Menu
Banking Exchange Home
Menu

Why risk management & strategic planning must synch

Part 1 of a series on making risk management work in the real world

Why risk management & strategic planning must synch

I often ask bankers what they see as their bank's greatest risk. Almost universally I hear "regulations and compliance." But over my career, I have learned that the greatest risk is uninformed or poorly informed strategic decision-making.

The recent crisis emphasizes the need for bank management and boards to understand the potential risk consequences of strategic business decisions made today. As many banks learned over the last few years, just having strong net worth and earnings doesn't mean you've managed risk carefully. Earnings and capital can evaporate quickly in a severely plummeting economy.

Last round: how enterprise risk management failed

When many banks made the decision in the early 2000s to grow, they funded speculative acquisition, development, and construction loans with wholesale funds. But how carefully did the weigh the downside?

Did they actually understand whether the bank could survive the effects of a severe downturn in the real estate market?

Did they consider the impact on earnings and capital adequacy of a catastrophic decline of real estate market values? That, plus a coincident meteoric rise of foreclosures, collapse of construction, and high, long-term unemployment.

Many bankers did not do this, despite seeing a similar scenario play out in various markets in the late 80s and early 90s. Many thought that this economic "perfect storm" could not happen in their markets.

But that is exactly what happened.

The Case-Shiller home price index rose approximately 30% from 2004 to its peak in 2006. Just as abruptly, it fell almost 30% in the next three years. According to Realty-Trac, foreclosures increased from approximately 600,000 in 2004 to 3.9 million in 2011. U.S. Census Bureau data indicates that housing starts fell from a peak of 2.2 million in 2006 to just over 400,000 in 2009. Unemployment rose from roughly 5.5% in 2004 to 9.9% in 2009.

How did these economic changes impact bank loan portfolios?

Losses on construction and development loans rose from 0.73% in first quarter 2007 to 7.66% in fourth quarter of 2009. Losses on residential construction loans rose from 1.21% in the first quarter of 2007 to 9.52% in fourth quarter of 2009. Losses on construction and development loans rose from 0.87% in first quarter of 2007 to 8.08% in fourth quarter of 2009.

Thirty-two banks failed from 2004 through 2008. Bank failures skyrocketed in 2009 and 2010 to 140 and 157, respectively. Another 92 failed in 2011 for a three-year total of 389. Bank closings in 2012 decreased to 51.

On the bright side, if you can call it that, this is nothing compared to the 1,800 banks lost in the late 80s, early 90s crisis.

It is true that many bank' s earnings, non-performing loans, capital, and regulatory problems resulted initially from the economic downturn, but they were exacerbated by poor loan underwriting and credit risk management practices.

Embarking on high-growth strategies, developing significant commercial real estate loan concentrations, using wholesale funding without considering the attendant credit, interest rate, liquidity, compliance, operational and strategic risk implications was a primary cause of the crisis.

But from a top-down view, the problems have really resulted from an overall failure of enterprise risk management.

A solution in search of implementation

Management must make critical decisions about how the bank will build value.

In that regard, setting strategic business objectives calling for significant change, such as rapid growth, changes in focus of lending programs, or severe cost reductions to improve the efficiency ratio may require the bank to make significant operational changes. Likely, these changes will result in increased risk.

The strategic goals and objectives of the bank are critical in determining how much risk it can, or even must, take to achieve them.

On the flip side, it also aids in determining critical risk consequences that must be avoided. It is vital that management and the board consider the potential effects of strategic planning changes in the context of the bank's "risk appetite."

Unfortunately, many banks do not have a formal strategic risk management process. Decisions are made, strategies implemented, technology deployed, and products developed without sufficient assessment of future potential risk consequences. Failing to manage strategic risk exposes the bank to the possibility that it may not achieve its strategic business objectives: growth, earnings, safety, compliance, and increased shareholder value.

Risk management at most banks continues to be fragmented, expensive, and inefficient.

Even as the concept of enterprise risk management becomes more widely accepted, many banks are creating silos of analytical information and a hodgepodge of different solutions. While each database of information may be high in quality, they often lack the capability to interact with other solutions. This denies the bank a true picture of risk across the enterprise. Additionally, often the individual silos are inaccessible to management.

This shotgun approach to managing risk often causes management to focus on issues that truly have little significant impact on the bank' s strategic objectives and future viability.

How to redesign risk management

Banks increasingly turn to a strategic, enterprise-wide approach. The strategic approach to managing risk:

• Considers risk as a critical component in strategy formulation.

• Recognizes the interdependencies of risks among business units throughout the bank and among components of the balance sheet and p&l.

• Improves the bank's ability to identify and take advantage of future opportunities.

• Facilitates and improves communication about and understanding of risk.

The bank that implement a strategic approach to risk management can obtain these benefits:

• Helping the board and management in determining the risk, at a broad level, that is acceptable in the pursuit of the bank's strategic objectives and value.

• Improving the alignment between the strategic objectives and risk appetite.

• Defining risk tolerances and ensuring that risks taken are consistent with the level of risk acceptable to the bank.

• Ensuring that risk management strategies and controls employed are both appropriate and cost-effective.

When linked to appropriate information systems, management and the board are provided sufficient, timely, and appropriate information about risk positions and trends to make effective risk management decisions.

Risk appetite statement

A key component of taking a strategic approach to risk management approach is the development of a comprehensive Risk Appetite Statement. To survive and thrive in the future, banks must consider the future risks of strategic decisions made today. In short, they must be able to define the institution' s "risk appetite." This understanding is generally documented in a "risk appetite statement," part of the Strategic Business Plan.

