A Framework for Risk

Over the last 10 years, First Tennessee National Corp. has changed its corporate strategy from plain vanilla to tutti-frutti. The Memphis-based bank has more than tripled in size and now is highly diversified, with a 464-branch network in Tennessee, Mississippi, and Arkansas; a national mortgage company; an investment banking operation; and a sizeable transaction processing business. It sells credit cards and its own line of mutual funds, runs both trust and consumer finance businesses, finances equipment purchases, and offers discount brokerage, venture capital, and insurance brokerage services. When it comes to financial services, First Tennessee offers just about every flavor there is.

Each of those businesses has its attendant risks, and one challenge of running a diversified financial institution is keeping track of all those risks, and understanding how they might interact. This growing complexity finally led First Tennessee to formally adopt a more sophisticated approach to controlling risk inside the company. In January, the bank began to manage its multiplicity of exposures using a method that is generally referred to as enterprise risk management (ERM). The effort begins at the grass-roots level and extends up to the company’s board of directors, where both the executive and audit committees are actively engaged in the process.

The purpose is to gather every potential exposure the company faces into a single “portfolio” that provides senior managers with a unified view on risk throughout the entire bank. By taking a more holistic approach to risk management, First Tennessee hopes to avoid serving up the kind of nasty earnings surprise that can result in an unappetizing stock.

Enterprise risk management is still quite avant-garde, and its most advanced practitioners are very large banks (some with significant international exposures) whose operations are far more complex than even First Tennessee’s. But this more sophisticated approach to risk management is slowly working its way into the middle market, in part because even smaller banks are becoming more diversified, thanks to the gradual liberalization of U.S. banking law and regulatory policy over the past decade. As they follow a trail that has already been blazed by the likes of First Tennessee, an increasing number of these institutions will begin to apply holistic risk management principles to their organizations.

“We thought this was the best and most efficient way to manage our business,” says Herbert Hilliard, executive vice president for risk management at First Tennessee. “When you become a totally different company than a small regional bank, and you’re in major business lines, it’s really important to do this.”

In fact, regulators will expect them to, or at least they will for those nationally chartered banks that are overseen by the Office of the Comptroller of the Currency. “As banks grow in size and complexity, we expect their risk management practices to become more sophisticated,” says Mark O’Dell, deputy comptroller for core policy at the OCC. “We see enterprise risk management as part of the corporate governance process. We do encourage it.”

If ERM has had one dedicated champion in recent years, it would be an industry group that goes by the unwieldy name of The Committee of Sponsoring Organizations of the Treadway Commission, otherwise known as COSO. Comprising various professional associations representing accountants, internal auditors, and financial executives, COSO has done a considerable amount of theoretical work on enterprise risk management, and later this year will release a model framework for its implementation by all corporations.

From theory to practice

In an extensive draft of its proposed model framework for ERM implementation, which was circulated for industry comment last year, COSO identified several other important advantages to this approach, beginning with an alignment of risk appetite with strategy. Risk appetite is the degree of risk an organization is willing to accept in pursuit of its goals. In this sense, ERM is an important tool that enables an institution’s senior management team to proactively evaluate their strategic alternatives within the context of their overall risk appetite.

For example, a bank that decides to start a new construction lending unit would first evaluate the perceived risk of that activity within the context of its overall risk appetite. And while the perceived risk of that business might still fall comfortably within the institution’s appetite, the company may decide to give the unit more attention in the audit cycle than less risky activities. “If there are problems, they can deal with them much sooner,” says Dan Shumovich, director of risk management at the Los Angeles-based consultant firm RSM McGladrey.

Enterprise risk management also develops a stronger linkage between risk, growth, and returns. Financial institutions produce profits by assuming risk, whether it’s lending money, trading securities, or selling fee-based services that are delivered through an elaborate operational infrastructure. The highest risks should provide the greatest returns, and ERM keeps senior management focused on this risk-reward ratio when making strategic decisions.

When senior management has a complete view of the institution’s risk profile, it can make better capital allocation decisions, since the businesses with the greatest amount of risk also require the most capital to back them up. And ERM provides the board of directors with a framework to identify the potential events that make up operational risk and formulate a plan to deal with them.

Indeed, having a robust ERM system in place could also help very large U.S. banks comply with the proposed Basel II accord. If adopted by federal banking regulators, the accord would force those banks to calculate separate capital requirements for credit and, for the first time, operational risk. The accord, which will probably go into effect within the next two to three years, would require large banks to make sophisticated risk assessments of highly complex operations activities, a process that draws upon many of the same capabilities vital to effective enterprise risk management.

At this point, it seems likely that only the largest U.S. banks would have to comply with this requirement. Although federal regulators like the OCC and Federal Reserve have not yet completed their deliberations, it’s widely believed that community and smaller regional banks will not have to comply with Basel II, although some large regional banks may do so on a voluntary basis.

