T4
FHFA
Medium Confidence
Guidance
Enterprise Risk Management Program
FHFA supervisory guidance establishing enterprise risk management program requirements for regulated entities
MODERATE
Impact Level
Top: compliance (3)
Classification
- Regulatory Program
- Enterprise Risk Management
- Doc Type
- Guidance
- Effective Date
- —
- Days to Action
- —
- Comment Deadline
- —
- Published
- —
Urgency Basis
Advisory bulletin with no specified effective date or enforcement timeline
Operational Context
Flags
Examination Focus
Board Reporting Required
Systems Change Required
Affected Functions
Risk Management
Compliance
Internal Audit
Board Governance
Operations
Finance
Institution Applicability
Federal Home Loan Banks
Fannie Mae
Freddie Mac
Government-Sponsored Enterprises
Impact by Category
Compliance
3
Operational
3
Data Governance
2
Model Risk
2
Reporting & Disclosure
3
Capital & Liquidity
2
Consumer Protection
1
Third-Party Risk
2
Key Requirements
- Establish comprehensive enterprise risk management framework
- Implement board-approved risk appetite and tolerance statements
- Maintain independent risk management function with appropriate reporting lines
- Conduct regular risk assessments across all business lines
- Develop risk monitoring and reporting capabilities
- Ensure adequate risk management policies and procedures
- Establish risk governance structure with clear roles and responsibilities
Scoring Rationale
Advisory bulletin represents moderate supervisory guidance requiring multi-business unit implementation and examination focus, but lacks specific enforcement deadlines or penalty provisions that would drive higher urgency
AI Analysis Disclosure — This record, including its scores, impact assessments, and Advisory
Assessment (impact, risk, and recommended actions), was generated by an AI model and may contain errors or
omissions. The Advisory Assessment is a starting point for analysis, not a substitute for professional judgment.
Effective dates, applicability determinations, impact assessments, and any recommended actions should be
independently verified against primary regulatory source documents and reviewed by qualified compliance or legal
personnel before taking compliance action. This output does not constitute legal or compliance advice.