It is hard to look at this record and find support for the argument that the financial resources deployed by the IMF and the major economies in the crises [in the 1990s] produced a damaging degree of moral hazard—moral hazard in the form either of governments more prone to profligacy or investors prone to excess risk-taking in lending to banks and sovereign in emerging markets because of the expectation of financial resources from the IMF. Of course, those interventions must have produced some increase in moral hazard, but the effect on incentives does not seem to have been powerful relative to the countervailing effect of the economic and financial losses incurred in the crises.

The foundations of modern risk measurement rest on a framework that uses past returns to measure or estimate the distribution of future returns. The stability of the recent past, even if much of it proves durable, probably understates potential risk. The parameters used to estimate value at risk can produce very large differences in predicted exposure, especially at extreme confidence intervals.

Estimating the potential interactions among these exposures in conditions of stress is even harder, due to the uncertainty about the behavior of investors and other market participants and because of the potential effects of financial distress on overall economic activity.

The relatively short history of returns for new products, the complexity of measuring exposure in many new instruments and limitations on transparency also create the potential for classic “agency” problems—internal conflicts of interest that can lead to problematic outcomes.

Compliance-risk management can be more difficult for management to integrate into an organization's regular business processes because it often reflects mandates set out by legislation or regulation that the organization itself does not view as key to its success.

While all banking organizations should have a program in place to effectively manage compliance risk, these programs can vary considerably, depending on the size, complexity, and geographic reach of the banking organization and the inherent risks of its activities...Therefore, our supervisory expectations regarding an organization's risk-management program, and more specifically the scope of an examination, will vary according to the organization's size and complexity.

Federal Reserve examinations for compliance-risk management are not designed to be gotcha games in which examiners look for one-time breaches of specific regulations or laws. Rather, these examinations are designed to assess the adequacy of the structure and processes the institution uses for managing compliance risk. Examiners are expected to look for the bigger picture and to look at the effectiveness of the program (including policies and processes) for managing the organization's compliance risk.

Both robust risk management and strong capital positions are critical to ensure that individual banking organizations operate in a safe and sound manner that enhances the stability of the financial system. More generally, strong capital helps banks absorb unexpected shocks and reduces the moral hazard associated with the federal safety net.

Because compliance failures have touched many businesses, including banking, securities, and insurance firms, it has become clear that companies operating in more than one type of business must have a compliance strategy that is both globally consistent and locally effective. Increasingly, large, complex organizations are taking an enterprise-wide compliance-risk management approach to augment and better coordinate what had been fragmented and duplicative compliance activities.

A successful compliance-risk management program starts at the top of the organization. It is essential that the board of directors take the lead by requiring a top-to-bottom compliance culture that is well-communicated and incorporated into the organization's day-to-day operations by senior management, in order to ensure that all staff members understand their compliance responsibilities and their roles in implementing the enterprise-wide program.

The proposed guidance is not intended to cap or restrict banks' participation in the commercial real estate sector, but rather to remind institutions that proper risk management and adequate capital are essential components of a sound CRE lending strategy. In fact, both of these components are already in place at many institutions. No element of the proposed guidance is intended to act as a "trigger" or "hard limit" signaling the need for an immediate cutback in or reversal of CRE lending; rather, the thresholds in the proposed guidance are intended as benchmarks identifying cases for further review.

It is important for organizations to make sure they do not ignore or accidentally overlook lower-profile activities that still might bear substantial risks. As I noted, such activities can include financial statement reporting, information security, and back-office systems. And operational risk, more broadly, has the potential to create disruptions for the organization that could reduce the value of the organization. Often, the solutions to these problems are basics such as training, developing internal controls, and establishing the appropriate culture across the organization. Therefore, organizations should look at the discipline of enterprise risk management as a way to ensure that they effectively deal with uncertainty and the associated risk and opportunity.

It is always a good idea to shine some light on areas historically labeled "low risk" to validate that assessment. The low occurrence of loss from an activity should not be the only factor considered when assessing risk.

We are in a period of perceived strength in economic fundamentals in the United States and many countries around the world. This strength has helped to induce significant reductions in a range of market-based perceptions of risk. Much of this confidence may prove warranted and durable, but the extent to which it endures will depend in part on the degree to which those running the major financial institutions in the United States use the opportunity presented by this period of relatively high profitability to strengthen their capacity to withstand a less favorable overall macroeconomic and financial environment.

Policymakers must be very careful to avoid any impression that government oversight comes with a promise of government financial support in the event of a risk-management failure; otherwise, private-market discipline, which has served private and public interests in the stability of CCP arrangements so well for so long, may well be eviscerated. Instead, government regulation should focus on improving the effectiveness of private-market regulation.

These changes [in the U.S. and global financial system] appear to have made the financial system able to absorb more easily a broader array of shocks, but they have not eliminated risk. They have not ended the tendency of markets to occasional periods of mania and panic. They have not eliminated the possibility of failure of a major financial intermediary. And they cannot fully insulate the broader financial system from the effects of such a failure.

The complexity of many new instruments and the relative immaturity of the various approaches used to measure the risks in those exposures magnify the uncertainty involved.