Saturday, August 23, 2008

On their way four banks forge ahead in enterprise risk management


Beverly J. Foster


If enterprise risk management is a journey, banks follow paths that at certain points intersect with those of other banks, but then may diverge as well. It can be useful for a bank to hear about other journeys before embarking on its own.


The paths taken by large banks have been chronicled far more than those of smaller ones. The RMA Journal asked risk officers at four banks in the Western U.S. to respond to seven questions about their enterprise risk management efforts. Ebrahim Shabudin, EVP and COO, responded for $8 billion United Commercial Bank of San Francisco, California; James Kempf, SVP and manager of Risk Assessment, responded for $4 billion 1st National Bank of Arizona and 1st National Bank of Nevada; Kai Neizman, VP and manager of Sarbanes-Oxley compliance, responded for $4 billion Columbia Bank of Tacoma, Washington; and Mary Sellers, chief risk officer, responded for $10.5 billion Bank of Hawaii.


There are commonalities in all of the banks' definitions of enterprise risk management. Only one of these banks has a chief risk officer, per se, but all have an ERM structure in place. All agree on the importance of and difficulty in data collection, while all differ on the risks that most concern them currently. Other topics discussed include ERM investments and ERM as an agent for growth.


For any program to have a chance of success, an institution must carefully negotiate its way through the first steps, which usually include 1) defining the program; 2) identifying leaders and champions; 3) designing a framework and reporting structure; and 4) creating policies and procedures to support it. These certainly aren't the only steps, but they do lay the foundation. Within these steps, there are lots of decisions to be made. No one needs to reinvent the wheel, so seeing how other institutions are creating their enterprise risk management (ERM) programs is helpful to banks that are not quite as far along the path. This article brings together the experience and insights of four bankers on the West Coast (and beyond). The banks represented here are United Commercial Bank of San Francisco, California; 1st National Banks of Arizona and Nevada; Columbia Bank of Tacoma, Washington; and Bank of Hawaii.


Defining ERM


Among the four banks, definitions for enterprise risk management hold many similarities. Importantly, each bank has a definition of what enterprise risk management means to it.


United Commercial Bank defines ERM as "the identification and measurement, analysis and mitigation, reporting and control, management and oversight of all risks associated with doing business in our banking marketplace, as well as their impacts on our company." Ebrahim Shabudin, EVP and COO, says that the bank includes credit, market, and operational risks in the management of enterprise risks, using Basel definitions to categorize them.


James Kempf, SVP and manager of Risk Assessment, says that 1st National Bank uses ERM to align strategy, processes, people, technology, and knowledge with the purpose of evaluating and managing the uncertainties the company faces as it creates value. And Kai Neizman, VP and manager of Sarbanes-Oxley compliance, Columbia Bank, adds that "The passage of the Sarbanes-Oxley Act--in particular, Section 404--has really forced us to focus on and understand the processes and risks across the organization. We continually refine our processes to reflect the changing risks within the organization and attempt to take a more proactive approach to managing these same risks."


Necessary steps in the process, according to Kempf, include:


* The removal of traditional functional, divisional, departmental, or cultural barriers.


* A process-oriented approach that helps 1st National Bank manage key business risks and opportunities while maximizing shareholder value.


* Identifying, prioritizing, and managing risks across an enterprise or division.


"It's important to recognize and take into account both quantitative measures and qualitative considerations so that objective evaluations and subjective judgments come into play," says Shabudin. "This means that we believe ERM is both an art and a science." That statement may sound simple, but it has not been well practiced. Following several years of being deferential to and in awe of quantitative models, today's risk managers are increasingly aware of the need for both aspects of the ERM discipline.


Bank of Hawaii identifies, right in its definition, that enterprise risk management is to be used to competitive advantage. The three components of BOH's definition of ERM, says Mary Sellers, chief risk officer, are as follows:


* Continuously identify, develop, and manage solutions for significant risks (defined as those that impact shareholder value) in a cost-beneficial way.


