Notice 2022-20728
Self-Regulatory Organizations; the Options Clearing Corporation Notice of Filing of Proposed Rule Change by the Options Clearing Corporation Concerning a Risk Management Framework and Corporate Risk Management Policy
Primary source
Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.
Published: September 26, 2022
Issuing agencies: Securities and Exchange Commission
Full Text
<html>
<head>
<title>Federal Register, Volume 87 Issue 185 (Monday, September 26, 2022)</title>
</head>
<body><pre>
[Federal Register Volume 87, Number 185 (Monday, September 26, 2022)]
[Notices]
[Pages 58409-58425]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2022-20728]
-----------------------------------------------------------------------
SECURITIES AND EXCHANGE COMMISSION
[Release No. 34-95842; File No. SR-OCC-2022-010]
Self-Regulatory Organizations; the Options Clearing Corporation
Notice of Filing of Proposed Rule Change by the Options Clearing
Corporation Concerning a Risk Management Framework and Corporate Risk
Management Policy
September 20, 2022.
Pursuant to Section 19(b)(1) of the Securities Exchange Act of 1934
(``Exchange Act'' or ``Act''),\1\ and Rule 19b-4 thereunder,\2\ notice
is hereby given that on September 6, 2022, the Options Clearing
Corporation (``OCC'') filed with the Securities and Exchange Commission
(``SEC'' or ``Commission'') the proposed rule change as described in
Items I, II, and III below, which Items have been prepared by OCC. The
Commission is publishing this notice to solicit comments on the
proposed rule change from interested persons.
---------------------------------------------------------------------------
\1\ 15 U.S.C. 78s(b)(1).
\2\ 17 CFR 240.19b-4.
---------------------------------------------------------------------------
I. Clearing Agency's Statement of the Terms of Substance of the
Proposed Rule Change
OCC files this proposed rule change to adopt a revised Risk
Management Framework (``RMF'') as well as a new Corporate Risk
Management Policy (``CRMP''). The RMF and CRMP are provided as
Exhibits 5A and 5B of File No. SR-OCC-2022-010. The RMF and CRMP would
replace the current OCC Risk Management Framework Policy (``RMF
Policy''). These documents are being submitted without marking to
improve readability and are being submitted in their entirety as new
rule text. The RMF Policy, provided as Exhibit 5C of File No. SR-OCC-
2022-010, is submitted entirely in strikethrough text to indicate its
retirement. In addition, OCC submits corresponding changes to its
Clearing Fund Methodology Policy, Collateral Risk Management Policy,
Default Management Policy, Margin Policy, Model Risk Management Policy,
Recovery and Orderly Wind-Down Plan, and Third-Party Risk Management
Framework (``TPRMF'') (collectively, the ``OCC Risk Policies'') to
update any reference to the RMF Policy to refer instead to the proposed
RMF. The OCC Risk Policies are provided as Exhibits 5D-5J of File SR-
OCC-2022-010. OCC submitted Exhibits 5D through 5I subject to a
confidential treatment request under SEC Rule 24b-2.\3\
---------------------------------------------------------------------------
\3\ 17 CFR 240.24b-2.
---------------------------------------------------------------------------
The proposed rule change does not require any changes to the text
of OCC's By-Laws or Rules. All terms with initial capitalization that
are not otherwise defined herein have the same meaning as set forth in
the OCC By-Laws and Rules.\4\
---------------------------------------------------------------------------
\4\ OCC's By-Laws and Rules can be found on OCC's website:
<a href="https://www.theocc.com/Company-Information/Documents-and-Archives/By-Laws-and-Rules">https://www.theocc.com/Company-Information/Documents-and-Archives/By-Laws-and-Rules</a>.
---------------------------------------------------------------------------
II. Clearing Agency's Statement of the Purpose of, and Statutory Basis
for, the Proposed Rule Change
In its filing with the Commission, OCC included statements
concerning the purpose of and basis for the proposed rule change and
discussed any comments it received on the proposed
[[Page 58410]]
rule change. The text of these statements may be examined at the places
specified in Item IV below. OCC has prepared summaries, set forth in
sections (A), (B), and (C) below, of the most significant aspects of
these statements.
(A) Clearing Agency's Statement of the Purpose of, and Statutory Basis
for, the Proposed Rule Change
(1) Purpose
OCC maintains various documents designed to define a comprehensive
framework for managing OCC's various risks, including financial, legal,
and operational risks. OCC's RMF Policy serves as an umbrella
document describing OCC's framework for managing risk at a high level.
As required by SEC Rule 17Ad-22(e)(3)(i), OCC routinely reviews its
policies and procedures for potential improvements, such as providing
more comprehensive descriptions and definitions as well as making the
documents more clear, internally consistent, and well organized. Based
on its routine review of the existing RMF Policy, OCC believes it
should replace its current RMF Policy with two, more detailed
documents. By making this change, described in detail below, OCC
intends to enhance the clarity and transparency of its overall risk
management framework. The change to OCC's documents will not affect
OCC's members or other market participants. Rather, it is intended to
better describe and strengthen OCC's internal risk management
processes.
Background
OCC proposes to amend its existing RMF Policy \5\ by establishing
the RMF and CRMP. OCC believes the revised documents enhance the
clarity and transparency of its overall risk management framework and
once approved, OCC plans to make the RMF and CRMP publicly available on
its website (<a href="http://www.theocc.com">www.theocc.com</a>). OCC believes the proposed revised RMF
would continue to provide a foundation to support and describe the risk
management policies, procedures, and systems that make up OCC's sound
risk management framework.
---------------------------------------------------------------------------
\5\ See Exchange Act Release No. 34-82232 (Dec. 7, 2017), 82 FR
58662 (Dec. 13, 2017) (File No. SR-OCC-2017-005).
---------------------------------------------------------------------------
In undertaking this revision of the RMF Policy, OCC is seeking to
present its approach to risk management more clearly. The RMF Policy
presents detailed information about OCC's second line functions, while
also summarizing information about other risk management functions at
OCC. OCC believes that the proposed RMF presents a clear summary of
OCC's overall approach to risk management across its three lines of
defense and, if necessary, its planning for recovery and wind-down.
Consistent with the presentation of OCC's risk management across its
three lines of defense, the RMF would refer to the CRMP, which would
contain the detail behind OCC's second line corporate risk management
program. OCC believes this is consistent with its approach to providing
detailed information about its various functions in documents that
stand separate from, but support and provide detail about the risk
management activities summarized in, its proposed RMF.\6\
---------------------------------------------------------------------------
\6\ For example, the RMF addresses risks managed by OCC's first
line of defense through supporting policies and procedures,
including, among other rule-filed policies, the Margin Policy,
Collateral Risk Management Policy, Liquidity Risk Management
Framework, and the Default Management Policy.
---------------------------------------------------------------------------
The proposed RMF would provide an overview of risk management at
OCC. The proposed RMF introduces the categories of risk OCC faces and
then explains how OCC manages these risks. The proposed RMF includes an
overview of OCC's risk universe, descriptions of risk management
practices across OCC's three lines of defense model, a discussion of
how OCC is also prepared, if necessary, with tools to manage both
recovery and orderly wind-down, and the requirement to escalate
exceptions to and deviations from OCC's risk management frameworks and
policies to OCC's Corporate Risk Management and Compliance departments.
The proposed CRMP would support the proposed RMF by explaining in
greater detail OCC's risk management activities related to the second
line of defense corporate risk management program. The proposed CRMP
would explain that the OCC Corporate Risk Management department
(``Corporate Risk''), formerly referred to as the Enterprise Risk
Management department (``ERM''),\7\ evaluates risks that may affect
OCC's ability to perform the functions detailed in the proposed RMF. As
discussed below, the proposed CRMP would provide an overview of the
activities overseen by Corporate Risk to identify, measure, monitor,
manage, report, and escalate risks. Certain of this information is
currently included in the RMF Policy, but OCC believes, consistent with
other areas of risk managed by OCC, the details about its corporate
risk management program should reside in the proposed CRMP. Other
information would be new, including sections to describe Corporate
Risk's risk monitoring, risk treatment, and risk escalation and
training processes. Exhibit 3 to File No. SR-OCC-2022-010 summarizes
the proposed reorganization of the RMF Policy into the RMF and CRMP.
---------------------------------------------------------------------------
\7\ As part of the proposed rule change, OCC would reflect that
OCC has renamed its ERM department as Corporate Risk and make
conforming changes throughout the OCC Risk Policies. In addition to
functions specific to enterprise risk monitoring, Corporate Risk
includes other functions such as Model Risk Management and Third-
Party Risk Management.
---------------------------------------------------------------------------
Proposed Changes to Risk Management Framework Policy
The proposed revisions to the RMF Policy are designed to present
OCC's approach to risk management more clearly. For example, the RMF
Policy currently presents detailed information about both the financial
and corporate risk management functions at OCC. OCC proposes to adopt a
new RMF to more clearly describe its overall risk framework. OCC also
proposes to adopt a new CRMP to describe its approach to corporate risk
management in more detail. The proposed changes to the current RMF
Policy are discussed in detail below.
Purpose Section
The purpose section of the RMF Policy would be replaced with
purpose and introduction sections of the new RMF and CRMP,
respectively. These sections would be revised to reflect the
reorganization of content in the RMF Policy in the new RMF and CRMP,
focusing on the purpose and intent of each of the newly proposed
documents. For example, the purpose of the proposed RMF would be to:
(i) describe how OCC manages risk while providing efficient and
effective clearing and settlement services to the markets it serves;
(ii) explain how OCC's governance model and three lines of defense
facilitate risk management; and (iii) address OCC's ability to employ
recovery tools and facilitate an orderly wind-down. The purpose of the
proposed CRMP would be to describe OCC's corporate risk management
approach, including activities to identify, measure, monitor, manage,
report, and escalate risks to inform decision-making.
Context for Risk Management Framework and Risk Management Philosophy
OCC proposes to delete the Context for Risk Management Framework
and Risk Management Philosophy sections of the RMF Policy from the
proposed RMF. OCC believes these sections provide history and
background
[[Page 58411]]
information about OCC and its purpose in the financial markets, but do
not contain rules of OCC. Additionally, OCC believes the information
presented in the Risk Management Philosophy section serves as an
additional purpose section and that all items highlighted in this
section are covered in the proposed RMF or CRMP. For example, OCC's
approach relative to risk appetite is mentioned in the Risk Management
Philosophy section but is covered in more comprehensive detail in the
CRMP.
Risk Appetite Framework and Tolerance
The RMF Policy describes OCC's risk appetite framework, including
descriptions of OCC's use of a risk universe, risk appetites,\8\ and
risk tolerances.\9\ The RMF Policy also describes the use of Key Risks
\10\ and Risk Sub-categories to define the universe of risks faced by
OCC and the Risk Appetite Statements \11\ assigned to such risks. OCC
proposes to relocate this information to the Risk Governance section of
the proposed CRMP. However, an overview of OCC's risk universe would be
retained in the RMF, including a description of the main risk
categories and that, pursuant to the CRMP, these categories are broken
down to risk sub-categories and risk statements, as described below,
which comprise OCC's risk universe that OCC manages through the three
lines of defense model to maintain effective clearing and settlement
operations.
---------------------------------------------------------------------------
\8\ Risk appetites are qualitative articulations of the amount
of risk OCC is willing to accept and establish expectations for
OCC's risk management.
\9\ Risk tolerances are qualitative or quantitative measures
that help inform whether risks are within risk appetites.
\10\ The RMF Policy defines Key Risk to mean risk that is
related to the foundational aspects of CCP clearing, settlement, and
risk management services.
\11\ The RMF Policy defines Risk Appetite Statement to mean a
statement that expresses OCC's judgment, for each of OCC's Key
Risks, regarding the level of risk OCC is willing to accept related
to the provision of CCP services.
---------------------------------------------------------------------------
The proposed CRMP would state that the establishment and
maintenance of OCC's risk universe, risk appetites, risk tolerances,
and risk rating scales is facilitated by Corporate Risk and used across
OCC to create a transparent means to manage risk. The proposed CRMP
would also state that Corporate Risk establishes the risk universe,
which organizes OCC's risks into the following three layers to classify
and aggregate risks:
• Risk categories, which are the highest-level groups of
risk aggregation;
• Risk sub-categories, which further classify risks within
risk categories into detailed groups; and
• Risk statements, which are descriptions of the drivers,
events, and consequences of risks.
