Banking industry Hot Topics - Forum in New Orleans
Banking industry hot topics

Highlights from the ABA Risk Management Forum in New Orleans: Enterprise risk management – Understanding risk in today’s complex banking environment

Grant Thornton LLP sponsored a panel discussion on enterprise risk management (ERM) at the annual conference of the American Bankers Association (ABA) — the ABA Risk Management Forum — held in New Orleans in May 2012. The panelists included three of Grant Thornton’s ERM specialists:

• Steve Goldberg, Financial Services Advisory Principal
• Tariq Mirza, Bank Regulatory National Managing Director
• Erin Morrow, Financial Services Advisory Principal

Given the immense uncertainty in the market and growing demands from the enactment of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank) and from shareholders and customers, organizations face an environment of increased scrutiny on their ERM process and its role within their company. Despite this renewed awareness of ERM, many are still struggling to implement it successfully. Some organizations don’t fully understand the value of ERM, while others may have conducted a risk assessment but have not followed up on it, and still others simply don’t know where to begin. During this forum, our panelists discussed the value of ERM, the view of ERM from a regulatory perspective, and practical tips for understanding ERM and implementing it in your organization.

I. Value of enterprise risk management
Presented by Steve Goldberg

Steve Goldberg has more than 25 years of business experience, including 20 years in financial services as an industry executive and management consultant. He has a strong focus on business strategy and operations, including risk management and business performance improvement.

What is the value of ERM?

A recent survey of 3,000 banks, conducted by Grant Thornton LLP and Bank Director, found that 34 percent of respondents believed they would need to hire additional staff to meet the requirements of Dodd-Frank, and 21 percent believed their firms would need to hire an outside advisor, given that some of the provisions are one-time events. Nearly half of respondents think the overall financial reform will not be effective at all in detecting the broad risks to the financial system. Others believe that key elements of Dodd-Frank could be repealed, given the upcoming elections and resistance from Congress.

These responses raise the question: What is the value of ERM? Given that the Federal Reserve Board (the FRB) and the SEC are moving forward with Dodd-Frank and expect to finalize the rules and regulations by the summer or fall of 2012, there is distinct value in implementing an ERM program.

Historically, companies have viewed risks in “silos,” with each silo representing a specific risk. Companies would analyze and develop strategies for each risk. The goal of ERM is to take a holistic approach and develop an overall strategy for managing risk across the organization. ERM improves the likelihood of success in the strategic planning process. It also prevents or reduces high-impact risks for the organization and enables it to make timely and informed decisions, with the ability to understand individual risks and how they affect the organization. In the current environment, regulators are looking for a culture of compliance within financial organizations; ERM establishes a culture of transparency and accountability across the organization. Finally, ERM prioritizes the allocation of resources to the most significant risks. Performing a structured risk assessment allows the organization to identify the areas that require the most attention and investment.
What are the current drivers of ERM in the banking industry?

Banking regulators, board members and bank management are all driving the renewed emphasis on ERM. Banking regulators have increased their focus on broad risk management in their exams, including expectations of board and management oversight, and links to internal audit. Board members’ accountability has increased in the wake of the financial crisis; therefore, they are requesting risk updates and risk monitoring tools. Bank management teams are also looking for tools to make the process easier and give them much earlier warning of risk events, such as stress testing.

II. Regulatory perspective
Presented by Tariq Mirza

Prior to joining Grant Thornton, Tariq Mirza spent over 20 years with the Federal Deposit Insurance Corporation (FDIC) in various roles. Most recently, he served as senior advisor under former FDIC Chairman Sheila Bair, providing technical advice on a wide range of banking and regulatory issues. He spoke about ERM from the perspective of a former regulator.

With the implementation of Dodd-Frank, regulators are also holding themselves to the same standards to which they hold financial institutions. In fact, the FDIC recently appointed its own chief risk officer. Some regulators from other agencies are looking to do the same, indicating that regulators are also looking at ERM within their own organizations. According to Mirza, regulators are not only “talking the talk, but also walking the walk.”