* Capitalize on opportunities identified through risk management processes.


* Use BOH's risk management culture and processes as a competitive advantage in growing our business.


Leading the ERM Effort


The position of chief risk officer (CRO), found at many large institutions and seemingly the crux of any coordinated ERM effort, does not necessarily exist at banks whose products, geography, and relationships are less complex and expansive. However, as noted in the definitions provided for enterprise risk management, there does need to be a clear and efficient structure and reporting system.


Kempf says that the primary risk responsibilities are handled by 1st National's EVP and director of Strategic Enterprise Risk Management. Functions directly reporting to this position include the ERM Risk Assessment Office, Compliance, Corporate Governance, Credit Review, and Appraisal.


"In the current banking environment, we believe that it is difficult to find a person who is an expert in all risk areas--credit, market, and operational," says Shabudin, who spearheaded the development of ERM at United Commercial Bank. As COO and with the support of the CEO and other colleagues, Shabudin built the infrastructure. "We first designed what I like to call the Risk Management Concept (RMC), and then we started to build the 'foundation elements' with an integrated approach in mind," he says.


"In our experience, the closest one can get to a CRO is to find a person who has expertise in two out of the three disciplines," says Shabudin. Thus, risk management at United Commercial Bank is handled by the COO (for credit and operational risk) and by the CFO (for market risk). The COO is responsible for all credit, operations, technology, and integration risks, with his direct reports managing each of these areas. In addition, the bank has a director of Enterprise Risk at the EVP level to provide "coordination and oversight of all the risks associated with our various businesses." This risk director reports administratively to the CEO and functionally to the chair of the Audit Committee of the board of directors. The risk director also is responsible for regulatory compliance and Sarbanes-Oxley process implementation. The CFO and COO each report directly to the CEO. United Commercial Bank also has an SVP who serves as chief audit executive and an FVP who acts as director of Independent Asset Review, both of whom report administratively to the CEO and functionally to the chair of the Audit Committee. "These individuals provide internal audit services and obtain external sourcing of expertise for selected areas when necessary," says Shabudin. "The director of Enterprise Risk provides leadership, coordination and oversight of the process."


The duties of a CRO match up well to those of Columbia Bank's general auditor, says Neizman, who reports to that position as SOX risk manager. The Corporate Audit manager and the Loan Review manager also report to the general auditor. Internal Audit and Loan Review continue to play a significant role in identifying operational and credit risks. Neizman's responsibility has been to work closely with Accounting to bring together all areas of the bank and their related processes to identify, track, and find support for strong mitigating controls. "Sarbanes-Oxley has forced us to understand not only controls around financial reporting, but risks and controls across all areas of the bank," he says. "As a result, we are all 'risk analysts' in that we should continue to better understand 1) how our job impacts the risk management process and 2) what we can do better to mitigate risks as they arise."


As the only chief risk officer among the four banks, Mary Sellers at Bank of Hawaii oversees the following areas:


* Risk Management


* Information Protection


* Wholesale Credit


* Retail Credit


* Special Assets


* Credit Policy and Procedures


* Appraisal


* Credit Portfolio Management and Reporting


* Credit Process and Systems


* Commercial Credit Underwriting and Approval


* Credit Training


ERM and Risk Appetite


1st National Bank's CEO and Executive Management team set strategic direction and are responsible for communicating the risk appetite for the company. ERM risk assessments have identified potential changes to existing business processes that could be related to future business activities, Kempf says.


Establishing the foundation elements has meant that United Commercial Bank needed to define what it wanted to accomplish from risk self-assessments, independent asset reviews, compliance oversight, internal audits, and other exercises, says Shabudin. The bank has designed specific approaches, formats, and management reports for these purposes.


"Of course, we also revisited our policies, procedures, and guidance," Shabudin continues. "As a result, we have been able to establish and implement a more granular internal risk-rating system, a more robust asset review program, and post-approval review process, as well as unit and portfolio risk assessments, and independent audits." Thus, the bank's risk appetite is communicated through its policies, procedures, and guidance as well as through discussions in the appropriate committees. "Our committee structure is streamlined to mirror the way we do business. Our management reports to the board committees also have been significantly enhanced to provide better analysis. We have examples of new product introductions and limitations or diversification strategies resulting from these initiatives," he says.