The terms ``risk categories,'' ``risk sub-categories,'' and ``risk
statements'' essentially represent the Key Risks, Sub-categories, and
Definitions that are discussed in the current RMF Policy. OCC believes
the proposed terms better describe the elements that comprise OCC's
risk universe and the relationship between them.
Risk categories, sub-categories, appetites, and tolerances would
continue to be reviewed on at least an annual basis. Under the current
RMF, Key Risks are approved by OCC's Board and risk appetites for Key
Risks are set by the business departments responsible for those risks in
cooperation with ERM. Under the proposed CRMP, the risk universe would
be owned and approved by the Chief Risk Officer (``CRO'') and provided
to the Management Committee. OCC believes the Chief Risk Officer, who
is responsible for OCC's corporate risk management function, is the
officer best situated to manage the risk universe. Changes to the RMF
to reflect any changes to risk categories would continue to require
Board approval. In addition, the Board or the Risk Committee, if the
Board has delegated the Risk Committee such authority,\12\ would
ultimately be responsible for approving risk appetites, which establish
the type and amount of risk OCC is willing to accept. OCC believes that
the Board or Risk Committee are best positioned to approve risk
appetites because of their oversight role with respect to OCC's risk
management. Additionally, the Board or Risk Committee would continue to
be responsible for approving risk tolerances.
---------------------------------------------------------------------------
\12\ The Board has approved such delegation of authority to the
Risk Committee. See Exchange Act Release No. 94988 (May 26, 2022);
87 FR 33535 (June 2, 2022) (File No. SR-OCC-2022-002).
---------------------------------------------------------------------------
The proposed CRMP would also provide additional details around the
internal governance process for reviewing and approving risk
categories, appetites, and tolerances and for monitoring risk
tolerances. For example, the proposed CRMP would state that at least
every twelve months, Corporate Risk determines whether updates to the
risk universe are necessary to better align risk categories, sub-
categories, and statements with OCC's clearance, settlement and risk
management services. The proposed CRMP would require that risk category
and sub-category updates are approved by the CRO while risk statements
are approved by Corporate Risk management. The proposed CRMP would
further provide that the Management Committee and Board are then
notified of updates to risk categories and sub-categories.
The proposed CRMP would state that at least every twelve months,
risk appetites are established at a risk sub-category level and
presented by the CRO to the Management Committee for recommendation to
the Board or Risk Committee for approval. The proposed CRMP would
require that Risk Owners manage the level of risk exposure posed by a
process against risk appetites.\13\ The proposed CRMP would state that
Corporate Risk monitors risks to identify breaches of risk appetite.
The proposed CRMP would also provide that risk appetite breaches are
escalated by the CRO to the Management Committee, Risk Committee, and
Board. The proposed CRMP would state that Risk Owners, with input from
relevant business areas, develop and execute risk treatment plans to
reduce risks that exceed OCC's risk appetites.\14\ The proposed CRMP
would state that at least every twelve months, Corporate Risk and Risk
Owners review risk appetites and, where necessary, make adjustments to
align with OCC's clearance, settlement and risk management services.
The proposed CRMP would state that the CRO reviews and presents changes
to risk appetites to the Management Committee for recommendation to the
Board for approval. OCC proposes to remove the more general risk
appetite statement definitions (i.e., no appetite, low appetite,
moderate appetite, and high appetite), which are currently described in
the RMF Policy, and would instead use more detailed qualitative risk
appetite statements for each risk sub-category following the governance
process described above.
---------------------------------------------------------------------------
\13\ The proposed CRMP defines ``Risk Owner'' to mean an
employee with the accountability and authority to manage the risk.
\14\ The proposed CRMP would state that risk treatment is the
process to manage a risk through avoidance, mitigation,
transference, or acceptance.
---------------------------------------------------------------------------
With respect to risk tolerances, the proposed CRMP would state that
Risk Owners are responsible for managing applicable risks within
established tolerances and developing risk treatment plans to resolve
breaches of risk tolerance. The proposed CRMP would require that risk
tolerance breaches are escalated by the CRO to the Management
Committee, Risk Committee, and Board. The proposed CRMP would state
that at least every twelve months, Corporate Risk and Risk Owners
review risk tolerances and, where necessary, make adjustments to align
with OCC's services. The proposed
[[Page 58412]]
CRMP would state that the CRO reviews and presents changes to risk
tolerances to the Management Committee for recommendation to the Board
for approval. As discussed below in connection with the monitoring of
key risk indicators, the CRO would also monitor and report risk,
including risk tolerance breaches, to the Board at each regularly
scheduled meeting. OCC notes that it also proposes to change the
reporting cadence to align with the timing of Board meetings to reflect
that Board meetings typically, but do not always, occur on a quarterly
schedule.\15\
---------------------------------------------------------------------------
\15\ See, e.g., Exchange Act Release No. 94988, 87 FR at 33539
(updating cadence of certain Board reporting to reflect that such
reporting occurs at regular Board meetings).
---------------------------------------------------------------------------
The proposed CRMP would also introduce the concept of risk rating
scales, which provide an assessment of risk from an impact and
likelihood perspective consistently across OCC. The proposed CRMP would
state that OCC's risk rating scales rate the magnitude of impact an
event will have on a process and the likelihood an event will occur.
The proposed CRMP would state that the impact risk rating scale
considers operational, internal financial, external financial, legal
and regulatory, and reputational impacts. The proposed CRMP would state
that the likelihood risk rating scale considers a 10-year financial
cycle and yearly corporate planning activities. The proposed CRMP would
state that these risk rating scales are used to measure inherent and
residual risk at a risk statement level. The proposed CRMP would state
that inherent risk is the level of risk exposure posed by a process
absent any controls to reduce the likelihood or severity of an event.
The proposed CRMP would state that residual risk is the level of risk
exposure posed by a process or activity after the application of
controls or other risk-mitigating factors. The proposed CRMP would
state that at least every twelve months, Corporate Risk and Risk Owners
perform a review of the risk rating scales. The proposed CRMP would
state that the CRO reviews and approves changes to the risk scales. The
proposed CRMP would state that the Management Committee and Board are
notified of changes to the risk rating scales.
OCC believes the proposed CRMP would provide a more comprehensive
overview of OCC's risk governance framework and would include changes
intended to improve certain processes therein. The proposed CRMP would
provide additional details around the internal governance process for
reviewing and approving risk categories, appetites, and tolerances and
for monitoring risk tolerances and would describe OCC's risk rating
scale process. The proposed changes would also improve the governance
process for the risk universe by allowing the CRO to modify risk
categories as needed, with oversight of the Management Committee, the Risk
Committee and the Board, and provide the Board or Risk Committee with
more direct responsibility for setting the appetites for those risks.
Risk Management Governance
OCC proposes to relocate the Risk Management Governance section of
the current RMF Policy to a new Governance section of the proposed RMF
with certain modifications. OCC proposes to update the description of
the responsibilities of the Board, which are generally already
addressed in the Board of Directors Charter and Corporate Governance
Principles (``Board Charter''),\16\ which is filed with the Commission
as a rule of OCC.\17\ The proposed RMF would state that the Board is
responsible for advising and overseeing management. The proposed RMF
would state that pursuant to the OCC Board of Directors Charter and
Corporate Governance Principles, the CRO presents a review of the RMF
to the Board for approval at least annually. The proposed RMF would
state that the Board may delegate the oversight of specific risks to
Board-level committees (``Committees'').\18\ The proposed RMF would
state that the Board may form or disband committees, including
subcommittees to manage specific risks, as it from time to time deems
appropriate, and may delegate authority to one or more designated
members of such committees. The proposed RMF would state that the
responsibilities of Board committees regarding managing risks are
outlined in committee charters.
---------------------------------------------------------------------------
\16\ The Board Charter can be found on OCC's public website:
<a href="https://www.theocc.com/about/corporate-information/board-charter">https://www.theocc.com/about/corporate-information/board-charter</a>.
\17\ See, e.g., Exchange Act Release No. 84473 (Oct. 23, 2018),
83 FR 54385 (Oct. 29, 2018) (File No. SR-OCC-2018-012).
\18\ The Board has delegated oversight of specific risks to
Committees through the Committee Charters. For example, the Board
has delegated oversight of OCC's financial, collateral, risk model
and third-party risk management processes to the Risk Committee. See
Exchange Act Release No. 94988, 87 FR at 33539 (File No. SR-OCC-
2022-002).
---------------------------------------------------------------------------
OCC also proposes to update the description of the responsibilities
of the Management Committee and working groups in the new RMF. The
proposed RMF would state that OCC's Management Committee supports the
management and conduct of its business in accordance with policy
directives from the Board. The proposed RMF would state that the
Management Committee includes officers \19\ responsible for ensuring
that its actions and decisions are consistent with OCC's mission, Code
of Conduct, Rules and By-Laws, policies, procedures, and general
principles of sound corporate governance. The proposed RMF would state
that the CRO is a member of the Management Committee and reports to the
Risk Committee. The proposed RMF would state that the Management
Committee may form and delegate authority to subcommittees and working
groups of employees to conduct certain of its activities. The proposed
RMF would state that subcommittees and working groups are responsible
for reporting and escalating information as may be appropriate. This
would replace the current description in the RMF Policy, which
primarily relates to the committee's role and responsibilities in
reviewing and recommending changes to OCC's risk universe, including
risk appetites and tolerances, and escalating breaches of such to the
Board. These responsibilities would now be addressed in the proposed
CRMP (as discussed in the Risk Appetite Framework and Tolerance section
above).
---------------------------------------------------------------------------
\19\ The proposed RMF would state that the Management Committee
may include, but is not limited to, the following officers: Executive
Chairman, Chief Executive Officer, Chief Operating Officer, Chief
Financial Risk Officer, Chief External Relations Officer, Chief Risk
Officer, Chief Audit Executive, Chief Compliance Officer, Chief
Financial Officer, Chief Human Resources Officer, Chief Information
Officer, Chief Security Officer, Chief Legal Officer and General
Counsel, Chief Clearing and Settlement Services Officer, and Chief
Regulatory Counsel.
---------------------------------------------------------------------------
The Governance section of the proposed RMF would also be updated to
include a description of the responsibilities of OCC employees. The
proposed RMF would state that OCC considers risk management during
employee recruitment, development, training, and succession planning.
The proposed RMF would state that OCC recruits and retains personnel
with appropriate risk management knowledge, skills, and competencies.
The proposed RMF would state that OCC also identifies successors for
designated officers based on knowledge and experience. The proposed RMF
would state that OCC provides internal and external development
opportunities including required training related to risk, compliance,
security, conflicts of interest, escalation of concerns, and the OCC
Code of Conduct. The proposed RMF would state that OCC provides outlets
for employees to anonymously report concerns that are reviewed by
[[Page 58413]]
OCC's Compliance, Human Resources, and Legal departments.
Identification of Key Risks
The RMF Policy currently contains an Identification of Key Risks
section that defines OCC's Key Risks and provides a brief description
of OCC's policies and procedures for managing each of those Key Risks
and their respective Risk Sub-Categories. OCC proposes to replace the
Identification of Key Risks section with a new OCC Risk Management
section of the proposed RMF, which would be reorganized to focus on the
three lines of defense model currently described in the RMF Policy and
describe the types of risks managed by each line of defense. The new
OCC Risk Management section of the RMF would: (i) restate existing
content of the RMF; (ii) introduce new content not currently contained
in OCC's RMF Policy; and (iii) delete certain aspects of the RMF
Policy. The changes are discussed in detail below.
The proposed RMF would state that OCC employs a three lines of
defense model. The proposed RMF would state that the model clarifies
ownership and accountability and enhances communication for
expectations around risk management throughout the organization. The
proposed RMF would state that the first line of defense maintains
policies, procedures, processes, and controls established for day-to-
day risk management. The proposed RMF would state that the second line
of defense evaluates and provides effective challenge to the first line
by executing critical analysis to identify process limitations and
recommending changes to relevant policies, procedures, processes,
systems, and controls. Lastly, the proposed RMF would state that the
third line of defense is an internal audit function that reviews and
provides objective assurance to the first and second lines. The
proposed RMF would state that OCC employees report to members of the
Management Committee. Consistent with the OCC Employee Code of Conduct,
employees are expected to escalate risk information through their
reporting line or to other members of management. The proposed RMF
would state that risks identified at OCC are reported to the Management
Committee and Board consistent with relevant charters and policies.
