By Monica C. MeinertEnterprise risk management has become a fundamental component of banks’ day-to-day routines and long term strategic planning processes. As ERM continues to grow in sophistication, organizations are embracing new technologies and improving their operations to better monitor and mitigate risk.
“For most banks, [risk management is] moving on the continuum from introduction to acceptance—to embracing ERM concepts,” says Jason Painley, chief risk officer at Park National Bank, a $7 billion bank based in Newark, Ohio. “It’s embedded into the organizational DNA, much like a credit culture would be.”
The risk landscape is constantly changing; conditions on the ground are considerably different today from one year ago. Gone, for example, is the talk of negative interest rates—rates are now on the rise as the Federal Reserve’s focus shifts to maintaining economic gains made over the last few years. And on the regulatory side, changes in agency leadership are forthcoming, and there’s been a renewed conversation about regulatory reform both in Congress and in the administration.
Bankers must think strategically about what’s on the radar in the near-term, while also keeping their eyes on the horizon for new risk trends that could emerge. Painley and Clifford Rossi, a finance professor at the University of Maryland’s Robert H. Smith School of Business, discussed the top risks facing banks this year during a recent American Bankers Association briefing.
Credit risk and loan losses
Lagging data structures are likely to present challenges from a credit risk perspective, Painley says, particularly as banks prepare to implement the new Current Expected Credit Loss standard for loan loss accounting.
The CECL standard will require banks to make significant changes to their data collection and processing systems. Large institutions that have already had to implement models relevant to the Dodd-Frank Act stress tests or the Comprehensive Capital Analysis and Review program may have a leg up in this area, he adds, but “for those institutions that don’t have a robust architecture in place, there is going to need to be a lot of work in the near term.”
As these new systems are built, Painley recommends that banks focus on building a strong risk data governance framework, reducing dependence on manual interventions and developing common data “dictionaries” to ensure that all collateral relationships and information can be easily tracked, aggregated, analyzed and relied upon.
In the new CECL environment, data integrity will become more important than ever, Rossi adds. “We should be striving to make sure that those data sets that we’re using for our analytics are as clean and consistent as possible.”
Banks have over time have compiled a significant amount of data scattered through systems across the organization, and “we end up creating a series of different credit views that then makes it hard to stitch a consistent story together around these disparate credit metrics,” he explains. “I’m a big fan of looking at the big picture. Step back from what we do on a day to day basis and [ask]: how do we get greater integration around credit risk measurement than we may currently have?”
In addition to building out their data infrastructure, risk managers should also be keeping a weather eye on portfolio concentrations and underwriting standards.
“Loan growth in commercial real estate, commercial and industrial and consumer lending has been really robust. These sectors have all outpaced GDP growth since 2010,” Painley notes. “Historically, that has been an indication that the lending market is close to maxing out its potential and presents higher levels of credit risk.” The past two recessions, for example, were preceded by a strong expansionary run where loan volumes grew, followed by a period in which many borrowers defaulted and credit tightened again.
With that historical hindsight in mind, bankers should ensure that they have a concentration risk policy in place and closely monitor concentrations in their portfolios. Rossi advises paying particular attention to geographic concentrations, and warns lenders to beware of what he calls “product morphing,” when loan products over time change shape as underwriting standards are relaxed.
Interest rate risk
The economy has finally hit a turning point with respect to interest rates, with the Fed forecasting a doubling of the federal funds rate to 3 percent by 2019, and bankers “need to be bolted down and ready for a rising rate environment,” Rossi notes.
One potential danger point here, he says, is that over the last decade, banks have stretched for yield by moving to longer duration assets that could hurt them more in a rising rate environment. Now is a good time to revisit the bank’s strategy for reducing exposure in that particular area, and clearly defining appetites for market risk, he says. He also recommends stress testing loan portfolios under different interest rate scenarios.
There’s a human capital dimension to this, too, Painley notes. “We’ve been in a bull market for several decades—we might be headed into a rate environment that we haven’t seen for three or four decades, and so there are very few portfolio managers practicing today that have had to deal with a sustained increasing rate environment.”
In a rising rate environment, bankers must also pay close attention to deposit behavior, Painley continues. Core deposits, which surged during the recession as depositors sought safety for their funds and have remained elevated over the last several years, could take a turn as interest rates start to rise again.
