credit portfolio.2
In addition to the reports prepared according to the standard templates, materials for the Risk Policy Committee meetings included, over the course of the year, reports on specific subjects and areas. These included, for example, reports on the Firm’s risk appetite framework, concentration risk, model risk and validation governance, country risk, market risk, and operational risk, as well as reports on specific businesses and sectors of the Firm. The Risk Policy Committee and Audit Committee met jointly to receive reports on the risk management control environment for the Firm and for specific lines of business. The Risk Policy Committee and Audit Committee also had a joint meeting each year with representatives of the Office of the Comptroller of the Currency (“OCC”) and the Federal Reserve Bank of New York, and they received annual reports of examinations by the OCC and the Federal Reserve Bank’s reports of inspections.3
Presentations relating specifically to CIO generally were made once a year to the Risk Policy Committee. The presentations did not address the synthetic credit portfolio in detail and did not point out any significant risks posed by it. A presentation by CIO to the Risk Policy Committee in December 2010 stated that “CIO [takes] positions tactically to complement the core investment portfolio” and that an example of this purpose was “a synthetic (or derivative) credit position established in 2008 to protect the Firm from the anticipated impact of a deteriorating credit environment.”4 The presentation stated these positions reached a maximum VaR of $125 million in early 2009 and had “since been de-risked to a current VaR level of approximately $55m, with some risk reduction anticipated.” The report stated that CIO’s “[t]actical credit strategies,” which included both cash and derivative positions, had contributed approximately $2.8 billion in “economic value” from inception, with an average annualized return on equity of 100%.5
CIO also made an annual presentation to the Audit Committee on the control environment in CIO. Following this presentation to the Audit Committee in July 2011, the Audit Committee reported to the Board that the CIO’s presentation stated that the overall control environment and business processes of CIO remained strong. In connection with its December 13, 2011 meeting, the Risk Policy Committee received a report prepared for it and the Audit Committee on the Firm’s Risk Management Control Environment, which covered Firmwide risk management as well as risk management for the lines of business and CIO. That report addressed, among other things, risk management priorities for 2012, the status of responses to regulatory-driven initiatives, risk technology issues and initiatives, issues with model risk governance, and the status of control assessment issues (including matters requiring attention (“MRAs”) identified by regulators) and action plans to address them. These reports did not raise issues with regard to under-resourcing or other deficiencies in the risk management function in CIO, or a lack of appropriate risk limits or compliance with risk limits at CIO.
The Review Committee also made inquiry into the interaction between incentive compensation and risk management. As provided by the charter of the Risk Policy Committee, the Committee or the Chairman of the Committee met at least once a year with the Compensation Committee. At a joint meeting on December 13, 2011, the two committees and the CRO met with the Firm’s Director of Human Resources and addressed, among other things, the interaction between incentive compensation and risk management, and the involvement of risk executives in the incentive compensation process. They also reviewed an outline of the Firm’s overall performance assessment and compensation process for material risk takers, which included risk officers’ involvement in the determination of appropriate risk-adjusted performance metrics and participation in incentive pool allocation discussions in their lines of business. The Committees also reviewed the Firm’s clawback provisions for members of the Operating Committee and approximately 600 Tier I employees.
Internal Audit performed an audit of market risk and valuation practices for EMEA (Europe, Middle East, Africa) credit in CIO as of December 31, 2011, and issued its report on the audit on March 30, 2012. The audit examined the controls supporting market risk management and valuation practices for CIO’s investment credit portfolio and synthetic credit portfolio. The audit resulted in a rating of “Needs Improvement”6 based on, among other things, deficiencies in the valuation processes, the use of unapproved models in the calculation of risk,7 lack of appropriate documentation and cataloguing of risk measurement methodologies, the failure by CIO explicitly to measure portfolio sensitivity to certain risk measures, and the lack of a documented stress testing methodology such that Audit was unable to fully assess the stress testing framework and related scenario outputs. Consistent with Internal Audit’s standard practice, a summary of the audit findings and conclusions was provided to the Audit Committee, in connection with its meeting on April 17, 2012, but not to the Risk Policy Committee.