First Line of Defense
The proposed RMF would state that the risk inherent in OCC's
clearing and settlement services is managed by the first line of
defense, which is responsible for owning and managing risks by
maintaining policies, procedures, processes, systems, and controls that
manage relevant risks. The proposed RMF would state that the first line
of defense is comprised of OCC's operational business units, including
Financial Risk Management (``FRM''), Business Operations, Information
Technology, and Corporate Finance, and also includes corporate
functions such as human resources and project management. The proposed
RMF would state that the first line of defense is also accountable for
maintaining internal controls, control self-testing, and implementing
corrective action to address control deficiencies. The proposed RMF
would state that the first line of defense maintains policies and
associated procedures that detail the processes and controls
implemented across business units which are used to execute risk
management related to the clearing and settlement services detailed
below.
Membership Standards
The proposed RMF would state that Membership standards are
established by the Board and risk managed by OCC's Business Operations,
FRM and Information Technology in accordance with OCC's TPRMF. The
proposed RMF would state that OCC has risk-based clearing membership
standards to manage the risks arising from Clearing Members. The
proposed RMF would state that these requirements include applicable
registrations, net capital requirements, creditworthiness, adequate
operational capabilities, and maintaining qualified personnel. The
proposed RMF would state that the Risk Committee reviews these
standards to ensure OCC provides fair and open access to clearing and
settlement services. The proposed RMF would state that Clearing Members
that fail to meet the membership standards face the possibility of
consequences up to and including suspension.
Credit
The proposed RMF would state that OCC's credit risk is managed by
Business Operations, FRM, and Corporate Finance. The proposed RMF would
state that OCC is exposed to credit risk based on its role as guarantor
of cleared contracts. The proposed RMF would state that OCC has credit
risk related to Clearing Members and manages this exposure by
collecting margin and Clearing Fund resources based on a Clearing
Member's risk profile. The proposed RMF would state that OCC also faces
credit risk from other financial institutions that facilitate payment,
clearing, and settlement activities (e.g., clearing banks, custodians,
and linked financial market utilities). The proposed RMF would state
that FRM monitors its credit risk related to Clearing Members and
financial institutions consistent with the TPRMF. The proposed RMF
would state that FRM analyzes the creditworthiness of each financial
institution, in addition to other information that could impact the
financial institution's ability to facilitate payment, clearing, and
settlement services.
Clearing Fund
The proposed RMF would state that OCC's Clearing Fund is managed by
FRM and Business Operations. The proposed RMF would state that OCC
maintains a Clearing Fund comprised of high-quality liquid assets to
cover its credit risk exposure from Clearing Members in accordance with
OCC's confidential Clearing Fund Methodology Policy and Chapter X of
OCC's Rules. The proposed RMF would state that FRM uses stress tests to
project the Clearing Fund size necessary to maintain prefunded
financial resources to cover losses arising from the default of the two
Clearing Member Groups that would potentially cause the largest
aggregate credit exposure to OCC in extreme but plausible market
conditions. The proposed RMF would state that FRM also uses stress test
results to determine the sufficiency of the Clearing Fund size and
determine whether to issue calls for additional collateral or perform
an intra-month Clearing Fund resizing. The proposed RMF would state
that FRM reviews the adequacy of its Clearing Fund models through
sensitivity analysis and an analysis of its parameters and assumptions.
The proposed RMF would state that FRM reports the results of Clearing
Fund model reviews to the Board.
Margin
The proposed RMF would state that OCC's margin is managed by FRM
and Business Operations. The proposed RMF would state that FRM utilizes
a risk-based margin methodology to calculate Clearing Member margin
requirements in accordance with OCC's confidential Margin Policy and
Chapter VI of OCC's Rules. The proposed RMF would state that FRM
calculates margin daily for Clearing Member accounts. The proposed RMF
would state that intra-day margin calls may also be made for accounts
incurring significant losses. The proposed RMF would state that FRM
reviews the adequacy of its margin models through sensitivity analysis,
backtests, and an analysis of its
parameters and assumptions. The proposed RMF would state that FRM
reports the results of margin model reviews to the Board.
Collateral
The proposed RMF would state that OCC's collateral risk is managed
by Business Operations, Corporate Finance, and FRM in accordance with
OCC's confidential Collateral Risk Policy and OCC Rules 604 and 1002.
The proposed RMF would state that OCC requires its Clearing Members to
deposit collateral as margin and Clearing Fund. The proposed RMF would
state that OCC limits acceptable assets to those with low credit,
market, and liquidity risks, and employs other risk mitigation tools,
including collateral concentration limits. The proposed RMF would state
that FRM applies risk-based haircuts and Business Operations revalues
collateral daily to ensure margin and Clearing Fund requirements are
met.
Default Management
The proposed RMF would state that OCC's default management risk is
managed by FRM in accordance with OCC's confidential Default Management
Policy and Chapter XI of OCC's Rules. The proposed RMF would state that
in the event of a Clearing Member default, OCC takes timely action to
contain losses and liquidity pressures and continue to meet its
obligations. The proposed RMF would state that OCC closes open
positions in an orderly manner, which may include performing auctions,
utilizing liquidation agents, or applying hedges. The proposed RMF
would state that margin and Clearing Fund deposits of the defaulting
Clearing Member are used to offset these losses, followed by other
financial resources. The proposed RMF would state that OCC performs
default testing with the participation of designated Clearing Members
and other stakeholders to evaluate its processes and systems, including
close-out processes.
The newly proposed Membership Standards, Credit, Clearing Fund,
Margin, Collateral, and Default Management sections of the RMF would
effectively replace the Credit Risk Management Framework section of
OCC's RMF Policy and refer to the same OCC Risk Policies currently
maintained by OCC (and described in the RMF) to address such risks and
which are currently filed with the Commission as rules of OCC (e.g.,
the Margin Policy,\20\ Clearing Fund Methodology Policy,\21\ Collateral
Risk Management Policy,\22\ Default Management Policy,\23\ and TPRMF
\24\).
---------------------------------------------------------------------------
\20\ See, e.g., Exchange Act Release No. 82355 (Dec. 19, 2017),
82 FR 61058 (Dec. 26, 2017) (File No. SR-OCC-2017-007).
\21\ See, e.g., Exchange Act Release No. 83735 (July 27, 2018),
83 FR 37855 (Aug. 2, 2018) (File No. SR-OCC-2018-008).
\22\ See, e.g., Exchange Act Release No. 82311 (Dec. 13, 2017),
82 FR 60252 (Dec. 19, 2017) (File No. SR-OCC-2017-008).
\23\ See, e.g., Exchange Act Release No. 82310 (Dec. 13, 2017),
82 FR 60265 (Dec. 19, 2017) (File No. SR-OCC-2017-010).
\24\ See, e.g., Exchange Act Release No. 90797 (Dec. 23, 2020),
85 FR 86592 (Dec. 30, 2020) (File No. SR-OCC-2020-014).
---------------------------------------------------------------------------
Liquidity
The proposed RMF would state that OCC's liquidity risk is managed
by FRM and Corporate Finance. The proposed RMF would state that OCC
manages its liquidity risk in accordance with its confidential
Liquidity Risk Management Framework by maintaining a reliable and
diverse set of committed resources and liquidity providers,
establishing a contingent funding plan to collect additional resources,
and performing stress testing that covers a wide range of scenarios
that include the default of the Clearing Member Group that would
generate the largest aggregate liquidity obligation in extreme but
plausible market conditions. The proposed RMF would state that FRM also
tests the sufficiency of its resources by forecasting daily settlement
under normal and stressed market conditions and compares these results
to the liquid resources maintained. The proposed RMF would state that
FRM reports the results of these reviews to the Board. The new
Liquidity section of the proposed RMF would replace the Liquidity Risk
Management Framework section of the current RMF Policy and would
summarize and refer to OCC's Liquidity Risk Management Framework as the
governing document for managing OCC's liquidity risks while removing
certain summary information that is more specifically addressed in the
Liquidity Risk Management Framework.\25\
---------------------------------------------------------------------------
\25\ See, e.g., Exchange Act Release No. 89014 (June 4, 2020), 85 FR
35446 (June 10, 2020) (File No. SR-OCC-2020-003).
---------------------------------------------------------------------------
Settlement
The proposed RMF would add a new section specifically discussing
settlement risk (which is currently addressed indirectly in the
Operational Risk section of the RMF Policy). The proposed RMF would
state that OCC's settlement risk is managed by Business Operations in
accordance with Chapters V and IX of OCC's Rules. The proposed RMF
would state that OCC uses clearing banks to facilitate settlements on
at least a daily basis. The proposed RMF would state that OCC issues
instructions to clearing banks to debit or credit the account of a
Clearing Member, and correspondingly debit or credit OCC's account,
with a specific dollar amount by a specified time. The proposed RMF
would state that settlement finality occurs when a clearing bank
confirms the settlement instruction or is silent past the applicable
deadline.
Custody and Investment
The proposed RMF would state that OCC's custody and investment risk
is managed by its Corporate Finance department, Business Operations,
and FRM in accordance with OCC Rules 604 and 1002(b). The proposed RMF
would state that OCC holds its own and its Clearing Members' assets at
settlement and custodian banks, as well as at other financial market
utilities. The proposed RMF would state that OCC requires settlement
and custodian banks to meet minimum financial and operational
requirements. The proposed RMF would state that OCC complies with
applicable customer protection and segregation requirements for the
handling of customer funds. The proposed RMF would state that OCC
maintains working capital and non-invested Clearing Member cash in
accounts that minimize delays in access to funds. The proposed RMF
would state that OCC maintains accounts at the Federal Reserve to
custody funds. The proposed RMF would state that OCC invests in
instruments with minimal credit, market, and liquidity risks. The new
Custody and Investment section of the proposed RMF would effectively
replace the Investment Risk section of the RMF Policy, which also
discusses OCC's use of Federal Reserve bank accounts and the investment
of funds not held at the Federal Reserve.
General Business
The proposed RMF would state that OCC's general business risk is
managed by Corporate Finance, Information Technology, Business
Operations and Financial Risk Management. The proposed RMF would state
that Corporate Finance performs financial planning and analysis,
reviews operating budgets and fee structures, and reviews business
performance. The proposed RMF would state that OCC maintains liquid net
assets funded by equity sufficient to cover potential general business
losses and comply with financial resource requirements in accordance
with its confidential Capital
Management Policy.\26\ Furthermore, the proposed RMF would state that
Information Technology reviews OCC's ability to maintain its critical
services under a range of scenarios, including adverse market
conditions. The proposed RMF would state that Business Operations and
Financial Risk Management also perform assessments to determine if
potential new business opportunities fit within OCC's models and risk
management systems. The new General Business section of the proposed
RMF would replace the General Business Risk section (and in part, the
Reputational Risk section) of the current RMF Policy, continue to refer
to OCC's Capital Management Policy as the governing document for
managing OCC's general business risks, and remove certain summary
information that is more specifically addressed in OCC's Capital
Management Policy.\27\
---------------------------------------------------------------------------
\26\ See, e.g., Exchange Act Release No. 88029 (Jan. 24, 2020), 85
FR 5500 (Jan. 30, 2020) (File No. SR-OCC-2019-007).
\27\ See id.
---------------------------------------------------------------------------
Technology
The proposed RMF would state that OCC's technology risk is managed
by OCC's Information Technology. The proposed RMF would state that OCC
uses technology solutions to manage risk and facilitate clearing and
settlement by utilizing systems that have adequate levels of
availability, security, resiliency, integrity, and adequate, scalable
capacity based on their criticality. The proposed RMF would state that
Information Technology manages technology risk by utilizing a
structured technology delivery approach that provides for consistency
and establishes responsibilities and requirements. The proposed RMF
would state that Information Technology monitors and evaluates
technology performance in part based on service levels related to data
integrity, system availability, data timeliness, and data quality to
manage technology risk. The proposed RMF would state that to achieve
these service levels, Information Technology manages OCC's efforts
across technology incidents, changes, configurations, and system capacity,
and evaluates system recoverability through disaster recovery testing.
The Technology section of the proposed RMF, along with the Security
section (discussed below), is intended to replace the Operational
Risk--Information Technology section of the RMF Policy. These general
details in the RMF would replace more specific information concerning
OCC's quality standards program, cybersecurity program, and system
functionality and capacity.\28\
---------------------------------------------------------------------------
\28\ OCC intends to include a detailed discussion of these
aspects of its operational risk management in a new Operational Risk
Management Framework document, which is currently being finalized by
OCC and will be filed with the Commission when it is complete.