Enterprise risk management is a significant refinement of how most banks have managed their exposures in the past, first in its emphasis on aggregating individual risk assessments throughout the company into a single risk portfolio, and second in its concern with the way in which various types of risk might interact to create a gestalt effect. The industry’s traditional practice (which has been to measure and manage various categories individually, be they credit, market or interest rate risks) has its limitations. “If you manage risks in a silo, I think you can find yourself making the right decision in the silo, but not the best decision bankwide,” says Glenn C. Wilson, president at Laurel, Maryland-based Citizens National Bank, a $889 million-asset subsidiary of Mercantile Bancshares Corp.

This siloed approach has gradually given way to a more unified method where some banks have attempted to aggregate all the potential exposures facing them, even as new categories, such as operational risk, were added to the mix. ERM takes this evolutionary process one step further by allowing management to see how all those aggregated risks might react in combination with each other, not unlike chemicals that have been mixed in a beaker and heated on a Bunsen burner.

“Enterprise risk management allows you to understand the interaction of all these risks,” says Alden L. Toevs, executive vice president at First Manhattan Consulting Group in New York. “If credit risk goes up, does something else go down?” Or put another way, says Toevs, “Are we making sugar or salt?”

Building the perfect beast

Although ERM can be implemented using a variety of organizational structures (and these may differ from bank to bank), most experts believe there are a handful of conceptual issues that all institutions must face. One is accountability. By its very definition, ERM involves people throughout the far reaches of the organization, but responsibility for driving the process must rest with a small group of senior executives, or perhaps just one. “I think it’s important that you have a single person accountable,” says Andrew D. Wilson, a partner in the financial services practice at New York-based Accenture.

Some of the largest banks have appointed chief risk officers to oversee the process. But Andrew Wilson says there’s not a deep “talent pool” of people who are well versed in all the activities that pose a potential risk to the institution. For example, the chief credit officer clearly understands credit risk, and may be broadly familiar with interest rate risk if he or she has worked in a bank for any length of time, but that person probably doesn’t understand the operational risks that flow from running a large network of branches, or all of the internal processes that support the institution’s reporting requirements if it’s a public company, or the company’s various property/casualty insurance programs. Areas that might fall within the chief risk officer’s domain include loan review, the asset/liability management function, internal auditing, and information technology. “In today’s environment, it’s hard for one person to have expertise in all these areas,” says First Tennessee’s Hilliard.

Even where responsibility for overseeing the ERM process has been split up among a small number of senior executives, it’s still crucial that there be a management-level committee so all risk issues can be discussed in one place. “It’s key that they deal with this stuff in one central meeting,” says Toevs.

It’s also important that the board of directors be actively engaged in the risk management process. “This needs to get attention at the board of directors’ level,” says Shumovich. “This isn’t something they can just delegate to management.” One problem is that most banks don’t have a board-level committee that has been assigned sole responsibility for this task. If the institution still takes a silo approach, it probably has both loan and asset/liability committees where traditional risk management issues are dealt with, but accounting, legal, and operational problems might be handled in two or three different venues.

One approach would be to establish a new risk management committee as the focal point for these issues at the board level. This would consolidate the corporate governance responsibility for risk management in one place and support ERM’s goal of giving decision makers a single, integrated view of risk throughout the company. But in a survey of 30 leading financial institutions from around the world (conducted in 2002 by First Manhattan and the Philadelphia-based Risk Management Association, an industry group that has traditionally looked at credit issues), only 44% of the study group had formed separate risk management committees.

Another option favored by 39% of the survey group would be to consolidate responsibility for enterprise risk management in the audit committee. This approach has at least two significant drawbacks. One is that the Sarbanes-Oxley Act has imposed tough new auditing and internal control requirements on all public companies, and audit committees, which have responsibility for these activities, are already overburdened. Another shortcoming is that the audit committee’s primary responsibility is for the company’s financial control and reporting mechanisms, while the focus of ERM is much broader. “[Audit] is a better alternative than any other standing committee,” says Toevs. “But the audit focus should be different than the risk management focus. And the audit focus itself is a pretty big agenda.”

In a typical corporate governance structure, according to the First Manhattan survey, the board of directors approves and reviews the bank’s risk management strategy and policies and establishes its overall risk appetite. The board’s risk management committee then reviews and approves both the risk management framework and standards, while the audit committee oversees the internal control process and also reviews the effectiveness of the risk management standards.

Out front with ERM

Not surprisingly, it’s the large global banks that have taken the lead in adopting enterprise risk management. In its survey of global banks, First Manhattan determined that 12 institutions were highly advanced when it came to the measurement and management of risk across the entire organization, while nine were found to be semi-advanced, which is to say they had adopted some but not all of the principles of ERM. A third group of institutions were labeled traditionalists because generally they did not aggregate risks throughout the organization into a unified view, or look for high correlations between or within risk types.