The Risk Policy Committee received a report regarding CIO at the Committee’s meeting on March 20, 2012. The CEO of CIO presented the report, and the new CRO of CIO also attended the meeting. The written presentation prepared by CIO for the meeting related primarily to CIO’s investment strategy and external factors affecting its activities. The written presentation also contained for the first time a one-page summary of various metrics for CIO’s investments and activities, as of March 6, 2012. This one-page summary included a small box that referenced certain stress and risk metrics for the synthetic credit portfolio (including a VaR calculation for the synthetic credit portfolio of $50.5 million as of that date), but these metrics did not effectively convey the risks of the portfolio, and they were not discussed at the meeting or explained in the written materials. This material did not meaningfully convey information useful to the Committee and did not flag the issues of increasing concern at CIO regarding the synthetic credit portfolio. Indeed, the synthetic credit portfolio was not raised by either the CIO CEO or CRO as a subject for discussion at the March 20, 2012 meeting.
Following the April 6, 2012 publication of the article in The Wall Street Journal regarding CIO, members of the Risk Policy Committee requested that the subject be addressed at the next meeting of the Committee (held on April 17, 2012). At that meeting, the chief risk officer of CIO gave a description of the history and status of the synthetic credit portfolio and described the attributes of the IG-9 index and how the purchase of that index was used to offset other positions. He said that the recent news reports were based on an inaccurate market perception that the portfolio was unhedged, and he reported that the risk was in fact balanced. The Firm’s Chief Financial Officer and CRO were also present at the meeting and, in response to questions from the Committee, said that this analysis was consistent with the information that they had received. The Firm’s CRO and the chief risk officer of CIO also described an ongoing post-mortem of the trades that included governance and market limits, and the Committee was assured that the matter was receiving appropriate attention from senior management of the Firm. No written materials accompanied this oral report regarding the synthetic credit portfolio.
Presentation of Information to the Risk Policy Committee
Our review of past practices and processes indicated that materials presented to the Risk Policy Committee did not always convey information that was useful to the Committee, or always convey it in a manner that was meaningful to the Committee. Rather, the Committee at times received non-contextualized data rather than having information distilled in a format meaningful and useful to the directors. Following the appointment of a new Firm CRO in January 2012, the Chairman of the Risk Policy Committee and the CRO discussed ways to improve the reports made to the Committee. Subsequently, management reports to the Committee have been made more focused and useful, and further efforts to improve the reports continue.
The Review Committee recommends that these efforts continue and, in particular, that the CRO work with members of the Risk Policy Committee to develop regular reporting templates that better organize and distill information that the Risk Policy Committee needs to perform its functions effectively. On occasion, materials provided to the Risk Policy Committee were originally prepared for internal staff meetings, where readers often have an ongoing and contextually-informed understanding of technical language and shorthand exposition. Reports to the Committee should always be drafted and presented from the vantage point of the Committee members reading the reports.
Both the Risk Policy Committee and the CRO should continue to work to ensure that issues that “keep management awake at night” are timely raised with the Committee and examined in appropriate detail. The revisions in the templates for the reports made as of the March 2012 meeting of the Risk Policy Committee included the addition of a summary of “Key Risk Topics” for each of the lines of business and CIO, but this reporting requirement did not result in the identification of the problems with the synthetic credit portfolio in the written materials for the Risk Policy Committee for either the March or April 2012 meetings of the Committee. Although a requirement that business managers and risk officers list the key risks they perceive is not a guarantee that all significant risks will be identified and reported, continued insistence on this requirement and continued engagement by the Committee with regard to such risks may help ensure that the requirement is treated seriously.
The reporting to the Risk Policy Committee should also identify significant anticipated future changes to the business, to the risk profile of the business, and to important internal models. Management should also regularly report to the Committee on significant model risk, from individual models and in the aggregate, and on compliance with Firm policy regarding approval and the governance of models. The Risk Policy Committee recently added the Firm’s model risk policy to the group of primary risk policies that the Committee reviews and approves, which the Review Committee believes was an appropriate step.
To further enhance its risk oversight function, the Risk Policy Committee should also continue to encourage the CRO, other Firm-wide risk personnel, and the CEOs and CROs of all lines of business to address existing or potential issues regarding the adequacy of the resources (human and technological) provided to risk management, including any such issues identified by regulators or Internal Audit.
