
Managing Risk
Soothsaying may be a mystical profession, but it’s somewhat akin to what directors must do on the job. After all, it is the board’s responsibility, especially outside members, to keep a finger on the pulse of their community and the world at large, in order to monitor conditions and manage risk that could prove harmful to the institution. Directors must be mindful of volatile economic conditions, technological innovations, and financial intricacies that have a bearing on the underlying strength of the organization, and risk management must be an ongoing effort. This article will detail some of the most critical areas to monitor at present.
Factors affecting risk management
After a year of interest rate increases, a lot of attention is focused on credit quality, particularly as rate increases have hurt certain syndicated loans held by some of the nation’s biggest banks. But, warns David Gibbons, deputy comptroller at the Office of the Comptroller of the Currency, regional institutions should not become complacent because the trouble is only affecting the big banks now. In fact, he says, all lenders should remain diligent about the potential risk created by problems in those large credits. “A lot of problems in the credit markets right now are related to large banks, large loans, and the capital markets,” he says. “But if a local plant [owned by one of those troubled borrowers] closes because of those events, it means people lose their jobs, which may affect how car loans or home mortgages perform for smaller banks.” Gibbons’ warning is one borne out by recent bad experiences. In the past three years alone, seemingly isolated events in Asia and Russia sent shockwaves rolling through the global economy, ultimately settling in to affect business in local markets of the United States. For bank directors responsible for setting expectations and direction for the institution, such warnings signal a particularly difficult time ahead, says Gibbons. That is because they have to monitor not only worsening credit quality, but they also have to consider how product innovations, globalization of business, and technological advances are changing the risk structure of their institutions. “Directors have to broaden their understanding of more businesses” to keep pace, he says. Indeed, the pace of change in the business world is having a significant impact on the risks banks face and the way they measure and manage those risks. No longer is the business one of merely taking consumer deposits and making commercial loans.
These days, institutions are offering everything from credit cards and home equity lines of credit to providing purchase cards, foreign exchange, and cash management services to their business clients. In every case, along with profit-making opportunities come new operational and financial risks. The pace of technological change has also vastly affected the risk landscape. Nonbank start-ups have tried to steal market share with product and service innovations such as Internet banking, electronic bill payment and presentment and account aggregation—a service that collects information from accounts at different financial institutions. In so doing, they are forcing traditional banks to invest heavily in new systems and programs to match the new offerings, or risk losing a large chunk of their payments business—which the New York Federal Reserve estimates accounts for as much as 34% of an institution’s total operating income—to the newcomers. Technology is a two-way street, however. It also has created more and better ways for banks to measure and manage those risks. Institutions now have the means to measure risks across the entire institution, rather than merely in silos of interest rate or credit risk. Improved information, in turn, has given risk managers a better understanding of how exposures in one part of the bank affect exposures elsewhere, allowing them to act more nimbly. Technology also has produced better risk management tools. Today, banks can use interest rate futures and swaps to manage interest rates in conjunction with credit derivatives and collateralized debt obligations to help manage credit risk. The total effect is that banks must now look to a more sophisticated risk manager. “We’re moving to a more high-tech form of risk management,” says Robert Mark, senior executive vice president and chief risk officer at Toronto-based Canadian Imperial Bank.
Managing credit risk, the old-fashioned way
While technology has created better ways of managing risk once the assets or liabilities are on the balance sheet, the best time to prevent problems is still before any loans are underwritten. Steve Schrantz, executive vice president of commercial banking with Cincinnati-based Fifth Third, says his bank was able to report its 27th consecutive annual increase in earnings because it has promoted the right people to key lending positions. “It’s the cornerstone,” he says. “You can have everything else in place, but if you don’t have that,” you could still have problems. It is not an easy role to fill, though, because in many ways lending involves managing conflicting goals. On the one hand, management wants to see portfolio and earnings grow; on the other hand, it wants that growth to come from solid prospects who won’t default on their loans. That is why it is important to promote lenders who have demonstrated an understanding of the bank’s risk tolerances and new business objectives to key lending posts. “Those who do well and incorporate our expectations and requirements, and are able to grow their business in that framework, they advance,” Schrantz says. Still, it is up to the board and senior management to set expectations. That often requires limits on the size of individual credits as well as on industry risk concentrations. Kevin Blakely, executive vice president of risk management at Cleveland-based KeyCorp, said such limits are needed because a bank never knows what could come out of the blue to affect a loan. “Things such as the strength of the dollar could affect the ability of our customers to compete globally,” he says. “It’s truly becoming a world economy, and there are factors that you can’t predict or begin to manage.” To be effective, however, such limits need “teeth,” says Blakely. They should give risk managers the authority to impose changes on specific lines of business as those lines approach their concentration limits.
