Conventional wisdom in banking has been that asset size matters in terms of regulatory expectations around enterprise risk management (ERM).
But that traditional school of thought might be changing. A new question has emerged: is it the institution’s asset size that matters, or is the complexity of the risk profile more important?
A common question at peer roundtables: what is a bank expected to do for ERM as it approaches the $10 billion asset threshold of a regional banking organization (RBO)? The Federal Reserve considers an RBO to have total consolidated assets between $10 billion and $50 billion.
The next question is typically whether regulatory expectations around the Comprehensive Capital Analysis and Review (CCAR) or Dodd-Frank Act Stress Test (DFAST) requirements have lessened because of recent reforms in Congress.
These are hot topics especially for banks below the $10 billion asset threshold, known as community bank organizations (CBO) by the Fed, because the cost of ERM implementation remains high.
Specific to CBOs between $2 billion and $5 billion in assets, regulatory agencies have been providing more prescriptive guidance and recommendations to upgrade and enhance ERM and model risk management frameworks consistent with existing regulatory guidance aimed at RBOs.
Examinations are more detailed, covering policies and procedures, personnel, risk appetite, risk assessment activities and board reporting. Examiners are pushing smaller banks to recognize the ERM value proposition because a keen risk awareness will inspire more informed decisions.
An effective ERM program starts with the risk culture necessary for appropriate governance of policies and procedures, risk awareness training, tone from the top and credible challenge. The culture should start with the CEO and the board establishing a proactive risk strategy and aligning the risk appetite of the bank with strategic planning.
Implementing an effective risk management program means understanding your bank’s risk profile and addressing matters proactively: having the discipline to identify emerging risks and to mitigate them before a risk event or loss occurs.
As banks approach $10 billion in assets, they are expected to increase the rigor around risk identification and assess risks for their likelihood and impact before identifying risk-mitigating controls.
A CBO should have a champion to effect change strategically throughout the organization, rather than treating ERM as a regulatory or audit check-the-box exercise. The risk management champion can be compared to an orchestra conductor, who does not need to do everyone else’s job but should be able to hear when someone is out of tune. Breaking down silos is key because risk management should be a continuous, collaborative process involving all stakeholders.
Regulatory expectations are converging as examiners push smaller banks to show a safe and sound risk management framework. This should encompass a separate board risk committee, or, at a minimum, a subcommittee responsible for ERM.
All banks have traditionally been expected to maintain appropriate risk management processes commensurate with their size and complexity and operate in a safe and sound manner.
The formality and documentation required is a new, evolving trend. Board and senior management oversight is important, as is risk monitoring and information system reporting. Board support is critical to understand risk areas, develop training programs and establish accountability among leadership and risk management team members.
Regulatory scrutiny for banks below $10 billion of assets has increased for ERM sub-processes, including model risk management, new products and services and third-party risk management.
We live in a post-CCAR world trending toward deregulation; however, the regulatory burden of risk management expectations for the smaller CBOs is increasing. Essentially, asset size does not matter anymore.
It’s not surprising that in the wake of the financial crisis, risk has become a much more important topic on bank boards. What’s more surprising is that it is still front and center, even as credit and economic conditions have remarkably improved.
As Bank Director hosts its Bank Audit & Risk Committees Conference in Chicago this week, risk still is top of mind for attendees and speakers. There are a few notable changes, though, during the past few years.
Five or six years ago, much of the talk for community bank boards was about starting an enterprise risk management system. Regulators were talking about it. Bank officers were talking about it. Boards were trying to figure out how to manage the bank’s various risks in a more integrated, comprehensive manner.
Now, enterprise risk management has plateaued at many banks, says Tim Kosiek, a certified public accountant and partner at Baker Tilly, an accounting and advisory firm. Fewer people are talking about it, or starting new programs. Many banks have already established ERM programs, especially those above $1 billion in assets.
“Bankers are not finding this showing up in the regulatory exams to the degree it was five or six years ago,” says Kosiek, mostly because credit conditions have improved.
ERM still has no set framework. There are no set guidelines from regulators that will tell you exactly how to set one up, or what the perfect ERM program looks like.
But as part of it, compared to four or five years ago, many more banks do have a risk appetite statement, and boards are discussing their risk tolerances for various types of risk, such as credit and compliance.
