Chief risk officers, risk committees and enterprise risk management—which go together like toast, eggs and ham—are still relatively new concepts in banking even though they have been mandated by the Federal Reserve Board since 2014 for institutions of a certain size. Banks with $10 billion in assets or greater are required to have an enterprise-wide risk committee, and banks above $50 billion must also have a chief risk officer. Union Bankshares Corp., a $7.8 billion asset institution headquartered in Richmond, Virginia, has all three. Under the leadership of Executive Vice President and Chief Risk Officer David G. Bilko, the holding company for Union Bank & Trust implemented its ERM program two years ago. Bilko is an enthusiastic supporter of an ERM approach, which he believes provides a clearer, more unified view of the bank’s risk profile than its previous approach, which tended to be fragmented. In an interview with Bank Director Editor in Chief Jack Milligan, Bilko talks about the challenges of implementing an ERM program, among other topics.
Define your role at Union. What are you responsible for?
Bilko: In a nutshell, my responsibility can be boiled down to this: I own the design, implementation and governance of the enterprise risk management program.
We utilize the traditional three-lines-of-defense model. From a risk management perspective, the first line, which is the front line of the business units and support functions, really owns and is responsible for managing risk. The second line, which is the ERM function that I manage, provides the program, tools, standards and consistent practices that we use to help the first line in their risk management responsibilities. The third line of defense, which is the internal audit function, does the test work to ensure that those things are working properly.
How long has Union had an enterprise risk management program in place? What were some of the big challenges you had to deal with in terms of implementation?
Bilko: We’ve had our ERM program fully in place for about two years now. It took us eight months or so to get the foundation laid and put the elements of the program in motion. We started with more of a top-down approach to make sure we had the right governance structure (the reporting structures to the board and executive management) set up. Concurrently, we implemented what I would call the bottom-up part of it, which is the grass-roots risk and control assessment process.
It takes time to get that into motion and by the latter half of 2014, we were finished, or at least established in a consistent fashion. We’ve just continued to build on it from there. It’s really a maturation process. It’s never over. You always have to continue to mature and get better at it.
In terms of challenges, one is awareness. In an organization such as ours, where risk management was more distributed across the organization, we were doing it but it was ad-hoc in nature and not tied together in a central program, or a consistent discipline across the organization.
You have to make people aware of what enterprise risk management is, and what it isn’t, and who’s doing what, and how it’s supposed to work, and what the governing principles are. The awareness piece of it is an educational process that takes time, and is a challenge, in terms of how you go about that.
Which also leads into another challenge, which is role clarity. I mentioned the three lines of defense; people need to know what is expected of them under the program.
ERM gives you a holistic view of risks throughout the enterprise. That sounds like something that’s good to have, but does it really, in a very tangible way, enable management and the board to control risk more effectively than when risk management was siloed—or as you put it, distributed—throughout the organization?
Bilko: In my opinion, it does because it allows you to break down your risks into portfolios that receive very focused attention on a regular basis. There’s constant assessment and identification of risk that leads to control or mitigation, and it all rolls up into a risk profile at the portfolio category level, which would include such risks as credit, market, operational, strategic and reputation, that then can be consolidated into an aggregate portfolio for the institution. We provide quarterly updates on those risk portfolios as well as the aggregate risk profile, so that anything that needs to be addressed is addressed more quickly.
We’re able to get a more forward looking view rather than always looking behind us, which is more of the old way. This is much more dedicated to seeing the train coming at us rather than looking at it right after it’s run over us.
What advice would you give another bank that is starting down the path of ERM design and implementation, based on your experience?
Bilko: First of all, there’s a ton of information and knowledge available today on ERM. You can find whatever you want just by searching the internet, not to mention all the consulting firms that offer advice on it. There’s no shortage of information.
I think the biggest thing you have to do is align the program with your culture. If you do something because it’s traditional, or best practice, but is counter to your culture, it’s going be way more difficult to implement.
One of the things that I focused on here was to make sure I understood our culture, so that we could implement or build a program that was aligned with that, recognizing that culture changes over time.
I also think it’s important to keep it simple so that it’s easier to create and to understand for the people who are involved in it.
What’s your reporting relationship with Union’s CEO, William Beale, and with the board of directors? How do you line up with both of them from a communication and accountability perspective?
Bilko: I report directly to our CEO. He actually sits in the office right next to mine, and he keeps me close by. We talk a lot. He’s very inquisitive and very focused on ERM, and he uses me a lot as a sounding board on a lot of different risk and control issues.
