The FDIC’s Implementation of Enterprise Risk Management Summary

The Office of Inspector General of the Federal Deposit Insurance Corporation (FDIC) issued its report on the FDIC’s Implementation of Enterprise Risk Management (ERM).  ERM is an agency-wide approach to addressing the full spectrum of internal and external risks facing an agency.  The FDIC Board of Directors (Board) designated the FDIC Operating Committee (OC) as the “focal point” for the coordination of risk management at the FDIC.  The FDIC further designated the OC as the FDIC’s Risk Management Council (RMC) and the oversight body for ERM.
We found that the FDIC needs to establish a clear governance structure, and clearly define authorities, roles, and responsibilities related to ERM.  Importantly, the FDIC did not clearly articulate in its policies and procedures how the OC, as the FDIC’s designated RMC, performs its responsibilities.  In particular, the FDIC should define the Operating Committee’s role with respect to its oversight of the establishment of the FDIC’s Risk Profile; oversight of the assessment of risks; oversight of the development of risk responses; and the final determinations of the approaches and actions to address the risks included in the FDIC’s Risk Profile. 
We also found that the FDIC had not clearly defined the roles, responsibilities, and processes of other committees and groups involved in ERM.  The FDIC did not: 

  • Ensure that the Board endorses the Risk Appetite statement prior to its issuance; 
  • Ensure effective communications to the Board relating to ERM; 
  • Ensure that the Board understands its role with respect to ERM at the FDIC; 
  • Develop procedures to specify how risk committee activities are to be accomplished and how they interface with other ERM processes; 
  • Require documentation of meetings of the various risk committees; and
  • Update and memorialize ERM processes for the Risk Management and Internal Controls Branch. 

Without a clear governance structure over ERM, the FDIC cannot ensure that ERM will fully mature and be integrated into the agency and its culture.  Integrating ERM leads to improved decision-making and enhanced performance.

We made eight recommendations to strengthen the FDIC’s implementation of ERM.  Management concurred with five of the recommendations and did not concur with the remaining three.