In the first part of this series, “Getting started right in Enterprise Risk Management,” we discussed the various expectations of an ERM program, and how a CRO might approach fulfilling them. Part 2, “Where should ERM live?” discussed risk committee structure. In this conclusion Dan Rothstein reviews what management and the board should be hearing from the Chief Risk Officer.
Part of putting an Enterprise Risk Management program to work entails having a way to pull everything together, to enable decision makers to act in an informed manner.
In this final part of the series, we’ll discuss what the CRO’s report should look like, and what the responsibilities of a Risk Committee should be. Perhaps counter-intuitively, we’ll begin with the structure of the CRO’s report.
I do so because a report from the CRO should proceed in an orderly fashion to depict the enterprise risk levels within the organization. The report structure is critical, as it should reflect the oversight responsibilities of the Risk Committee.
Reporting sets performance
What a CRO chooses to report on, in what format, and in what level of detail is important to the overall effectiveness of the ERM program. Every report should be designed to tell the reader, in a simple, quick format, whether action is indicated or to decide—affirmatively—that no action is necessary.
Topics to be covered usually resolve themselves into these areas:
• Loan portfolio position and trends
• Market risk position and trends
• Operational risk summary
• Significant risk events
• Emerging issues
Laying out ERM’s priorities
Let’s look at these individually.
• Loan portfolio position and trends should depict performance at the portfolio level only.
The place for discussion of individual loans is the Loan/Credit Committee, and that work need not be rehashed here. The riskiness inherent in the various portfolios should be clear, with new loan trends and migration within the existing loans segregated. This is especially important if new loans differ in risk profile, for better or worse, from the existing loans.
I recommend combining profitability measurements with risk measurements in these reports. In this way it becomes clear how ERM is inherently part of the value-creation process.
• Market risk position and trends should reflect the key outcomes of the ALCO process. Don’t just rehash the CFO’s ALCO report.
One or two summary measurements on each of the major risk categories should suffice. These are interest rate risk, liquidity risk, capital adequacy, and, if a significant factor, price risk.
Trends should be made clear so it is easy to explain where the bank is, how it got there, and whether that is a desirable position in light of the bank’s plan and the current and expected future operating environments.
• Operational risk summary is in some ways the most challenging item on which to report.
This area may suffer from a lack of well-understood measurement systems with history and trends. To the extent that the bank has developed such measurements, they can be reported in summary with trends and placed in the context of the bank’s strategic initiatives. This may involve a variety of key risk indicators, and it may also include results from risk assessments over time.
Typically, the CRO will also want to use brief statements regarding risks of an operational nature, especially legal, regulatory, and compliance items that may not be captured elsewhere.
• Reporting on significant risk events, such as a major fraud or very expensive operational error, should focus on an analysis of root causes, and then concentrate on what action has been taken or will be taken to modify controls.
These events should also include near-misses, as they often depict flaws in the control environment. More detailed oversight of the control environment is the direct responsibility of the Audit Committee. Therefore, the CRO need not rehash all the work done there.
• Emerging issues works well as a category to prepare board members in particular, but also some senior managers, for events that are expected to affect the strategy and operations of the bank.
In this category today fall items such as cyber/information security, vendor management, BSA/AML requirements, and any of the various regulations adopted, or expected to be adopted, pursuant to the Dodd-Frank Act.
A good CRO will spend some time in considering the format for these reports. Make your points easily understood. This is the time for concise graphs, primary colors, and brief, targeted statements.
Presenting the detail and analysis to arrive at the overall picture may well be counter-productive. Time and attention are limited resources and a good CRO will use them wisely.
What does the Risk Committee do with this?
This leads us to the role of the Risk Committee. The Risk Committee is charged with assisting the board in overseeing the levels of risk in the organization and assisting it in determining the bank’s risk appetite across the full spectrum of risks to which the bank is subject.
The board of directors, of course, has overall responsibility to set standards and concern itself with the functioning of the ERM program, but it relies on the Risk Committee to work through the analysis and make comprehensive recommendations. Inherent in this process is that any one risk or set of risks relates to every other one.
A typical agenda will reflect the list of areas suggested for the CRO’s report. In addition, it is good practice to ensure follow-up on any matters remaining open from prior meetings.
The committee will want a simple compliance report regarding previously set risk levels. If any areas are out of compliance, management will need to propose plans, with specific actions and timeframes, to bring positions back into compliance.
In setting maximum acceptable risk levels, the CRO will do well to establish trigger thresholds that will cause management to investigate and determine whether action is necessary to avoid breaching the maximum risk level.
For example, if a maximum percentage of capital is allocated to a particular loan category, management will want a trigger below the limit, which should allow for an orderly change in strategy if that is the decision.
This also affords a better chance to avoid what we all dislike—major negative surprises. If a risk level is in jeopardy of being breached, there is a better chance to identify it ahead of time.
Risk committee in action
Once your bank’s Risk Committee has gotten fully underway, it will significantly add value by working with management to view risk levels across the enterprise, and help management and the board select the mix of risks and rewards that are most sensible for the bank.
If the bank’s plans call for significant loan growth, for example, management and the committee will want to think about whether liquidity should be higher than might otherwise be the case. Also, if the bank is originating loans that will perform more cyclically than average, then capital levels might well need to be somewhat higher. Finally, if there are significant new products in the offing, operational resources and expertise need to be part of the plan.
The Committee should also expect that the CRO has developed sufficient internal mechanisms so that the CRO, the CEO, other senior managers, and the board become aware of the risk events, concerns, and trends within the company.
Candor with the Committee is a great attribute for the CRO. No ERM program can succeed without it.
Going forward with ERM
In this three-part article, we’ve discussed how an ERM program fits into a banking organization, what a CRO should do to make it work, how a board may best oversee the process, and how the financial institution can draw maximum benefit from these activities.
ERM is a young discipline, and the role of a CRO is still being defined. Use of these elements will provide a basis for assessing enterprise-wide risk levels in connection with the business strategy and profitability goals. It communicates concisely to all with a need to know and provides the basis for crisper, more informed business decisions.
Have you found this series helpful? What else would you like to see about risk management? Email Executive Editor Steve Cocheo with views and suggestions.