---------------------------------------------------------------------------
Legal
The proposed RMF would state that OCC's legal risk is managed
through efforts across OCC that are advised by OCC's Legal department
(``Legal''). The proposed RMF would state that OCC manages its legal
risk by establishing, implementing and enforcing written documents that
are reasonably designed to provide a well-founded, clear, transparent,
and enforceable legal basis for each aspect of OCC's activities in all
relevant jurisdictions and comply with applicable legal and regulatory
requirements. The proposed RMF would state that in order to manage
legal risk across OCC, employees are required to consult with Legal on
legal and regulatory matters, including but not limited to
interpretation of laws and regulations applicable to OCC, including
OCC's Rules and By-Laws, legal claims against OCC, government or
regulatory requests or inspections, and matters that may be the subject
of a proposed rule change filing. The Legal section of the proposed RMF
would replace, in part, the Legal Risk section of the RMF Policy,
including by replacing a specific sub-section discussing OCC's
maintenance of contracts with more general requirements that OCC
establish, implement, and enforce written documents, including legal
agreements, and maintain documents that are reasonably designed to
provide a well-founded, clear, transparent, and enforceable legal basis
for each aspect of OCC's activities, which would include any contracts
regarding the material aspects of OCC's clearing, settlement, and risk
management activities as discussed in the RMF Policy.
Second Line of Defense
The proposed RMF would state that OCC's second line of defense
includes compliance, corporate risk, third-party risk, model risk
management, security, and business continuity. The proposed RMF would
state that the second line has no operational authority or
responsibility for the first line to prevent conflicts of interest. The
proposed RMF would state that the second line provides objective
analysis to identify potential enhancements and improvements to first
line processes to help ensure compliance with applicable laws and
regulations and prudent risk management. The proposed RMF would state
that second line management reports to Board committees and has the
authority to escalate information to the first line, Management
Committee, and the Board. Additionally, the proposed RMF would state
that second line management provides reports to the Board at least
quarterly at its scheduled meetings.
Compliance
The proposed RMF would state that OCC's Compliance department
(``Compliance'') oversees OCC's management of compliance risk by
adhering to applicable rules and regulations, policies, procedures,
processes, controls, and standards of conduct. The proposed RMF would
state that Compliance manages compliance risk by establishing processes
to prevent, detect, respond to, and report on compliance risk. The
proposed RMF would state that Compliance supports and assesses the
management of compliance risk through advising, monitoring, reporting,
testing, and training activities and maintains mechanisms for reporting
unethical or fraudulent behavior or misconduct. The Compliance section
of the proposed RMF would replace the Regulatory Compliance section of
the RMF Policy and reframe this section based on the Compliance
department's role in helping OCC manage compliance risk.
Corporate Risk
The proposed RMF would state that Corporate Risk evaluates
enterprise risk by identifying, measuring, monitoring, managing,
reporting, and escalating risks to inform decision-making in accordance
with the CRMP. The proposed RMF would state that Corporate Risk
evaluates enterprise risk to provide an understanding of inherent and
residual risks as compared against Board-approved levels.
Third-Party Risk
The proposed RMF would state that OCC's Third-Party Risk Management
business unit evaluates risks posed to OCC by third parties by
identifying, measuring, monitoring, managing, reporting, and escalating
risks as described in the TPRMF. The proposed RMF would state that
Third-Party Risk Management aggregates information about the risks
presented by third parties based on their relationships to OCC. The new
Third-Party Risk section of the proposed RMF would replace the Third-
Party Monitoring Program section of the RMF Policy and remove certain
details which are more comprehensively addressed in the TPRMF.\29\
---------------------------------------------------------------------------
\29\ See supra note 24.
---------------------------------------------------------------------------
Model Risk Management
The proposed RMF would state that Model Risk Management performs
independent model validation, evaluates model parameters and
assumptions, assesses mitigating factors, and provides effective and
independent challenge throughout OCC's model lifecycle in accordance
with its confidential Model Risk Management Policy. The proposed RMF
would state that models are governed and independently assessed and
certified to determine adequate performance. The proposed RMF would
state that this includes model testing and performance monitoring
(e.g., backtesting, sensitivity analysis). The new Model Risk
Management section of the proposed RMF would replace the Model Risk
section of the RMF Policy. This new section of the RMF would focus on
Model Risk Management's role in helping OCC manage model risk and would
remove certain details that are more comprehensively addressed in the
Model Risk Management Policy.\30\
---------------------------------------------------------------------------
\30\ See, e.g., Exchange Act Release No. 82785 (Feb. 27, 2018),
83 FR 9345 (Mar. 5, 2018) (File No. SR-OCC-2017-011).
---------------------------------------------------------------------------
Security
The proposed RMF would include new rule text stating that OCC's
Security department (``Security'') manages information, physical, and
personnel security risk to safeguard the confidentiality, integrity,
and availability of corporate information systems and data assets
implemented and maintained by Information Technology. The proposed RMF
would state that Security employs a risk-based methodology and controls
to manage information governance, system resiliency, and cyber
security. In addition, the proposed RMF would state that Security
maintains policies and procedures that require appropriate protective
controls and event detection via security monitoring. The proposed RMF
would state that Security evaluates its processes and controls through
internal and external testing, scanning for threats and
vulnerabilities, and benchmarking against industry standards.
In addition, the proposed RMF would incorporate an existing portion
of the RMF Policy concerning IT risk assessments conducted by Security
prior to the procurement, development, installation and operation of IT
services and systems, including the triggers that may change IT risks
at OCC.\31\ Cross-references found in the RMF Policy to procedures that
outline IT risk assessments at a procedural level would be removed. OCC
does not believe that identifying the underlying procedure is necessary
for understanding the process at a policy level.
---------------------------------------------------------------------------
\31\ This discussion would replace the IT Risk Assessment
section of the current RMF Policy. OCC intends to include a detailed
discussion of its IT risk assessment in a new Operational Risk
Management Framework document, which is currently being finalized by
OCC and will be filed with the Commission when it is complete.
---------------------------------------------------------------------------
Business Continuity
The proposed RMF would state that Business Continuity maintains a
business continuity program that establishes OCC's plan for maintaining
backup and recovery capabilities that are sufficiently resilient and
geographically diverse to address both internal and external events
that could impact OCC's operations.\32\
---------------------------------------------------------------------------
\32\ The Business Continuity section of the RMF would replace
the Business Continuity Program section of the current RMF Policy.
OCC intends to include a detailed discussion of its Business
Continuity Program in a new Operational Risk Management Framework
document, which is currently being finalized by OCC and will be
filed with the Commission when it is complete.
---------------------------------------------------------------------------
Third Line of Defense
The proposed RMF would state that OCC's third line of defense
consists of Internal Audit. Internal Audit is independent and reports
directly to the Audit Committee of the Board (``Audit Committee'') to
ensure this independence; the Audit Committee oversees the activities
performed by Internal Audit in accordance with the Audit Committee
Charter. The proposed RMF would state that Internal Audit has no
responsibility for first- or second-line functions. The proposed RMF
would state that Internal Audit designs, implements, and maintains an
audit program that provides the Management Committee and Audit
Committee independent and objective assurance related to the quality of
OCC's risk management, governance, compliance, controls, and business
processes in accordance with the confidential Internal Audit Policy.
The proposed RMF would state that Internal Audit issues independent
reports to the first and second line as well as the Audit Committee and
Board. This section of the RMF would replace a discussion of the third
line of defense in OCC's current RMF Policy and would remove certain
details that are more comprehensively addressed in the Internal Audit
Policy.\33\
---------------------------------------------------------------------------
\33\ Such details include requirements related to the diversity
and skills of Internal Audit personnel and the external standards of
professionalism pursuant to which Internal Audit performs its
functions.
---------------------------------------------------------------------------
Risk Management Practice
The RMF Policy currently contains a Risk Management Practice
section that describes OCC's three lines of defense model and
Enterprise Risk Assessment program. As discussed above, OCC would
relocate the discussion of its three lines of defense model to the new
RMF. In addition, OCC proposes to relocate the discussion of its
Enterprise Risk Assessment program to the new CRMP. OCC also proposes
to relocate the Risk Reporting section of the RMF Policy to the CRMP.
Additionally, OCC would eliminate the specific Compliance Risk
Assessment section of the RMF Policy.
Enterprise Risk Assessment and Scenario Analysis Program
The RMF Policy currently describes the Enterprise Risk Assessment
process conducted by the first line and Corporate Risk. The RMF Policy
provides that Enterprise Risk Assessments shall analyze Inherent
Risk,\34\ the quality of risk management, and Residual Risk \35\ of the
sub-categories of Key Risks and use analysis of Residual Risk in
conjunction with metrics related to risk tolerances to develop a risk
profile and determine whether a Key Risk is within its risk appetite.
The RMF Policy also requires that Corporate Risk's analysis of Residual
Risk be provided to the Management Committee and Board (or committee
thereof) to inform them on the quantity of risk in a certain functional
area or business area, and provide a mechanism to prioritize risk
mitigation activities.
---------------------------------------------------------------------------
\34\ The RMF Policy defines ``Inherent Risk'' to mean the
absolute level of risk exposure posed by a process or activity prior
to the application of controls or other risk-mitigating factors.
\35\ The RMF Policy defines ``Residual Risk'' to mean the level
of risk exposure posed to a process or activity after the
application of controls or other risk-mitigating factors.
---------------------------------------------------------------------------
The proposed CRMP would revise this description to more accurately
and completely describe the risk assessment, monitoring, and reporting
processes conducted by Corporate Risk. The proposed CRMP would state
that enterprise risk assessments are a quarterly activity where the
control environment is evaluated to determine its effectiveness in
preventing or mitigating inherent risks identified to arrive at a
residual risk rating for each risk statement. The proposed CRMP would
state that Corporate Risk (and not Compliance, as specified in the RMF
Policy) maintains an inventory of all
business processes, risks, and associated controls in a database used
by OCC to manage Enterprise Governance, Risk and Compliance. The CRMP
would state that Corporate Risk uses data from a variety of sources
(e.g., risk events, Internal Audit findings, security risk assessments
and observations, third-party observations, control design assessments,
management control self-testing results, and business impact analyses)
to rate the impact and likelihood of a risk and assess the quality of
the control environment. The proposed CRMP would state that enterprise
risk assessments are conducted through workshops across the first and
second lines of defense and are supplemented by including information
from emerging risk surveys (top-down), process-based risk assessments
(bottom-up), and enterprise technology assessments. The proposed CRMP
would state that quarterly, the results of the enterprise risk
assessment (the levels of residual risk) are aggregated and provided to
the CRO for approval and presented to the Management Committee and
Board by the CRO. The CRMP would also elaborate on the use of residual
risk, risk tolerances, and risk ratings and associated reporting as
discussed in the Risk Governance section of the proposed CRMP and would
also provide details on Corporate Risk's risk monitoring and risk
treatment activities in new sections of the CRMP (as discussed further
below).
The RMF Policy also describes OCC's Scenario Analysis Program,
which is an industry-standard method of identifying operational risks
that may not be otherwise captured by the Enterprise Risk Assessment
program. Pursuant to the RMF Policy, Corporate Risk and the first line
design simulations of potential business disruptions, and business unit
staff shall use such simulations to identify risks that may not have
been previously uncovered or identify weaknesses in current controls.
Corporate Risk includes the potential risks identified through the
Scenario Analysis Program in its analysis of, and reporting on, the
quantity of risk within a certain Key Risk and whether the Key Risk is
within its risk appetite.
OCC proposes to relocate the discussion of its Scenario Analysis
Program to the CRMP with revisions designed to more accurately and
completely describe the scenario analysis process. The proposed CRMP
would state that operational scenario analysis is the process of
leveraging OCC subject matter expertise to identify potential
operational risks and assess the potential outcomes of stressed
operations. The proposed CRMP would state that operational scenarios
consider both internal and external scenarios that may impact OCC's
ability to perform its clearance, settlement and risk management
services. The proposed CRMP would state that Corporate Risk, through
workshops with the first and second lines of defense, designs
operational scenarios utilizing available information (e.g., annual
top-risk survey conducted by Corporate Risk, Management Committee
recommendation, enterprise risk assessments). The proposed CRMP would
state that the workshops are designed to identify risks that may not
have been previously uncovered or weaknesses in current controls. The
proposed CRMP would state that operational scenarios are used to assess
the potential that future extreme but plausible business disruptions
may impact OCC's clearance, settlement and risk management services and
are inputs in OCC's target capital requirements and recovery and wind-
down planning. The proposed CRMP would state that Risk Owners use
scenarios to identify new and existing risks and identify weaknesses in
current controls. The proposed CRMP would state that Corporate Risk
includes potential risks identified through operational scenario
analysis when analyzing and reporting across risk categories and sub-
categories.
