Risk and banking go hand in hand, but the industry’s approach to risk management has changed dramatically since the 2008 credit crisis. The Dodd-Frank Act requires banks with assets greater than $10 billion to have a board-level risk committee, and many of their smaller brethren have followed suit. Enterprise risk management (ERM) programs, which take an overall view of risk at the institution instead of managing risks like credit and compliance separately, have been adopted by many institutions. The board’s role in risk oversight, both in terms of time and responsibility, has increased exponentially.
Many financial institutions are adjusting to these new expectations. But just as banks seem to have a handle on credit risk, cybercriminals are there to remind the industry that risk is ever-evolving, and the scariest risk to bankers is the risk that they don’t know.
More than 100 independent directors and senior executives of banks with more than $1 billion in assets responded to Bank Director’s 2014 Risk Practices Survey in January, sponsored by Jacksonville, Florida-based banking and payments technology firm FIS. The survey analyzed how banks are governing risk and examined the maturity of bank risk management programs. While many banks have the pieces in place to properly govern risk (more than 97 percent of respondents report that their bank has a chief risk officer or equivalent, and risk committees are common for the majority), getting the finer details of risk management right remains a challenge.
Sai Huda, senior vice president and general manager of enterprise governance, risk and compliance solutions with FIS, says that getting those finer details right can have a positive impact on financial performance. The results of the survey tend to support this line of thinking. While almost 40 percent of respondents are unsure of the impact of their bank’s risk management program on financial performance, one-quarter report that they can tie improved performance to their risk management program. Further, respondents from banks with risk committees report a higher return on equity (ROE) and return on assets (ROA) than those that govern risk within a combined audit/risk committee or within the audit committee. Despite the fact that larger banks tend to outperform smaller ones, this held true for banks with less than $5 billion in assets, which report an average ROE of 8.43 for those that govern within a risk committee, compared to 7.79 for a combined audit/risk committee and 7.10 for audit committees.
“Having a separate risk committee and a focused approach to risk governance does translate into better performance,” says Huda. “The more specialization and focus by the board on risk, the better performance you’re going to get financially.”
Sixty-three percent of respondents report that risk is governed at their institution within a dedicated risk committee of the board. Two-thirds of those that don’t govern risk within a separate risk committee say they believe that the management of risk just does not require its own committee. But as the bank gets bigger, many boards are deciding they need a separate risk committee.
Tupelo, Mississippi-based Renasant Corp., a $5.7-billion asset bank holding company, started a board-level risk committee after purchasing two banks from the Federal Deposit Insurance Corp. in 2010 and 2011. That pushed the bank toward the $5 billion threshold, and Renasant’s President and Chief Executive Officer E. Robinson McGraw says the board and management saw a need for a more formalized approach to risk governance. “We already had our chief risk officer in place, but we started making that risk program a lot more formalized than what it was, spending a lot more time and dollars on it,” he says. “There’s still more room for us to go before we finish, and you’ll never finish obviously, but we’re making a lot of real progress.”
Boards that focus on risk within the audit committee, like 8 percent of respondents, or even a combined audit/risk committee, like 19 percent of respondents, could be facing an uphill battle. “It’s very hard for audit committees to do both jobs, because by their very nature, audit committees are really looking backwards,” says Huda, “whereas the risk committee is forward-looking. They’re trying to anticipate risks becoming problems and mitigating them before they become problems and cause an adverse impact on earnings, capital or reputation.”
Risk was governed within the audit committee at $26-billion asset Synovus Financial Corp., headquartered in Columbus, Georgia, before moving to a separate risk committee structure in 2011. Chief Risk Officer Mark Holladay says looking at audit and risk within one committee was just too much ground to cover. Meetings were a day-long commitment, with a deluge of information presented to committee members. “You want your risk committee to be thinking strategically, and that takes a little time and thought,” he says.
For banks that have established a risk committee, the vast majority of these committees focus on matters like establishing the bank’s risk appetite, reviewing stress testing results and approving risk policies. At the board level, directors are reviewing regular risk management reports and approving the overall risk management policy.
But less than half of participants say that their board holds regular sessions with the chief risk officer, and the risk committee chairmen of almost 70 percent do not meet regularly with operating or frontline management. Huda says that these steps can provide the board with an honest view of what’s going on at the ground level, and set a more visible tone regarding the bank’s commitment to managing risk.
Taking the time to meet with operating or frontline management sends a strong message about the board’s commitment to risk, but can also be a great learning exercise about what is happening within the organization. “Reports may not really reflect reality,” Huda says. “Trust but verify, but more importantly, obtain insights from the frontline troops on how they are managing risks and moving the bank forward. This way you can identify emerging risks or problems, and make timely adjustments to strategy and risk oversight.”
