Circular A-129 Appendix C
Appendix C: Management and Oversight Structures
Introduction and Context
Effective management and oversight structures are essential to meeting agency responsibilities outlined in Section I.D.8 of this Circular. This Appendix outlines key objectives and features of management and oversight structures, includes questions helpful to developing the appropriate structures for a given program or agency, and also provides an example of one possible effective oversight framework: an agency-wide credit council.
Agencies must have robust management and oversight structures for credit programs to monitor a program’s progress towards achieving policy goals, to assess the program’s success in remaining within acceptable risk thresholds, and to take action where appropriate. Successful management and oversight structures should be designed to achieve the program policy objectives while minimizing undue risk and cost to the taxpayer. Therefore, they should reflect the program’s scope, policy goals, and risks.
Such structures should be supported through lines of authority that foster accountability and clear delegations of responsibility for administering programs and performing independent risk management functions. These structures should also include mechanisms for effective monitoring of performance with respect to policy goals and risks, and facilitate actions to improve or maintain program efficiency and effectiveness. Effective management and oversight relies on robust reporting systems (see Section III.B.2 of this Circular and Appendix D: Effective Reporting for Data-Driven Decision Making). Moreover, such structures should be reinforced with appropriate internal controls.
Key Objectives and Features
Agencies should maintain effective and timely oversight of their credit programs, individually and in aggregate, and facilitate senior management engagement at appropriate levels. Management and oversight structures will vary by agency and in some cases may differ by program within an agency.1 Although a program may have its own management functions and the majority of credit decisions may be made at the program level, senior agency officials should review key policies and monitor the size and nature of credit exposures within their respective agency. Agencies should periodically evaluate their management structures to determine how such structures can be strengthened through program reviews, as required under Section I.D.10 of this Circular. Effective oversight of an organization as a whole is one of the most fundamental requirements of prudent program management, and as such, these structures should achieve the following objectives:
● Appropriate oversight and governance of policies, procedures, policy performance indicators, and risk tolerances for the administration of credit programs;
● Clear and formal identification throughout the organization of specific individuals accountable for program policy goals, operations, and risk management functions, including defining performance metrics and risk thresholds, approving credit decisions, and having oversight responsibility;
● Clearly-defined authorities, and accompanying limits on those authorities, for individuals and managers;
● Creation and/or maintenance of a culture of risk management within the organization that includes a strong commitment from senior management;
● Functions that will allow for an independent viewpoint on important matters without reducing the accountability of senior officials and program managers;
● Evaluation of risk management structures, practices, and processes, both at the program level and on a more comprehensive basis;
● Monitoring of program efficiency and effectiveness, and progress towards achieving policy goals within acceptable risk thresholds; and
● Oversight of individual credit assistance or modification decisions that exceed pre-determined thresholds, as appropriate.
A forum, such as a credit council, can serve as a key tool for agencies to achieve many of the objectives of an effective oversight structure. Such a forum would allow for senior agency officials, program managers, and risk managers to meet on a regular basis to review the operating policies, practices, and controls of credit programs and discuss significant risk exposures and credit developments within the agency. An illustrative example of a credit council is included in this Appendix.
Risk Management Structures
Credit programs face a wide variety of risks, from credit to operational to market risks. Risk may also have to do with an agency’s progress (or lack thereof) towards meeting policy goals. Effective risk management functions are generally characterized by independence, expertise, and stature within the organization. The goal of risk management functions is to achieve policy outcomes at lowest cost to the taxpayer within pre-determined risk thresholds, and to identify, measure, monitor, and control risks that may reduce the agency’s ability to achieve its objectives or may prove excessive. Risk management functions should identify issues in a timely manner to allow for proactive management of the program and facilitate informed, data-driven decision-making.
Risk management functions are generally expected to have the following characteristics:
● Clearly-defined responsibilities and accountability, which typically include:
• Supporting senior officials by informing important policy decisions involving risk and policy trade-offs throughout the loan lifecycle, including the creation or expansion of programs;
• Helping senior management develop and implement core policies and procedures with respect to risk management, including defining risk appetite, and establishing risk thresholds accordingly. Risk appetite defines the amount and type of risk an organization is willing to take in pursuit of its objectives;
• Ensuring the current risk levels and processes are consistent with the established risk thresholds and policies;
• Supporting implementation of effective controls, which may include a quality control or loan review function that monitors for underwriting errors or other deviations from acceptable practice;
• Developing strong reporting systems and analysis that incorporate quantitative and qualitative information to provide effective organization-wide views of risk;
• Identifying emerging risks, concentrations, and other situations that should be properly assessed; and
• Elevating critical issues to appropriate levels within an agency in a timely fashion.
● Independence from credit program administration. Professionals engaged in risk management should work closely with the management and staff of the various programs. Such functions are generally more effective when strong working relationships exist. However, professionals engaged in risk management should have well-defined roles, sufficient stature within the organization, and clear reporting lines to senior officials that provide for sufficient independence and ability to raise issues that may not have been identified by program management. In cases of small programs where the same people are in charge of underwriting and oversight, agencies should take steps to facilitate the independence of the risk management function.
