Revealing the faces of risk

My many years in banking have taught me that the basis of our success lies in sound practices consistently and conservatively applied over time. This is the sort of performance—predictable performance—that owners and examiners value most. We can’t control the weather or the actions of our customers or competitors—but we have the tools to better manage our performance and measure our risks.

Performance versus risk

One such tool, the Uniform Bank Performance Report (UBPR), has been around for more than 30 years. I’ve been leading an on-line class for quite a while dealing with the analysis of bank performance. While we use the UBPR to analyze financial performance, it has occurred to me recently that consistent performance of a high order is also a reliable indicator of the level of certain types of risk residing within the enterprise.

The relationship between performance and risk, I believe, is an inverse one: high performance consistently achieved suggests a relatively low level of risk.

The UBPR metrics are not reliable indicators of all types of banking risk. Reputation, compliance, legal, and strategic risks are not showcased in the numbers. But credit risk, liquidity risk, and capital risk—and to a degree, market risk and operational risk—are all discernable in terms of the longer-term record of financial performance they leave behind.

Parenthetically, I should note I’ve been surprised over the years that the UBPR is not a more widely used tool. It has considerable analytical value, yet with some boards and managements it rarely, if ever, sees the light of day.

The UBPR permits two methods of performance assessment—internal and external.

• “Internal” is the comparison of information of the bank itself, such as quarterly or annual data.

• “External” is the comparison of a particular bank with a group of peer banks, those sharing similar environments including size, geography, and product line.

The external comparisons to the peer groups are where the major value lies in terms of measuring relative performance.

Risk management versus risk rewards

To me, a reasonable definition of a “high performance” bank is one that consistently performs among the upper percentiles, say, within the top quartile, on a consistent basis of each major performance metric compared to a group of peer banks. One does not, for example, achieve a consistently strong ROE record with a high appetite for risk.

 Prudent risk taking, carefully managed over a multi-year period, is a necessary precondition to a high-performance result. And I believe it’s also a proxy for the relative level of risk that the bank’s management has undertaken.

Too many banks seem to operate with business models that periodically require at the bottom of economic cycles to give back all or most of the earnings of the pervious several quarters of the business cycle. Hopefully, there’s a better way.

Factors hampering risk management

Sometimes risk is exacerbated by “small” thinking. Many smaller banks struggle to justify the seemingly heavy expenditures in systems to keep the bank on the competitive cutting edge. Often, as a result, these banks fail to take appropriate steps to assure the long-term viability of the enterprise.

That’s a “poor boy” attitude. It tends to constrict horizons as well as in some cases, pose an existential risk.

When I was a youngster in the business, operational risk was largely viewed as existing in the threats of natural disasters or fraud. Today, an appropriate way to view operational risk is in reference to making the business as productive and as profitable as possible consistent with sound banking practice. “Hand cranked” reports or patchwork networks of legacy systems are major sources of operational risk.

Risks usually present themselves in two basic ways.

• First, they may arise from sub or outright poor performance in one or more of the bank’s product lines or systems.

• Second, they may arise from “Black Swan” events, those rare but highly consequential events over which management has little or no control.

Do you remember several years back when Southwest Airlines discovered that certain safety inspections were not being completed on the fuselages of their aircraft but a few rogue employees certified that they had been done?

The news was embarrassing. But Southwest immediately grounded the fleet and within days, the needed inspections were accomplished.

The incident has all but been forgotten. But what if one of those planes had crashed and an investigation uncovered the fact that the inspections hadn’t been done and had likely contributed to the disaster?  

Something like that could have literally killed the company.

How your bank can cope with today’s risks

There are two appropriate and concurrent responses for today’s challenges.

One is an aggressive commitment to internal controls and systems. Dodd-Frank can be understood, in part, this way.

The other is a back-to-basics response to the training and proficiency of our staffs.

We need to attend to the basics and pay close attention to all the little things we regularly do—both large and small—that roll up into the numbers of revenue and expense. If we’re consistently doing that, then many areas of day-to-day risk management are being taken care of on a real-time basis.