Challenges still remain. For example, it’s still tough for banks to ensure that their various divisions are sticking to the risk tolerances that have been established, Kosiek says. Also, not all banks have a comprehensive enterprise risk management program in place. The people in charge of risk in the organization don’t necessarily have their compensation clearly tied to their performance as risk officers, for example.
Still, despite those challenges, there are some areas where banks have made significant progress as a whole. In general, bank boards are much more likely to discuss cybersecurity risk. They want to learn about it, they want regular updates from bank management and they want to ensure their organizations have good defenses.
In Bank Director’s 2014 Risk Practices Survey, 51 percent of bank directors said cybersecurity was a top concern. In 2017, 85 percent did.
It’s no secret why they are worried. The reality that pretty much every bank is vulnerable has set in. Twenty-six percent of respondents to Bank Director’s 2017 Risk Practices Survey said their bank has experienced a data breach in the last two years.
It’s not just the risk but the difficulty getting a handle on the risk that is so vexing. Cyberattacks, with their constantly changing bad actors and tactics, are difficult to prepare for.
“[Bankers] have spent so much time on credit risk, which they can have an influence on,” Kosiek says. “In the cyber side, they just don’t have all the information.”
The topic is so high up on the board’s agenda, Bank Director digital magazine devoted an entire issue to cybersecurity.
While bank boards fretted over cybersecurity concerns during the last few years, they also had to get ready for one of the biggest accounting changes in decades, CECL, which stands for current expected credit loss standard. Basically, banks must start estimating losses for loans and other assets as soon as they acquire them for the life of the asset. CECL goes into effect for public banks’ fiscal years after Dec. 15, 2019 and for nonpublic banks a year later. Audit committees are overseeing the process.
For more information on preparing your bank for the standard, see The Audit & Risk issue.
All these changes are one reason the job of serving on an audit or risk committee is certainly one of the toughest on a bank board. Even as banks have watched their profitability and credit metrics improve in the last few years, the focus on risk coming out of the financial crisis has not gone away. It has only shifted.
Chief risk officers, risk committees and enterprise risk management—which go together like toast, eggs and ham—are still relatively new concepts in banking even though they have been mandated by the Federal Reserve Board since 2014 for institutions of a certain size. Banks with $10 billion in assets or greater are required to have an enterprise-wide risk committee, and banks above $50 billion must also have a chief risk officer. Union Bankshares Corp., a $7.8 billion asset institution headquartered in Richmond, Virginia, has all three. Under the leadership of Executive Vice President and Chief Risk Officer David G. Bilko, the holding company for Union Bank & Trust implemented its ERM program two years ago. Bilko is an enthusiastic supporter of an ERM approach, which he believes provides a clearer, more unified view of the bank’s risk profile than its previous approach, which tended to be fragmented. In an interview with Bank Director Editor in Chief Jack Milligan, Bilko talks about the challenges of implementing an ERM program, among other topics.
Define your role at Union. What are you responsible for? Bilko: In a nutshell, my responsibility can be boiled down to this: I own the design, implementation and governance of the enterprise risk management program.
We utilize the traditional three-lines-of-defense model. From a risk management perspective, the first line, which is the front line of the business units and support functions, really owns and is responsible for managing risk. The second line, which is the ERM function that I manage, provides the program, tools, standards and consistent practices that we use to help the first line in their risk management responsibilities. The third line of defense, which is the internal audit function, does the test work to ensure that those things are working properly.
How long has Union had an enterprise risk management program in place? What were some of the big challenges you had to deal with in terms of implementation? Bilko: We’ve had our ERM program fully in place for about two years now. It took us eight months or so to get the foundation laid and put the elements of the program in motion. We started with more of a top-down approach to make sure we had the right governance structure, the reporting structures to the board and executive management, set up. Concurrently, we implemented what I would call the bottom-up part of it, which is the grass-roots risk and control assessment process.
It takes time to get that into motion and by the latter half of 2014, we were finished, or at least established in a consistent fashion. We’ve just continued to build on it from there. It’s really a maturation process. It’s never over. You always have to continue to mature and get better at it.