Reports to the Risk Policy Committee on the oversight of the risk management activities in the Firm should include specific, regular, and systematic reporting on compliance with the Firm’s risk management policies. These reports should include, among other things, the review and setting of risk limits, the response to limit excessions, the independence and capabilities of risk management personnel, and the adequacy and approved status of models used.
The Firm’s risk management organization was recently reorganized, and several risk-related management committees were established or reconstituted, primarily as a result of the CIO experience. The Risk Policy Committee should work with the CRO to establish processes to ensure that the Risk Policy Committee’s work is coordinated with that of management committees overseeing risk-related activity and that the work of those committees is appropriately reported to the Risk Policy Committee.
Role and Responsibilities of the Risk Policy Committee
The mandate of the Risk Policy Committee has historically not been as well-defined as the mandates of other committees of the Board of Directors. The Review Committee recommends that the Risk Policy Committee and the Corporate Governance and Nominating Committee evaluate whether greater clarity can be achieved in defining the respective roles of the Audit Committee and Risk Policy Committee, to ensure both that matters are covered by an appropriate Board committee and that duplication of effort is minimized. Areas of overlap or uncertainty in the coverage of the two committees can give rise to the possibility that matters important to the work of one of the committees are only raised with the other. For example, the results of internal audits relating to the risk management function should be reported by the General Auditor to the Risk Policy Committee as well as the Audit Committee. Responsibility for oversight of operational and reputational risk management could also be more clearly allocated.
To guide its thinking as it delineates more precisely the respective roles and responsibilities of the Board committees, the Board may find it useful to articulate further, in broad terms, the fundamental purpose of each committee. Consistent with the categories of risks described in its current charter, the Risk Policy Committee is responsible for oversight of the management of risks that the Firm elects to take in deploying capital in pursuit of its business goals.8 The Audit Committee’s charter focuses on financial reporting, safeguarding the assets and income of the Firm, and ensuring compliance with laws, standards, plans, and policies.9 Although difficult to formulate in a way that would take into account all situations, the use of an organizing principle could help to define the allocation of responsibilities between the two committees in areas that might not otherwise be clear.
Although the Audit and Risk Policy Committees address issues of concern to both committees in their joint meetings, they should also ask the General Auditor and the CRO to consult regularly on the subject-matter of the materials presented to the respective committees to ensure that matters are appropriately reported and addressed.
The responsibilities of the Board and the Risk Policy Committee with respect to risk management will likely be significantly expanded as a result of the Dodd-Frank Act, which directs the Board of Governors of the Federal Reserve System to issue regulations imposing enhanced risk management standards on, among others, major bank holding companies.10 The proposed regulation (Regulation YY) issued pursuant to this statutory directive would impose substantial additional requirements on boards of directors and risk committees.11 While the final regulation has not yet been issued (and the proposed regulation has been the subject of significant public comment), the Board and the Risk Policy Committee will want to take account of these regulatory efforts in determining the Firm’s own practices and processes. The Board and the Risk Policy Committee already follow a number of the practices set forth in the proposed regulation, but Regulation YY would require review and approval by the board or risk committee of several additional processes, methodologies, tests, procedures, metrics, and limits, as well as decisions regarding new and continuing lines of business.
Responsibilities of Members of the Risk Policy Committee
In light of the increasing demands on the Risk Policy Committee and the increasing complexity of those demands, service on the Committee will probably require additional time from Committee members. The history of the Audit Committee in terms of increasing responsibility and time demands on its members likely serves as a harbinger for the Risk Policy Committee.
The Chairman of the Committee will necessarily take the lead and commit the most time, but the other members of the Committee should be prepared to shoulder some of the responsibilities in order to mitigate the burdens on the Chairman. In particular, the members of the Committee should get to know not only the Firm’s CRO but also the chief risk officers of all of the lines of business, so that the Committee can continuously evaluate their competency, independence, and reliability based on the Committee’s own assessment of their judgment, energy, and abilities. The level of involvement and commitment of all of the members of the Committee sends a signal to Firm employees of the importance of risk management to the Board and enhances communication of the Committee’s expectations.
Heads of the lines of business should also continue to report at meetings of the Risk Policy Committee. In its interactions with these executives, the Risk Policy Committee should continue to make clear that they are key elements of a successful risk management system, that they are expected to manage their businesses with due regard to sound risk management principles, and that they must respect the independence of risk management personnel and devote sufficient technological and human resources to the risk management functions in their businesses. To the extent the Risk Policy Committee has concerns about the performance of any of the business heads with regard to risk management, those concerns should continue to be conveyed to those business heads as well as to the CRO, the CEO, and the Compensation Committee.