Risk Reporting
The proposed CRMP would contain a revised Risk Reporting section.
The proposed CRMP would state that risk reporting provides a view of
OCC's risks to facilitate risk management and inform decision-making.
The proposed CRMP would state that Corporate Risk reports risks based
on its risk identification, measurement, and monitoring activities to
assist in the understanding of the risks OCC faces and whether these
risks are being managed within OCC's risk tolerances and appetites. The
proposed CRMP would state that quarterly, the CRO reports risks (e.g.,
risk appetite or risk tolerance breaches, material operational risk
events, summary of risk acceptances, and risk mitigation) to the
Management Committee, Board, and relevant Board committees.
Compliance Risk Assessment
OCC proposes to remove a section of the RMF Policy specifically
dedicated to the Compliance Risk Assessment program. This section
currently provides a brief discussion of the Compliance department's
program used to identify and measure the risks faced by OCC regarding
regulatory compliance and prioritize the testing and training
activities associated with such risks. OCC believes this section is
appropriately addressed in the Compliance section of the proposed RMF
(discussed in detail above), which provides that Compliance manages
compliance risk by establishing processes to prevent, detect, respond
to, and report on compliance risk and assesses the management of
compliance risk through advising, monitoring, reporting, testing, and
training activities and maintains mechanisms for reporting unethical or
fraudulent behavior or misconduct. This would include the activities
performed by Compliance in the Compliance Risk Assessment program.
Control Activities
OCC proposes to eliminate the Control Activities section of the RMF
Policy, which describes certain activities performed by OCC's
Compliance department relating to the maintenance of business process
and control inventories and annual training of OCC staff. This would be
replaced by more general descriptions of Compliance's responsibilities
under the proposed RMF. As discussed above, the RMF would more
generally describe the department's responsibilities for the management
of compliance risk, including by: (i) establishing processes to
prevent, detect, respond to, and report on compliance risk; (ii)
assessing the management of compliance risk through advising,
monitoring, reporting, testing, and training activities; and (iii)
maintaining mechanisms for reporting unethical or fraudulent behavior
or misconduct. Additionally, as noted above, the proposed CRMP would
transfer responsibility for maintaining OCC's inventory of all business
processes, risks, and associated controls from Compliance to Corporate
Risk.
Policy Exceptions and Violations
OCC proposes to replace the Policy Exceptions and Violations
sections in the current RMF Policy with a new Risk Acceptances and
Deviations section in the RMF. The RMF would require that risk
acceptances,\36\ including exceptions to OCC's risk management
frameworks and policies, shall be escalated to Corporate Risk in
accordance with the CRMP. In addition, the RMF would
[[Page 58418]]
require that deviations from OCC's risk management frameworks and
policies shall be escalated to Compliance in accordance with the Policy
Governance Policy (``PGP'').\37\ By including this generally applicable
provision in the RMF, OCC would no longer include this information in
each individual policy and procedure. Policy exceptions would continue
to be escalated as part of OCC's risk acceptance process and policy
violations would be escalated as part of OCC's PGP document deviation
risk event process. The proposed change would allow OCC to remain
consistent with this practice in its policies and procedures without
requiring each to have its own individual Policy Exceptions and
Violations sections that would need to be updated as OCC's process for
escalating exceptions and deviations develops and matures.
---------------------------------------------------------------------------
\36\ As discussed in more detail below with respect to the
proposed Risk Treatment section of the CRMP, acceptance is a risk
treatment method that may be used to acknowledge when the cost or
complexity of avoiding, mitigating, or transferring the risk exceeds
the potential impact (e.g., OCC accepts a risk temporarily and
implements short-term mitigants, knowing that a long-term solution
is planned).
\37\ OCC proposes to use the term ``deviation'' rather than
``violation'' as found in the current RMF Policy to align with the
terminology used in the PGP.
---------------------------------------------------------------------------
Other Deleted Sections of the RMF Policy
Project Management, Budgeting, and Training Changes
OCC proposes to delete from its rules certain sections of the RMF
Policy related to project management, corporate planning and budgeting,
and Human Resources and Compliance Training and Policies. OCC believes
that these sections deal with policies and practices that are
administrative in nature and do not constitute material aspects of the
operation of the facilities of OCC.\38\ OCC would not maintain these
details in the RMF or CRMP; however, OCC would continue to maintain and
update these details when necessary in other internal policies,
procedures, or OCC documentation maintained for such purposes.
---------------------------------------------------------------------------
\38\ Section 19(b)(1) of the Exchange Act requires a self-
regulatory organization (``SRO'') such as OCC to file with the
Commission any proposed rule or any proposed change in, addition to,
or deletion from the rules of such SRO. See 15 U.S.C. 78s(b)(1).
Section 3(a)(27) of the Exchange Act defines ``rules of a clearing
agency'' to mean its (1) constitution, (2) articles of
incorporation, (3) bylaws, (4) rules, (5) instruments corresponding
to the foregoing and (6) such ``stated policies, practices and
interpretations'' (``SPPI'') as the Commission may determine by
rule. See 15 U.S.C. 78c(a)(27). Exchange Act Rule 19b-4(a)(6)
defines the term ``SPPI'' to include (i) any material aspect of the
operation of the facilities of an SRO and (ii) statements made
generally available to membership of, to all participants in, or to
persons having or seeking access to facilities of an SRO that
establishes or changes certain standards, limits, or guidelines. See
17 CFR 240.19b-4(a)(6). Rule 19b-4(c) provides, however, that an
SPPI may not be deemed to be a proposed rule change if it is: (i)
reasonably and fairly implied by an existing rule of the SRO or (ii)
concerned solely with the administration of the SRO and is not an
SPPI with respect to the meaning, administration, or enforcement of
an existing rule of the SRO. See 17 CFR 240.19b-4(c).
---------------------------------------------------------------------------
Risk Universe
Finally, OCC proposes to remove the RMF Policy's Appendix: OCC's
Key Risks with CCA, PFMI, and Reg SCI Mapping. The proposed CRMP would
require that Corporate Risk continue to maintain the risk universe, and
OCC has included its risk categories in Section II of the proposed RMF
but proposes that the additional detailed documentation and mapping be
maintained internally by Corporate Risk. OCC believes it may need to
update the mapping and risks, as well as how OCC defines them,
dynamically based on business and market factors. OCC believes by
following the governance outlined in the proposed CRMP, proper scrutiny
will be given to any revisions to this information. Moreover, OCC
believes that the policies and processes maintained by OCC to
establish, maintain, review and update its risk universe, which
reflects the universe of risks that OCC must monitor and manage,
constitute material aspects of the operation of the facilities of OCC,
but the risk universe itself is the output of those processes and
simply lists those risks that OCC has identified pursuant to the
requirements of the RMF Policy (and the proposed CRMP).
New Sections in the RMF and CRMP
OCC proposes to add new sections to its RMF and CRMP to describe
certain aspects of its risk management framework and approach to
enterprise risk management, which are discussed in detail below.
RMF: Recovery and Orderly Wind-Down Plan
The proposed RMF would include a new section discussing OCC's
Recovery and Orderly Wind-Down Plan. The proposed RMF would state that
in the event of extreme financial, operational, or general business
stress, Corporate Risk maintains a confidential Recovery and Orderly
Wind-Down Plan which details the departments responsible for executing
the plan. The proposed RMF would state that OCC employs a set of
recovery tools in the event of severe financial, operational, or
general business stress, to continue to provide critical clearing and
settlement services. The proposed RMF would state that should OCC's
recovery efforts be unsuccessful or if, based on facts and
circumstances, it is determined that its recovery tools would be
insufficient, OCC has a wind-down plan that provides for the orderly
resolution of the firm.
CRMP: Risk Monitoring
The CRMP would introduce a new section to describe Corporate Risk's
Risk Monitoring process, including key risk indicator monitoring and
operational risk event monitoring. The proposed CRMP would state that
Corporate Risk and Risk Owners monitor internal and external risks to
determine whether OCC's risk management practices continue to operate
effectively. The proposed CRMP would state that the information
gathered during this monitoring is used to inform enterprise risk
assessments.
Key Risk Indicator Monitoring
The proposed CRMP would state that key risk indicators (``KRIs'')
are qualitative or quantitative metrics designed to identify changes to
risks. The proposed CRMP would state that Corporate Risk and Risk
Owners utilize KRIs to measure and monitor levels of risk against risk
appetite and risk tolerances. The proposed CRMP would state that KRIs
are established at a risk sub-category level. KRIs include three
thresholds: green, amber, and red. The proposed CRMP would state that
green indicates a low risk of breaching tolerance, amber indicates a
moderate risk of breaching tolerance, and red indicates a breach of
tolerance. The proposed CRMP would state that amber and red thresholds
are points of escalation to the CRO, Management Committee, and the
Board.
The proposed CRMP would state that Risk Owners, in collaboration
with Corporate Risk, develop KRIs by considering business (e.g.,
process and controls) and regulatory requirements. The proposed CRMP
would state that Corporate Risk facilitates identifying, modifying, and
reviewing KRIs with a designated Management Committee member, including
defining and reviewing the risk tolerance and risk thresholds for the
KRI. The proposed CRMP would state that KRIs that breach the red
threshold result in the development and execution of risk treatment
plans by Risk Owners. The proposed CRMP would state that Corporate Risk
reports against red, amber, and green thresholds to the CRO and
Management Committee on a quarterly basis and to the Board at each
regularly scheduled meeting.
Operational Risk Event Monitoring
The proposed CRMP would state that an operational risk event is an
event which results in a financial loss or an adverse impact to OCC or
its ability to deliver its services. The proposed CRMP would state that
such events arise from
[[Page 58419]]
failed or inadequate internal processes, people, systems, or exposure
to external events. The proposed CRMP would state that Risk Owners are
responsible for identifying, assessing, and escalating operational risk
events. The proposed CRMP would provide that Corporate Risk is
responsible for ensuring that material operational risk events, as well
as identified trends, are reported to the CRO and Management Committee
on a quarterly basis and to the Board at each regularly scheduled
meeting. The proposed CRMP would state that Risk Owners perform root
cause analysis and enhance or develop processes that would reduce the
impact or likelihood of similar events occurring in the future. The
proposed CRMP would state that Risk Owners are responsible for
escalating operational risk events causing serious and extended
disruptions in production operations. The proposed CRMP would state
that risk events that have a major or extreme impact to OCC's ability
to perform its clearance, settlement and risk management services are
immediately reported to the Management Committee and Board.
CRMP: Risk Treatment
The CRMP would introduce a new section to describe OCC's risk
treatment process, which is the process by which Risk Owners manage
risk exposures by utilizing risk treatment methods to remain within
risk appetites and tolerances. The proposed CRMP would state that risk
treatment methods are implemented by Risk Owners and include the
decision to mitigate, avoid, transfer, or accept an identified risk.
The proposed CRMP would state that mitigation is a risk treatment
method where controls including policies, procedures, processes, and
systems can be implemented to manage a risk within established risk
appetites and tolerances (e.g., OCC creates a procedure to document a
process including implementing controls to mitigate a risk).
The proposed CRMP would state that avoidance is a risk treatment
method that may be used when controls are ineffective at preventing or
mitigating a risk within approved risk appetites or tolerances (e.g.,
OCC does not onboard a clearing member due to poor financial health).
The proposed CRMP would state that transference is a risk treatment
method where risks are moved to a third-party usually through the
purchase of insurance (e.g., fraud, general liability, and employment
insurance). Insurance coverage would be coordinated by the Corporate
Finance team, with involvement from other first and second line
stakeholders, and subject to review by the Management Committee and the
Board.
