Appendix A: The FDIC’s Strategic Planning Process
Introduction
The FDIC is subject to the requirements of the Government Performance and Results Act (GPRA) as modified by the GPRA Modernization Act of 2010 and certain provisions of Title I, Federal Evidence-Building Activities of the Foundations for Evidence-Based Policymaking Act of 2018. In accordance with the requirements of these statutes, the FDIC reviews and updates its Strategic Plan every four years, publishes Annual Performance Plans and Performance Reports, and conducts program evaluations to assess whether the agency’s programs are achieving their stated purposes.
Annual Performance Plan and Report
The FDIC Strategic Plan is implemented through annual performance plans. The annual plans identify annual performance goals, indicators, and targets for each strategic objective. The FDIC submits an Annual Report to Congress in February of each year that compares actual performance to the annual performance goals for the prior year. This report is also made available to FDIC stakeholders and the public through https://www.fdic.gov.
Long-term strategic goals and objectives are expressed in outcome terms, and selected outcome measures are included in the agency’s annual performance plans. However, many of the performance indicators in these annual plans are process measures (for example, completing required examinations). It is often difficult to establish a direct causal relationship between the agency’s activities and the outcomes experienced by insured institutions. The FDIC continues to work with the other regulatory agencies to improve its performance measures.
Corporate Planning and Performance Management Process
The FDIC establishes performance goals annually through an integrated planning and budgeting process. In formulating these performance goals, the agency considers the external economic environment, the condition of the banking and financial services industry (including potential risks), projected workload requirements, and other corporate priorities. Agency plans also may be influenced by the results of program evaluations and management studies, prior year performance results, and other factors. Based on this information, planning guidance is established by senior management with input from program personnel.
After annual performance goals are established, a proposed annual corporate operating budget is developed, taking into account the financial, human capital, technological, and other resources required to accomplish core mission responsibilities and other annual performance goals. The budget is typically approved by the Board of Directors in December.
Annual performance goals are communicated to employees through established supervisory channels, the internal FDIC website, and other means. Staff prepares progress reports, and senior management conducts performance reviews quarterly.
Stakeholder Consultation
The FDIC requested comment from stakeholders and the public on a draft of this strategic plan through a posting on the FDIC website for a 14-day period in August 2021. All comments and suggestions were carefully reviewed and changes made to the plan where appropriate.
Appendix B: Enterprise Risk Management
Enterprise Risk Management
Enterprise Risk Management (ERM) is a way to better anticipate, prioritize, and manage risks across an agency. The FDIC’s ERM program aims to address the full spectrum of significant internal and external risks facing the agency and the combined impact of those risks as an interrelated portfolio.
The FDIC integrates ERM into its strategic planning and budgeting processes to inform decision-making and resource deployment. Each year, the FDIC develops funding requests and corporate-wide goals that consider identified risks. Higher-rated risks may warrant increases to financial or personnel resources.
Key ERM program components include the Risk Appetite Statement, Risk Profile, and Risk Inventory. The Risk Appetite Statement serves as a guide for setting strategic goals and objectives and communicates the Corporation’s views about the level of risk taking that is acceptable across various agency programs and operations. The Risk Appetite Statement considers the following eight risk categories: strategic, compliance, reporting, operational, reputational, financial, technological, and external risks.
The FDIC’s Risk Inventory is a comprehensive, detailed list of risks that could hamper the FDIC’s ability to achieve its goals and objectives. Divisions and offices identify risks through risk assessments, internal reviews, audits and evaluations, risk committees, and research and reviews by the Office of Risk Management and Internal Controls (ORMIC). Divisions and offices assign residual risk level ratings based on the impact and likelihood of the risk occurring, identify risk mitigations for higher-rated risks, and track mitigation activities to completion.
The Risk Profile is a prioritized inventory of the most significant risks identified and assessed through the risk assessment process. ORMIC maps underlying Risk Inventory items to higher-level Risk Profile items, then assigns a mitigation coverage level, risk trend, and residual risk level to each Risk Profile item. ORMIC vets this information with the divisions and offices and with the deputies to the Chairman. The Risk Inventory and Risk Profile are living documents that are updated as needed and formally validated each summer. The CRO presents the Risk Profile to the FDIC Operating Committee—the FDIC’s ERM oversight body—for review, discussion, and annual confirmation. The CRO also provides quarterly ERM briefings to the Chairman and Operating Committee and semiannual briefings to the FDIC Audit Committee, a standing committee of the FDIC Board of Directors.
Appendix C: Data Governance and Evaluations
Data Governance
The FDIC has long recognized that data is one of its most important resources, both for internal use and for dissemination to the financial industry and other stakeholders. In alignment with the IT Modernization Plan and Roadmap, the FDIC continues to strengthen its data governance while pursuing projects that make the most efficient use of its data. The effective management of data across the organization is central to fulfilling supervisory, insurance, and resolution functions. Managing and governing FDIC data as a corporate resource is fundamental to empowering FDIC staff at all levels of the organization to perform analysis, support operations, and conduct research that enables sound, evidence-based decision-making. Equally important is the need to protect and secure sensitive data and information from unauthorized access or misuse, which requires a corporate-wide understanding of, and visibility into, data across the entire organization.
Program Evaluations
The Office of Risk Management and Internal Controls (ORMIC) performs and coordinates independent evaluations, research, analyses, and assessments of FDIC programs, operations, and mission-essential functions. Program evaluations are interdivisional, collaborative efforts that involve both management and staff. Evaluations may also involve communicating with other financial regulators for benchmarking or other informational purposes. Individual divisions and offices also conduct internal reviews of their programs and operations, and may involve ORMIC in these reviews as appropriate. Corporate-wide participation in these efforts is critical to fully understanding the program under evaluation, and creates an opportunity for divisions and offices to provide feedback.
Senior management utilizes program evaluation results to gain assurance that programs and operations are efficient and effective, financial data and reporting are reliable, laws and regulations are followed, internal controls are sufficient, and operational approaches and processes are sound. Program evaluations may also identify process improvements, needed changes, and best practices. ORMIC works with divisions and offices to implement such enhancements into ongoing operations. Results also inform near-term and long-range strategic planning processes.