On the face of it, this seems easy to do. Isn't it simply the institution's capital structure and solvency needs which determines its ability to withstand shocks, or risks, and therefore represents its risk appetite? Can't we just run simple capital, credit, interest rate and liquidity stress models?

Not if you want to get it right.

That approach will get you partway there. And it is an integral part of managing ongoing risk. But determining risk appetite is a bit more complicated affair and goes right to the heart of setting the institution's strategic business strategy and its risk governance, compliance, and risk management structure.

Defining a bank's risk appetite goes beyond just considering the potential future consequences (i.e., losses) of a single strategic decision. Other issues must be considered as well. How, for example, would the planned growth be funded? What are the implications of the chosen funding strategy on future liquidity and the net interest margin?

Illustrating the process

Pictured below is a representation of the risk appetite setting process.

http://www.bankingexchange.com/images/BriefingImages/61413_riskmanagement.jpg

For a larger version of the chart, click on the image or click here.

As the model illustrates, setting the risk appetite is an iterative process. Start with setting strategic objectives and evaluate the related risk consequences of those objectives. Essentially, run Best, Worst, and Expected case scenarios. Identify the probability of each of those possible future states.

Determine if the results is acceptable. If not, recast the strategic objectives and re-rerun the scenarios.

Done well, this process requires consideration of the various components of the balance sheet (i.e., what loan types, in what amounts, over what terms, funded from which sources and at what rates) as well as costs of any resources required to achieve the stated objectives.

How the statement becomes a tool

The risk appetite statement goes beyond a simple projection of losses and assessment of capital adequacy. Properly crafted, the risk appetite statement considers a range of other issues that might impact the bank' s ability to achieve its strategic business objectives, including the alignment of the following:

• Personnel and organizational structure: Does the bank have the right people to pursue the identified strategic objectives? Do they have sufficient experience and training? Are there enough of them? Too many of them? Are they organized correctly? Are they paid sufficiently and in a manner that promotes achievement of the bank's goals?

• Business processes: Are they effective and efficient? Will they be appropriate given the changes anticipated in products, services, customers, etc.? Are they staged properly? Or does every single transaction follow exactly the same path? Do they need to be "reengineered"?

• Technology: Is the bank using its existing technology effectively? Is additional or other technology needed to ensure achievement of strategic business objectives?

• Customers, markets, products, and services: Is the bank attempting to sell the right products and services to the right customers in the right markets? Are they priced effectively for risk and competition? Are they properly aligned with the bank's objectives and risk appetite? (That is, are funds generated appropriate for the way they will be loaned or invested, considering term and rate)? Are they delivered in the appropriate manner, such as branch office or electronic delivery channel?

Keeping strategy and risk management on course

Considering these change issues permits management to start identifying data or measures I refer to as "success factors" for managing the risk going forward.

For example, if training is critical to the success of a particular strategic objective, then the hours of training provided or number of people trained can be tracked as part of the risk management information system.

Similarly, if business process factors are critical to the success of a particular strategic initiative, such as the growth of mortgage loans, other related criteria can be tracked, including, calls made, applications generated, length of time between application and approval, number of applications withdrawn, number of applications rejected vs. approved.

As management considers why the projected growth is not being achieved, this data will be critical to addressing the problem.

In addition, the process of developing the risk appetite statement, and the iterations of analysis, yield additional criteria, or conditions for success.

What additional "success factors," such as economic conditions, must be present in order for the bank to maximize its success?

Again, if mortgage loan growth is a key strategic objective, then outside economic factors that could negatively impact this objective must be identified and tracked. These might include, home prices, numbers of potential buyers, average incomes, interest rates, new home starts, selling periods, inventory of unsold homes, employment rates, apartment occupancy and rental rates, etc. As management considers why growth is below projections, this data will be critical.

The risk appetite statement also provides the basis for determining specific risk tolerances. These risk tolerances must be incorporated into bank policies and approved by the board. These policies then contain clear guidelines on how much and what type of risks the bank finds acceptable. They also provide guidance on how management should respond to changes in risk and exposure.

These guidelines, along with the other success factors previously described, provide the key sources of data to be tracked in risk management information systems, such as Key Risk Indicator Dashboards.

Looking ahead

A strategic approach to risk management focuses on the broader spectrum of risks that potentially threaten the achievement of the bank's strategic business objectives and provides a means to analyze the bank' s ability to achieve the goals.

Taking the strategic approach improves the alignment of risk with strategic goals and permits the bank to approach risk management in a more holistic, cost-effective manner.

Integrating this strategic risk management approach with risk governance results in three benefits:

• Improved, more consistent earnings.

• Resilience to the effects of future problems.

• Ultimately, more-satisfied and better-served shareholders and customers.

Ken Proctor

Ken Proctor is managing director, risk management, at Abound Resources. He is both a certified public accountant and a certified bank auditor. He brings 40 years of professional banking and consulting experience to Abound, where he heads up the risk management practice. Before joining Abound Resources, Proctor managed the efforts of four financial institutions to comply with regulatory enforcement actions, including consent agreements and written agreements. Additionally, he has completed BSA/Anti-Money Laundering compliance assessment, GLBA 501b information security reviews and IT audits for a number of U.S. financial institutions. Ken created the risk management practice areas for two national consulting firms during his tenure with those organizations. He also served as a senior consultant with two international risk management consulting firms. He served as an internal consultant with a major regional bank, held responsible management positions in the auditing departments of two southeastern regional commercial banks, and worked as a public accountant.

back to top

Sections

About Us

Connect With Us

Resources