The way we’re set up is, I have a direct reporting line into the CEO and a dotted line into the risk committee of the board. I kind of view it as a triangle: the CEO, the board’s risk committee and myself. We try to keep the triangle intact, and be very transparent with everything we’re doing. I think that’s a good way to do it. The risk committee is very involved in the oversight of the enterprise risk management program. Our CEO’s participation and interaction in my process allows us to be better and more effective in terms of governance reporting and actual practice.
Union has both an audit committee and a risk committee. How has the board divided up risk governance between the two, and how often, and in what way, do you communicate with both committees?
Bilko: The risk committee of the board is charged with the oversight of enterprise risk management. All the elements of that program are under their umbrella, and we report on them. To draw the distinction between the risk and audit committees, I participate in the audit committee meetings just like our chief audit executive participates in our risk committee meetings. There is a lot of sharing going on there and a lot of interaction. I hear what the conversations are within the audit committee realm from a control perspective and risk mitigation perspective. In the same vein our chief audit executive hears that from the risk committee side. There’s a fairly deep connection there.
Additionally, our audit committee and risk committee have a joint meeting once a year where all the directors on those committees are in the same room and we build an agenda that reflects what the risk management program is doing and reporting on, as well as what the audit group is involved with and some of the significant issues that they’re reporting on.
And finally, we have two directors that are on both the audit committee and the risk committee, so there’s that cross-over that’s happening as well.
I wouldn’t characterize it as dividing up risk between the two committees. I would characterize it as more open and broader communication across the committees so that both are aware of what’s going on, what issues need to be discussed, elevated and acted on. The full board is getting the benefits of those reports from both committees, and they’re both in the know.
Regulation becomes much tougher when a bank crosses over the $10 billion asset threshold. My understanding is that the regulators don’t wait until you get there and then suddenly look at you differently. As you get closer to that magic number, they want to know where you’re going as an organization. They want to know what your growth plans are, they want to know where you think the bank might be in five years, and they want you to start building an infrastructure that is scalable and appropriate for a larger bank, even if you haven’t reached that point legally. Is that how it works, in your experience?
Bilko: Yes. The way you described that is pretty spot on. The regulatory agencies, and our primary regulator is the Federal Reserve, want to understand your objectives, your strategies, and if those strategies are growth oriented. We have regular conversations with our counterparts at the Federal Reserve to keep abreast of those types of things and what we can expect. Clearly, it’s a matter of readiness and scalability. If you’re going to grow, you need to be ready to grow. When they talk about it, that boils down to infrastructure and processes that are capable of handling that growth dynamic. It’s something that we’ve certainly experienced over the last few years as we’ve continued to execute our growth strategy.
What do you think that the greatest risk challenges are facing banks today, including Union? What do you worry about most? What would keep you up at night?
Bilko: I get asked that question a lot, actually. I think what’s top-of-mind always, and it seems to be what we read about the most, is the risk associated with technology, vulnerability to data loss, information security, breaches, those sorts of things. We can play defense, but the bad guys are really good at playing offense, so our defense lags. We don’t consider ourselves necessarily to be a prime target, but the effort to keep our data protected is an ongoing imperative.
Process discipline has also become very important. Operationally, we want to be very sure that we have appropriately determined the risk around our processes, and that they are controlled adequately and are kept up to date. Typically, where you have gaps in your processes is where you have breakdowns.
I would summarize by saying that a lot of risk management is change management: adapting your risk practices to the constant changes that are occurring. We live in a rapidly changing world, both regulatory and otherwise, and we have to be able to adapt quickly.
What’s your professional background, and what path did you follow to become a chief risk officer?
Bilko: I have spent my entire career in banking, at both big banks and small banks. I worked for a couple years in retail banking, and then a couple of years in the support group for lending. But up until about the last six years, most of my career has been spent in internal audit. I have been involved with, or at least got to see and learn, just about every aspect of the business, and every area within the institution. It created a broad view for me, of how things run and what makes these banking organizations tick.
Over the course of time, I was able to really understand all the different functions and businesses within [a banking] organization. Later on, I became more involved in the management and infrastructure of the company as chief audit executive. It was kind of a natural progression from the control world of internal audit to a broader enterprise-risk view.
Internal audit seemed to be a logical training ground for a chief risk officer because there’s probably no one who has a better view of the entire organization than the internal audit team. It’s their job to poke into everything. Are there other disciplines within the bank that could also be good training ground for CROs?
Bilko: I would say that beyond internal audit, there’s certainly other skills that will add to the versatility. Technology, data management and data analytics are such a large part of what we do today, and will be going forward, so there’s a clear need for experience and background in utilizing data to better identify, understand and prevent risk incidents or events. The whole big data thing is important to translate well into the risk management world.
And it will never hurt to live for a little while in the credit space, particularly if you’re doing some credit analysis, or you’re supporting a lending activity, where you get to understand the underwriting criteria and loan portfolios.