Columbia Bank is in the process of establishing and communicating its risk tolerance through policy and procedures review as well. "Our first step is to better align the how and why of the way we do things with the risk appetite/risk tolerance of our bank," says Neizman. "We want to be forward looking and not create our policies or procedures due to a large loss, a regulatory issue, or some other event. For example, we are currently working on policies and procedures within credit to better identify and refine thresholds and risks with which we are comfortable. On a related note, we are implementing a new asset-quality system to allow for more granularity, associated risks, and robust reporting capabilities. That said, we don't want to make it more complicated than it needs to be, so we're trying to use a commonsense approach when managing these risks."


As part of its governance process, Bank of Hawaii and its board of directors determine together the amount of risk the bank is willing to take. Sellers says the bank uses the following criteria:


* Targeting a continuing "A" rating for BOH.


* Strategic assessments.


* Asset quality standards, ALCO limits, etc.


* Guidelines for internal controls and practice.


"Communication of our risk tolerance is integrated into our framework," she says [see Figure 1]. "Our integrated approach to risk management has supported new product development and enhancement, in large part by giving executive management confidence that the process through which these decisions are considered incorporates an analysis of potential risks and the controls needed to manage those risks. It also ensures that new product development or enhancement is not done in a 'silo' and that there's the appropriate monitoring and reporting of performance against expectations to ensure that action can be taken quickly if things do not go as anticipated. And, it ensures that we are receiving the appropriate risk-adjusted return on capital for our shareholders. Conversely, there are business activities that we've reduced the scope of or exited, or elected not to enter given the risk-adjusted return on our capital."


Risk Mitigation versus Risk Acceptance


Shabudin's response is similar to those of Kempf, Neizman, and Sellers in that he sees the primary role of ERM as risk mitigation, but he believes it also can be used to properly understand the risks associated with growth in order to foster prudent growth.


Kempf concurs, saying that while integral to identifying, monitoring, and controlling risks, ERM can be used to help the company identify potential structural and/or strategic adjustments to enhance organizational effectiveness in building shareholder value.


Neizman expands on the answer: "I believe ERM is an agent that enables prudent growth--with the right tools and practices in place, an organization can quickly identify, measure, and mitigate new risks. While that is easier said than done, risk management practices should evolve as the institution grows and evolves. An institution must define and document risk tolerance and appetite, which should allow it to grow in a more consistent fashion. While our institution moves toward trying to capture and measure related risks, the process will continue to be a work in progress."


Using Customer and Portfolio Data in ERM


There's no doubt in the minds of any of the participants that data collection is very important to the overall ERM process of risk management and oversight. Neizman first mentions the opportunity aspects of data. "Marketing gathers customer data using software and a third-party service provider to generate reports for specific uses," he says. "If an institution is to move forward, customer information needs to be tracked and housed; if we can't get it, missed markets become missed opportunities."


However, all four talk about both the critical risk management aspects of data collection as well as the challenges. "The challenge lies in finding the right middle ground between cost, system capabilities, and timeliness of data," says Kempf.


Neizman says that Columbia Bank has made "great strides in gathering, analyzing, and reporting on portfolio data." The bank scores different portfolios by using internal measures and trying to balance the risk/reward process with the use of a refined pricing model. "Some of the challenges have included coming to a consensus on the different types of portfolio reports to feature and improving upon the portfolio information given to executive management and the board of directors," he says.


"It is not easy to have meaningful information readily available because, in my view, too little time is spent on determining what information is important and too much time is spent just generating data," says Shabudin. "I have found that if line managers personally spend time thinking about the risks that need to be managed and design the 'back of the envelope' requirements themselves, the information gathered and produced (sometimes automatically and often times manually) is far superior. Our portfolio reporting approach has now become one of the 'foundation elements' I mentioned earlier."


