Here is a question I have asked CROs, Heads of ERM, and risk identification leads at Category I firms. Every single one paused before answering.

When was the last time your enterprise risk committee looked for a risk that was not already on the register?

Not updated a score. Not changed a RAG status. Not re-assessed likelihood and impact on an existing entry. Actually looked for something new. Something that was not there last quarter.

The usual answer, once the pause ends, is Q4. The annual material risk identification exercise. Tied to the strategic planning cycle. Tied to the CCAR submission window. Run once, locked in January, and then left untouched for nine months while the quarterly risk committee meetings focus exclusively on the fifty risks that were already on the list.

This creates what I call the 9-month blind spot. And the Federal Reserve has been telling Category I firms for years that it is not acceptable.

The Problem: Assessment Is Not Identification

Most banks run a quarterly risk management cycle. They report to the board every quarter. Risk owners update their Key Risk Indicators. Control testing results come in. The likelihood and impact scores shift. The heatmap changes colour in a few cells. Everyone calls this "quarterly risk management."

It is. But it is not quarterly risk identification.

Every major risk framework draws a hard line between these two activities. ISO 31000:2018 separates Risk Identification (Clause 6.4.2) from Risk Analysis (Clause 6.4.3) and Risk Evaluation (Clause 6.4.4).[1] Identification is the divergent, investigative act of finding, recognising, and describing risks. Analysis is the convergent act of determining likelihood and impact for risks already found. They are different cognitive modes. Different questions. Different outputs.

COSO ERM makes the same distinction. Event Identification is a separate component that must precede Risk Assessment.[2] The Basel Committee's principles for operational risk management define identification as the proactive discovery of risks, distinct from the subsequent evaluation of financial exposure.[3]

The distinction matters because of how human cognition works. When a risk committee is handed a pre-populated list of fifty risks, cognitive anchoring kicks in immediately. The entire discussion gravitates toward debating whether Risk #23 should be scored 3x4 or 4x4. Whether the RAG status on Risk #7 should move from amber to red. The committee spends ninety minutes on convergent analysis of known items and zero minutes on divergent discovery of unknown ones.

Without a procedurally mandated blank slate — a dedicated agenda item that asks "What is missing from this list?" — the discovery phase is entirely bypassed. You can run this meeting every quarter for a decade and never once identify a new risk.

What SR 15-18 Actually Says

Federal Reserve Supervision and Regulation Letter 15-18 applies to Category I firms — the US Global Systemically Important Banks.[4] It is not guidance. It is not a suggestion. It is a supervisory standard against which these firms are assessed and rated.

The language is specific. SR 15-18 requires that a firm establish a formal risk identification process and evaluate material risks at least quarterly.[5] The word is "identification," not "assessment," not "monitoring," not "reporting." The formal procedural mechanism of identifying risks must be executed at least every ninety days.

This means the institution must actively look for novel threats, difficult-to-quantify risks, and idiosyncratic vulnerabilities every quarter. Not re-score existing ones. Find new ones.

The tailoring proof: SR 15-18 vs SR 15-19

If you want proof that the quarterly identification requirement is deliberate and burdensome — not boilerplate — compare SR 15-18 with its sister letter, SR 15-19, which applies to Category II and III firms.

SR 15-19 deliberately drops the quarterly identification requirement.[6] Category II and III firms may review their risk identification on a semi-annual basis. They may maintain a less formal process. They face lower expectations for capturing difficult-to-quantify risks.

The Fed removed the quarterly identification requirement for smaller firms because it is costly, operationally demanding, and requires dedicated capability. By excluding it from SR 15-19 but keeping it in SR 15-18, the Fed signalled clearly: this is an intentional, high-burden standard reserved for the most systemically important institutions. Category I banks that treat their quarterly risk committee meetings as status updates on an annual register are misreading the regulation.

