The word we hear from bank CEOs and directors is that the examiners are busy admonishing community banks for weaknesses in their risk management systems and procedures. Financial institutions are being put on notice that if lapses in risk management aren’t repaired by the next exam, enforcement actions, including cease-and-desist orders, are likely.
Is this a trend? Has external risk become so intense in the current business environment that even conservatively managed community banks are in the hot seat? Many of the bank leaders I talk to wonder whether we have entered a new era in which the classic management techniques they have used to succeed in the past are no longer sufficient to control dangerous new risks.
What are we up against?
It is true that some risks have intensified in the post-9/11, post-Enron business environment. Many of the institutions receiving criticism say the examiners are finding fault with their information security practices. In new guidance released in February, the Federal Financial Institutions Examination Council emphasized that information security is a matter of safety and soundness for financial institutions.
Another emerging risk area involves compliance with the anti-money-laundering and terrorist financing laws. Myriad new rules have been issued under the USA Patriot Act, and zero tolerance for Bank Secrecy Act violations is a high bar to clear. As a result of these heightened obligations, most institutions are experiencing a spike in compliance risk.
Operational risk has also intensified since the terrorist attacks. The Basel II Capital Accord, scheduled to go into effect by the end of 2006, includes a new capital requirement for operational risk, defined as the “risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events.” That is a broad definition, and as of now, the industry does not have a common standard for measuring operational risk.
On top of these evolving risks are the brand-new risks posed by the corporate accountability requirements of the Sarbanes-Oxley Act. The law and the implementing rules now being issued by the Securities and Exchange Commission require senior officials and board members of publicly traded companies, including financial institutions, to shoulder broad new areas of governance and professional risk.
In one set of rules, attorneys practicing before the SEC are required to report “material violations” of securities laws “up the ladder” within the issuer. The purpose of this rule is to make sure that the company’s top management is aware of violations and held accountable to shareholders and pension plan participants. Another rule requires the “principal executive officer” and “principal financial officer” to personally certify the accuracy of the company’s financial statements.
Although Sarbanes-Oxley applies to publicly traded companies, note that small, closely held financial institutions are not off the hook. Banking regulators are devising a number of parallel governance rules to apply to closely held financial institutions and their insiders.
Then there is the rising specter of interest rate risk. Historic declines in interest rates caused serious net-interest margin compression at community banks in 2001 and early 2002. Interest rate declines also created serious asset liability imbalances for some banks. Finally, actions taken by many banks to counter the resulting effects on their earnings and balance-sheet structure resulted in increased interest rate, credit, and liquidity risks. Some banks have lengthened asset maturities, originated higher-risk loans, and taken securities gains to augment earnings and loan-loss allowances while impairing investment portfolio yields.
Undeniably, we are entering a phase of intensified risk for financial institutions of all sizes. If there is one element of my consulting practice that has assumed greater importance in today’s environment, it is how to help bankers manage risk.
Whose responsibility is it?
In these uncertain times, active risk management is a critical element of any institution’s drive to maximize shareholder value. Given the stakes, why are examiners suddenly finding so many lapses in risk management?
Federal Reserve Board Gov. Mark W. Olson, a former community banker, thinks the reason is straightforward. In a speech last February, Olson blamed corporate accountability abuses on breakdowns in internal controls and relaxation of basic risk management processes. “Perhaps the most fundamental lesson is the need to fully assess the character of a borrower, counterparty, or customer and to incorporate that assessment into the entire relationship between the institution and the customer,” he said. Although financial institutions are not directly accountable for the actions of their customers, “to the extent that their name or product is implicitly associated with their customer’s misconduct, they may be significantly exposed to additional legal and reputational risk,” Olson said. He urged financial institutions to institute “policies and procedures that require management to understand the totality of their business relationships.”
My good friend Bob McGoffin, regional president for Riverside National Bank, a $1.9 billion institution in Vero Beach, Florida, is on the same wavelength. McGoffin believes that the basic problem is not so much the risks themselves but the management of the risks. “The examiners are coming in and dictating to us; telling us we have risks and what we should do to control them. It really should be the other way around. We should be managing our portfolios and products to mitigate the risks unique to our own particular institutions. Then when the examiners come around, we can show them what we are doing and that our process is satisfactory. The examiners would be functioning as auditors, not as risk managers.”
Managing by risk
Financial institutions do not have a long history as risk managers. Risk has always been present in the banking business, but it has been a scant decade since the phrase “risk management” came into the average banker’s lexicon.
Since the mid-1990s, bank regulators have adopted variations on the Office of the Comptroller of the Currency’s “supervision by risk” approach. Supervision by risk is really a way of allocating examiner resources to focus on where they do the most good: the functions, activities, and product lines that pose the greatest risk to an institution’s stability. Taking this supervisory approach, the examiners are principally interested in learning whether an institution has identified its risks and instituted appropriate risk management controls to minimize violations and maintain the institution’s overall safety and soundness.
Each agency’s procedures differ slightly, with small distinctions in risk definitions and terminology. The Office of the Comptroller of the Currency defines nine distinct types of risk to earnings or capital. The Federal Reserve Board uses six categories of risk to assign risk management ratings to institutions under its supervision, and the FDIC generally recognizes seven types of risk. The Office of Thrift Supervision also uses risk-based exam procedures.
Regardless of the labels, all the regulators are basically on the same page with respect to what they expect of financial institutions. Management and the board of directors should have the capability to identify, measure, control, and monitor risk in their institutions. Further, they should be able to demonstrate that they are managing individual risk areas within the institution.
Given this emphasis, it would be reasonable to expect that risk management practices are well entrenched in most banks today. If bankers are tripping up, the fault must lie in the current business environment, where so many new and intensified risks have appeared. I am convinced, however, that it is not the number or nature of risks that is causing problems. It is the failure to adequately analyze risk and to apply fundamental management principles to today’s business challenges that is leading to heightened levels of risk. Bank CEOs and directors are clearly entering a new era of risk management expectations and accountability.
The clouds before the hail
Today, the products and services banks offer are more complex, the costs of implementation are greater, and the consequences of missteps are higher. Serious consequences include financial losses, regulatory enforcement actions, lawsuits, customer flight, and even bank failure. Complexity, cost, and consequences could be called the “three Cs” of risk management.
How does a banker judge the risk implications of each decision or activity in terms of the three Cs? Notwithstanding the high stakes involved in managing risk, there really is no secret here. Managing risk simply involves paying attention to your portfolios and business lines and taking appropriate actions before problems occur.
Breaking the ongoing risk management process down into definable steps is useful. Ken Proctor, director of our risk management practice, suggests that bankers consider the following steps:
1. Know where you’re going. Clearly define the bank’s strategic direction, goals, and objectives.
2. Identify risk tolerance levels. These are the levels of risk the bank can take, or must take, in order to achieve its strategic business goals and objectives.
3. Establish appropriate guiding policies, spelling out the levels of allowable risk, such as concentrations of credit. Again, consider those risks that must be taken, not just avoided, and include contingency plans to execute when the bank steps outside the risk limits.
4. Assess risk and exposure levels throughout the bank in each category of risk (credit, interest rate, liquidity, operational, and so forth).
5. Develop a management reporting structure that reflects a picture of the forest as well as the trees. These reports must include leading indicators of problems, such as loans that are missing financial information or whose borrowers are delinquent in paying taxes and insurance, as well as trailing indicators, such as loans that are past due. The reports should also compare the bank’s current risk position with policy limits.
6. Collect appropriate information and analyze it on a regular basis, again tracking trends of leading and trailing indicators.
7. Formulate appropriate, cost-effective risk management strategies and action plans to address developing risk situations.
8. Clearly document the analysis and actions taken.
Bankers are familiar with these steps. The interesting thing, however, is that a lot of banks that have been cited by the examiners for weaknesses in risk management started at step 7, largely foregoing the process of data collection, analysis, and reporting. McGoffin compares this to not looking up at the sky when bad weather starts gathering on the horizon. “The key in managing risk is to have the sense that you will be able to see the dark clouds before hail starts hitting you on the head … and certainly before the hail gets to be the size of baseballs.”
Akin to having weather predictive capabilities, having the appropriate management information is a fundamental requirement of effective risk management. Most important, this information should be linked to the policies and related risk-tolerance levels approved by management and the board, thus acting as an early warning system of increasing risk. The information should reveal trends, allowing managers to formulate focused strategies in response to specific risk indicators.
Data extracted from your own database, combined with peer group data and general economic information, is the basis for identifying both present and potential risks. The process of setting up an appropriate management information system and assessing the current risk environment is where consulting support can be useful.
Once you have the information, it becomes fairly easy to engage in an intuitive “if this, then that” analysis and devise action steps geared toward the level and severity of the specific risks you have identified. Again, this action stage of risk management is based on nothing more than classic management theory.
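As an added illustration (not code from the article or from the consulting practice it describes), the following Python sketch shows what steps 4 through 6 and the “if this, then that” stage look like when reduced to a report: leading indicators (missing financials, lapsed taxes or insurance) and trailing indicators (past-due balances) are measured against policy limits, flagged at a “watch” level before the limit is breached, compared with the prior period to show the trend, and paired with a predefined action. The loans, the limit values, the prior-period figures and the action texts are all constructed for the example; a real report would draw them from the bank’s loan system and its board-approved policies.

```python
# Early-warning risk report: leading and trailing indicators measured against policy limits.
# Added example with constructed data; the limits and actions are hypothetical, not any bank's policy.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Loan:
    loan_id: str
    borrower: str
    sector: str
    balance: float
    days_past_due: int
    financials_on_file: bool   # current borrower financial statements received
    taxes_current: bool        # borrower current on property taxes
    insurance_current: bool    # hazard insurance in force


# Hypothetical board-approved limits, each expressed as a share of total loan balances.
POLICY_LIMITS = {
    "sector_concentration": 0.25,    # largest single-sector concentration
    "borrower_concentration": 0.40,  # largest single-borrower exposure
    "missing_financials": 0.10,      # leading indicator: no current financials on file
    "servicing_exceptions": 0.05,    # leading indicator: taxes or insurance lapsed
    "past_due": 0.03,                # trailing indicator: 30+ days past due
}
WATCH_FRACTION = 0.80  # report "watch" at 80% of a limit, before it is actually breached

# "If this, then that": a hypothetical action plan keyed to each indicator.
ACTIONS = {
    "sector_concentration": "Curtail new originations in the sector; sell participations.",
    "borrower_concentration": "Take the relationship to loan committee for review.",
    "missing_financials": "Request statements; escalate to relationship officers after 30 days.",
    "servicing_exceptions": "Verify tax status and force-place insurance where lapsed.",
    "past_due": "Refer to collections; review allowance adequacy.",
}


def indicators(loans):
    """Compute each indicator as a balance-weighted share of the portfolio."""
    total = sum(loan.balance for loan in loans)
    if total == 0:
        return {name: 0.0 for name in POLICY_LIMITS}
    by_sector, by_borrower = defaultdict(float), defaultdict(float)
    for loan in loans:
        by_sector[loan.sector] += loan.balance
        by_borrower[loan.borrower] += loan.balance

    def share(predicate):
        return sum(loan.balance for loan in loans if predicate(loan)) / total

    return {
        "sector_concentration": max(by_sector.values()) / total,
        "borrower_concentration": max(by_borrower.values()) / total,
        "missing_financials": share(lambda l: not l.financials_on_file),
        "servicing_exceptions": share(lambda l: not (l.taxes_current and l.insurance_current)),
        "past_due": share(lambda l: l.days_past_due >= 30),
    }


def status_for(value, limit):
    """Three-tier status: ok, watch (approaching the limit), breach (over the limit)."""
    if value > limit:
        return "breach"
    if value >= limit * WATCH_FRACTION:
        return "watch"
    return "ok"


def risk_report(loans, prior=None, limits=POLICY_LIMITS):
    """Compare the current risk position with policy limits and with the prior period."""
    current = indicators(loans)
    report = {}
    for name, limit in limits.items():
        value = current[name]
        entry = {"value": round(value, 4), "limit": limit, "status": status_for(value, limit)}
        if prior is not None and name in prior:
            entry["trend"] = ("worsening" if value > prior[name]
                              else "improving" if value < prior[name] else "stable")
        if entry["status"] != "ok":
            entry["action"] = ACTIONS[name]
        report[name] = entry
    return report


def exceptions_list(loans):
    """Loan-level detail behind the indicators: the 'trees' under the 'forest' view."""
    out = []
    for loan in loans:
        reasons = []
        if not loan.financials_on_file:
            reasons.append("financial statements missing")
        if not loan.taxes_current:
            reasons.append("property taxes delinquent")
        if not loan.insurance_current:
            reasons.append("insurance lapsed")
        if loan.days_past_due >= 30:
            reasons.append(f"{loan.days_past_due} days past due")
        if reasons:
            out.append((loan.loan_id, reasons))
    return out


# Constructed sample portfolio and prior-period indicator values (illustration only).
SAMPLE_LOANS = [
    Loan("L1", "Alpha", "commercial_real_estate", 500_000, 0, True, True, True),
    Loan("L2", "Beta", "commercial_real_estate", 300_000, 0, True, True, True),
    Loan("L3", "Gamma", "agriculture", 200_000, 0, True, False, True),
    Loan("L4", "Delta", "consumer", 50_000, 0, False, True, True),
    Loan("L5", "Epsilon", "manufacturing", 250_000, 0, True, True, True),
    Loan("L6", "Zeta", "manufacturing", 150_000, 95, True, True, True),
]
PRIOR_PERIOD = {"sector_concentration": 0.50, "borrower_concentration": 0.30,
                "missing_financials": 0.05, "servicing_exceptions": 0.02, "past_due": 0.12}

if __name__ == "__main__":
    for name, entry in risk_report(SAMPLE_LOANS, PRIOR_PERIOD).items():
        print(f"{name:24s} {entry['value']:.4f} / {entry['limit']:.2f}  "
              f"{entry['status']:6s} {entry.get('trend', '')}")
    for loan_id, reasons in exceptions_list(SAMPLE_LOANS):
        print(loan_id, "; ".join(reasons))
```

On the constructed portfolio the largest sector (commercial real estate) holds 55% of balances against a 25% limit, the largest borrower sits at 34% (inside the 40% limit but past the 80% watch line), and past-due balances are over the limit but improving on the prior period, which is exactly the kind of distinction the trend column exists to surface. The watch tier is the “dark clouds” signal: it fires before the limit is crossed, while there is still room to act.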
Another critical element that many bankers overlook is documentation. From the standpoint of working with the examiners and avoiding criticism, nothing works better than to show them you have key management reports and can document each action step you have taken in response to both internal and external information. Many bankers are afraid of documenting their risk analyses, thinking that the examiners will “hang” them with their own findings. In fact, by documenting risk, you prove to them that you are managing your risks, which is what really needs to be done, examiners or no examiners.
That’s called management
Granted, the risks borne by banking organizations are becoming more complex and more costly, and they carry greater consequences. Despite its relatively short history within the financial services industry, formal risk management, with its philosophy and practices, has evolved rapidly. Today, risk management is deemed a pillar of bank management, with the ultimate responsibility for controlling the bank’s overall risk posture rising to the level of the CEO and board of directors.
At the same time, a growing mismatch between expectations and reality is becoming apparent. Whether a bank concentrates on growing its traditional businesses or sets off pursuing new horizons, managers and the board must not abandon the fundamental management techniques that got them to that point. With good information and the steady application of internal management controls, the inherent risks of any given activity can be minimized.
Managing risk is pretty straightforward: If you get the right information and you put good procedures into practice, your odds get a lot better. At the end of the day, it’s all simply a part of good bank management.