Working with outsourced systems presents its own challenges, Sellers says. "There are data elements needed for portfolio analysis that are simply not available in any extract provided," she says. "Also, requests to have the data elements be made available are often overshadowed by more pressing business needs or by the expense of getting the information. And we need to be able to rely on the vendor(s) for explanation and/or research of data issues and problems."


Sellers lists three "lessons learned" in data management as she acknowledges the importance of:


1. Management commitment and focus on a data management strategy that includes ownership of data, data architecture, etc.


2. Effective communication with the booking and other operational areas to properly "clean up" the data problems as they occur and to implement or clarify procedures to prevent reoccurrences.


3. Effective audit and credit review processes that evaluate data management.


Top Three Risks over the Next 12 Months


While all participants agree that compliance risk is a top risk, current priorities differ among the banks.


Kempf reports that smart growth, the regulatory environment, and the potential for a market/economic downturn are 1st National Bank's top concerns, but that "ERM has provided a more proactive approach to discussing potential risks that may arise."


Sellers and Neizman both are concerned about training, retention of employees, and compliance risk. Neizman reserves the right to mention a fourth risk. "Since we are really at the early stages of the ERM journey, the first two risks are important because highly capable employees are our biggest asset," he says. "At the same time, we understand that a proactive approach toward our employees must be used if we are to grow in a competitive environment. We also are starting to understand the quantitative impact to our business model by having regular ongoing training and by beginning to house data on employee turnover for annual review. As we continue to move forward, it will be more difficult to quantify and qualify these risks without good analytics and measurements." As to compliance risks, he says, "We must have the systems and procedures in place to ensure the integrity of the data through accurate and timely reporting." And the fourth risk? "I believe reputation risk will continue to be an issue because if we don't manage the above risks well, we will fail to recognize the impact these risks will have on the organization, the public's perception, and shareholder value."


Shabudin is concerned about the impact of the flat yield curve and risk concentration. "As a result of our self-assessment process, we are more clearly able to articulate our market risk exposures to our management team, particularly those not directly involved in the day-to-day management of market risk," he says. "This has helped us to get on the same page and develop an appropriate action plan. The Portfolio Review Committee has been able to see the concentration data and react to it by revisiting policies and establishing both product diversification and geographic diversification strategies for the bank. In the past, I believe we may have still taken similar actions, but they would have been taken by selected individuals rather than through an institutional process."


Sellers considers information security and data loss to be a top challenge for BOH. This risk certainly also encompasses the reputation risk that Neizman mentions. "Our customers have entrusted us with a great deal of personal information that we have a fiduciary responsibility to safeguard," Sellers says. "Ensuring we don't have a data loss or compromise of any customer information is critical, particularly in Hawaii, given the relative size of our community."


Next ERM Investments


"Now that we have an ERM foundation, our future investments in ERM are likely to be in 'building the house,'" says Shabudin. "Steps will include specific training of business unit managers and use of experts, rotational assignments, data refinement, reporting improvements, and better use of the new tools of the trade to embellish our risk management and oversight programs. This will include further development of risk-adjusted-return approaches and practices."


1st National plans to invest in management reporting software tools that will use data gathered during ERM risk assessments to provide reports that will assist various business units and executive management in undertaking more effective risk monitoring. Kempf says, "This will allow us to integrate ERM and identified operational risks with financial risks to make smarter decisions. The software will also link ERM into RAROC, Basel II concepts, and other risk-based regulatory initiatives that may be on the horizon."


Investment in systems echoes with Neizman and Columbia Bank. "Converting to a new core system is our most recent ERM investment," he says. "The new system will allow us to better use and maintain customer data with the goal of producing effective and timely reports. As stated before, our reporting to executive management and the board of directors has improved dramatically, and the new system will only enhance that. We are in the process of evaluating more robust audit and loan review software that will allow us to improve our risk management and risk assessment process throughout the bank. We hope to gain efficiencies through both departments and leverage the power of information that our new host system will provide. We also are in the process of rewriting our risk and internal control policies to better define and align our risk tolerance to our overall strategies. This will help our employees understand their role in these processes and help foster an environment of managing risks."