In terms of challenges, one is awareness. In an organization such as ours, where risk management was more distributed across the organization, we were doing it but it was ad-hoc in nature and not tied together in a central program, or a consistent discipline across the organization.
You have to make people aware of what enterprise risk management is, and what it isn’t, and who’s doing what, and how it’s supposed to work, and what the governing principles are. The awareness piece of it is an educational process that takes time, and is a challenge, in terms of how you go about that.
Which also leads into another challenge, which is role clarity. I mentioned the three lines of defense; people need to know what is expected of them under the program.
ERM gives you a holistic view of risks throughout the enterprise. That sounds like something that’s good to have, but does it really, in a very tangible way, enable management and the board to control risk more effectively than when risk management was siloed—or as you put it, distributed—throughout the organization? Bilko: In my opinion, it does because it allows you to break down your risks into portfolios that receive very focused attention on a regular basis. There’s constant assessment and identification of risk that leads to control or mitigation, and it all rolls up into a risk profile at the portfolio category level, which would include such risks as credit, market, operational, strategic and reputation, that then can be consolidated into an aggregate portfolio for the institution. We provide quarterly updates on those risk portfolios as well as the aggregate risk profile, so that anything that needs to be addressed is addressed more quickly.
We’re able to get a more forward looking view rather than always looking behind us, which is more of the old way. This is much more dedicated to seeing the train coming at us rather than looking at it right after it’s run over us.
What advice would you give another bank that is starting down the path of ERM design and implementation, based on your experience? Bilko: First of all, there’s a ton of information and knowledge available today on ERM. You can find whatever you want just by searching the internet, not to mention all the consulting firms that offer advice on it. There’s no shortage of information.
I think the biggest thing you have to do is align the program with your culture. If you do something because it’s traditional, or best practice, but is counter to your culture, it’s going be way more difficult to implement.
One of the things that I focused on here was to make sure I understood our culture, so that we could implement or build a program that was aligned with that, recognizing that culture changes over time.
I also think it’s important to keep it simple so that it’s easier to create and to understand for the people who are involved in it.
What’s your reporting relationship with Union’s CEO, William Beale, and with the board of directors? How do you line up with both of them from a communication and accountability perspective? Bilko: I report directly to our CEO. He actually sits in the office right next to mine, and he keeps me close by. We talk a lot. He’s very inquisitive and very focused on ERM, and he uses me a lot as a sounding board on a lot of different risk and control issues.
The way we’re set up is, I have a direct reporting line into the CEO and a dotted line into the risk committee of the board. I kind of view it as a triangle: the CEO, the board’s risk committee and myself. We try to keep the triangle intact, and be very transparent with everything we’re doing. I think that’s a good way to do it. The risk committee is very involved in the oversight of the enterprise risk management program. Our CEO’s participation and interaction in my process allows us to be better and more effective in terms of governance reporting and actual practice.
Union has both an audit committee and a risk committee. How has the board divided up risk governance between the two, and how often, and in what way, do you communicate with both committees? Bilko: The risk committee of the board is charged with the oversight of enterprise risk management. All the elements of that program are under their umbrella, and we report on them. To draw the distinction between the risk and audit committees, I participate in the audit committee meetings just like our chief audit executive participates in our risk committee meetings. There is a lot of sharing going on there and a lot of interaction. I hear what the conversations are within the audit committee realm from a control perspective and risk mitigation perspective. In the same vein our chief audit executive hears that from the risk committee side. There’s a fairly deep connection there.
Additionally, our audit committee and risk committee have a joint meeting once a year where all the directors on those committees are in the same room and we build an agenda that reflects what the risk management program is doing and reporting on, as well as what the audit group is involved with and some of the significant issues that they’re reporting on.
And finally, we have two directors that are on both the audit committee and the risk committee, so there’s that cross-over that’s happening as well.
I wouldn’t characterize it as dividing up risk between the two committees. I would characterize it as more open and broader communication across the committees so that both are aware of what’s going on, what issues need to be discussed, elevated and acted on. The full board is getting the benefits of those reports from both committees, and they’re both in the know.