The proposed CRMP would state that acceptance is a risk treatment
method that may be used to acknowledge when the cost or complexity of
avoiding, mitigating, or transferring the risk exceeds the potential
impact (e.g., OCC accepts a risk temporarily and implements short-term
mitigants, knowing that a long-term solution is planned). The proposed
CRMP would state that Corporate Risk evaluates risk acceptances
submitted by Risk Owners. The proposed CRMP would state that any risks
presented for acceptance that are outside of risk appetite or risk
tolerance must be approved by the Management Committee annually. The
proposed CRMP would state that Corporate Risk reports on risks accepted
above approved risk appetite or risk tolerance to the CRO, Management
Committee, and Board.
CRMP: Risk Escalation, and Training
The proposed CRMP would also describe Corporate Risk's process for
escalating risks to the CRO, Management Committee, and Board and
training employees about risk to support risk management and decision-
making.
Escalation
The proposed CRMP would state that OCC employees are responsible
for escalating risks through timely identification and reporting. The
proposed CRMP would state that in accordance with OCC's Employee
Handbook and Policy Governance Policy, OCC employees are expected to
escalate risks through their reporting line, OCC's internal working
groups, or to the Management Committee. The proposed CRMP would state
that quarterly, Corporate Risk, through the CRO, escalates breaches of
risk appetites and risk tolerances to the Management Committee, Board,
and relevant Board committees. The proposed CRMP would state that
escalation occurs (i) consistent with obligations established in the
Management Committee Charter, Board Charter, Board Committee Charters,
policies, and procedures, or (ii) anytime through the CRO directly to
the Board.
Training
The proposed CRMP would state that OCC employees are trained to
promote a culture of risk and control awareness. The proposed CRMP
would state that Corporate Risk collaborates with other OCC departments
to create and disseminate training to enable accountability, empower
decision-making, promote risk awareness, and detail escalation. The
proposed CRMP would state that this training promotes awareness of
OCC's regulatory requirements, policies, procedures, processes,
controls, and standards of conduct.
Conforming Changes to OCC Risk Policies
Finally, OCC proposes to update other OCC Risk Policies to be
consistent with the proposed RMF. Specifically, OCC would update
references to the RMF Policy, including the summary of the RMF Policy
in the Recovery and Orderly Wind-Down Plan, to refer to the RMF and
CRMP. References to the ``Enterprise Risk Management'' department or
``ERM'' would be changed to ``Corporate Risk Management'' or
``Corporate Risk'' to reflect that department's name. In the case of
the Collateral Risk Management Policy, OCC would delete reference to
the Enterprise Risk Management Policy's annual review of concentration
limits because that review is conducted by the Model Risk Management,
which is part of Corporate Risk. The OCC Risk Policies would be further
conformed to reflect that what was formerly referred to as OCC's Model
Validation Group is now referred to as Model Risk Management. OCC would
also remove the Policy Exceptions and Violations sections of the
applicable OCC Risk Policies as the exception and violation processes
for all of the OCC Risk Policies would be covered by the new Risk
Acceptances and Deviations section of the proposed RMF (as discussed
above).
OCC also proposes to make administrative updates to cross-references
to other internal OCC policies and procedures and other administrative
changes arising from OCC's annual review of its risk management
frameworks and procedures. Specifically, OCC would also revise the
TPRMF to:
• Include General Business Risk as a type of risk that may
be presented by third-party relationships;
• Revise the introduction of the on-boarding and off-
boarding monitoring of counterparties with multiple relationships with
OCC to reference the respective procedures and work groups in the
Third-Party Relationship Management section, which as evident from the
existing TPRMF is not limited to monitoring by the Credit and Liquidity
Risk Working Group, as that current introduction suggests;
• Delete reference to specific OCC Rules in favor of
reference to Chapters of OCC's Rulebook because the specific Rules
currently identified are not a
[[Page 58420]]
complete list of those in the identified Chapters that give OCC
authority to act to protect OCC from exposure presented by a Clearing
Member.
• Make other administrative changes to business unit names.
(2) Statutory Basis
OCC believes the proposed rule change is consistent with Section
17A of the Exchange Act \39\ and Rule 17Ad-22(e)(3). Section
17A(b)(3)(F) of the Act \40\ requires, in part, that the rules of a
clearing agency be designed to promote the prompt and accurate
clearance and settlement of securities transactions, to assure the
safeguarding of securities and funds in the custody or control of the
clearing agency or for which it is responsible, and in general, to
protect investors and the public interest. Rule 17Ad-22(e)(3)(i) \41\
requires, in part, that a covered clearing agency establish, implement,
maintain and enforce written policies and procedures reasonably
designed to maintain a sound risk management framework for
comprehensively managing legal, credit, liquidity, operational, general
business, investment, custody, and other risks that arise in or are
borne by the covered clearing agency, which includes risk management
policies, procedures, and systems designed to identify, measure,
monitor, and manage the range of risks that arise in or are borne by
the covered clearing agency, that are subject to review on a specified
periodic basis and approved by the board of directors annually. For the
reasons addressed below, OCC believes the proposed changes are
consistent with these requirements.
---------------------------------------------------------------------------
\39\ 15 U.S.C. 78q-1.
\40\ 15 U.S.C. 78q-1(b)(3)(F).
\41\ 17 CFR 240.17Ad-22(e)(3)(i).
---------------------------------------------------------------------------
Consistency With Section 17A(b)(3)(F) of the Exchange Act
The proposed RMF and associated policies, including the CRMP, would
be the foundation for a risk management framework designed to promote
the prompt and accurate clearance and settlement of securities
transactions, assure the safeguarding of securities and funds in the
OCC's custody or control, and in general, protect investors and the
public interest. Risk management is the means by which OCC guards
against disruption to OCC's clearance and settlement services and loss
of financial resources necessary to maintain OCC as a going concern or
in OCC's custody or control to address member defaults and liquidity
shortfalls. As a clearing agency that has been designated a
systemically important financial market utility by the Federal
Stability Oversight Council, such disruption or losses may present
systemic risks to the markets OCC serves, OCC's Clearing Members, and
other market participants, including investors, thereby harming the
public interest.
As described above, the proposed RMF would be designed to provide a
foundation to support the risk management policies, procedures, and
systems that make up OCC's sound risk management framework. The
proposed RMF would describe OCC's overall framework for comprehensive
risk management, including OCC's framework to identify, measure,
monitor and manage the risks faced by OCC in the provision of clearing,
settlement and risk management services. The proposed RMF would provide
the context for OCC's risk management framework, identify OCC's risk
categories, describe the governance arrangements that implement risk
management, and describe OCC's program for risk management, including
the three lines of defense structure. In addition, the proposed CRMP
would support the proposed RMF by explaining OCC's risk management
activities related to enterprise risk. These changes are not meant to
significantly alter OCC's approach to risk management, but rather to
present OCC's approach to enterprise risk in a standalone policy,
similar to OCC's approach with OCC's risk management. OCC believes that
more clearly delineating its overall approach to risk management and
its approach to enterprise risk through two separate policies helps
support risk management processes designed to promote the prompt and
accurate clearance and settlement of securities transactions, assure
the safeguarding of securities and funds in OCC's custody, and in
general, protect investors and the public interest. Accordingly, OCC
believes that establishing the RMF and CRMP is consistent with Section
17A(b)(3)(F) of the Act.\42\
---------------------------------------------------------------------------
\42\ 15 U.S.C. 78q-1(b)(3)(F).
---------------------------------------------------------------------------
The proposed RMF and CRMP would also make a number of substantive
changes to OCC's rules beyond the reorganization and restatement of
existing OCC rules. Consistency of these changes with Section
17A(b)(3)(F) of the Act \43\ is discussed below.
---------------------------------------------------------------------------
\43\ Id.
---------------------------------------------------------------------------
RMF Policy: Purpose Section
The purpose section of the RMF Policy would be revised to reflect
the reorganization of content in the RMF Policy in the new RMF and
CRMP, focusing on the purpose and intent of each of the newly proposed
documents. The proposed change is designed to clearly explain the
purpose of the proposed RMF and CRMP and their place in OCC's overall
framework for comprehensively managing legal, credit, liquidity,
operational, general business, investment, custody, and other risks
that arise in or are borne. OCC believes that providing this enhanced
clarity in two of its key risk management policies would strengthen
risk management processes designed to promote the prompt and accurate
clearance and settlement of securities transactions, assure the
safeguarding of securities and funds in OCC's custody or control or for
which it is responsible, and in general, protect investors and the
public interest. Accordingly, OCC believes the proposed changes are
consistent with Section 17A(b)(3)(F) of the Act.\44\
---------------------------------------------------------------------------
\44\ 15 U.S.C. 78q-1(b)(3)(F).
---------------------------------------------------------------------------
RMF Policy: Context for Risk Management Framework and Risk Management
Philosophy
OCC would delete the Context for Risk Management Framework and Risk
Management Philosophy sections of the RMF Policy from the proposed RMF.
These sections provide history and background information about OCC and
its purpose in the financial market, but do not contain rules of OCC.
Additionally, the information presented in the Risk Management
Philosophy section serves as an additional purpose section and all
items highlighted in this section are covered in the proposed RMF and
CRMP. OCC believes that removing this extraneous information would
enhance the clarity of these risk policies by focusing on the rules
governing OCC's overall risk framework and corporate risk management
program and would strengthen risk management processes designed to
promote the prompt and accurate clearance and settlement of securities
transactions, assure the safeguarding of securities and funds in OCC's
custody or control or for which it is responsible, and in general,
protect investors and the public interest. Accordingly, OCC believes
that the proposed changes are consistent with Section
17A(b)(3)(F) of the Act.\45\
---------------------------------------------------------------------------
\45\ 15 U.S.C. 78q-1(b)(3)(F).
---------------------------------------------------------------------------
RMF Policy: Risk Appetite Framework and Tolerance
OCC proposes to make certain modifications to the description of
its risk appetite framework, including descriptions of OCC's use of a
risk universe, risk appetites and risk tolerances, in the new CRMP. As
[[Page 58421]]
described above, the proposed CRMP would revise certain terminology in
OCC's risk universe, such as organizing the universe into ``risk
categories,'' ``risk sub-categories,'' and ``risk statements'' to
effectively represent the Key Risks, Sub-categories, and Definitions
that are discussed in the current RMF Policy. OCC would also modify
certain governance requirements for the risk universe. Under the
current RMF, Key Risks are approved by OCC's Board and risk appetites
for Key Risks are set by the business departments responsible for those
risks in cooperation with Corporate Risk. Under the proposed CRMP, the
risk universe would be owned and approved by OCC's CRO and provided to
the Management Committee and Board. The Board or the Risk Committee
would ultimately be responsible for approving risk appetites and would
continue to approve risk tolerances. The proposed CRMP would also
provide additional details around the internal governance process for
reviewing and approving risk categories, appetites, and tolerances and
for monitoring risk tolerances. OCC would also remove the more general
risk appetite statement definitions (i.e., no appetite, low appetite,
moderate appetite, and high appetite), which are currently described in
the RMF Policy, enabling OCC to use more detailed, qualitative risk
appetite statements for each risk sub-category following the governance
processes described above. In addition, OCC would change the cadence of
risk reporting, including risk tolerance breaches, to align with the
timing of OCC's regular Board meetings. The proposed CRMP would also
introduce the concept of risk rating scales, which provide an
assessment of risk from an impact and likelihood perspective
consistently across OCC and would be used to measure inherent and
residual risk at a risk statement level.
OCC believes the proposed CRMP would provide a more comprehensive
overview of the governance of OCC's risk universe and enhance certain
processes therein. The proposed CRMP would provide additional details
around the internal governance process for reviewing and approving risk
categories, appetites, and tolerances and for monitoring risk
tolerances and improve the governance process for the risk universe by
allowing the CRO to modify risk categories as needed, with oversight of
Management Committee and Board, and provide the Board or Risk Committee
with more direct responsibility for setting the appetites for those
risks. For these reasons, OCC believes the proposed changes would
strengthen risk management processes designed to promote the prompt and
accurate clearance and settlement of securities transactions, assure
the safeguarding of securities and funds in OCC's custody or control or
for which it is responsible, and in general, protect investors and the
public interest. Accordingly, OCC believes that the proposed changes
are consistent with Section 17A(b)(3)(F) of the Act.\46\
---------------------------------------------------------------------------
\46\ 15 U.S.C. 78q-1(b)(3)(F).
