In a way, risk management defines banking, and always has. It just wasn't always called that. Today, however, the science of risk management, thanks to the financial crisis aftermath, has become far more complex. Many community banks (and large banks for that matter) struggle with its principal components: quantifying the bank's appetite for risk; translating board dictates into procedures; stress-testing assets; guarding the bank's reputation—and all to regulators' satisfaction.
In principle, it doesn't have to be all-consuming. Todd Cooper, vice-president and general manager of Enterprise Risk Compliance business for Wolters Kluwer Financial Services, says enterprise risk management (ERM) boils down to doing two things well:
1. The bank's risk picture must be clearly defined in the boardroom and understood in the executive suite.
2. The bank must hold operational units accountable for staying within the defined risk perimeter.
Kenneth Proctor, managing director, Risk Management, for Abound Resources, recommends a third step: Setting contingency plans. "What happens if you actually achieve your objectives but the economy goes south?" he asks. "In 2005 everybody wanted to grow their loan portfolios and CRE. A lot of them did that—then the bottom fell out of the real estate market."
To avoid such catastrophes, he recommends risk-monitoring that looks forward rather than backward.
"Banks are good at looking at things that have already happened—monitoring past due and classified loans—but those are lagging indicators of risk," says Proctor.
Tracking leading indicators such as housing starts and employment figures can produce more useful predictions. Proctor recalls an Atlanta banker who recognized signs of trouble before the real estate market tanked three years ago; he stopped making loans for commercial real estate and construction.
"I'm sure his board was not that happy with him," says Proctor, "but his bank is going to survive."
One predictor of potential loss, stress-testing, is particularly challenging for community banks, because their loan portfolios are less consistent than those of larger banks, says Doug Johnson, vice-president, Risk Management Policy, American Bankers Association. Consequently, formulaic stress tests that may be appropriate for banks operating on a national scale can make little sense for small banks. "Community banks are very idiosyncratic—very specific to their markets," says Johnson. "That makes it difficult to have a one-size-fits-all approach."
Another risk factor unique to community banks is the number of loans they make by exception, perhaps at a higher loan-to-value ratio than is prudent, because the bank knows the customer.
"Banks track those one at a time, but they don't always look at how many of those they have in their portfolio," says Proctor. "They can build up to too many and miss the fact that a lot of their loans are high-risk."
Community banks also need to be sure they stress-test frequently enough. "Most of the smaller banks use core banking systems," says Andrew Liegel, vice-president, FRSGlobal. "What they get is an extract at the end of the month—a quick Polaroid. But what if they decide to lower interest rates mid-month to match a competitor?" They would be better off, he says, if they could take a daily look at some of the stresses they've created.
Yet even frequent tests are meaningless unless they stress the right data. Some community banks think they're stress-testing their loans when they're really stress-testing only interest rates, says Proctor. "They're not really getting down into the fundamentals of individual credit."
For example, one income-producing property may have a major tenant who occupies 60% of the space. The possibility of the tenant moving out makes a loan for that property far riskier than a loan on a property with more tenants paying fairly equal rents.
"Two loans can look alike on the surface," says Proctor, "but when you start drilling down to things like tenants and rollover, the risks are very, very different."
Protecting your reputation
Reputational risk is probably a bank's biggest concern, says Holly Ford, senior vice-president, Risk Management, at $1.3 billion-asset Bank of Marin in Novato, Calif. "What a bank is really selling is trust," she says. "If our customers don't trust us, we have nothing." Yet a trustworthy bank's reputation can suffer if its customers don't understand risk.
Consider the Zeus Trojan, which infiltrates online cash management systems and fraudulently sends ACH files directing banks to transfer funds. By the time the customer realizes the loss, his money has been moved to Eastern Europe. "The bank says, 'We followed the contract, so we're not legally to blame for your loss'," says Proctor. "But it hits the news and there's the bank [portrayed as] not paying back a local charity or a small business."
Having faced that situation, Bank of Marin took steps to prevent its recurrence, says Ford. Customers onboarding for ACH and related products now must sign detailed protocol sheets, initial each line, and demonstrate that they have controls in place. Additionally, Bank of Marin offers educational materials and tools to help customers maintain security protocols.
"We've really upped our game in making this a public issue with our customers and making sure they understand not just the product's features and benefits, but the risks—and make their business decisions accordingly," says Ford.
Because Bank of Marin outsources quite a bit of its business, vendor risk also is an issue. Due diligence when onboarding vendors is straightforward; ongoing review, however, is tougher. The bank is presently implementing technology to gather documentation for tracking and monitoring vendors.
Coping with compliance
The biggest compliance challenge community banks face is positioning their institutions to meet escalating regulatory requirements, says ABA's Doug Johnson. To ensure that they're prepared for new risks and issues as they occur, he advises banks to focus on the capabilities of individuals managing risk, as well as the articulation of those risks and how they fit into the governance process.
It also is crucial that individual business units understand that they own their risk. "Risk and compliance officers can advise what the risks may be," says Johnson, "but it's up to the business units to manage that risk based on the risk tolerance set by the board."
Proctor recommends segregating functions. If, for instance, a senior lender has the authority to make a loan, put it on the books, and manage it, his bank is running a greater risk than a bank that makes lending, credit, and operations separate functions reporting to different officers.
"That's probably what gets most banks in trouble," Proctor says. "Lenders wind up with too much authority and start pushing through loans the bank should have avoided."
On the other hand, banks that panic over compliance requirements sometimes don't allocate resources according to risks. They may waste money focusing on an unimportant risk and not mitigate one that is less expensive, says Todd Cooper of Wolters Kluwer. Or, they overspend trying to produce regulatory reports that are perfect, instead of sufficient. "Those last dollars being spent are resulting in only the smallest incremental improvements and could be better used," he says.
Because a risk-management culture starts at the top, Cooper recommends tying executive pay to how closely business units stay within the risk structures. "Turning it into a positive program accelerates it, as opposed to making it a drag," he says.
Perhaps the most important tool is remembering risk-management must be practiced daily. It is a continuous process, says Johnson, not one that's "won and done. Thoughtful institutions get that and are working to build that kind of environment."