Regulation becomes much tougher when a bank crosses over the $10 billion asset threshold. My understanding is that the regulators don’t wait until you get there and then suddenly look at you differently. As you get closer to that magic number, they want to know where you’re going as an organization. They want to know what your growth plans are, they want to know where you think the bank might be in five years, and they want you to start building an infrastructure that is scalable and appropriate for a larger bank, even if you haven’t reached that point legally. Is that how it works, in your experience? Bilko: Yes. The way you described that is pretty spot on. The regulatory agencies, and our primary regulator is the Federal Reserve, want to understand your objectives, your strategies, and if those strategies are growth oriented. We have regular conversations with our counterparts at the Federal Reserve to keep abreast of those types of things and what we can expect. Clearly, it’s a matter of readiness and scalability. If you’re going to grow, you need to be ready to grow. When they talk about it, that boils down to infrastructure and processes that are capable of handling that growth dynamic. It’s something that we’ve certainly experienced over the last few years as we’ve continued to execute our growth strategy.
What do you think the greatest risk challenges are facing banks today, including Union? What do you worry about most? What would keep you up at night? Bilko: I get asked that question a lot, actually. I think what’s top-of-mind always, and it seems to be what we read about the most, is the risk associated with technology, vulnerability to data loss, information security, breaches, those sorts of things. We can play defense, but the bad guys are really good at playing offense, so our defense lags. We don’t consider ourselves necessarily to be a prime target, but the effort to keep our data protected is an ongoing imperative.
Process discipline has also become very important. Operationally, we want to be very sure that we have appropriately determined the risk around our processes, and that they are controlled adequately and are kept up to date. Typically, where you have gaps in your processes is where you have breakdowns.
I would summarize by saying that a lot of risk management is change management: adapting your risk practices to the constant changes that are occurring. We live in a rapidly changing world, both regulatory and otherwise, and we have to be able to adapt quickly.
What’s your professional background, and what path did you follow to become a chief risk officer? Bilko: I have spent my entire career in banking, at both big banks and small banks. I worked for a couple of years in retail banking, and then a couple of years in the support group for lending. But up until about the last six years, most of my career has been spent in internal audit. I have been involved with, or at least got to see and learn, just about every aspect of the business, and every area within the institution. It created a broad view for me of how things run and what makes these banking organizations tick.
Over the course of time, I was able to really understand all the different functions and businesses within [a banking] organization. Later on, I became more involved in the management and infrastructure of the company as chief audit executive. It was kind of a natural progression from the control world of internal audit to a broader enterprise-risk view.
Internal audit seemed to be a logical training ground for a chief risk officer because there’s probably no one who has a better view of the entire organization than the internal audit team. It’s their job to poke into everything. Are there other disciplines within the bank that could also be good training grounds for CROs? Bilko: I would say that beyond internal audit, there are certainly other skills that will add to the versatility. Technology, data management and data analytics are such a large part of what we do today, and will be going forward, so there’s a clear need for experience and background in utilizing data to better identify, understand and prevent risk incidents or events. The whole big data thing is important to translate well into the risk management world.
And it will never hurt to live for a little while in the credit space, particularly if you’re doing some credit analysis, or you’re supporting a lending activity, where you get to understand the underwriting criteria and loan portfolios.
Almost every banking survey I have seen in the last five years includes a question about the ways banks could improve non-interest fee income, and wealth management is the overwhelming number one response. Wealth management is fraught with increased regulation, execution risk, a lack of expertise and culture integration issues. However, it is a wonderful tool to build cross-selling opportunities, customer loyalty and fee income, if done correctly. What is the best direction to begin for a community bank? One of the best ways is to not reinvent the wheel, yet try to do something that differentiates you from others and is easy to implement. How about considering the 401(k) business? But before you decide to market 401(k)s, you might consider reviewing your own 401(k) program.
401(k)s have an inherent risk that many bankers haven’t considered and it is fast becoming a nationwide problem for those worried about Enterprise Risk Management.
Did you know there are 38 cases of ongoing lawsuits where employers are being sued by employees for issues related to employer-provided 401(k) programs? Did you know this includes employers such as The Boeing Co., Walmart Stores, Lockheed Martin as well as 401(k) providers like MassMutual Financial Group, which are being sued or have been sued by their own employees over 401(k) programs?
Do you know if your provider is or has been sued by its employees or others?
Do you know what your fiduciary risk is as a plan sponsor?