● Appropriate knowledge and skills. Agencies should ensure that risk management staff possess the experience and expertise necessary to perform their duties and support sound operations.
While the most effective risk management functions depend on a variety of factors, agencies should strongly consider the formalization of risk management functions through the creation of a risk management office led by a Chief Risk Officer. Under any structure, the agency should clearly identify who at the agency is responsible for these functions.
As agency officials develop enhanced program oversight and risk management structures, they should focus on how to implement practices that are most appropriate for their specific circumstances. The list of questions below is intended to help agencies in reviewing and strengthening their current practices and policies.
● Risk. What are the key risks that the agency’s programs face? How should quantifiable risk thresholds be identified and tracked, and how often should they be reassessed? How should the agency monitor and control risks arising from its credit activities in real time?
● Policies and Procedures. How should each program review and approve major risk-related policies, practices, underwriting standards, and policy performance metrics, and how should such policies delineate thresholds whereby additional approvals of potential credit assistance may be required?
● Key Credit Decisions. What oversight should exist for the key credit decisions that the agency makes? Who should be informed and/or have to approve these decisions? What information should be communicated to whom on these decisions and how?
● Policy Goals. How can the evaluation of program effectiveness be designed to link policy performance metrics to the statutory purpose of the program and to the underlying market failure that the credit program is designed to correct? How should the program or agency monitor the performance of each program with respect to policy goals and financial outcomes?
● Independence. How can the agency ensure independence of credit and risk functions to facilitate identification, elevation and appropriate responses to potential or existing risks? How can the reporting structure allow for this independence and promote equal stature within the organization for risk officials and those responsible for underwriting?
● Program Diversity. How should the diversity of credit activities, both within credit programs and across the agency’s credit programs, impact management and oversight structures?
● Current Structure. What are current agency management and oversight structures, and what are the interactions between the credit program and other offices in the agency? What, if any, issues with the current oversight and risk management frameworks have been identified by internal program stakeholders, agency partners, or auditors?
Illustrative Example: Agency-Wide Credit Council
Agency-wide credit councils can be a very effective management and oversight mechanism. They can help support an organization-wide culture focused on program results and accountability by creating a forum for senior leaders, program managers, and risk managers to discuss and actively manage credit programs. Membership, structures, and duties of a given council would need to be tailored to the specifics of the agency and its programs.2 Below is an example of an agency-wide credit council designed to oversee several credit programs, each of which provides a small number of large loans and loan guarantees. Loan characteristics vary greatly by program, and each loan has customized contract terms and conditions, established through negotiation with the borrower and other counterparties.3 In this example, an agency-wide framework was chosen because the agency’s credit programs support different aspects of the same sector.
Membership should include senior program and finance officials (such as the Administrator, Deputy Secretary, Chief Risk Officer (CRO), and Chief Financial Officer (CFO)), as well as representatives from important functional areas, such as the Office of the General Counsel. It should also include the senior official for each of the agency’s credit programs, officials responsible for policy development, and other representatives as the Secretary deems prudent, subject to pre-defined limitations. To facilitate discussion and voting, such councils should generally seek to have an odd number of members, and be of sufficient size.
The Council should meet in person regularly, but no less than once per quarter. In accordance with Section III.B.2 of this Circular and Appendix D: Effective Reporting for Data-Driven Decision Making, Council members and support staff should receive regular reports on program performance and risks to inform deliberations and decisions.
Chairmanship and Its Duties
A senior agency official, such as the Administrator, Deputy Secretary, CRO, or CFO should serve as Chair of the Council. The Chair should name another Council member as Vice-Chair. The Vice-Chair should serve the role of Chair in the event of the Chair’s absence from a meeting.4
1. Program Design and Implementation. The Council should set the agency’s credit policies and oversee the agency’s credit programs, including reviewing existing guidance and formulating new guidance. At a minimum, guidance should set forth the agency’s risk tolerances, key performance measures, and guidelines for managing the application process and for assessing financial viability and other key application characteristics. In addition, the Council should oversee programs’ administration of and compliance with these policies and procedures, supported by clearly-defined lines of authority within the management structure.
2. Underwriting. If appropriate to the program, the Council may provide recommendations on specific credit decisions. Alternatively, the Council may choose to set guidelines for how approvals should be made, and establish thresholds and criteria that require only a subset of credit decisions to be reviewed by the Credit Council.
3. Monitoring/Servicing, Risk Management, and Loss Mitigation. The Council should oversee and manage the agency’s enterprise-wide risks, such as its credit and operational risks, including the program’s status relative to the pre-determined risk tolerances.
1 For instance, an agency with a relatively small credit portfolio will likely have different needs than an agency with a very large credit portfolio. Similarly, programs with large numbers of similar, relatively small loans will have different needs than programs that provide project financing, with large loans of various sizes and customized terms.
2 In some cases, a bureau-wide or program-level council may be more appropriate, given program diversity, organizational structure, or other characteristics.
3 Agency-wide credit councils may also be useful for portfolio programs, with smaller loan sizes and similar terms and conditions for each program.
4 The Chair or Vice-Chair could potentially be the CRO, or other accountable official for risk management for agencies that do not have a formal CRO.