The CCAR pipeline

There is a practical reason the Fed cares about this, and it is not bureaucratic box-ticking. The risk identification process feeds directly into the Comprehensive Capital Analysis and Review. CCAR requires banks to project capital positions under severe stress scenarios. Those scenarios must be linked to the firm's idiosyncratic risk profile — not generic macro shocks, but stresses tailored to the specific vulnerabilities of that institution.[5]

If a bank identifies risks once a year in Q4, any novel risk that emerges in Q1 will not be in the enterprise risk inventory. It will not be modelled in the stress scenarios. Capital will not be allocated against it. The bank will be running CCAR with a stale risk universe for three quarters. The Fed views this as a capital adequacy failure, not just a process gap.

The Evidence: What Happens When You Stop Looking

Silicon Valley Bank: the static register

SVB collapsed in March 2023 with $209 billion in assets. The Federal Reserve's own post-mortem — the Barr Report — is explicit about what went wrong in risk identification.[7]

SVB's management failed to identify the compounding interaction between two concentrated exposures: a massive portfolio of long-duration, low-yielding held-to-maturity securities and an overwhelmingly uninsured deposit base clustered within a single networked industry. The bank used only basic interest rate risk measurement, focusing on short-term Net Interest Income metrics that made everything look profitable. Management never properly escalated or identified the severity of repeated breaches in their Economic Value of Equity metrics. There was no evidence the full board was even aware of the EVE status.

When the Fed began raising rates aggressively in mid-2022, SVB's theoretical weakness became an existential threat within months. But because the risk identification process was static and backward-looking, no one re-identified the changing nature of the exposure as the macro environment shifted. In April 2022, SVB actually adjusted modelling assumptions to paper over a limit breach rather than addressing the underlying risk. Simultaneously, they removed interest rate hedges that would have protected the balance sheet.

The CRO position was vacant for eight months during this period. The Fed's supervisors were faulted for slow identification, taking too long to escalate despite 31 open supervisory findings. The Barr Report explicitly calls for sweeping enhancements to risk identification.[7]

A robust quarterly re-identification process would have forced someone — anyone — to ask in Q2 or Q3 of 2022: "The Fed has just raised rates by 150 basis points. We hold $91 billion in HTM securities funded by uninsured deposits. Is this combination on our risk register as a specific, named, material risk?" The answer was no. It stayed that way until the bank run.

Archegos: the risk that grew between cycles

Archegos Capital Management collapsed in March 2021, costing Credit Suisse $5.5 billion. The independent report from Paul, Weiss was damning: the Prime Services business relentlessly focused on short-term profits and failed to rein in Archegos's risk-taking despite large, persistent limit breaches.[8]

The critical identification failure was this: as Archegos's concentrated, leveraged total return swap positions grew exponentially between annual review cycles, the risk was not dynamically re-identified as a firm-threatening exposure. Individual metrics flagged issues. But no one stepped back and asked the identification question: "Does our risk register reflect the fact that a single family office now represents an existential concentration to our Prime Services franchise?"

This is precisely the gap that quarterly re-identification is designed to close. Between annual cycles, positions grow, counterparties change behaviour, correlations shift. Without a formal mechanism to ask "what's new and what's changed?" every ninety days, these shifts accumulate unnoticed until they detonate.

Wells Fargo: failure to identify the root cause

The OCC's enforcement actions against former Wells Fargo executives set a precedent that every risk professional should understand. The formal Notices of Charges cited the former Chief Auditor and former Group Risk Officer for a specific failing: they did not identify the root cause of the sales practices misconduct.[9]

The executives were penalised not for failing to control the risk once it became public. They were penalised for failing to identify and escalate the systemic, enterprise-wide nature of the risk in their internal reporting — despite external signals including negative press coverage, whistleblower complaints, and a pattern of terminations. The OCC treated this as an identification failure, not a control failure. The message is clear: if your process does not actively search for emerging risks between annual cycles, and a risk subsequently materialises, the regulator will hold named individuals accountable for the gap.

The Global Picture

The Fed is not alone in demanding high-frequency identification. This is converging globally.

In the UK, the PRA's Supervisory Statement SS13/13 on market risk explicitly requires firms to identify and assess risk factors under the Risks Not In VaR (RNIV) framework on a quarterly basis, or more frequently if the PRA requests it.[10] This is not quarterly assessment of known RNIV factors. It is quarterly identification of risk factors that are not captured or poorly captured by existing models.