Do you know if your provider is a fiduciary or whether you, as a sponsor, bear that risk exclusively?
So what’s all the fuss about? 401(k)s have been around for about 40 years. Yet, providers have been more focused on making money and pushing product than providing the best portfolio and overall solutions for employers and their employees.
Most plans contain many issues:
Provider companies don’t act as a fiduciary alongside the employer plan sponsor.
There is no investment advisor fiduciary to assist the plan sponsor (i.e. the employer).
The provider is pushing its own funds, which represents a conflict of interest.
High fees look egregious, especially in a market that has a poor outlook for stocks, bonds and cash.
There is a lack of disclosure of all fees involved, although recent legislation is improving the level of disclosure.
Many plans offer poor structure and poor performance. Recent studies over the past 20 years show the average stock and bond mutual fund investor has under-performed the S&P 500 and the Barclays Aggregate U.S. Bond Index by a whopping 4 percent to 5 percent per year.
Even plans with stable value and target-date funds have issues of fees, structure and poor performance.
The recent Supreme Court ruling in May, 2015, requires plan sponsors to “monitor trust investments and remove imprudent ones. This continuing duty exists separate and apart from the trustee’s duty to exercise prudence in selecting investments at the outset.”
An independent review of your plan can have the following benefits for you:
Reduce enterprise risk management issues
Lower fees, improve structure
Improve performance
Lessen fiduciary risk exposure
Lessen other liability risk
Improve employee morale
Provide a competitive hiring edge
Satisfy ongoing monitoring obligations
Despite the risks, 401(k)s are a great way to enter or enhance wealth management divisions and add fee income to the bank. It’s a fairly easy way to compete, given that the industry is loaded with many poorly structured and under-performing 401(k) plans. We know many banks with large trust departments and wealth management businesses where 401(k) sales are the biggest profit center in that line of business. Designing a great 401(k) can help shape your employees’ future and make a long-lasting impact on their lives. Don’t settle for a mediocre plan when your employees and your customers’ employees deserve a really great plan that helps them meet their financial goals.
Do you want a chance to impact your employees’ well-being, reduce your enterprise risk, improve performance for employees, the bank and the bank’s customers? Consider learning more about 401(k)s.
Three significant events have altered expectations for capital plans. First, as of January 1, 2015, banks need to comply with the new Basel III capital requirements, including the new “capital conservation buffer.” Second, regulatory authorities now view strategic planning and capital planning as risk appetite and risk mitigation documents, respectively. Finally, the demise of the market for trust preferred securities has reduced the ability to raise just–in–time capital, which was a prevalent concept from 2005 to 2009.
Every board should ask the hard question of whether or not the depository institution has sufficient capital to (1) address Basel III regulatory requirements, (2) navigate the current economic environment, and (3) implement the desired strategic plan for the depository institution. If the answer is no, management should focus on how much capital is needed, and the board and management should determine the sources for funding those needs.
Even if you currently have a capital plan, it may not “chin the bar” with the regulators. Traditional two–page or five–page capital plans are falling short of what regulators expect to see in capital plans. Such plans are now becoming much more robust and are truly a management planning tool rather than simply something that is “nice to have.” A strong capital plan is a critical document, as it ensures that there is enough fuel to drive the bank’s strategic plan and ensures that there is adequate insurance against the bank’s risk profile. Every depository institution, even healthy depository institutions, should have a comprehensive capital plan that dovetails with its strategic plan and its enterprise risk management plan.
The regulatory agencies are clearly steering institutions away from the concept of just–in–time capital that resulted in many depository institutions finding trouble in 2008 and 2009. Some regulators have even hinted that a comprehensive capital plan may soon be an integral part of the safety and soundness examination process, perhaps showing up as an element in the capital or management component of the CAMELS–rating system. Some of our clients have already received questions in this regard in light of upcoming regulatory examinations, so it is likely a trend that will only continue to become more frequent and ultimately a requirement.
The breadth and depth of a comprehensive capital plan will, of course, depend on the risk profile of the depository institution. While there is no magic outline for a capital plan, almost all capital plans should have a few critical components: (a) background on the depository institution’s strategic plan, operations, economic environment and current capital situation, (b) tolerances and triggers, (c) alternatives for available capital, (d) perhaps a dividend policy and (e) financial projections.