That authority may include everything from gentle reminders to a full dressing down of business managers. But often the mere threat of having officers explain to the audit and risk-review committee why the line of business was allowed to exceed limits set by the board is the ultimate defense against breaches of such policies, Blakely says. “Nobody wants to stand in front of a committee to the board and explain why they went beyond the rules set by that committee,” he says. “Ninety-nine times out of 100, we don’t have to use it.” Loan concentration was a common problem before Congress, the states, and banking regulators permitted intra- and interstate branching. Banks had little option but to build concentrations in industries located in an institution’s geographic market. Changes to banking laws and increased activity in the syndicated loan and loan participation markets have handed decisions—and their risks—about diversification to the boards and management. In turn, some larger banks, such as Bank of America Corp. and Chase Manhattan Corp., have successfully combined geographic expansion with syndicated loan market activity to diversify their portfolios. Smaller institutions, however, have little option but to turn to the loan participation markets, where a lender arranges loans with the intention of selling all or part to another institution. It is a strategy that is fraught with risks to the buyer, warns the OCC. In a May banking circular, the OCC suggested that buying participations could constitute an unsafe lending practice unless the buyer takes precautions. Precautions would include such steps as having a written credit policy relating to participations, performing an independent credit analysis on the credits, receipt of regular updates on the borrowers from the originating lender, and maintenance of written documentation of recourse arrangements.
Schrantz says Fifth Third has largely avoided the pitfalls of those lending markets because its geographic markets give it “natural diversification.” That is not to say that the bank will never participate in a syndication. Indeed, it may do so if it wants a closer relationship with the borrower, he says. Relationships are another way Fifth Third is able to sidestep significant credit trouble, according to Schrantz. That is because the profitability of close associations with customers comes from sources other than loans. Commercial relationships often generate deposits to fund future loan growth, all the while enhancing the bank’s understanding of the customer’s business—a prerequisite toward preventing problems and anticipating future needs. On the consumer side, lenders have universally adopted credit scoring as an initial screening mechanism for credit card and mortgage applicants. Those with high scores receive immediate acceptance. Those with low scores receive immediate rejection, and those in between require closer examination. Regardless of the lending strategy, all banks set aside a loan-loss reserve as another tool to manage credit risk. In most cases, the amounts and timing are at the discretion of the banks, themselves, who have adopted internal policies to match those of the regulators. Most banks also have an internal review process to weed out deteriorating loans. Blakely says KeyCorp’s risk management team reviews higher-risk lines of business at least semiannually for signs of compliance with the bank’s loan policy and for exceptions made to that policy. “If a line of business starts to make a lot of exceptions, we will get all over them like a cheap suit,” he says. For lower-risk businesses, though, the reviews are less frequent, occurring once every 18 to 24 months. In between, the team talks frequently with business line managers and monitors various markets for signs of potential trouble.
The bank supplements those reviews by tracking the loan grades of credits approved on a quarterly basis for trends in quality. Any downward move in grade should be matched with higher interest rates and fees to offset the greater risk. KeyCorp’s credit administration team looks at every loan in the lower credit grades on a quarterly basis, and everything above that level at least semiannually.
Distributing the risk
Sometimes, adhering to good banking practices can run counter to maintaining good relations with valued clients. To solve such problems, smaller banks have often sold participations to larger institutions. When larger competitors need assistance, they form syndicates to distribute a portion of the total loan to other lenders. The problem with those tools is that the selling bank is effectively introducing its best customers to its chief competitors. For smaller institutions, there are currently few options. For larger lenders, though, the financial markets are providing some assistance. Increased liquidity in the asset-backed securities market has created a market for securities backed by payments from banks’ commercial loans. Such collateralized loan or debt obligations, as they are called, permit banks to shed risk on a segment of their portfolios by selling securities to institutional investors. FleetBoston Financial Corp. recently used the strategy when, on Jan. 10, it securitized some troubled commercial loans with an original face value estimated at $1.35 for sale to Patriarch Partners, a New York-based investment firm, for $928 million in cash and securities. The sale generated a $75 million loss for the bank, which had written the loans down to an estimated $1 billion at the time of sale. In September, Paris-based Société Générale Group accomplished the same feat by selling $283 million of credit risk from multiple loans through the online trading platform of creditex Inc. It was the first such online risk sale ever and highlighted the growing use of credit derivatives by large, international banks. Credit derivatives hold even greater promise for helping small and large lenders, alike, manage credit risk. The instruments allow lenders to hedge credit risks by negotiating with investors or insurance companies who want to assume the risk of a certain company or of an industry.
