Kathleen M. Beans
There was a time when community banks could be profitable throughout the economic cycle by focusing almost entirely on credit risk. But the days when the five C's of credit defined risk management are over In today global economy a myriad of risks affect banks of all sizes and in every location. It is becoming perilous for community banks not to identify and closely monitor all the risks in their enterprise.
Smaller community banks are privately owned or closely held, so their traditional focus has been capital preservation. But more and more, banks of all sizes are beginning to measure their operational and market risk and, ultimately, their enterprise risk, because managing those risks is important not only from a regulatory perspective but from a business perspective as well. Community banks use different approaches to managing risk, which sometimes includes appointing a risk officer to oversee the effort or forming a committee to do so. Many use a combination of the team and risk officer approach. The CEO also plays an important oversight role.
"Enterprise risk management is an issue we're all going to have to face," says Richard L. Harbaugh, president and CEO of the $150 million Equitable Federal Savings Bank in Grand Island, Nebraska. "It's there right now. It's a matter of segregating the risks and specifically identifying them."
As an RMA Board member and chair of the Community Bank Council, Harbaugh says he is particularly aware of the need to identify and manage all of the bank's risks, not just its credit risk. Enterprise risk management at Equitable is currently in its "embryonic stage," he says. "We're just beginning to take a look at operational and market risk."
As CEO, Harbaugh is the chief risk officer, but he has enlisted the help of his top officers for that task. The chief financial officer monitors operational risk, the chief operations officer monitors market risk, and the chief credit officer, of course, is the watchdog of the credit portfolio. Each of those individuals works separately, trying to quantify specific risks.
"It's problematic because we don't know all we have to look at yet," says Harbaugh, noting that the risks the bank is currently examining include transaction, interest rate, fraud, and identity theft. "After we identify the risks, we can determine how they affect us in our daily operations. We may have to outsource the management of some risks. As a standalone banking franchise, we don't have access to risk information, other than what is available to us through RMA. We're now identifying our risks, but we're also very dependent upon RMA to provide us with a risk management product line."
Blending Compliance and Credit Administration
Until her recent retirement, Jean Hopeman was the credit risk officer for Sonoma Valley Bank in California. At this $150 million bank, Hopeman's position evolved to include both credit and compliance administration. "The risk officer role is different from that of the traditional roles of safety and soundness credit administration and compliance, says Hopeman. "In the past, the two responsibilities were separated, and to this day they still are in most banks. Most banks have credit safety and soundness auditors who know little about compliance and vice versa.
"My greatest challenge and success was the blending of the two and creating a greater awareness among all employees about each type of risk. The understanding of risk in the bank is better if a risk manager takes charge of training in these areas. I hired people to accomplish the training. Basically, the risk manager needs to know the regulatory issues, which change each year, figure out what the employees need to know, and establish procedures that ensure the knowledge is reinforced.
"I also performed an economic analysis of our market and an in-depth analysis of the loan portfolio so that the Board is aware of the industry risks. This is done in conjunction with testing loan loss reserves, which is another FASB requirement."
Complying with the USA Patriot Act
Hopeman believes that any bank that reaches $150 million in assets needs to designate a person within the organization to be risk manager. For instance, compliance with the USA Patriot Act could be facilitated by a risk manager who makes sure that each department knows how to comply with the act. "This act affects human resources hiring, lending, deposit taking, wire transfers, and more," says Hopeman. "In the old days, the training department of the bank would be given this job, but most banks our size don't have such training departments. At Sonoma Valley Bank the risk manager coordinates the effort to get the message across to the entire organization and tracks the learning. I usually organized a meeting and distributed informational materials. To follow through, I tracked with the operations compliance officer to make sure that compliance was completed. We use computer-generated compliance training models, which allowed me to view computer test scores of employees and make sure everyone completed the trai ning. I also check to make sure previous errors from the last compliance exam are not repeated.
"In 2002, compliance took a big chunk of my time as a result of the passage of the Gramm-Leach-Bliley Privacy Act. Its policies and procedures affect all areas of the bank, coordinating awareness of how the Privacy Act affects the bank as a whole is a part of 'risk' management."
Risk Management as a Top-Down Philosophy
At Chemical Bank Shoreline in Benton Harbor, Michigan, the chief responsibility for risk management lies with the risk management committee of the $1.2 billion bank. "Risk management is a philosophy at Shoreline, and we recognize that in order to reduce our risks, everyone in our organization has some responsibility for managing risk," says Joe Calvaruso, executive vice president and risk management officer. He leads the team of six senior people on Shoreline's risk management committee, which establishes goals, identifies issues, and establishes risk management policy. The president of the bank and the executive officers of the institutions are members of the committee.