The tolerances and triggers may be the most important part of the capital plan, as this is how the institution will avoid needing just–in–time capital. The tolerances and triggers operate as an early warning system to alert management that capital may become stressed in the near future. Careful planning should take place when deciding what the tolerances and triggers will be, as these are the key drivers in making the capital plan a true planning tool.
In summary, capital planning is an important, if not necessary, tool for any depository institution, regardless of condition. There is a growing sea change in how the regulators view the necessity of a capital plan, and a growing expectation that every depository institution have a viable capital plan. It is important to note, however, that there is no one–size–fits–all capital plan that can be pulled off of a shelf as a form document. Instead, the plan should be carefully considered and evaluated, either as part of the institution’s strategic plan or as a separate plan working in tandem with the strategic plan. Finally, after it is prepared, the capital plan cannot simply sit on the shelf, but should instead be treated as a living, breathing document that will need to be revised as the economic and regulatory environment, risk profile, strategic direction and capital resources available to the institution change over time.
Many community bankers assume that because of their size, there are limited benefits to implementing an enterprise risk management (ERM) process. Given the impact of the latest financial crisis, ERM programs offer several advantages for banks of all sizes. In this video, David Ruffin of Credit Risk Management, LLC, explains those benefits and what to avoid.
While there is a lot of understandable energy being spent by community bankers and advocates to waive various mandates for community banks coming out of the Dodd-Frank Act and the international capital rules Basel III, there is one concept, periodic stress testing, which must be embraced going forward. Although it is not required for banks under $10 billion in assets, stress testing is a crucial tool for banks of all sizes to manage assets and risks. Stress testing is really nothing to fear. It can be done inexpensively. It’s also an integral component of emerging enterprise risk management (ERM) practices at community banks. Here are five reasons why stress testing helps your bank:
Stress testing gives early warnings. No more important lesson was learned from the financial crisis than the need to move from chronicling the past to a more forward-focused, risk assessment mindset. Virtually everything about ERM is about looking to the future, and stress testing helps banks identify potential weak spots in product and collateral early. This enables management to be more proactive. Time is very much of the essence in reducing loan losses. And, through the use of unlikely hypotheticals, stress testing helps establish quantified boundaries of acceptable risk as well as quick, red-light indicators of possible near-term problems.
Stress testing ties traditional transactional credit risk to modern macro portfolio risk. Community banks are still struggling to grasp the benefits of macro portfolio management with its modeling and quantitative disciplines, still foreign to classic credit analysis and underwriting protocols. Stress testing is a perfect bridge between these two equally important credit risk management concepts. Trends emerging at the macro level can inform needed adjustments at the product offering and loan origination level.
Stress testing provides in-depth concentration management. Stress testing allows you to understand your product lines in a more intimate manner, both for embedded weaknesses and potential opportunities. It goes beyond the bluntness of raw concentration exposures to inform qualities of underwriting, portfolio growth, infrastructure, personnel, training and even pricing.
Stress testing documents the defense of strategic and capital initiatives. Stress testing is no longer just about a theoretical portfolio loan loss estimate in a vacuum. It has emerged as an important tool in strategic, capital, liquidity and contingency planning by incorporating the impact of potential outcomes during times of stress. Within ERM, it forces not elimination, but mitigation of risk. Given the increase in small bank consolidations, stress testing also provides one of the most informative tools in evaluating strategic M&A initiatives. For example, estimating a targeted loan portfolio’s credit mark can be a by-product of stress testing.
Stress testing engenders confidence in management. After reeling from the difficulties and distractions of the past five years, perhaps no benefit is greater than that of stress testing—along with ERM—imbuing bank boards and management with a legitimate sense that they are in command of their own destiny. As it validates the presence of effective planning and controls at community banks, early adopters of stress testing inevitably will improve regulatory and audit relationships. Bankers must get over the fear of being presented with negative data: unattended, problems almost always get worse. Even when stress tests point out weaknesses or a reduced capacity to withstand losses, it’s always better to have made those assessments on your own—and thus to have begun your own remediation strategies. Not many people are talking about it, but one provision of Dodd-Frank allows regulators to assign a potentially punitive supervisory assessment of capital beyond the broader increased levels prescribed in the law. If such an assessment occurs, you could presume regulators thought management was unaware of the full scope of the organization’s risks. Active use of periodic stress testing can help immunize a bank from such an unwanted perception.
