What We Learned About Controlling Risk

For the past year, directors at U.S. banks and thrifts have been grappling with their new responsibilities in overseeing and controlling risk. The Dodd-Frank Act significantly increases the compliance requirements of banks and imposes operational and financial restrictions that materially change how banks will be permitted to compete. Dodd-Frank makes it clear that boards need to play a greater role in improving risk policies, controls and systems.

Bank boards will have a larger role, and likewise greater liability, for risk management. This role will need to evolve, reflecting the complexity in the financial system today and the changing demands that will be voiced by regulators, investors and debt holders. The challenge for bank boards is immense and many are not up to the task. Traditional audit committee processes, although important, are not designed to consider this complexity of how risks evolve, interrelate and affect the institution. This is not a problem for big banks only. As demonstrated in the downturn, smaller banks, including community banks, are subject to the same events as larger banks, but have fewer resources to draw on.

The interconnections and dependencies that were exposed in the financial crisis highlighted how difficult it will be to stop the spread of future problems and how vigilant directors must be at effectively discharging their responsibilities. The potential for a major market like mortgages to implode and spread financial contagion across the global network of banking institutions is now well established. The likelihood of other such cascading scenarios is great, making the board’s risk management role a critical and very visible line of defense.

To achieve effective risk management governance, board members of financial institutions must be able to answer the following questions: What can be learned regarding risk from the downturn? What are the effects of the regulatory response on individual institutions? And, most importantly, what should be the board’s role in risk management going forward?

Looking back, many financial professionals and market observers were well aware that there was a bubble building up in residential real estate. Prices were moving up rapidly, investors were actively buying and selling properties, and there was overbuilding in many markets. Individuals were taking on greater leverage and banks were supporting this by allowing for little or no equity in the mortgages that they were underwriting.

Indeed, an overheated real estate market and a potential drop in the subprime market were factored into many institutions’ risk decisions and risk models. What was not appreciated was the cascading effect of problems in subprime working their way into other sectors of the market. Banks that were aggressive in the subprime market were the first to suffer. The first wave of subprime defaults resulted in foreclosures on these homes which were then brought to market as distressed properties. This, in turn, resulted in a further drop in market values of residential real estate, which affected the next tier of mortgage borrowers, eventually working through Alt-A and into prime mortgage borrowers. The fallout from this sequence was a severe drop in building, increased joblessness and mounting losses in credit card, personal loan and small business portfolios.

Rarely does the proximate event result in the largest losses. Like a tsunami, it’s the secondary and tertiary ripple effects that cause the greatest harm. Hence, many banks with limited subprime exposures in 2007 suffered significant losses in their other mortgage, small business and consumer credit portfolios as a result of the contagion.

The lack of preparation for the rapid decline of the subprime market illustrates one of the core issues within risk measurement. Risk has historically been addressed product silo by product silo. However, as is all too apparent, risk does not respect silo boundaries. When there is a shock to the economy, we relearn that the models that function well in stable markets often are fundamentally flawed in highly turbulent markets. There are two primary reasons for this weakness. First, most models do not effectively incorporate changes in the relationship of different economic and market factors caused by a shock. For example, in a stable economy, equity and bond prices tend to move rather independently, but in a stressed economy, their prices typically move in closer alignment. Second, most models do not capture the cascade effect from an initial risk event. When subprime mortgage portfolios collapsed, the losses cascaded into other portfolios to a much greater degree than these models projected.

Globally, regulators have responded to this downturn by revamping rules on risk that have been in place for more than a decade, and have developed new compliance requirements to which the banks must adhere.

The Bank for International Settlements in Basel, Switzerland (the global body formulating international rules for risk measurement and management) acted quickly by adding to its Basel II capital guidelines the next generation of global risk guidelines, logically named Basel III. Basel III increases capital requirements by limiting what qualifies as Tier I capital and increases the minimum amount of this capital that must be held. In addition, it adds a “capital conservation buffer” to be drawn from in periods of stress. Separately, a non-risk-based leverage requirement was established to ensure that banks always have sufficient capital against assets, even when those assets are perceived as low risk. These and other changes to capital and capital requirements, particularly for derivatives, are designed to counteract the worst effects of the recent and future downturns.

Basel III also establishes a set of new rules regarding liquidity in recognition that liquidity is a separate and independent financial resource from capital. That is, banks have two stockpiles of financial resources that they hold for periods of stress: capital and liquidity. The new liquidity rules require banks to hold a minimum of liquid assets that can be used to offset cash outflows that are experienced during stress periods.