The ECB's ICAAP guide states directly that many risks in previous crises were not appropriately covered by capital because of weaknesses in banks' risk identification. European supervisors expect board agendas to dynamically adapt to encompass the evolving risk landscape — often mandating quarterly reviews for Significant Institutions.

Australia's APRA requires risk management processes to be dynamic and triggered by specific events under CPS 220. Singapore's MAS mandates continuous monitoring and immediate reassessment when significant changes occur in the business environment. The direction of travel is uniform: static, annual identification is a relic. Every major regulator is moving toward continuous or quarterly discovery.

What Good Looks Like

The reason banks resist quarterly re-identification is understandable. A full-scale Risk and Control Self-Assessment is a massive exercise. It pulls thousands of hours from the first line. It takes months. If you try to cram that into a quarterly cycle, you get assessment fatigue, rubber-stamping, and degraded data quality. The business grinds to a halt.

The solution is not to run a full RCSA every quarter. It is to decouple identification from the RCSA entirely.

Trigger-based identification

Build a set of predefined triggers that force a targeted identification exercise when activated. These are not vague. They are specific and measurable:

When a trigger fires, it does not launch a full RCSA. It forces a single, targeted question to the relevant business unit: "Has this event introduced a new material risk that is not currently on the register?" The answer is documented, escalated, and auditable. Total time: hours, not months.

Quarterly horizon scanning workshops

To meet the Fed's expectation of a formal quarterly process, run a lightweight Horizon Scanning workshop at the end of each quarter, positioned just before the board reporting cycle. This is a two-hour session with a cross-functional group — heads of Credit, Market Risk, Information Security, Compliance, Operations, and one or two business line leaders.

The workshop has one question and one question only: What has changed in the last 90 days that could materially affect our business model, capital adequacy, or risk profile — and is not already on the register?

No one is asked to score anything. No one is asked to update a RAG status. The entire session is divergent discovery. The output is a formal memorandum listing any newly identified risks, escalated to the Enterprise Risk Committee and the Board. If nothing new is found, that is documented too. Either way, you have an auditable record that the identification process ran quarterly, exactly as SR 15-18 requires.

The "what's missing?" agenda item

The simplest, lowest-cost intervention is also the most powerful. Add a standing agenda item to every quarterly enterprise risk committee meeting: "What risks are not on this register that should be?" Allocate fifteen minutes. Go around the table. Force every attendee to answer, even if the answer is "nothing." Document every response in the minutes. This single change transforms the committee from an assessment body into an identification body — at zero incremental cost.

What To Do Monday Morning

  1. Pull your last four quarterly risk committee agendas. Search for any agenda item that explicitly asks the committee to identify new risks — not update existing ones. If you cannot find one in the last twelve months, you have the 9-month blind spot. Your identification process runs annually, regardless of what your policy document claims.
  2. Add the "what's missing?" standing item immediately. Next quarterly committee meeting, insert a 15-minute agenda item: "Risks not currently on the register." Go around the table. Document every response. This alone gives you a defensible quarterly identification artefact.
  3. Define five triggers. Pick the five external or internal events most likely to change your risk profile. Write them down. Assign an owner for each. Define what happens when one fires: who runs the targeted identification exercise, what questions they ask, where the output goes. This is your trigger-based identification framework. It does not need to be complicated. It needs to exist.
  4. Run a two-hour horizon scan before your next board cycle. Gather six to eight senior people from across the business. Brief them on the macro environment for ten minutes. Then ask: "What new risks should the board know about that are not currently in our risk taxonomy?" Document the output. Attach it to the board pack. You now have a formal quarterly identification process.
  5. Check your SR 15-18 mapping. If you are a Category I firm, pull out the attachment to SR 15-18 and read the specific language on identification frequency. Map your current process against every requirement. If your process runs annually with quarterly re-assessment, you are not compliant. The gap is documentable and the Fed's examiners know exactly where to look.