Stress testing at community banks is as beneficial as it is at the larger banks. An advantage the smaller institutions have is their greater implementation flexibility, given these tools are not specifically prescribed at their level. As long as the approach is practical, documented, and rational, its effectiveness is in the eye of the beholder—perhaps a rare win for community banks.
If you have some experience with enterprise risk management (ERM) implementation and evaluation projects for community financial institutions, two things quickly become apparent: no two ERM processes are exactly the same, and very few institutions like to put their risk appetite down on paper. The common reason for the latter seems to be the fear of being restricted by formal documentation. Institutions seem to be fine with the idea that their risk appetite is inherent in the decisions they make, so why spend time on something that doesn’t really move the organization forward?
But we’ve all seen too recently and too frequently what the failure to properly manage risks can do to a financial institution. That’s why defining your risk appetite is the starting point for risk management: it gives you a common baseline for communicating across the organization and sets the tone for risk management throughout the bank. Without it, you’re just assuming everyone is on the same page when it comes to risk management. Can you afford to take this chance?
As with many things that present a challenge, it often comes down to where to start. Consider starting with a risk continuum, with “Accepting of Risk” on the left and “Not Accepting of Risk” on the right. Take the various risk events you’re reporting to the board (ideally somewhere between five and 15 events), and plot them on the continuum by asking yourself, “How willing am I to accept the risk related to each event?” Are you more or less accepting of the risk of losing customers for not having the technological capabilities of larger institutions? Are you more or less accepting of concentrations in construction loans of a certain type in a certain area? New products? Loss of executive management? Regulatory violations? An untested disaster recovery plan?
As you plot all these critical risks, the ones furthest to the right on the continuum (the Not Accepting of Risk side) are essentially what defines your organization. If you take those risks and incorporate them into a general statement such as the following, you’ve essentially defined your risk appetite:
“The bank operates within a low overall risk range. Its lowest risk appetites relate to credit risk and concentrations in construction loans. The bank has a marginally higher risk appetite toward its strategic goals, including developing new products and implementing new customer-facing technologies. This means reducing to reasonably practical levels the risks originating from construction lending will take priority over our other strategic goals.”
That’s all you need to do to get a risk appetite started. Your risk appetite really should be general in nature to start and should be thought of as the overarching guidance for the whole organization. As you continue to reevaluate and redefine your appetite, you can become more precise if needed. From this risk appetite, you can develop more defined and specific risk appetites as you move down the organization—perhaps even better, you can develop risk tolerances.
There’s often confusion between the terms risk appetite and risk tolerance. Keep it very simple and think of risk tolerances as the metrics that often coincide with the strategic metrics, such as establishing a level of nonperforming loans to total loans that shouldn’t be exceeded. The appetite guides the tolerances, and the tolerances are consistent with the goals of the bank. The tolerances can in turn be used to establish triggers that fire as you approach each tolerance, so that corrective actions can be taken proactively.
Don’t commingle risk tolerances in your risk appetite. Remember to keep your risk appetite overarching and allow the risk tolerances to be specific to the various established risk areas (for example, strategic, credit, interest rate, liquidity, reputation, operational, compliance and legal risks).
Also, don’t overcomplicate the process of defining your risk appetite. Leverage the ERM work you’ve already completed and think general in nature. By doing this, you’ll find that your risk appetite statement can provide the overarching guidance needed—without being restrictive to your institution.
It may not be a surprise to most bankers, but keeping up with regulatory changes was cited as a top risk management challenge by 72 percent of risk officers and 69 percent of bank board members in a recent survey conducted by Bank Director and Wolters Kluwer Financial Services, a consulting firm focused on risk management and regulatory compliance.
“If you take a look at just what happened in the month of January with the regulations that [the] CFPB [Consumer Financial Protection Bureau] issued,” says Timothy Burniston, vice president and senior director of the risk and compliance consulting practice at Wolters Kluwer, “there were a number of separate rulemakings that were released in final form that are going to have an effect on institutions.”