By using the instruments to reduce risk, lenders can continue serving their best customers. It is a strategy whose time is coming soon, said Dennis Oakley, a managing director with J.P. Morgan & Co. in charge of managing counterparty risk and using credit derivatives to manage credit risk. “It’s going to become a very efficient way to distribute risk,” Oakley said of credit derivatives. “With credit derivatives and securitization, you can move risk around more easily.” So far the instruments have received little attention outside of the 15 banks in the United States. According to the OCC, there was $387.1 billion in notional amount of credit derivatives outstanding at Sept. 30 for the 25 largest banks that used derivatives. (Notional amounts relate to the face value of the underlying assets being hedged, not to the amount the asset owner has at risk.) By comparison, there were $30.9 trillion in outstanding notional amount of interest rate derivatives at the same date. The limited market has restricted the instruments’ effectiveness as a credit risk management tool for most institutions. “The concept of using credit derivatives for portfolio management is not well-developed yet,” said KeyCorp’s Blakely. Still, open interest at Sept. 30 was 156.1% above year-end 1998, and 32.7% ahead of Dec. 31, 1999. And Oakley sees liquidity in the marketplace building as more investors such as insurance companies become interested. Credit derivatives users expect their use to eventually match or exceed the volume of interest rate derivatives currently used by financial institutions, given that there is an estimated $75 trillion in credit risk outstanding throughout the world. Today, though, interest rate contracts account for nearly 75% of the total $41.2 trillion notional amount of open derivative contracts at U.S. banks on Sept. 30, according to the OCC.
Interest rate instruments got their initial push from savings and loans that used the contracts to prevent a recurrence of the original S&L crisis of the late 1970s. That is when institutions were caught holding a low-yielding portfolio of 30-year loans that were financed by high-yield, three-month deposits. It was a mismatch that banks today avoid religiously. Avoiding such mismatches is not easy, said Steve Tomasi, a banking consultant with Rockville, Maryland-based Danielson Associates. He said the process of matching maturities typically begins with a forecast of the direction of interest rates. From there, the bank makes assumptions on how those movements will affect prepayment speeds on existing loans, creation of new loans and funding sources. To maintain adequate funding under changing conditions requires bank funds managers to communicate closely with business line managers so that they know how many loans are prepaying, how many new loans are originated, what kind of loans are originated. At the same time, they must stay abreast of changes in deposits and other funding sources. It is a constant balancing act, said Tomasi. If the bank invests too much of its available funds in overnight securities, it may miss out on higher-yielding loans that will go to a competitor. If it lends out too much, it could find itself with a funding shortfall, requiring higher-cost overnight funds. Even while banks want to limit the mismatch between the maturities of their assets and liabilities, they do not necessarily wish to eliminate it entirely. “You would like to match your long-term assets with long-term liabilities or long-term hedges,” Tomasi said. But, he added, “You can’t mitigate your risk down to zero because if you did you wouldn’t have any profit.” Nonetheless, he said if banks understand their asset and liability mix, they could react to changes more effectively.
For example, if a rate drop prompts depositors to move funds to the equity markets, the institution can decide whether to use the wholesale funding market to replace the lost deposits, or make special offers to lure new depositors. It is a process that big and small banks must perform constantly. While larger firms have trading desks to fill the role, most small banks must hire institutions such as First Tennessee Corp., who help small banks manage their cash and securities holdings on an outsource basis for a fee. Whether handled internally or outsourced to others, the process is typically handled at the management level and requires little oversight from directors, said Tomasi, aside from a strategic review. Instead, directors will typically check the validity of the assumptions presented by management, and question whether the bank can achieve its production goals considering the strategy of a competitor’s offerings. “They will typically question the strategy, not the implementation of the strategy,” he said.