“We’re already starting to see some of that at this point,” he says. “The question is, how quickly will this reversal play out? Banks must examine carefully the behavior of liabilities and use this information to model alternative assumptions in their interest rate risk models.”
Adding uncertainty to the mix is the evolution of technology, which has made it easier than ever for consumers to move funds from one entity to another, “and so the pace at which funds or liquidity could deplete could be something that financial institutions need to really be able to respond to,” he notes.
Reputational issues can also have bearing on deposit behavior, Rossi notes. He cites as an example the case of Washington Mutual during the financial crisis, which suffered a $5 billion deposit drain over a two-week period as a result of reputational issues surrounding its subprime mortgage lending portfolio.
“You need to ask yourself: ‘What are your backup plans? What are your liquidity contingency plans?’” he says. “Do you have backup lines of credit or sources of wholesale funding available to you? Do you have access to a Federal Home Loan Bank advance?”
When it comes to operational risk, Rossi and Painley point to process risk, vendor risk management and succession planning are hot topics for 2017.
As regulations are expanded or revised, bankers often find themselves “bolting on” new compliance procedures onto existing procedures, which can add noise to what might otherwise have been an efficient process, Painley explains. “As we bolt on compliance procedures, we may be ignoring larger opportunities to eliminate dated processes, reduce redundancies, increase efficiencies or find new ways to embed control structures.”
Ignoring this big picture for too long can have tangible consequences for the organization, Rossi says, particularly as loan production increases—research has shown a statistical relationship between credit loss and process quality. “If the same loan was originated by an institution that had good process quality, and another that doesn’t you would find a statistically higher credit loss associated with the institution that had a lower quality process.” That’s why it’s critical to prioritize “infrastructure ahead of growth,” he says.
Another operational risk trend is third-party vendor risk management. With regulators stepping up their focus on third-party relationships, risk managers should be ranking their vendors based on their level of access to customer data or other sensitive systems, Painley says. He notes that banks should also have quality assurance programs in place to monitor the activities and measure the performance of third-party service providers.
Boards and senior management must also give consideration to succession planning, Rossi points out. “At the end of the day, banks are only as good as the human capital that they have in place. Making sure you’ve got people in the jobs with the right skill sets is hugely important.”
Banks have now had several years to adapt to the onslaught of Dodd-Frank regulations that have been implemented in the years since the crisis. And while conversations in Washington are beginning to become more favorable toward regulatory reform, Painley cautions bankers against taking their foot off the gas from a compliance risk management standpoint. As bankers are well aware, “if we don’t get compliance risk management right, it can be a detriment to the implementation of strategy,” he says.
The final due diligence rule is one particular area where banks will need to invest time and resources over the next year to ensure staff are fully educated and compliance systems are in place before the May 2018 compliance deadline.
In an increasingly high-speed, digital world where content can go viral in an instant—take United Airlines as an unfortunate example—reputation risk is becoming a central focus for businesses across all industries. For bankers, the key to safeguarding the institution’s reputation is by ensuring that ethical standards and business processes are consistent across the enterprise, says Rossi. Everyone—from the chairman of the board to the tellers—need to be singing from the same song sheet when it comes to employee conduct.
“Going forward, there’s not going to be a lot of latitude for missteps here,” Rossi says. “Process matters. How you interact with your customers throughout the process matters. Getting that message across is imperative, and making sure that executive compensation plans and sales compensation plans are aligned with the long-term interest of the shareholder are critical to maintaining… the company’s good reputation.” (To help bankers assess and manage risks posed by sales practices and incentive compensation programs, ABA has created a Sales Practices and Incentive Compensation Assessment Matrix, available for free to ABA members.)
When asked about the risk category most likely to keep them up at night, Painley and Rossi both agree that strategic risk tops the list. With more nonbank players entering the picture each day and new generations clamoring for new and innovative products and services, banks are being constantly challenged to move quickly, which can make strategic planning a particular challenge. Added to that are new market challenges as interest rates rise, and the need to balance all of these factors against the strategic objective of growth.
The key, Rossi says, is to not become complacent and to embrace new technologies. “You’ve got to look at automation as your friend, not your enemy.”
And ultimately, Painley says, bankers must be prepared to buckle up and brace themselves for the unprecedented pace of change. “The velocity of change in strategic risk is something we need to be thinking about. It might not be a gradual change—it might be a very steep, upward-sloping curve in terms of the way this plays out.”