In order to better understand management’s role as well as his own in risk management, Joseph Prochaska Jr., the risk committee chairman at Synovus, spent time with the various management-level risk committees upon establishment of the board-level risk committee in 2011. It’s not an ongoing practice, but Holladay appreciates this proactive approach and says he would not be surprised to see Prochaska do this again. What happens at the management level is “pretty crucial for somebody in that chair” to understand, he says. “I thought that was pretty sharp of him to ask if he could do that.”
The majority of respondents, at 82 percent, feel that the board devotes enough discussion to risk management issues, with almost half reporting a quarterly review of the bank’s risk profile and related metrics with senior management. Less than 20 percent conduct this review on a monthly basis, and Huda says a monthly review of critical metrics and key risk indicators can provide bank boards with the necessary intelligence to anticipate a threat before it materializes. “Look for leading, not lagging, indicators of risks and nip it in the bud before it’s too late,” says Huda. “After all, the end game is to ensure high performance to attain strategic objectives while avoiding surprises.”
RISK & STRATEGY
At Synovus, any new initiative is vetted for potential risk by measuring its impact on areas such as capital levels, concentration limits and risk tolerance levels. Linking risk appetite with strategy ensures that growth initiatives do not create unwanted risk. “It’s being at the table at the very beginning to really sit there and assess” the potential risks of strategic initiatives, Holladay says. Then, he sees a need to continue to monitor the progress of the strategic plan and reassess risk.
ViewPoint Financial Group, a Plano, Texas-based bank holding company that is in the process of buying LegacyTexas Group of Plano to become a $5.2-billion asset company, takes a simplified approach to establishing risk appetite. The board and management will not take on risk that they do not understand. “If people in your company don’t have that baseline understanding about not assuming risk that you don’t understand, taking the additional step of writing a complicated risk appetite statement will be completely ineffective,” says Scott Almy, ViewPoint’s chief risk officer. He adds that many of the components of risk appetite can be found scattered within bank policy, so looking within existing policies is a good starting point. This simplified approach doesn’t require additional investment in sophisticated technology. “[It] just requires that people in the organization understand your business,” says Almy.
Connecting risk and strategy challenges bank boards and executives, as evidenced by the survey. While 80 percent of risk committees are tasked with establishing their bank’s risk appetite, one-third do not review the strategic plan and risk mitigation strategies. For the overall board, 35 percent do not review and approve the bank’s risk appetite statement, and one-quarter report that the bank does not have a risk appetite statement at all.
When asked how bank boards use the risk appetite statement, less than half use it to provide limits for board and management, and just 13 percent analyze the impact of risk appetite on financial performance and strategic objectives.
Further, just 31 percent of participants say that the bank’s risk appetite statement covers all the risks faced by the organization.
Almost half of respondents say that bank boards could use more training and education on how to oversee the bank’s risk appetite. Huda recommends that boards develop the risk appetite statement with input from the executive team, determining how the bank should grow and what the risk limitations are around that growth.
The chief risk officer and banking systems officer at Renasant are currently developing a risk appetite statement, which McGraw says the board will approve at their annual retreat this year. “What that will do is take our strategic initiatives and then it will quantify each of the risk tolerances related to those. And [those risk tolerances] will then become a formalized part of our monitoring.” Right now Renasant’s risk profile focuses on quantifying loan growth and non-performing assets.
Taking an enterprise view of risk is arguably critical to the bank’s goals, and some regulators do see benefits. “Many of the risk management techniques involved in ERM have been developed by banks in an effort to better identify risks, operate efficiently, compete effectively and inform strategic and capital planning,” said John Conneely, assistant regional director for the FDIC New York region, at a February 2012 teleconference.
Enterprise risk management programs are relatively new to the banking industry, and less than one-quarter of respondents describe the maturity level of their institution’s ERM program as advanced. As defined in the survey, a bank has an advanced ERM program when it incorporates the strategic plan, has a risk appetite statement, performs regular stress testing of all risks and has a risk dashboard, which provides the board with an at-a-glance view of the bank’s risk profile across different areas. The majority of respondents, at 62 percent, would instead rank their ERM program as intermediate, with room for improvement.
Supporting an ERM program presents its own challenges, which can hold banks back from having a more comprehensive view of risk. Two things challenge bank boards and management most when it comes to supporting an ERM program: Proactive identification and management of all the risks faced by the institution, at 52 percent, and integration of all risk silos, from compliance to credit risk, into one single program, at 40 percent.