As technology solves old problems, it also creates new ones
It is on the operational front where technology is creating havoc. Advances in processing power have enabled banks, and even technology start-ups, to create a host of new products that require institutions to track and analyze more data, often in real time. If that weren’t enough, operations managers must deal with a frequently changing lineup of systems, engineers, and hackers. “Perhaps the biggest problem is that the pace of change is enormous,” says Don Smith, senior vice president in corporate operations and information technology with Cleveland-based National City Corp. Smith cited security as an example of how change creates problems. As new systems, programs or products are introduced, the bank must ensure that new software does not create opportunities for what Smith calls “bad guys,” to infiltrate the bank’s systems and obtain secret customer and bank information. Such visits are frequent, Smith says, occurring more than hourly. Some intruders are out for personal gain by trying to steal credit card numbers and other personal identification information. Others merely want to make life miserable for the institution by trying to crash its systems. Then there are those who wish to embarrass the company by entering its website to create an imposter site. And it is not just people in the local community that are attempting to subvert banks’ systems. Smith says National City has encountered visitors from all over the world. “The technology is so pervasive that you are often not dealing with people who have the same kind of law and order constraints that people do in this country or in those of our primary trading partners,” he says. So far, though, the biggest attacks have occurred to overseas institutions. In September, Egg, the U.K.-based Internet banking subsidiary of Prudential Insurance, was the target of a foiled infiltration attempt by organized criminals.
A month earlier, Barclays Bank kept its 1.25 million online customers out of the system after an earlier glitch allowed customers to view the account information of other bank clients. Such significant glitches are rare. Still, Smith says, every institution should be vigilant about protecting against similar occurrences and communicating problems. The OCC is concerned enough about security and technology issues that it has issued 17 different advisories, alerts, and guidance circulars in the two years just ended. Among the topics covered were risk management of outsourcing technology, privacy laws and regulations, infrastructure threats, suspicious activity reports, and distributed denial of service attacks. Adding to the headache of staying on top of technological change are the myriad products Internet start-ups have launched to disintermediate a portion of commercial banking’s payments business. Companies like Billserv Inc. and Yodlee Inc. have created products offering solutions for electronic bill payment and presentment and account aggregation. In many cases, banks have outsourced the technology necessary to offer those products, but that, too, carries its own set of risks, according to the OCC. “The Internet, with its broad geographic reach, ease of access, and anonymity, requires extra attention to maintaining secure systems, detecting intrusions, developing reporting systems, and verifying and authenticating customers,” stated Emory Rushton, senior deputy comptroller for bank supervision policy at the OCC, in a Nov. 28 advisory letter to bank executives. “Regardless of whether technology solutions are managed internally or outsourced, the board of directors and management need to understand the inherent risks to the institution and implement appropriate controls.”
Managing risk holistically
The goal of nearly every risk management effort is to determine how much capital the institution should have as a backup against potential problems. That effort received a significant boost in 1998 when the Basel, Switzerland-based Bank for International Settlements, which fosters cooperation among national central banks and sets international guidelines, gave banks the option of creating internal risk measurements to determine capital requirements, or rely upon the BIS to assign a capital charge for them. It was a move that spurred banks on to better internal risk measurements, says CIBC’s Mark. It happened because the capital requirements assigned by the BIS were likely more conservative than the amount an institution could calculate for itself. The push finally encouraged financial institutions to adopt the same kind of risk management measures for their loan businesses—or bank book as Mark called it—as they were already using to manage their trading book. In other words, banks began to look at how some loans caused the risk of the entire portfolio to increase or decrease. What many banks found was that loans previously thought to help diversify the portfolio were really adding to the portfolio’s risk profile. “As [the banking industry] began to understand its risks, you began to see a movement of banks looking at the banking book not only from a transactional point of view, but also from a portfolio point of view,” Mark explains. “Banks were making sure that their limits were well designed to ensure that their concentrations didn’t get out of hand.” On a final positive note, the developments in the measurement of risk and the tools available to manage those risks have created better communication across the bank. For example, the need to shed risk as a result of a concentration of risk in one industry required the assistance of capital markets specialists who helped foster the creation of collateralized loan and debt instruments.
Ultimately, the message from risk managers is that the variety and sources of risk have risen even as financial institutions have developed more and better ways to manage it. As banks fight to safeguard their customers against a rising tide of competitors and intruders, the task for bank directors will become that much harder. “Directors need to understand the risk implications [of the products and services offered] and they need to know how to control those risks,” says the OCC’s Gibbons. “They really need to be looking at the indicators of risk, not just the indicators of the aftermath of risk.”