Reporting Lines and Independence of Risk Management Personnel
Although risk management is an important part of the business responsibilities of senior management, risk management is a control function and as such must be independent and perceived as independent in the Firm. Risk management personnel must have appropriate compensation and stature, so that they are taken seriously by the Firm’s employees.
The Review Committee believes that it is appropriate for the Firm’s CRO to continue to report directly to the Chief Executive Officer.12 However, the CRO’s role as a control function requires that the CRO be independent, and the Board and the Risk Policy Committee must ensure that the CRO has the ability to function independently. It is important for the CRO to have a clearly defined and understood independent responsibility to keep the Risk Policy Committee timely informed, so as to alert the Committee to potential problems and to provide it with the information needed to enable it to perform its oversight functions effectively. While this concept is present in the charter of the Risk Policy Committee, the Review Committee recommends that the Corporate Governance and Nominating Committee consider charter revisions to more clearly spell out the responsibility of the CRO to the Board, through the Risk Policy Committee.
In order to assure and enhance the continued independence of the CRO, the Risk Policy Committee should be consulted on any decisions regarding the removal of the CRO or the appointment of a new CRO. The Corporate Governance and Nominating Committee should also consider revisions to the charter of the Risk Policy Committee to require the concurrence of the Risk Policy Committee in such decisions. Currently, the Compensation Committee determines the compensation of the Firm’s CRO without being required to consult the Risk Policy Committee. The Review Committee recommends that the Compensation Committee should consult with the Risk Policy Committee during its process of determining the CRO’s compensation.
The Chairman of the Risk Policy Committee or the Committee itself frequently meets with the CRO in executive sessions. The Review Committee recommends that the Risk Policy Committee or the Chairman meet with the CRO in executive session in connection with each of the Committee’s meetings. The CRO should continue to be encouraged to report promptly to the Chairman or the Committee regarding significant risk issues that come to the CRO’s attention, as well as any such issues that are raised in meetings or other communications of the Firm’s Operating Committee or Firmwide Risk Committee. It is important that the Risk Policy Committee be confident that the CRO understands the Committee’s expectations with respect to the role of the CRO, the independence of the CRO, and the information the Committee expects to be communicated to it. The Committee should take steps to ensure that the CRO makes the Committee aware of what the CRO has conveyed to his direct reports regarding his expectations of them.
The chief risk officers of the lines of business and the other senior risk personnel should regularly present reports at Risk Policy Committee meetings, raise any major concerns with the Committee, and actively engage with the members of the Committee. These individuals are key implementers of the Firm’s risk management system, and active and frequent interaction with the Risk Policy Committee will enhance their sense of independence, as well as impose further discipline in the identification, reporting, and management of risk. As noted above, continued active communication and familiarity with the chief risk officers of the lines of business should be a key responsibility of members of the Risk Policy Committee.
Enhancing the quality of the written materials and presentations to the Risk Policy Committee should make the meetings of the Committee more efficient and useful. Written materials that focus on the matters of most importance to the Committee will make the meetings more productive and enhance the effectiveness of the Committee’s oversight function. The Risk Policy Committee may also wish to consider whether its meeting agendas can be streamlined in certain areas. In addition, the Committee should consider whether the increasing number of items for which it has responsibility (and which require time for discussion) makes it desirable to increase still further the length and/or frequency of its meetings. Any such increase would also require consideration of the appropriate scheduling of meetings to minimize interference with other Board or committee meeting obligations.
External Assistance to the Risk Policy Committee
The charter of the Risk Policy Committee provides that the Committee has authority to retain external advisors or consultants as it deems necessary. While the primary source of information and expertise for the Committee will necessarily come from management and particularly the CRO, the Committee might consider retaining an outside adviser for assistance if faced with issues of particular complexity or if an independent perspective beyond the CRO’s seems appropriate.