---------------------------------------------------------------------------
RMF Policy: Risk Management Governance
OCC proposes to modify certain descriptions of its risk management
governance arrangements in the new RMF. For example, OCC would update
and streamline the description of the responsibilities of its Board as
they are generally already addressed in the Board Charter.\47\ OCC also
proposes to update the description of the responsibilities of the
Management Committee, which primarily relates to the committee's role
and responsibilities in reviewing and recommending changes to OCC's
risk universe, as this would not be addressed in the proposed CRMP (as
discussed above). OCC would also update the discussion of working
groups and their responsibilities and include a description of the
responsibilities of and development opportunities for OCC employees.
OCC believes the proposed changes would improve OCC's risk framework by
presenting a more concise, clear, and transparent description of OCC's
risk management governance and thereby promote the prompt and accurate
clearance and settlement of securities transactions, assure the
safeguarding of securities and funds in OCC's custody or control or for
which it is responsible, and in general, protect investors and the
public interest. Accordingly, OCC believes that the proposed changes
are consistent with Section 17A(b)(3)(F) of the Act.\48\
---------------------------------------------------------------------------
\47\ See supra notes 16 and 17.
\48\ 15 U.S.C. 78q-1(b)(3)(F).
---------------------------------------------------------------------------
RMF Policy: Identification of Key Risks
OCC proposes to replace the Identification of Key Risks section of
the RMF Policy, which provides a brief description of OCC's policies
and procedures for managing each of those Key Risks and their respective
Risk Sub-Categories, with a new OCC Risk Management section of the
proposed RMF. The proposed RMF would reorganize the focus of this
description to align with the three lines of defense model currently
described in the RMF Policy and describe the types of risks managed by
each line of defense. The new OCC Risk Management section of the RMF
would: (i) restate existing content of the RMF; (ii) introduce new
content not currently contained in OCC's RMF Policy; and (iii) delete
certain aspects of the RMF Policy. The proposed RMF would continue to
refer to the same rules and OCC Risk Policies currently maintained by
OCC (and described in the RMF) to address such risks and which are
currently filed with the Commission as rules of OCC.\49\
---------------------------------------------------------------------------
\49\ See supra notes 20-26 and associated text.
---------------------------------------------------------------------------
OCC also proposes to remove certain details concerning its
management of operational risk (e.g., quality standards program,
cybersecurity program, system functionality and capacity, and business
continuity program) as these aspects of its operational risk management
would be contained in a new Operational Risk Management Framework
document, which is currently being finalized by OCC, and will contain a
more detailed and comprehensive overview of OCC's framework for
managing operational risk.
OCC believes these proposed changes would present a comprehensive,
clear, and transparent description of the key risks faced by OCC and
the assignment of responsibility for managing such risk, thereby
strengthening risk management processes designed to promote the prompt
and accurate clearance and settlement of securities transactions,
assure the safeguarding of securities and funds in OCC's custody or
control or for which it is responsible, and in general, protect
investors and the public interest. Accordingly, OCC believes that the
proposed changes are consistent with Section 17A(b)(3)(F) of the
Act.\50\
---------------------------------------------------------------------------
\50\ 15 U.S.C. 78q-1(b)(3)(F).
---------------------------------------------------------------------------
RMF Policy: Risk Management Practice
OCC proposes to relocate the discussion of its enterprise risk
assessments, scenario analysis program, and risk reporting process to
the new CRMP. As discussed above, the proposed CRMP is designed to more
accurately and completely describe the risk assessment, monitoring, and
reporting processes conducted by Corporate Risk. Additionally, OCC
would eliminate the specific IT Risk Assessment section of the RMF
Policy, as these details would be more appropriately addressed in the
forthcoming Operational Risk Management Framework document, and would
also remove the Compliance Risk Assessment section of the RMF Policy
because this information is appropriately covered in the Compliance
section of the proposed
[[Page 58422]]
RMF. OCC believes the proposed changes would result in an improved
description of Corporate Risk's risk assessment, scenario analysis, and
risk reporting responsibilities and thereby strengthen risk management
processes designed to promote the prompt and accurate clearance and
settlement of securities transactions, assure the safeguarding of
securities and funds in OCC's custody or control or for which it is
responsible, and in general, protect investors and the public interest.
Accordingly, OCC believes the proposed changes are consistent with
Section 17A(b)(3)(F) of the Act.\51\
---------------------------------------------------------------------------
\51\ 15 U.S.C. 78q-1(b)(3)(F).
---------------------------------------------------------------------------
RMF Policy: Control Activities
OCC proposes to replace the Control Activities section of the RMF
Policy with more general and broader descriptions of Compliance's
responsibilities in the proposed RMF. In addition, under the proposed
CRMP, responsibility for maintaining OCC's inventory of all business
processes, risks, and associated controls would move from Compliance to
Corporate Risk. As such, Corporate Risk would be responsible for
reviewing the design of controls. Compliance would continue to perform
design testing. OCC believes that assigning responsibility for
reviewing control design to Corporate Risk is appropriate given its
responsibilities in the enterprise risk assessment process, as part of
which Corporate Risk leads quarterly workshops that assess the
likelihood and impact of risks by reviewing data from across OCC,
including risk events, Internal Audit findings, security risk
assessments and observations, third-party observations, control design
assessments, management control self-testing results, and business
impact analyses, supplemented by information from emerging risk surveys
(top-down), process-based risk assessments (bottom-up), and enterprise
technology assessments. This enterprise risk assessment process affords
Corporate Risk a holistic view of risk and controls, which OCC believes
puts Corporate Risk in a unique position to review and improve control
design with respect to controls intended to promote the prompt and
accurate clearance and settlement of securities transactions, assure
the safeguarding of securities and funds in OCC's custody or control or
for which it is responsible, and in general, protect investors and the
public interest. Accordingly, OCC believes the proposed changes are
consistent with Section 17A(b)(3)(F) of the Act.\52\
---------------------------------------------------------------------------
\52\ 15 U.S.C. 78q-1(b)(3)(F).
---------------------------------------------------------------------------
RMF Policy: Exceptions and Violations
OCC proposes to replace the individual Policy Exceptions and
Violations sections in the current RMF Policy and other OCC Risk
Policies with a new Risk Acceptances and Deviations section in the RMF.
The proposed change would provide for a single framework for risk
acceptances, exceptions, deviations, and the escalation of deviations
across OCC's filed policies rather than requiring each policy to have
its own individual Policy Exceptions and Violations sections, which may
over time become inconsistent as policies are updated at different
times. Such inconsistency could create confusion about escalation
obligations and procedures, which could in turn lead to failure to
escalate issues appropriately. Accordingly, OCC believes that improving
the documentation for its escalation process would strengthen risk
management processes designed to promote the prompt and accurate
clearance and settlement of securities transactions, assure the
safeguarding of securities and funds in OCC's custody or control or for
which it is responsible, and in general, protect investors and the
public interest. Accordingly, OCC believes that the proposed changes
are consistent with Section 17A(b)(3)(F) of the Act.\53\
---------------------------------------------------------------------------
\53\ 15 U.S.C. 78q-1(b)(3)(F).
---------------------------------------------------------------------------
New Sections in Proposed RMF and CRMP
OCC proposes to add new sections to the proposed RMF and CRMP to
provide additional details concerning its overall framework for
managing risk and its approach to enterprise risk management. For
example, the proposed RMF would include a new section discussing OCC's
Recovery and Orderly Wind-Down Plan. In addition, the CRMP would
introduce a new section to describe Corporate Risk's Risk Monitoring
process, including key risk indicator monitoring and operational risk
event monitoring. The CRMP would also introduce a new section to
describe OCC's risk treatment process, which is the process by which
Risk Owners manage risk exposures by utilizing risk treatment methods
to remain within risk appetites and tolerances. Additionally, the
proposed CRMP would also describe Corporate Risk's process for
escalating risks to the CRO, Management Committee, and Board and
training employees about risk to support risk management and decision-
making. The proposed changes would provide a more comprehensive and
transparent discussion of OCC's overall framework for managing risk and
its approach to enterprise risk management. OCC believes the proposed
enhancements to its risk management documentation would serve to
promote the prompt and accurate clearance and settlement of securities
transactions, assure the safeguarding of securities and funds in OCC's
custody or control or for which it is responsible, and in general,
protect investors and the public interest. Accordingly, OCC believes
that the proposed changes are consistent with Section 17A(b)(3)(F) of
the Act.\54\
---------------------------------------------------------------------------
\54\ 15 U.S.C. 78q-1(b)(3)(F).
---------------------------------------------------------------------------
For the reasons set forth above, OCC believes the proposed rule
change would promote the prompt and accurate clearance and settlement
of securities transactions, assure the safeguarding of securities and
funds in the custody or control of the clearing agency or for which it
is responsible, and in general, to protect investors and the public
interest in accordance with Section 17A(b)(3)(F) of the Act.\55\
---------------------------------------------------------------------------
\55\ 15 U.S.C. 78q-1(b)(3)(F).
---------------------------------------------------------------------------
Consistency With Rule 17Ad-22 Under the Exchange Act
OCC believes that the proposed rule change is generally consistent
with Rule 17Ad-22(e)(3)(i) \56\ because the proposed RMF would describe
OCC's comprehensive framework for identifying, measuring, monitoring
and managing the risks that arise within OCC or are borne by it,
including legal, credit, liquidity, operational, general business,
investment and custody risk. Moreover, the proposed CRMP would explain
that Corporate Risk evaluates risks that may affect OCC's ability to
perform the services detailed in the proposed RMF. The proposed RMF
would explain how OCC employs established practices, such as the three
lines of defense model for enterprise-wide risk management, to ensure
that OCC maintains and operates a resilient, effective and reliable
risk management and internal control infrastructure that assures risk
management and processing outcomes expected by OCC stakeholders. The
proposed CRMP would describe how OCC's second line of defense monitors
the risks that arise in or are borne by OCC through a variety of risk
assessment, risk reporting, evaluation and internal control management
activities, consistent with the requirements of Rule 17Ad-
22(e)(3)(i).\57\
---------------------------------------------------------------------------
\56\ Id.
\57\ Id.
---------------------------------------------------------------------------
The proposed CRMP would describe OCC's use of risk appetites and
risk tolerances to evaluate OCC's risks across
[[Page 58423]]
its risk universe to ensure that OCC sets appropriate levels and types
of risk that OCC is willing and able to assume in accordance with OCC's
mission as a systemically important financial market utility. For
example, the use of risk appetites allows OCC to carefully calibrate
the levels of risk it accepts in a manner consistent with OCC's core
mission of promoting financial stability in the markets it serves. In
addition, the use of risk tolerances helps to inform whether risks are
within Board-approved risk appetites. As a result, OCC believes the
proposed RMF, as supported by the CRMP, is reasonably designed to
provide for a sound, comprehensive framework for identifying,
measuring, monitoring and managing the range of risks that arise in or
are borne by OCC in a manner consistent with Rule 17Ad-22(e)(3)(i).\58\
---------------------------------------------------------------------------
\58\ Id.
---------------------------------------------------------------------------
RMF Policy: Risk Appetite Framework and Tolerance
As described herein, OCC proposes to make certain modifications to
the description of its risk appetite framework, including descriptions
of OCC's use of a risk universe, risk appetites and risk tolerances and
the governance process for maintaining the risk universe, in the proposed
CRMP. The proposed CRMP would also introduce the concept of risk rating
scales, which provide an assessment of risk from an impact and
likelihood perspective consistently across OCC and would be used to
measure inherent and residual risk at a risk statement level. OCC
believes the proposed CRMP would provide a more comprehensive overview
of the governance of OCC's risk universe and enhance certain processes
therein. The proposed CRMP would also provide additional details around
the internal governance process for reviewing and approving risk
categories, appetites, and tolerances and for monitoring risk
tolerances and improve the governance process for the risk universe by
allowing the CRO to modify risk categories as needed, with oversight of
Management Committee and Board, and provide the Board or Risk Committee
with more direct responsibility for setting the appetites for those
risks. OCC believes the proposed changes are reasonably designed to
provide for a sound, comprehensive framework for identifying,
measuring, monitoring and managing the range of risks that arise in or
are borne by OCC in a manner consistent with Rule 17Ad-22(e)(3)(i).\59\
---------------------------------------------------------------------------
\59\ Id.