Huda says an enterprise-wide risk dashboard allows the board and management a better view of the bank’s risk profile and risk trends in real time, with access to all of the bank’s risk data in one place. “This way you are using a uniform set of intelligence to make key decisions and drive the bank to higher performance while avoiding pitfalls,” says Huda. “Is it required by regulations? No. But is it a best practice, is it of value? Immensely.” Fifty-eight percent of respondents say the bank has implemented a risk dashboard for both management and board, while 9 percent have implemented one for just bank management or just the bank board. Nineteen percent plan to implement a risk dashboard soon.
Of the respondents that report the bank uses a risk dashboard, more than 70 percent say it is used to identify emerging risks, to provide reports to the board and to ensure the bank does not exceed risk tolerances.
Almost 40 percent do not use the risk dashboard to evaluate bank performance, and that may account for why 39 percent say they are unsure how to measure the impact of the bank’s risk management program on financial performance. “The key to success is to view the risk dashboard as a tool not only for defense, but also offense,” says Huda. “Risk governance, oversight and a solid risk management program do positively impact the bank’s financial performance, so why not use the risk dashboard to also measure impact?” Huda advises using the risk dashboard to track the effect of key risk indicators and risk mitigation decisions on risk appetite, while key performance indicators measure its impact on bank performance.
Holladay says the best way to measure the outcome of sound risk management is to evaluate its role in sustainable performance, particularly in shareholder returns over an extended period, looking at a minimum of three years. He says to specifically look for less volatility while at the same time creating long term value. “Our role is to help those lines of business achieve the objectives that they’ve set, year in and year out, and risk management plays a very important role [in] doing that.”
REGULATORY & TECHNOLOGY CHALLENGES
The seemingly constant wave of regulations coming out of Washington, coupled with technology and data concerns, remain top of mind for survey respondents.
Specifically, keeping up with regulatory expectations of risk management practices is cited as a top challenge for almost half of respondents. For 55 percent, the sheer volume and rapid pace of regulatory change is seen as the factor most likely to cause risk evaluation failure.
“Every day you turn around, there’s a new regulation,” says Renasant’s McGraw. “Every day we find more risks on existing products and processes.” More than half of respondents feel that the board needs a better understanding of how new regulations could pose risk to and impact the bank, and educating the board on challenges like these is a focus for Renasant. “We’re trying our best to spend a lot of time in educating our directors,” he says. “Better educated directors are better directors, and…there’s a lot of liability out there today with directors.”
Forty percent of participants say that maintaining the technology and data infrastructure to support risk decision-making is a top risk management challenge, and for Synovus, getting the technology in place is a continual process, with plans to integrate all the data into one governance, risk and compliance tool. After researching potential software tools for several years, the company decided to move forward last year, choosing a product based on implementation, ease of use and cost. Getting the data in one place will allow Synovus to focus less on aggregating data, now a manual process, and more on data analysis and reporting. This should result in better information for the board and key members of management. Currently, “it does take a lot of time to aggregate all these components together and then to put them in a format that’s easy for the board to understand,” Holladay says. Updated technology will allow Synovus to automate much of this process.
ViewPoint’s Almy agrees that data cannot be overlooked. “The winners in our industry, years from now, will be those who can most effectively navigate the challenges of increasing regulatory requirements, can focus on the imperatives of their strategy for their market and who can most effectively manage data,” he says. “There’s a value associated with having a strategy around better understanding data within our organization.”
And you can’t talk about technology without talking about cyber security. More than half of respondents say that understanding emerging risks, like cyber security, is an area in which the board could benefit from additional training. When asked about the category of risk that concerns them most, cyber security risk tops the list at 51 percent of responses, followed by compliance risk, at 43 percent, and operational risk, at 27 percent. News of the massive data security breach at Target Corp., announced in December 2013, was likely fresh on the minds of survey respondents.
“You have to prevent or mitigate somebody breaking into your inner sanctum, to your information,” says Agustin Abalo, a director with Coral Gables, Florida-based BAC Florida Bank, a $1.4-billion asset commercial bank. While not entirely preventable, banks can lessen the impact of cybercrime by having the risk controls in place. “It’s like a war. You have to keep fighting it and you have to have good people fighting it,” he says. “There’s always a risk, but that’s what we are in business for. Risk management is our business.”
ABOUT THE SURVEY
In January 2014, Bank Director surveyed 107 senior bank executives and independent directors of banks with more than $1 billion in assets, focusing on how these institutions govern risk, the challenges they face and the connection between risk management best practices and financial performance. The survey was conducted by email. Twenty-three percent of participants serve as the chief risk officer of the bank. Independent directors and chairmen account for 65 percent of responses, and of these, 57 percent serve on their institution’s risk committee. Most respondents, at 58 percent, represent a bank with less than $5 billion in assets, 24 percent a bank with between $5 billion and $10 billion in assets and 18 percent a bank with more than $10 billion in assets.