Sellers is looking at people. "We'll be rotating business management through the risk managers area as a developmental opportunity for them," she says. "They bring a business focus and perspective to ERM that's invaluable in reaching across the organization. We're also strengthening and building bench strength in areas such as compliance and information security. By doing so, we're ensuring that our businesses have the support to continue to grow."


Contact Beverly Foster by e-mail at bfoster@rmahq.org.


© 2006 by RMA. Beverly Foster is editor of The RMA Journal. She thanks John Baier, consultant, Member Relations, for his help with this article.


Figure 1
Bank of Hawaii's Risk Management Framework

Governance: Committee Structure and People

* Reviewed Board and Management Committee structures, including roles and responsibilities, expanding or sharpening committee charters where needed, and validating membership to ensure the appropriate stakeholders were at the table.

* Established two new committees--the Risk Council and the Operational Risk Committee--to further strengthen risk oversight.

* The Risk Council, chaired by the chief risk officer, includes all of the company's Managing Committee as members and the heads of Internal Audit and Credit Review as permanent guests. The Risk Council is charged with providing executive management with a specific forum for the review and communication of both specific and company-wide risk issues. The Council also serves to enhance collaboration among all areas of the company, while reinforcing executive management awareness of risk management.

* The Operational Risk Committee--either directly or through its established Payments Risk and Operating Loss subcommittees--reviews and, where necessary, establishes policies and procedures to manage operating risk. The Operating Loss subcommittee specifically focuses on areas where control breakdowns have resulted in losses. Loss data is collected by the group and analyzed for systemic issues that can be remediated to generate bottom-line benefits. The Payments Risk subcommittee focuses primarily on payments systems and the management of risks around these.

* The Operational Risk Committee is also chaired by the chief risk officer and includes line of business management, as well as the company's risk specialists. Risk specialists are responsible for overseeing risk types, such as compliance, information security, vendor, security, business continuity, etc.

Governance: Risk Appetite

* Defined risk appetite and established risk management, product approval, and other policies to support it.

* Defined an "A" rating target for BOH's strategic assessments, asset quality standards, ALCO limits, etc.

Governance: Culture

Worked to build a strong risk culture by establishing:

* A common set of values.

* Standards for consistent, disciplined behavior.

* A strong balance between control and driving the "revenue engine" forward.

* Clear, consistent, and frequent communication.

* A business strategy that aligns with risk and accountability.

* Incentives and performance standards linked to desired risk management practices.

Business Unit Management: Education

Ensured risk management was embedded within the various lines of business strategies, reinforcing that business unit management owns the risk in their businesses, just as they own the revenue or expense streams.

Business Unit Management: Risk Self-Assessment

Introduced the risk self-assessment process as a tool for business unit management to use to identify and prioritize risks in their business, identify control gaps, and develop plans to close those gaps.

Business Unit Management: Capital Modeling / Management

Business unit management was introduced to and educated on the concept of a risk-adjusted performance system that:

* Facilitated the ability of business managers to view business in the way management and shareholders do.

* Established NIACC and RAROC as standards against which businesses are evaluated.

* Instituted higher capital penalties for greater risk.

* Facilitated management taking appropriate action to improve business performance, in part by reducing the level of risk in the business, or alternatively by deploying that capital to another business that would provide a better return.

Business unit leaders review results each quarter with the CEO and CFO.

Reporting

Appropriate and timely reporting was developed for various constituents. For example, an Enterprise Risk Position Report is compiled quarterly and presented to management, the board, and our regulators. This report includes appropriate measures and trends for each risk type (credit, market, strategic, and operational) as well as any targets, standards, guidelines, etc. that are used to gauge the risk positions.


COPYRIGHT 2006 The Risk Management Association
COPYRIGHT 2008 Gale, Cengage Learning