The 2013 Risk Practices Survey was completed by a group of risk officers and board members at banks over $5 billion in assets through January of this year.
Sixty-one percent of risk officers and 41 percent of directors also revealed that maintaining the technology and data structure to support risk decision-making is a challenge. “The sustainability of the technology products that exist in the marketplace is not very high,” says John Fleshood, executive vice president, risk management at $17.5-billion asset Wintrust Financial Corp., a financial services holding company headquartered in Rosemont, Illinois.
Ninety percent of risk officers and 75 percent of directors reported that their banks either have or are in the process of creating an enterprise risk management program. Fifty-six percent of risk officers and 38 percent of directors cited regulatory requirements as one of the primary reasons their bank invested in an enterprise risk management program.
The top reason cited by risk officers for this investment, at 61 percent, was to ensure consistent, solid performance.
Directors seem more concerned with ensuring success of the bank’s strategic direction (50 percent) and developing a governance system that sets the tone from the top (41 percent). “As a director, that’s the kind of view of the organization that I would want to have,” says Burniston. “I would want to make sure that I understand what’s going on in every critical area that presents risk to my institution, and for management to be in a position to explain the interconnectivity, the relationships between those risks, [and] how the organization holistically is taking a look at it.”
When asked about the biggest challenges in supporting an enterprise risk management program, 61 percent of risk officers cited collecting, analyzing and reporting risk data as a top concern. Fifty percent cited creation of a risk culture, in which employees are motivated to own and manage risk, as a key concern. “Ultimately what you want from a risk management program is that you have [everyone in] your organization thinking about risk in their daily job and how it affects their daily job,” says Phil Gaglia, chief risk officer of First Interstate BancSystem Inc., a $7-billion financial holding company based in Billings, Montana.
When asked about specific risk categories, operational risk is the top concern of both risk officers, at 83 percent, and directors, at 56 percent. Christina Speh, director of new markets and compliance strategy in the risk and consulting practice at Wolters Kluwer, is glad to see this focus on operational risk, as it was not a focus for banks in the past but caused a lot of problems in the industry over the last several years. The breakdown in the mortgage industry was a breakdown on the operational side, says Speh. “The compliance processes had been set, and the financial requirements were being followed; what happened was a breakdown in the operations,” she says, “and many of the settlement requirements required the operational breakdowns to be fixed.”
Despite the challenges, both directors and risk officers expressed a high level of confidence in their bank’s ability to manage risk across all lines of business, with 91 percent of directors and 89 percent of risk officers identifying themselves as very confident or confident. None of the respondents expressed a negative view on their bank’s ability to manage risk. When directors were asked to rate the bank management team’s ability to identify, manage and control potential risks to the bank, 91 percent of directors rated their management team’s work in this area as excellent or good.
As to the board’s role in risk management, risk officers appear to be fairly confident in the abilities of their directors. Eighty-three percent of risk officers rated their board’s ability to understand and interpret risk data as excellent or good. Perhaps this confidence level is understandable, as both groups indicate that, over the last three years, boards are devoting more time to risk management issues, with all risk officers and 91 percent of directors reporting an increase. Pressure on banks brought about by regulatory changes as well as other issues has caused risk management to get more board-level attention. “The attention to risk management has been fairly high even preceding the financial crisis, but we learned a lot of things going through that process,” says James Bork, senior banking compliance analyst at Wolters Kluwer. Regulatory change has been a part of that education. “I think it has raised awareness on the part of directors to the many ways that risk can infiltrate an organization,” he says.
“[Directors are] asking questions that they weren’t asking several years ago,” says Burniston, “which shows that they are definitely tuned in to the need to make sure that they’re on top of risk in their institutions.”
ABOUT THE SURVEY RESPONDENTS
Bank Director surveyed, in January, risk officers and members of the boards of directors of banks with $5 billion or more in assets, using two similar but separate surveys. Nineteen respondents were risk officers and 32 were directors.
How should your bank’s compliance program adapt to the new demands of the Consumer Financial Protection Bureau? In this video, Wolters Kluwer’s Christina Speh offers some best practices for creating a customer-centric compliance program and implementing it from the top down.
Highlights include:
Creating a culture of compliance
Preparing for the change—shifts in standards and practices