1 Enterprise Risk Management Building an Effective Enterprise Risk Management Program in a Community Bank Jay Gallo Chief Risk Officer
Topics for Discussion 2 Defining Enterprise Risk Management Do Community Banks Need ERM? The Business Case for ERM Basic Elements of an ERM Program Risk Identification and Assessment One Model for Risk Management ERM Program Details Sample Best Practices Is Your Bank Ready for ERM?
Defining Enterprise Risk Management 3 Enterprise Risk Management is A process put into action by a bank s board of directors and management Applied in strategic framework and across the enterprise Designed to manage risks within a risk appetite provide reasonable assurance regarding the achievement of bank objectives identify potential events that may affect the bank
Do Community Banks Need ERM? 4 The point to risk management is not to try and operate the bank in a risk-free environment. Rather, it s to tip the scale to your advantage. It s to make risk management an offensive, strategic strength instead of a defensive tactic. - CEO of a Community Bank
Do Community Banks Need ERM? 5 Why an enterprise approach to risk management? Better information about risks Coordinated risk responses Consistency in approach Create a uniform way to view and measure risks Match actions to strategy
Do Community Banks Need ERM? 6 A successful ERM program at a Community Bank will accomplish three risk management objectives: It will ensure there is a written, risk appetite document that complements the bank s detailed strategic objectives. It will link that risk appetite charter to specific metrics that define risk tolerances and boundaries across the organization. And it will create a framework for cross-enterprise reporting and the active management of risks throughout the entire institution.
Do Community Banks Need ERM? 7 A successful ERM program at a Community Bank will accomplish three risk management objectives: It will ensure there is a written, risk appetite document that complements the bank s detailed strategic objectives. It will link that risk appetite charter to specific metrics that define risk tolerances and boundaries across the organization. And it will create a framework for cross-enterprise reporting and the active management of risks throughout the entire institution.
The Business Case for ERM 8 Identify strategic advantages and opportunities With comprehensive information management, true competitive advantages are easier to identify. Opportunities can be elevated to decision-makers for faster responses. Since not all strategies bear same level of risks, organizations can focus resources on the best riskadjusted investment opportunities.
The Business Case for ERM 9 A reduction in overall institutional risk for the same return-on-investment (or higher ROA/ROE for the same risk) Improved operating margins Better portfolio management and credit risk practices Reduced problem loan charge-offs and management costs Higher net interest income due to risk adjusted pricing An improved efficiency ratio, allowing the bank to grow with steady costs
The Business Case for ERM 10 Bottom Line Reduce volatility and surprises Improve risk adjusted returns Deploy people and capital to best opportunities Reduce organization redundancies Optimize efficiency ratio Improved organizational communication and decision-making
Basic Elements of an ERM Program 11 A Risk Committee and charter Who gets to make decisions Understand your Bank s Risk Philosophy and Risk Culture A risk appetite document that establishes boundaries and controls for a set of key metrics Linked to business strategy Qualitative and quantitative measures of risk A process for measuring risks and prioritizing the impact Dealing with limit violations Periodic reports on metrics and economic data Periodic stress and scenario testing Someone in charge of the process and results
Basic Elements of an ERM Program 12 Phases of implementation: Assess current risk management practices at your bank. Understand and document your actual risk culture. Define a risk appetite. Agree on metrics, boundaries and reports. Develop a process to feed information to decision-making team and facilitate action. Develop analytical capabilities to answer whatif questions. Work with executives to follow a consistent process of action.
One Model for Risk Management 13 Risk Appetite & Concentrations Market Conditions Metrics & Reporting Analytics Four Inputs Four Levers Risk / Service Standards Balance Sheet Management Decision Process Product / Service Pricing Human Resource Assignments
One Model for Risk Management 14 Four inputs and four levers to avoid, reduce, share, accept or exploit risk. Decision-making is coordinated in a leadership team where each member is responsible for acting on inputs and following through on output decisions. The ERM value proposition is achieved through the process of coordinating intelligence and action with the goal of improving the performance of the organization. Bottom line better returns with the same risk or same returns with less risk.
One Model for Risk Management 15 Risk Appetite & Concentrations Market Conditions Metrics & Reporting Analytics Four Inputs Four Levers Risk / Service Standards Balance Sheet Management Decision Process Product / Service Pricing Human Resource Assignments
One Model for Risk Management Four ERM Model Inputs 16 Risk Appetite and Concentrations How much risk are we willing to take? What risk do we currently have today? What boundaries exist? Can our capital support our risk taking decisions? Market Conditions What is the current market? Where is it going? Where are we in the cycle? How does a change in the market affect our risk profile?
One Model for Risk Management Four ERM Model Inputs 17 Metrics and Reporting What do you track? Are there goals? What is the trend? How must history do we show? Analytics How do we slice data to reveal more detailed information to support better decision making? How do we show the impact of changes in market conditions on future positions? What do we stress and how do we stress it?
One Model for Risk Management 18 Risk Appetite & Concentrations Market Conditions Metrics & Reporting Analytics Four Inputs Four Levers Risk / Service Standards Balance Sheet Management Decision Process Product / Service Pricing Human Resource Assignments
One Model for Risk Management Four ERM Model Levers 19 Balance Sheet Management Participations, loan sales, match funding Capital management, hedging Risk and Service Standards LTV and DSC ratios, loan balance limits Customer and employee service and satisfaction standards Technology investments to keep costs controlled Appropriate controls to improve risk awareness
One Model for Risk Management Four ERM Model Levers 20 Product and Service Pricing Risk adjusted and absolute yields Price points and minimum balances Human Resource Assignment Strengthen employee skills Add new skills to manage new risks Outsource as necessary
ERM Program Details 21 How does the organization define the playing field? How much authority is delegated and to whom? How does the organization elevate its skills? What tools are used to manage risk? What is the structure for risk decision-making?