Mirza laid out a basic framework for what the FRB expects from banks’ risk committees. The FRB’s proposal indicates that risk committees must approve a risk management framework that includes the following:

• Risk limitations for each business line
• Establishing systems for identifying and reporting risks, including emerging risks
• Monitoring compliance with the risks
• Ensuring effective and timely implementation of corrective actions
• Integrating risk objectives into management’s goals and compensation

Finally, Mirza discussed high-impact risk. From his perspective as a former regulator, high-impact risk stemming from a weak or nonexistent ERM program could be an enforcement action, such as a cease and desist order, consent order or civil money penalty. These regulatory actions are in the public domain and may result in substantial reputational risk for the institution. The ultimate high-impact risk of a weak ERM program is failure; since the beginning of the recent financial crisis, there have been more than 430 bank failures.

III. Understanding ERM, embedded risk management, risk intelligence and ERM implementation
Presented by Erin Morrow

Erin Morrow is a principal in Grant Thornton’s Financial Services Advisory practice, and serves as the firm’s Governance, Risk and Compliance Solution leader for the Northeast Region. Morrow is the outsourced internal audit leader for two regional banks. She also works in an advisory capacity on topics in internal audit and risk management with other banking and financial services organizations ranging from local banks to global institutions.

Despite the advent of Dodd-Frank and increased public and regulatory scrutiny, ERM still appears to be very immature and loosely adopted. In 2010, North Carolina State University surveyed 460 senior management executives across different industries about the current state of enterprisewide risk oversight. Findings suggest that there is room for improvement in ERM processes across most organizations, with over 50 percent of respondents describing risk oversight as casual or unstructured. One-third of respondents said they were not at all satisfied or minimally satisfied with their ERM programs.

Why are organizations having trouble maturing their ERM programs?

There are several issues that appear to be presenting significant challenges in implementing ERM. One of the leading issues seems to be that ERM never got embedded in the culture or business process of the organization. The reasons for this might include failure to get executive sponsorship, or absence of governance or accountability, or perhaps there was simply no awareness of or training for ERM in the organization. Another challenge is the lack of focus. Perhaps ERM was not properly defined or focused and became too big. Some organizations may have suffered paralysis through analysis or addressed only risk symptoms rather than root causes. Finally, there is still a general lack of information and intelligence about ERM. In some cases, ERM programs were not forward looking enough, and management did not receive useful or timely information to respond to emerging risks.
Understanding ERM

One of the keys to understanding ERM is learning the terminology. There is a common “language of risk management” that many professionals practicing ERM have come to adopt. Morrow defined a list of key ERM terms, which included these:

• Risk – The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has described risk as “the possibility that an event will occur and adversely affect the achievement of objectives.”
• Enterprise risk management – A report from COSO describes ERM as an ongoing process, implemented by an entity’s board of directors, management and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity.1
• Inherent risk – This refers to the “natural” level of risk associated with doing business. Inherent risk is not necessarily a bad thing, given that most activities banks engage in to make money are inherently risky. Inherent risk is not static; it can rise because of external factors.
• Residual risk – This refers to the remaining risk after management’s controls are taken into account.
• Key risk indicator (KRI) – This is a measure used in management to indicate the level of risk currently in place. It gives a quantifiable view of the risk the bank is adopting.
• Risk appetite – According to COSO, risk appetite is “the amount of risk, on a broad level, an entity is willing to accept in pursuit of value.” Bank management may say they have no appetite for risk, but in order to grow and make money, banks need to take on some risk.
• Risk response – Once a key risk is identified, management will evaluate the risk and formulate a response. Risk responses are grouped into four categories.

What are the types of risk responses?