---------------------------------------------------------------------------
RMF Policy: Risk Management Governance
Rules 17Ad-22(e)(2)(i) and (ii) \60\ require that a covered
clearing agency establish, implement, maintain and enforce written
policies and procedures reasonably designed to provide for governance
arrangements that (i) are clear and transparent and (ii) clearly
prioritize the safety and efficiency of the covered clearing agency. As
discussed above, OCC proposes to modify certain descriptions of its
risk management governance arrangements in the new RMF, including the
roles and responsibilities of the Board, Management Committee, and
OCC's internal working groups. OCC believes the proposed changes would
improve OCC's risk framework by presenting a more clear, concise, and
transparent description of OCC's governance arrangements as they relate
to the management of risk within OCC. As a result, OCC believes the
proposed changes are reasonably designed to provide for governance
arrangements that (i) are clear and transparent and (ii) clearly
prioritize the safety and efficiency of the covered clearing agency in
accordance with Rules 17Ad-22(e)(2)(i) and (ii).\61\
---------------------------------------------------------------------------
\60\ 17 CFR 240.17Ad-22(e)(2)(i) and (ii).
\61\ Id.
---------------------------------------------------------------------------
RMF Policy: Identification of Key Risks
As described above, OCC proposes to replace the Identification of
Key Risks section of the RMF Policy with a new OCC Risk Management
section of the proposed RMF. The proposed RMF would reorganize the
focus of this description to align with the three lines of defense
model currently described in the RMF Policy and describe the types of
risks managed by each line of defense. As described herein, the new OCC
Risk Management section of the RMF would: (i) restate existing content
of the RMF; (ii) introduce new content not currently contained in OCC's
RMF Policy; and (iii) delete certain aspects of the RMF Policy. The
proposed RMF would continue to refer to the same rules and OCC Risk
Policies currently maintained by OCC (and described in the RMF) to
address such risks and which are currently filed with the Commission as
rules of OCC.\62\ OCC believes the proposed changes would present a
more comprehensive, clear, and transparent description of the key risks
faced by OCC and the assignment of responsibility for managing such
risks. As a result, OCC believes the proposed RMF, as supported by the
CRMP, is reasonably designed to provide for a sound, comprehensive
framework for identifying, measuring, monitoring and managing the range
of risks that arise in or are borne by OCC in a manner consistent with
Rule 17Ad-22(e)(3)(i).\63\
---------------------------------------------------------------------------
\62\ See supra notes 20-26 and associated text.
\63\ 17 CFR 240.17Ad-22(e)(3)(i).
---------------------------------------------------------------------------
RMF Policy: Risk Management Practice
OCC proposes to relocate the discussion of its enterprise risk
assessments, scenario analysis program, and risk reporting process to
the new CRMP. As discussed above, the proposed CRMP is designed to more
accurately and completely describe the risk assessment, monitoring, and
reporting processes conducted by Corporate Risk. OCC believes the
proposed changes would result in an improved description of Corporate
Risk's risk assessment, scenario analysis, and risk reporting
responsibilities and is therefore reasonably designed to support a
sound, comprehensive framework for identifying, measuring, monitoring
and managing the range of risks that arise in or are borne by OCC in a
manner consistent with Rule 17Ad-22(e)(3)(i).\64\
---------------------------------------------------------------------------
\64\ Id.
---------------------------------------------------------------------------
RMF Policy: Exceptions and Violations
OCC proposes to replace the individual Policy Exceptions and
Violations sections in the current RMF Policy and other OCC Risk
Policies with a new Risk Acceptances and Deviations section in the RMF.
The proposed change would provide for a single framework for risk
acceptances and deviations, and the escalation of deviations across
OCC's filed policies rather than requiring each policy to have its own
individual Policy Exceptions and Violations sections, which may over
time become inconsistent as OCC's individual risk policies evolve. This
single framework would help to avoid ambiguities or confusion about
escalation obligations or procedures that might otherwise arise if
changes to such procedures were not applied consistently. The change
would also reduce the administrative burden of having to update each
document within OCC's universe of policies and procedures as OCC's
process for escalating risk acceptance and deviations from those
policies and procedures matures over time. OCC believes that improving
the documentation for its escalation processes is reasonably designed
to support its comprehensive framework for identifying, measuring,
monitoring and managing the range of risks that arise in or are borne
by OCC in a
[[Page 58424]]
manner consistent with Rule 17Ad-22(e)(3)(i).\65\
---------------------------------------------------------------------------
\65\ Id.
---------------------------------------------------------------------------
New Sections in Proposed RMF and CRMP
OCC proposes to add new sections to the proposed RMF and CRMP to
provide additional details concerning its overall framework for
managing risk and its approach to enterprise risk management. For
example, the proposed RMF would include a new section discussing OCC's
Recovery and Orderly Wind-Down Plan \66\ and introduce a new section to
describe Corporate Risk's Risk Monitoring process, including key risk
indicator monitoring and operational risk event monitoring. The CRMP
would also introduce a new section to describe OCC's risk treatment
process and would also describe Corporate Risk's process for escalating
risks to the CRO, Management Committee, and Board and training
employees about risk to support risk management and decision-making.
The proposed changes would provide a more comprehensive and transparent
discussion of OCC's overall framework for managing risk and its
approach to enterprise risk management. OCC believes the proposed
changes are therefore reasonably designed to provide for a sound,
comprehensive framework for identifying, measuring, monitoring and
managing the range of risks that arise in or are borne by OCC in a
manner consistent with Rule 17Ad-22(e)(3)(i).\67\
---------------------------------------------------------------------------
\66\ OCC believes this proposed change also supports compliance
with Exchange Act Rule 17Ad-22(e)(3)(ii), which requires a covered
clearing agency to maintain a sound risk management framework for
comprehensively managing legal, credit, liquidity, operational,
general business, investment, custody, and other risks that arise in
or are borne by the covered clearing agency, which includes plans
for the recovery and orderly wind-down of the covered clearing
agency necessitated by credit losses, liquidity shortfalls, losses
from general business risk, or any other losses. See 17 CFR
240.17Ad-22(e)(3)(ii).
\67\ 17 CFR 240.17Ad-22(e)(3)(i).
---------------------------------------------------------------------------
Consistency With Section 19(b) of the Exchange Act
Section 19(b)(1) of the Act \68\ and Rule 19b-4 \69\ thereunder set
forth the requirements for SRO proposed rule changes, including the
regulatory filing requirements for ``stated policies, practices and
interpretations.'' \70\ OCC proposes to retire its existing RMF Policy,
which was, in part, previously filed as an OCC ``rule'' with the
Commission, as the RMF and CRMP would replace the RMF Policy in its
entirety. Under the proposal, the material aspects of OCC's overall
risk management framework and Corporate Risk program would be contained
in the proposed RMF and CRMP described herein. As described in detail
herein, various details in the current RMF Policy would no longer be
OCC rule text following adoption of the RMF and CRMP. Specifically, OCC
believes that removing the following sections of the current RMF Policy
from OCC's rule text is consistent with Section 19(b)(1) of the Act
and Rule 19b-4 because they are administrative in nature and do not
address material aspects of the operation of the facilities of
OCC:
---------------------------------------------------------------------------
\68\ 15 U.S.C. 78s(b)(1).
\69\ 17 CFR 240.19b-4.
\70\ See supra note 38.
---------------------------------------------------------------------------
<bullet> The Context for Risk Management Framework and Risk
Management Philosophy sections providing history and background
information about OCC and its purpose in the financial markets; \71\
---------------------------------------------------------------------------
\71\ Additionally, OCC believes the information presented in the
Risk Management Philosophy section serves as an additional purpose
section and that all items highlighted in this section would be
covered in, or otherwise reasonably and fairly implied by, the
proposed RMF and CRMP.
---------------------------------------------------------------------------
<bullet> Sections of the RMF Policy related to project planning,
corporate budgeting, and Human Resources and Compliance training; and
<bullet> The Risk Universe, which reflects the output of policies
and processes described in the RMF Policy (and eventually, the proposed
CRMP).
Accordingly, OCC believes the proposed changes would be consistent
with the requirements of Section 19(b)(1) of the Act and Rule 19b-4
thereunder.\72\
---------------------------------------------------------------------------
\72\ See 15 U.S.C. 78s(b)(1) and 17 CFR 240.19b-4.
---------------------------------------------------------------------------
(B) Clearing Agency's Statement on Burden on Competition
Section 17A(b)(3)(I) of the Act \73\ requires that the rules of a
clearing agency not impose any burden on competition not necessary or
appropriate in furtherance of the purposes of the Act. OCC does not
believe that the proposed rule changes would impact or impose any
burden on competition. The proposed rule change clearly and
transparently presents the framework OCC uses to identify, monitor and
manage its risks. While the proposed rule change would enhance OCC's
framework of risk management documentation, these updates do not affect
Clearing Members' access to OCC's services or impose any direct burdens
on Clearing Members. Accordingly, the proposed rule change would not
unfairly inhibit access to OCC's services or disadvantage or favor any
particular user in relationship to another user.
---------------------------------------------------------------------------
\73\ 15 U.S.C. 78q-1(b)(3)(I).
---------------------------------------------------------------------------
For the foregoing reasons, OCC believes that the proposed rule
change is in the public interest, would be consistent with the
requirements of the Act applicable to clearing agencies, and would not
impact or impose a burden on competition.
(C) Clearing Agency's Statement on Comments on the Proposed Rule Change
Received From Members, Participants or Others
Written comments on the proposed rule change were not and are not
intended to be solicited with respect to the proposed rule change and
none have been received.
III. Date of Effectiveness of the Proposed Rule Change and Timing for
Commission Action
Within 45 days of the date of publication of this notice in the
Federal Register or within such longer period up to 90 days (i) as the
Commission may designate if it finds such longer period to be
appropriate and publishes its reasons for so finding or (ii) as to
which the self-regulatory organization consents, the Commission will:
(A) by order approve or disapprove such proposed rule change, or (B)
institute proceedings to determine whether the proposed rule change
should be disapproved. The proposal shall not take effect until all
regulatory actions required with respect to the proposal are completed.
IV. Solicitation of Comments
Interested persons are invited to submit written data, views and
arguments concerning the foregoing, including whether the proposed rule
change is consistent with the Act. Comments may be submitted by any of
the following methods:
Electronic Comments
<bullet> Use the Commission's internet comment form (<a href="http://www.sec.gov/rules/sro.shtml">http://www.sec.gov/rules/sro.shtml</a>); or
<bullet> Send an email to [email protected]. Please include
File Number SR-OCC-2022-010 on the subject line.
Paper Comments
<bullet> Send paper comments in triplicate to Vanessa Countryman,
Secretary, Securities and Exchange Commission, 100 F Street NE,
Washington, DC 20549-1090.
All submissions should refer to File Number SR-OCC-2022-010. This file
number should be included on the subject line if email is used. To help
the Commission process and review your
[[Page 58425]]
comments more efficiently, please use only one method. The Commission
will post all comments on the Commission's internet website (<a href="http://www.sec.gov/rules/sro.shtml">http://www.sec.gov/rules/sro.shtml</a>). Copies of the submission, all subsequent
amendments, all written statements with respect to the proposed rule
change that are filed with the Commission, and all written
communications relating to the proposed rule change between the
Commission and any person, other than those that may be withheld from
the public in accordance with the provisions of 5 U.S.C. 552, will be
available for website viewing and printing in the Commission's Public
Reference Room, 100 F Street NE, Washington, DC 20549, on official
business days between the hours of 10:00 a.m. and 3:00 p.m. Copies of
such filing also will be available for inspection and copying at the
principal office of OCC and on OCC's website at <a href="https://www.theocc.com/Company-Information/Documents-and-Archives/By-Laws-and-Rules">https://www.theocc.com/Company-Information/Documents-and-Archives/By-Laws-and-Rules</a>.
All comments received will be posted without change. Persons
submitting comments are cautioned that we do not redact or edit
personal identifying information from comment submissions. You should
submit only information that you wish to make available publicly.
All submissions should refer to File Number SR-OCC-2022-010 and
should be submitted on or before October 17, 2022.
For the Commission, by the Division of Trading and Markets,
pursuant to delegated authority.\74\
---------------------------------------------------------------------------
\74\ 17 CFR 200.30-3(a)(12).
---------------------------------------------------------------------------
J. Matthew DeLesDernier,
Deputy Secretary.
[FR Doc. 2022-20728 Filed 9-23-22; 8:45 am]
BILLING CODE 8011-01-P
</pre></body>
</html>Indexed from Federal Register on September 26, 2022.