The survey found the 12 leaders were three times as likely as the less-advanced institutions to see their risk management capabilities as a distinct competitive advantage, and to have boards of directors that were significantly more involved in establishing the institution’s overall risk appetite and monitoring risk levels. As one might expect, First Manhattan also concluded that the advanced group appeared to have a more proactive risk management culture, where “risk officers” were encouraged to question the risk decisions of business managers, while business managers were encouraged to question the risk decisions of other business managers.

The leaders also used more-advanced risk measurement methodologies and routinely looked for intrarisk correlation (for example, between commercial real estate and residential mortgage loans) and interrisk correlation between major categories, such as credit and market risk. And 75% of the advanced group put together a detailed enterprise risk management report, providing senior managers and the board with a unified view of their institutions’ risk profile. By contrast, only a third of the less-advanced institutions take this step.

First Tennessee is proof positive that even large regional institutions are beginning to incorporate many elements of enterprise risk management into their overall risk management efforts. The bank’s diversification strategy had created a far more complicated organization, and its traditional practice of managing risk on a business-line basis was no longer an effective approach. “There was no place where we pulled it all together in one [meeting],” Hilliard explains. Senior management lacked a clear sense of how all those risks were interacting. For instance, First Tennessee makes commercial real estate loans in addition to being a large originator of residential mortgage loans, and the bank needs to understand how those different markets might interact to increase its risk profile. Smaller banks might still be able to look at risk on a transaction-by-transaction basis, but First Tennessee decided it could not. “It’s a totally different way of looking at risk when you’re a small company, rather than a national company,” he says.

Although its program differs in some respects from larger institutions studied by First Manhattan, the bank has moved toward more of an enterprisewide approach. Separate committees for credit, operations, and asset/liability management still review the institution’s risk profile in those key areas. But starting in January, those committees now report to a new enterprisewide risk management committee that will review the bank’s risk profile on a more unified basis. The ERM committee members will include the chief executive officer; the chairmen of the credit, A/LM, and operations committees; and all major business managers. It will meet 10 times a year.

First Tennessee did not charter a new risk management committee at the board level, but chose instead to delegate credit and interest rate risk oversight responsibilities to the executive committee and operational risk to the audit committee. “We feel that between those two committees, they can handle the job,” says Hilliard. “I think the key thing is making sure all the risks are covered.”

The bank also chose not to appoint a chief risk officer, but to split responsibility for ERM between its chief credit officer and Hilliard, whose portfolio as head of operational risk includes security and internal audit. Hilliard points out that First Tennessee’s chief credit officer has over 10 years’ experience at the bank, and he says it would be difficult to find one executive who would bring a thorough understanding of all major risk categories. “We feel this works better for us.”

Applications for community banks

Enterprise risk management is still a relatively new concept at the community bank level, where most institutions are still primarily focused on credit risk. A survey of 160 community banks last year by RMA found that most of them were less concerned about market and operational risk, believing that credit risk had a more immediate impact on earnings. To a large extent, this finding reflects the simple reality that most community banks are still less diversified than larger institutions and derive a greater percentage of their earnings from lending activities.

But the survey did report that at least one-quarter of the respondents were trying to take more of an enterprise approach to their risk management efforts, and another 14% had anticipated doing so in 2003. Pamela Martin, RMA’s director of regulatory relations and communication, says that many smaller banks are attempting to take a more holistic approach to managing risk, even though they may not apply the ERM moniker to their process. “It’s a risk management philosophy that community bankers can implement without setting up capital allocation systems or very complex modeling systems,” Martin adds. “It’s just good risk management.”

One such example, Citizens National in Maryland, has assigned responsibility for overseeing the risk management process to its compliance committee, which meets every other month and includes the entire management team. Both the credit and asset/liability management committees operate as “subsets” of the compliance committee, according to Glenn Wilson, who recently became president of the bank. The compliance committee also handles all regulatory and auditing issues. “We make sure that everyone is aware of what the issues are,” says Wilson.

Citizens National has not appointed a chief risk officer to oversee the risk management process on an enterprisewide basis, and Wilson figures the bank is still too small to take that step. He recalls that some years ago, when Citizens National reached approximately $1 billion in assets, the bank’s primary regulator asked that it divide up the business development and credit management functions, saying it was now large enough that those duties should be performed by different people. “I was fine with [the old approach] when we were at $800 million,” Wilson says. “But at $1 billion, I could see the need to have that happen.”

He believes the same dynamic might apply to the chief risk officer function as well. Once an institution has reached between $1.5 billion and $2 billion in size, there might be a need to consolidate responsibility for all risk management activities under one individual. “[The risk management function] does need to scale with size,” Wilson says. “But we feel that we’re effectively managing it now.”

Regardless of what you call it, the most important thing is making sure that senior executives are reviewing their institution’s risk profile in a unified manner and that all parts of the organization participate in the process. Says Wilson, “We start with the premise that risk management is everyone’s job.”