The purpose of risk response is to bring the risk to the acceptable level of risk appetite. The four categories are acceptance, transfer, avoidance and mitigation. Acceptance simply means to tolerate the risk; management may realize something is a risk but perhaps nothing can be done at a reasonable cost to mitigate it, or the likelihood and impact of the risk occurring is at an acceptable level. Transfer is a form of risk reduction whereby the risk is transferred to a third party. The most common example of risk transfer is insurance. A premium is paid, and the insurance company takes on the risk. Avoidance means just that: avoiding or exiting activities that give rise to risk, such as a risky market, product or line of business. Mitigation involves the process of developing options and actions to reduce the risks by putting controls and monitoring in place to detect and prevent and/or control risk. This is the most common risk response.

Embedded risk management

ERM is not just a project: it needs to be part of the day-to-day operations of the company and its decision-making processes. Merely putting ERM components in place is also not enough to create value or to avoid corporate failure; the key to making ERM valuable is to embed it in the organization, where it must be accepted and understood. So how can management achieve this? Embedding risk management entails performing a risk assessment, installing a monitoring system, and developing a process for responding to changing risk levels quickly. Furthermore, risk management ownership and participation is an enterprisewide endeavor. Everyone in the organization, ranging from tellers to loan officers to the president and board of directors, owns some portion of risk.

Risk management should also be relevant to your organization. There is no single way to do risk management. However, under Dodd-Frank, if an organization has over $10 billion in assets, it must have a board risk committee. The board committee must be independent of other committees and also have an independent director with experience in risk management. The board risk committee has oversight of risk strategy and tolerance, and overall risk effectiveness.

1 Source: The Committee of Sponsoring Organizations of the Treadway Commission. Enterprise Risk Management – Integrated Framework, September 2004.
Another important element in the ERM process is installing a management risk committee. The management risk committee is chaired by the chief risk officer, and its members usually comprise the CFO, and legal and compliance personnel. Its role is to review risk policies, implement risk strategies and make recommendations to the CEO.

Risk intelligence

Risk intelligence means being effective and efficient at managing risks to both existing assets and future growth. Banks should use risk intelligence to monitor and respond to risks on a constant basis. Monitoring involves determining KRIs for each risk in the watch list, determining a process for reporting KRIs, and developing a process for communicating risk events.

The development of effective KRIs can be a challenge for most companies. Financial institutions usually have a large number of credit risk and market risk indicators, and most of them have a sound system for addressing them. But there are additional “soft” indicators that go beyond the basics of credit risk and interest rate risk that many people overlook. These include the following:

• Financial market turmoil/unemployment — An increase in unemployment can be an indicator of increased fraud risk.
• Client dissatisfaction — Low client satisfaction scores can forecast an erosion of revenue.
• Staff turnover — High levels of staff turnover can predict reduced customer service and/or quality.
• Open compliance cases — An increase in open compliance cases might indicate a change in the risk profile of clients or staffing not keeping pace with growth.
• Loan growth — Significant loan growth can indicate a need for additional hiring to keep pace.

Responding to the KRIs involves determining strategic responses the business would take if risk tolerance is exceeded. Often this comprises a set of responses for progressively more severe tolerance thresholds. In addition, the organization needs to decide when the risk threshold has been met, and then it needs to implement the appropriate strategic response.

Banks should leverage risk intelligence to continuously update and improve the ERM program. When there are changes, events and indicators that affect the organization, management should internally or externally review the current risk assessment (to determine if there are new emerging risks to address), the ERM strategy, communications protocols and risk responses.

ERM implementation – Key steps

The process of implementing an ERM solution can seem overwhelming; however, we have found it less daunting for some clients to break down the process into “bite-sized” steps:

1. Define the organization’s risk universe, and rank each risk by impact and likelihood.
2. Select a framework that fits the organization’s culture. Consider how the bank works and how people communicate, and structure something that will be successful for that group.
3. Establish board or related board committee responsibilities for risk oversight so they understand their responsibilities. Although there is no one document that defines how to manage risk, having a procedure manual that talks about the whole risk program can be very useful.
4. Appoint a chief risk officer and/or an internal management risk committee and related charter with roles and responsibilities.