Banks will now have very specific requirements that define the amount of liquid assets that must be held against specific types and levels of cash outflows. This does two things: First, for most banks, it increases the amount of high-quality and, hence, low-yielding assets on bank balance sheets. Second, by defining by type of account how much liquidity must be held, the rules have changed the economics of many businesses. Most retail deposits will not require significant levels of liquid assets to be held, while most corporate and financial institution deposits will have to be almost entirely offset with liquid assets.

In total, Basel III establishes a new norm for capital and liquidity requirements that must be incorporated into the design of risk models and risk management processes in banks. Importantly, U.S. regulators have been applying global standards for risk management to a broader group of banks than what is required by these international standards. Basel II rules that are applicable to large, internationally-active banks are being applied in many ways to banks that don’t fall into this category. However, the stated intention is still to apply risk management standards commensurate with the size and complexity of the institution being evaluated.

Congress responded to the financial crisis by rapidly passing the most significant financial industry legislation since the Depression-era Glass-Steagall Act. Dodd-Frank already has been on board agendas frequently and its aftermath of regulations will likely be driving those agendas for at least the next 18 months.

While Dodd-Frank covers a wide range of issues, there are two risk themes embedded in the act that boards should keep in mind as they enter 2012. First, regulators have been given the authority and resources to develop forward-looking perspectives on the risks in individual banks, as well as for systemic risks to the financial industry. The axis of this power resides in the newly-formed Office of Financial Research (OFR). This office is charged with gathering and interpreting detailed bank portfolio information to develop views of the level of and trends in risks within the system. With an effectively unlimited budget to do its job, OFR is systematically gathering transaction-level data on credit risk within the system and will soon have unprecedented insight into the state of financial institutions.

Second, there is a strong emphasis on regulators having the tools and the authority to take preemptive action. This emphasis is evident in the newly-formed Financial Stability Oversight Council, whose purpose, according to language in Dodd-Frank, is to “identify risks to the financial stability of the United States…to promote market discipline by eliminating expectations on the part of shareholders, creditors, and counterparties of such companies that the Government will shield them from losses in the event of failure…to respond to emerging threats to the stability of the United States financial system.” In other words, the regulators have been given the authority to take preemptive action before the effects of risks are seen, and these actions can be in response to evidence of systemic risk building up that warrants actions affecting all institutions, whether or not those risks are outsized in any particular institution.

The implication of these two themes is that regulators will have better information to evaluate and anticipate risks and the authority to take action to mitigate those risks. Banks will need to retool their risk measurement and management capabilities to be forward looking and aligned with their regulators. Both bankers and regulators will be talking a new language of potential risks and actions to mitigate losses and exposures before they occur. Boards must learn this language and have available to them the critical information to ensure compliance.

The regulatory requirements are resulting in changes to board committee roles, responsibilities and composition. At the same time, there also are near-term challenges the banks will be facing as the higher capital and liquidity requirements drain the profitability of various business lines and significantly change their profit dynamics. These changes are likely to cause major alterations to the businesses that many banks pursue.

Within this context, the board has four primary roles in risk management: 1) set the risk appetite of the institution, 2) establish suitable risk limits, 3) monitor compliance with risk limits and 4) ensure that internal processes are effective and consistent with the risk management requirements of the institution.

Set the risk appetite.

Among the board’s most important responsibilities is establishing the institution’s risk tolerance. The board must set the risk policy, defining the level and types of risk that are suitable and consistent with the bank’s strategy, capabilities and resources. It must balance the need to preserve capital, maintain liquidity and minimize losses with the exposure necessary to earn an appropriate level of return. The challenge for boards is to help management determine the right total amount and composition of risk for the institution.

The board must determine how the institution’s strategy relates to the type and level of risk it takes on. For example, a retail-bank focused strategy primarily results in credit risks associated with consumer and small business lending, real estate and other collateralized asset risks. The board’s job is to determine the risk tolerance to defaults and to asset values. To do so, the board would seek to understand how these risks relate to each other, and how much potential loss the bank faces under various economic scenarios.

As importantly, the board should determine what risks are inappropriate to the strategy. The retail bank strategy described above should not require a significant market risk exposure. If there is a significant component of market risk, then management is either attempting to supplement core strategy returns or is pursuing a separate strategy that results in significant market risk. The board must be able to discern the difference between these two reasons for market risk and determine the appropriateness of each.

Ultimately, the board must be able to develop an independent perspective on these risks in order to provide an effective counterpoint to management.

Establish suitable risk limits.

Once a risk policy is established, risk limits must be set across the institution, by risk class, type and business line.