Communications with Regulators and Regulatory Matters
The Risk Policy Committee meets with regulators annually regarding the regulators’ reports of examination. The Chairman of the Committee also communicates occasionally with regulators. The Review Committee recommends that the members of the Committee take steps to engage in more frequent informal meetings with the regulators in order to understand better the regulators’ concerns about the Firm and its risk management policies and practices. These informal meetings would also be useful for the regulators to appreciate the Committee’s active interest in understanding the regulators’ concerns.
The Risk Policy Committee currently receives the annual reports of examination by the OCC and the Federal Reserve Bank of New York. These reports include, among other things, MRAs and matters requiring immediate attention identified by the regulators. The Risk Policy Committee received reports on the progress and status of the Firm’s responses to the MRAs, but this reporting could be more frequent and more informative as to MRAs that relate to subjects within the scope of the Risk Policy Committee’s responsibilities. Recently, the Chairman of the Committee and the CRO added to the regular reports to the Risk Policy Committee reports on the status of responses to relevant MRAs and internal audits, and they are continuing to refine and improve the templates for those reports. The Committee should assure itself that MRAs relating to risk management issues have been promptly and appropriately satisfied. In addition, it should be alert to the possibility that a deficiency in one area of activity may be found in other areas of the Firm.
Role of Internal Audit
The CIO trading losses were in part caused by CIO’s failure to establish appropriate risk limits and to review limits on a regular basis. Although Internal Audit has covered certain aspects of the risk management function in its audits, the Review Committee recommends that Internal Audit more systematically include the risk management function in its audits. This function includes, among others, the required periodic review and setting of risk limits, the response to limit excessions, the independence of risk management personnel, and compliance with the Firm’s risk management policies. Carrying out these functions will require Internal Audit to add persons with risk management experience to its staff, a process that is underway. When audits done by Internal Audit relate in whole or in part to risk management functions, the results should be provided to the Risk Policy Committee as well as the Audit Committee.
Role of the Compensation Committee
The Compensation Committee should make clear to senior management that it expects compensation of employees to be determined after a robust discussion of their performance, including adherence to applicable control standards and promotion of a Firm-first attitude. This discussion should include the active participation of control persons in both risk and finance. In addition, as noted above, the Compensation Committee should consult with the Risk Policy Committee during its process of determining the compensation of the Firm’s CRO.
1. Under the Market Risk Management policy in effect at that time, the Chief Risk Officer was required to report all material limit excesses to the Chairman of the Risk Policy Committee.
2. There was an oral presentation regarding the synthetic credit portfolio at the April 17, 2012 meeting of the Risk Policy Committee, as discussed below.
3. The Chairman of the Audit Committee, Laban Jackson, also met separately with regulators from time to time.
4. December 14, 2010 CIO Presentation to the Directors Risk Policy Committee, p. 6.
6. Internal Audit assigns ratings of “Satisfactory,” “Needs Improvement,” or “Inadequate” in its audits.
7. The audit was as of December 31, 2011 and did not consider the new VaR model for the synthetic credit portfolio, which was approved by the Model Risk Group in January 2012.
8. The charter of the Risk Policy Committee currently provides that the Committee “is responsible for oversight of the CEO’s and senior management’s responsibilities to assess and manage the corporation’s credit risk, market risk, interest rate risk, investment risk, liquidity risk and reputational risk, and is also responsible for review of the corporation’s fiduciary and asset management activities.” The charter does not include operational risk, although it requires that the Risk Policy Committee approve and annually review the Operational Risk Management policy, among other primary risk policies. The Committee also receives reports on operational risk matters from time to time.
9. The Audit Committee’s charter provides:
“The purpose of the Audit Committee is to assist Board oversight of:
• The independent registered public accounting firm's qualifications and independence
• The performance of the corporation's internal audit function and independent registered public accounting firm
• Management's responsibilities to assure that there is in place an effective system of controls reasonably designed to:
  • Safeguard the assets and income of the corporation
  • Assure the integrity of the corporation's financial statements
  • Maintain compliance with the corporation's ethical standards, policies, plans and procedures, and with laws and regulations.”
10. 12 U.S.C. § 5365.
11. “Enhanced Prudential Standards and Early Remediation Requirements for Covered Companies,” 77 Fed. Reg. 594, 623 (Jan. 5, 2012).
12. Regulation YY would require that the chief risk officer report directly to both the chief executive officer and the risk committee. 12 C.F.R. § 252.126(d)(3).