§ 653.1 - Definitions.

The following definitions apply to this part:

Corporation means the Federal Agricultural Mortgage Corporation and its affiliates.

FCA means the Farm Credit Administration, an independent Federal agency of the executive branch.

OSMO means the FCA Office of Secondary Market Oversight, which is responsible for the general supervision of the safe and sound exercise of the Corporation's powers, functions, and duties and compliance with laws and regulations.

§ 653.2 - General.

The Corporation's board of directors must approve the overall risk-appetite of the Corporation and regularly monitor internal controls to provide reasonable assurance that risk-taking activities are conducted in a safe and sound manner.

§ 653.3 - Risk management.

(a) Risk management program. The Corporation's board of directors must establish, maintain, and periodically update an enterprise-wide risk management program addressing how the Corporation's activities are exercised in a safe and sound manner. The implementation of the risk management program may reside with senior management. The risk management program at a minimum must:

(1) Periodically assess and document the Corporation's risk profile.

(2) Align the Corporation's risk profile with the board-approved risk appetite and the Corporation's operational planning strategies and objectives.

(3) Specify management's authority to carry out risk management responsibilities.

(4) Integrate risk management and control objectives into management goals and compensation structures.

(5) Comply with all applicable FCA regulations and policies.

(b) Risk committee. The Corporation's board-level risk committee assists the full board of directors in the oversight of the enterprise-wide risk management program of the Corporation.

(1) The risk committee must have at least one member with an understanding of risk management commensurate with the Corporation's capital structure, risk profile, complexity, activities, size, and other appropriate risk-related factors.

(2) The responsibilities of the risk committee include, but are not limited to:

(i) Periodically assessing management's implementation of the enterprise-wide risk management program;

(ii) Recommending changes to the risk management program to keep the program commensurate with the Corporation's capital structure, risk appetite, complexity, activities, size, and other appropriate risk-related factors; and

(iii) Receiving and reviewing regular reports directly from personnel responsible for implementing the Corporation's risk management program.

(c) Management of risk. The Corporation must have a risk officer, however styled, who is responsible for implementing and maintaining the enterprise-wide risk management practices of the Corporation. The risk officer must have risk management experience commensurate with the Corporation's capital structure, risk appetite, complexity, activities, and size. The responsibilities of the risk officer include, but are not limited to:

(1) Identifying and monitoring compliance with risk limits, exposures, and controls;

(2) Implementing risk management policies, procedures, and risk controls;

(3) Developing appropriate processes and systems for identifying and reporting risks, including emerging risks;

(4) Reporting on risk management issues, emerging risks, and compliance concerns; and

(5) Making recommendations on adjustments to the risk management policies, procedures, and risk controls of the Corporation.

§ 653.4 - Internal controls.

(a) The Corporation's board of directors must adopt an internal controls policy that provides adequate directions for, and identifies expectations in, establishing effective safety and soundness control over, and accountability for, the Corporation's operations, programs, and resources.

(b) The internal controls system must address:

(1) The efficiency and effectiveness of the Corporation's activities;

(2) Safeguarding the assets of the Corporation;

(3) Evaluating the reliability, completeness, and timely reporting of financial and management information;

(4) Compliance with applicable laws, regulations, regulatory directives, and the policies of the Corporation's board of directors and senior management;

(5) The appropriate segregation of duties among the Corporation personnel so that personnel are not assigned conflicting responsibilities; and

(6) The completeness and quality of information provided to the Corporation's board of directors.

(c) The Corporation is responsible for establishing and implementing an effective system to identify internal controls weaknesses and taking action to correct detected weaknesses. The Corporation must document:

(1) The process used to identify weaknesses,

(2) Any found weaknesses, and

(3) How identified weaknesses were addressed.