Some types of risk are relatively easy to identify, size and set meaningful limits for. As an example, credit and market risks are regularly measured and reported during normal business operations, and the organization is typically well versed in working with risk standards and limits in these areas. At the same time, all of these risks are embedded in transactions that were not explicitly created to take a credit or market position. Credit risk, for instance, can be found in loan portfolios, investment portfolios, vendor arrangements and insurance contracts, among others. The bank must be able to identify the collective credit risk of these sources as well as consistently measure the risk from each. Market risk is embedded in investment portfolios, but also in loan portfolio valuations for securitizations or as collateral, and in embedded optionality (e.g. a bond that gives the issuer the option to call the bond early or convert it into equity), which affects the overall asset/liability position.

Measuring and setting limits for operational and liquidity risks are more complex, yet they can cause severe damage to a bank. Two well-known forms of operational risk are model risk and rogue trader risk. Both of these are outgrowths of natural business activities of a bank and both require a combination of process evaluation and ongoing oversight. And while a regulatory framework has recently been established for liquidity risk, the actual calibrations of the framework remain uncertain, and are still actively in debate worldwide.

In establishing risk limits, the board should frame the issues in terms of the two primary warehouses of financial protection that financial institutions hold: capital and liquidity. The Bank for International Settlements makes the point on capital and liquidity by establishing separate regulatory requirements for these resources. Historically, capital was subject to regulation, but in recognition of the effects of liquidity on financial institutions in the recent downturn, new liquidity requirements have been established. This reinforces the point on interrelationships of markets, institutions and risks in today’s global economy.

Monitor compliance.

With these definitions and limits in place, management and boards must find ways to communicate in a clear and concise way. Management must report to the board the specific measures of compliance, along with supporting information that provides insight as to how risks are evolving and what types of risk events could occur in stressed environments. One of the most valuable initiatives management can undertake is to formulate the reporting structures and information that permit the board to effectively monitor the risks and maintain effective control.

Ensure effective internal processes.

As important as process management is to the success of the institution, it is often overlooked by the board and relegated to lower levels in the organization. While there is a wide range of processes, few are as important to risk management as those related to compensation, compliance and clout.

The board should have a strong hand in setting the compensation principles of the institution and how those principles affect the size and types of risk being taken. As Dodd-Frank recognizes, people tend to do what you pay them to do. In the case of incentive compensation, if there is limited downside to aggressive risk-taking and significant upside, there is very little question what will happen.

This logic carries through to other roles within the institution and requires thoughtful balancing of risk concerns with the strategic objectives of the institution and the realities of doing business. Senior managers in credit businesses compensated on volume are going to behave differently than those compensated on risk-adjusted return. Most likely the former will be pushing to the edge of their credit limits while the latter will be working with the risk team to find ways to get greater return from their business while lowering the risk content.

Another area where alignment is often challenged is in systems and process support. Sarbanes-Oxley went a long way in raising visibility of this issue and in establishing compliance processes, but it does not obviate the need for active board involvement and oversight of how systems and process infrastructure affect risk.

Infrastructure oversight is particularly important in periods of rapid growth or significant cost cutting. Rapid growth businesses are routinely given outsized influence in recognition of their success, which often results in a tendency to ease up on compliance. Unfortunately, it is an axiom that the most successful businesses are the ones that amass the greatest power, and ultimately create the most significant risk to the institution. Conversely, cost cutting presents the challenge of near-term earnings benefit, potentially creating increased long-term risk exposure by removing or not implementing “costly” checks and balances. New capabilities that reduce long-term risks, but also have near-term costs, are difficult to get funded in cost reduction periods.

The board has the ultimate responsibility for risk in the organization and must ensure that the processes in place are sufficient and effective under all conditions.

All banks are functioning in a highly complex and interconnected environment. As demonstrated in the recent downturn, problems that were assumed to be contained in one sector cascaded into other markets and portfolios, which caused much greater damage than was contemplated by most banks for even the most severe scenarios. Bank risk measurement and management processes fell far short of envisioning the breadth and depth of the downturn. Taken together, traditional banking risks combined with a highly-leveraged and intertwined economy make for complex business risks. To contend with this environment, banks must pair sound fundamental capabilities with the capacity and culture to convert their capabilities into strong strategic decisions.

For these reasons, the board’s role in risk management has been and continues to be critical to the long-term value of the institution. Bank boards must be intimately familiar with risk management issues affecting the institution, and ensure that they have the tools to anticipate and control the effects of internal and external risk factors. Doing so requires a highly disciplined and effective framework. Few boards fully meet this standard, making future enhancements critical to their effectiveness. In short, bank boards have a very busy future in risk management, and potentially can have a very significant effect on the success, or failure, of their institutions.

Steve Turner