In meetings that take place every other month, this risk management team reviews specific categories of risk such as liquidity or credit risk. They review the policies and controls for those risks, determining where there might be deficiencies that need attention. Using a predetermined model for measuring risk, the committee assigns the risk level and then determines whether the risk is increasing, decreasing, or stable.
Calvaruso's role at Shoreline also includes legal and compliance issues. The size of a bank and how the bank is structured really determine whether an institution needs a full-time risk manager, says Calvaruso. "The key for the risk manager--whether it's a solo responsibility or not--is to be looking at and striving to point out these issues and to have a philosophy that is different from sales. Sales are what we balance against," he said.
He also stressed that the risk management process needs to be formalized and documented for regulatory purposes and also for the bank to be able to track its own progress. "Risk evolves, so you have to be able to establish benchmarks as guidelines," says Galvaruso.
Legal/Compliance Risk
The best way to handle legal risk is to avoid problems, says Galvaruso. "When we' re executing contracts or doing new bank forms, we are careful to make sure they conform to laws and that they are clearly written and easy to understand. When we do get into an unfortunate situation, we proactively work through the issues, attempting to resolve them at the earliest stages. As the risk officer, I get involved very early with problems that could develop into legal issues.
"Recent legislation such as the Privacy Act and the USA Patriot Act are part of the government s attempt to protect our country and its citizens," says Calvaruso. "Banks must understand their own practices and procedures so that they can meet new regulatory guidelines as they become established. To comply with the Privacy Act, we went to each department that meets with customers or that has access to customer information and we verified how we treat that information."
Appointing a Risk Manager
The CEO is the person responsible for risk management at most small community banks, where the number one risk is still credit risk. At other community banks, a senior executive, such as the senior credit officer, takes on the overall responsibility of risk management in addition to his or her other duties.
Jack Hamm, an Alabama-based consultant to banks on regulatory issues and an RMA instructor, says the team approach banks used to confront the Y2K challenge would be a good one to adopt as they manage enterprise risk. "It's a good idea to create a task force for risk management composed of senior-level people from various parts of the bank. Through an ongoing committee process, the task force members will deepen their understanding of the issues. You need more than one brain to solve complex problems. While this approach can work for any size bank, it is particularly well suited to community banks. It requires strong leadership, a methodical approach, and team spirit."
Another community bank consultant, George Darling of the Massachusetts-based George Darling Consulting Group, says credit risk is still the number one risk at community banks, followed by interest rate and liquidity risk, then compliance and regulatory risk. He says one of his client banks created a chief risk officer position to which auditing, credit and loan review, and regulatory review and compliance all report. The CEO of the bank looks to this individual for recommendations to make sure processes are adequate and intact. He is also the contact for regulators.
All the community bankers and consultants interviewed agreed that the best candidate for a risk management officer is one from inside the bank who has a broad base of banking experience. "Someone from your own organization is more valuable because he or she knows the bank's policies and culture and can bring that to the task of risk management," says Calvaruso. "The risk manager needs to look at things from a perspective different from the salesperson's. Risk is something you measure; it's not a yes or a no."
Risk management is an exciting new area and it's only going to get more exciting, says Hamm, who predicts that in the future universities will offer graduate programs in risk management. But in the present, he adds, community banks don't have the resources to handle risks so they pay a premium to outsource some of their risk management.
"Community banks have to be smart about choosing which risks to manage themselves and which to outsource," Hamm says. "To know how to determine that requires complete knowledge in a wide variety of subjects. That's why the committee or team approach for risk management works best. In the operational risk area, most credit people don't have operational understanding. Obsolescence, vandalism, and supplier liability are major issues that need a team approach even at the large-bank level."
The risk manager should be part of the senior management team, and the compensation should reflect that. "The value that the chief risk officer brings to an organization has increased in the past few years as regulators have pushed the need for risk management and as institutions have better understood the importance of risk management, says Calvaruso. "The difficulty of finding someone with the right background also pushes the salary upward." He believes the salary should be derived from a formula based on the institution's growth and losses. "The real function of the risk officer is to control losses and risk, but not deter growth and profitability. If the risk officer is too stringent, he can throttle the institution's growth."
Today, risk management encompasses more than credit risk at banks of every size. "Community banks need to be aware that there are more risks in banking than just credit risk," says Harbaugh. "Operational and market risk, along with credit risk and the other risks, create enterprise risk. We need to look at our banks on an enterprise-risk basis. It's not just for big banks. Enterprise risk exists in our banks, and we need to emphasize and address it."
Beans may be contacted by telephone at 215-446-4095 and by e-mail at kbeans@rmahq.org
[c] 2002 by RMA. Beans is senior writer and public relations manager at RMA.
COPYRIGHT 2002 The Risk Management Association
COPYRIGHT 2005 Gale Group
No comments:
Post a Comment