ERM Program Details 22 How does the organization define the playing field? What are the boundaries around products, customers and geography? (Need to define risk in manageable terms.) Defined at the specific level and managed at the portfolio level. What will the organization not do? Is the risk appetite documented linked to charters of key committees and Bank policies?
ERM Program Details 23 How much authority is delegated and to whom? What committees should exist? What are individual authority levels? What limits should be articulated around terms, amounts, risk? Who is the traffic cop? Do you control loan level risk or portfolio level risk at the management level?
ERM Program Details 24 How does the organization elevate its skills? Is there a risk management philosophy that makes the institution unique? Is credit risk management a competitive advantage for the bank? How does the organization teach the way to new people? How does the organization refine the skills of staff and directors for changes in the markets or sharpen the competitive distinctions between itself and other institutions?
ERM Program Details 25 What tools are used to manage risk? What is the analytics and reporting package? Is it integrated into the core systems? How many people do stress testing and what if analytics? How are they tasked? To whom do they report? What reports exist? Are they showing history, goals and peer group? Do multiple peer groups exist based on the analysis being done?
ERM Program Details 26 What is the structure for risk decision-making? Is there a charter for the decision-making committee? Who is in the room? What inputs and documents are reviewed? What market inputs steer risk appetite? Is the risk appetite sandbox clearly defined? What are the primary levers of risk management used to adjust course?
Sample Best Practices 27 Loan review is not just loan review Data, Data, Data then Analytics, Analytics, Analytics Portfolio level reporting Risk Appetite document Chief Risk Officer ERM decision making model Risk adjusted pricing
Sample Best Practices Loan Review is Not Just Loan Review 28 First, confirm ratings and identify Watch Loans. Watches are assessed for stay or exit, then ameliorate or move to soft/hard exit. Second, look at profitability of loans/relationships. Which relationships should be deepened, reduced or modified due to margin or risk/pricing mismatch? Loan Review is integral to strategic planning, overall portfolio growth and risk management.
Sample Best Practices Analytics, Analytics, Analytics 29 Integrated data collection and analytics to core systems. Stress testing against multiple scenarios (defined by risk appetite document) and ALLL adequacy assessment based on planned growth. Skilled analysts and streamlined reporting. Data visualization software Does marketing flow from identification of target customers and products based on profitability analysis and modeling? Do we need a separate data warehouse for marketing or risk analytics?
Sample Best Practices Portfolio Level Reporting 30 Reports and (board level) conversations should be at the portfolio level. Reports need sufficient history, goals, peer group comparisons Concentrations should be viewed from multiple angles For example, assess the commercial portfolio by loan type, geography, risk rating, yield, profitability indexing, market cycle, etc.
Sample Best Practices Risk Appetite Document 31 Board developed and approved. Risk culture and risk appetite are cannot exist independent of each other. Interdependent with strategic plan and marketing plan. Directors have skills and capacity to drive risk tolerances. Reports provide right information to make adjustments. Clarity around control mechanisms and delegated authority.
Sample Best Practices Chief Risk Officer 32 Ensure that fundamental ownership of risk resides in the business not in the risk function. Needs to be senior enough to be influential. Need to clearly define the CRO s role in decision making. Finding the right person means identifying the optimal balance of technical versus business expertise. The role will evolve as the organization matures and grows. Reporting line should match the organization s governance structure.
Sample Best Practices ERM Decision Making Model 33 Define inputs and levers to avoid, reduce, share, accept or exploit risk. Decision-making is coordinated in a leadership team where each member is responsible for inputs and outputs. Goal better returns with the same risk or same returns with less risk.
Sample Best Practices Risk Adjusted Pricing 34 Define inputs at the loan level. Assess performance at portfolio level with focus on two tails. Ownership: lending, credit, finance, marketing? Drives profitability analysis of customers and products.
Is Your Bank Ready for ERM? 35 Here are three questions that a senior management team should be asking: Is our board willing to work with senior management to articulate a risk appetite strategy for our institution? Are we capable of measuring and tracking risk at the functional / department level? When faced with trustworthy and sufficient data, will management re-deploy capital and people to reduce risks or take advantage of opportunities in the marketplace?
Is Your Bank Ready for ERM? 36 In answering these three questions, executives need to gauge their organization s strengths and weaknesses and be honest in their assessment. If an organization is not capable of tackling ERM today, then management has a challenge to improve the skills and ability of the organization so that everyone is capable of talking about risk and making sound decisions based on facts.
Is Your Bank Ready for ERM? 37 The financial landscape is moving quickly and against Community Banks as large-scale competitors strive to take the best customers away from local institutions and supervisory organizations try to over-regulate risk taking. With increasing requirements to build and store capital, Community Banks need to act judiciously in deploying people and assets. A clear understanding of the risks an institution faces and a mechanism for interpreting those risks and deploying solutions is now an essential element of management s charter.
Contact Information 38 Jay Gallo Chief Risk Officer Sage Bank 978.322.7075 jgallo@sagebank.com www.sagebank.com