12 CFR § 1239.11 - Risk management.
(a) Risk management program -
(1) Adoption. Each regulated entity's board of directors shall approve, have in effect at all times, and periodically review an enterprise-wide risk management program that establishes the regulated entity's risk appetite, aligns the risk appetite with the regulated entity's strategies and objectives, addresses the regulated entity's exposure to credit risk, market risk, liquidity risk, business risk and operational risk, and complies with the requirements of this part and with all applicable FHFA regulations and policies.
(3) Risk management program requirements. The risk management program shall include:
(i) Risk limitations appropriate to each business line of the regulated entity;
(ii) Appropriate policies and procedures relating to risk management governance, risk oversight infrastructure, and processes and systems for identifying and reporting risks, including emerging risks;
(iii) Provisions for monitoring compliance with the regulated entity's risk limit structure and policies relating to risk management governance, risk oversight, and effective and timely implementation of corrective actions; and
(iv) Provisions specifying management's authority and independence to carry out risk management responsibilities, and the integration of risk management with management's goals and compensation structure.
(b) Risk committee. The board of each regulated entity shall establish and maintain a risk committee of the board of directors that assists the board in carrying out its duties to oversee the enterprise-wide risk management program at the regulated entity.
(1) Committee structure. The risk committee shall:
(i) Be chaired by a director not serving in a management capacity of the regulated entity;
(ii) Have at least one member with risk management experience that is commensurate with the regulated entity's capital structure, risk appetite, complexity, activities, size, and other appropriate risk-related factors;
(iii) Have committee members that have, or that will acquire within a reasonable time after being elected to the committee, a practical understanding of risk management principles and practices relevant to the regulated entity;
(iv) Fully document and maintain records of its meetings, including its risk management decisions and recommendations; and
(v) Report directly to the board and not as part of, or combined with, another committee.
(2) Committee responsibilities. The risk committee shall:
(i) Periodically review and recommend for board approval an appropriate enterprise-wide risk management program that is commensurate with the regulated entity's capital structure, risk appetite, complexity, activities, size, and other appropriate risk-related factors;
(c) Chief Risk Officer. -
(2) Organizational structure of the risk management function. The CRO shall head an independent enterprise-wide risk management function, or unit, and shall report directly to the risk committee and to the chief executive officer.
(3) Responsibilities of the CRO. The CRO shall be responsible for the enterprise-wide risk management function, including:
(i) Allocating risk limits and monitoring compliance with such limits;
(ii) Establishing appropriate policies and procedures relating to risk management governance, practices, and risk controls, and developing appropriate processes and systems for identifying and reporting risks, including emerging risks;
(iii) Monitoring risk exposures, including testing risk controls and verifying risk measures; and
(iv) Communicating within the organization about any risk management issues and/or emerging risks, and ensuring that risk management issues are effectively resolved in a timely manner.
(4) The CRO should have risk management expertise that is commensurate with the regulated entity's capital structure, risk appetite, complexity, activities, size, and other appropriate risk related factors.
(5) The CRO shall report regularly to the risk committee and to the chief executive officer on significant risk exposures and related controls, changes to risk appetite, risk management strategies, results of risk management reviews, and emerging risks. The CRO shall also report regularly on the regulated entity's compliance with, and the adequacy of, its current risk management policies and procedures, and shall recommend any adjustments to such policies and procedures that he or she considers necessary or appropriate.