Get under the ERM dome

By Mike Guglielmo, Darling Consulting Group

The regulatory community is clearly on a mission to provide a cushion for all anticipated risks. Financial institutions of all sizes and structures need to develop more substantive capital planning and stress-testing processes that extend beyond what is traditionally being performed. Proactive capital planning that incorporates substantive financial and operational risk assessments is rapidly becoming the new norm.

Past tense, present tense

The capital planning exercise for most organizations has traditionally been an extension of the budgeting process—with a longer-term, two-to-three year time horizon.

In more recent times, organizations that experienced financial challenges during the 2008 Great Recession or institutions that exhibited concentration risks of some form were asked by regulators to do more by assessing the potential risks and the related impact those risks have on capital.

More than ever, organizations need to develop more of a dynamic and ongoing process that is forward-looking. Furthermore, they need to make their process inclusive of changes in a bank’s strategic focus, risk tolerance levels, business plans, and operating environment.  In addition, banks need to evaluate other factors or events that may materially affect capital adequacy and develop a “recovery playbook” that specifies how management can successfully overcome a potential crisis. Or, better still, prevent it.

As organizations evolve risk management practices and develop more enterprise-wide risk assessments, the capital planning process should become an integral part of this exercise. Banks must learn to quantify potential risks in terms of capital impact.

In addition, potential vulnerabilities such as concentration risks; rapid changes in the economic and financial environment; and events that could occur outside the normal planning cycle, such as natural disasters, need to be part of this evaluation.

Ultimately, the capital planning process is going to become the platform for holistic financial and operational risk assessment and stress testing.

Examiners’ new yardsticks

Regulators are weighing in on both capital planning and stress testing. For example, guidance for evaluating capital planning and adequacy (OCC Bulletin 2012-16) and the interagency guidance on stress-testing for banks $10B-$50B (as in OCC Bulletin 2012-14) and community banks (OCC Bulletin 2012-33) collectively provide a clear directive.

Examiners are expecting a very different capital planning process that includes a “war gaming” mentality as organizations approach this exercise.  

You may not have to scrap your current process. However, organizations that hope the continued use of their traditional approach is going to suffice in the eyes of examiners will put their banks at risk of criticism or regulatory action.

More importantly, if little is done to improve upon the current process and more substantive stress testing is not performed, your institution may ultimately be constrained by the Basel capital buffers that will be coming relatively soon. The impact of these buffers could eventually impede future asset growth, earnings, dividend payments, and executive compensation; particularly as those buffers are increased for perceived noncompliance.

Increased emphasis on stress testing

Many organizations are taking the time now to reassess and enhance their current capital planning process and are starting to incorporate some form of stress testing into the exercise.

Larger organizations have already started on this journey. They have been actively working to meet the Dodd-Frank Act Stress-Testing (DFAST) guidance with their first-time results being reported to regulators in March. Much will be learned from these efforts as prescriptive guidance that stipulates specific methods expected was notably absent from the regulations.

We have learned already that more expansive modeling that includes quantifiable stress assumptions is expected of these banks. However, the methods by which these assumptions are derived have varied from simple top-down historical look-back exercises to sophisticated statistical/stochastic simulations that require significant expertise in statistical modeling.

Start with some common sense

Recognize that it does not require a rocket scientist to begin the process.

The first step can be to qualitatively identify and inventory your organization’s key vulnerabilities. 

• What is your bank’s “perfect storm”?

• What set of circumstances or events that could most impact earnings and cause an ultimate loss of capital?

While an obvious capital killer is credit risk, taking the extra step of evaluating what could lead to the credit event can be very insightful. This information can lead to the development of substantive and informative Key Risk Indicators. That represents an early warning system that can effectively alert risk managers of a potential threat.

Having gone through that exercise, many organizations are taking the time to look deeper and are realizing that the information that can be used to inform this early warning system or their stress test parameters is not being adequately maintained or easily accessible.

Now is the time to assess your ability to evaluate your underlying risks like credit concentrations (such as single borrower, industry, credit ratings, LTVs, geography, etc.) and funding concentrations (such as retail, commercial, and wholesale) and economic or financial market risks.

In addition, deeper dives into the various operational risks and their potential impact are starting to emerge through Enterprise Risk Management (ERM) initiatives. Over time, this more qualitative look-back exercise will evolve into a more forward-looking approach with quantifiable assumptions.

Seek out your weak spots

In the absence of quantified assumptions, organizations can apply some level of qualitative assumptions, supplemented by “reverse stress testing.” This is a mathematical exercise that simply measures the maximum allowable loss before a guideline or hard limit gets broken. 

This combination would allow stakeholders to understand the potential impacts relative to a maximum capital buffer. At a minimum, this exercise would allow management and the board to assess the potential impacts of various risks and rank these risks by likelihood and impact severity.

This effort can help stakeholders prioritize their efforts and determine the investment needed to further understand and address the key risks identified.

Don’t just stick a label on it

The process should not end with the risk assessment.

When risks are identified and the capital impact is quantified, your institution needs to develop recovery scenarios that illustrate your ability to withstand the stress or events and overcome their impact over a reasonable timeframe.

Along with these simulations, well-documented contingency plans need to be developed that include key roles and responsibilities, potential actions taken, and a description of any of the additional reporting and communication protocols that may be triggered.

In other words, regulators want you to act like Boy Scouts: “Be prepared.”

Organizations that invest the time to develop this “war gaming” mentality are going to be well served when it comes to strategic risk management. As the processes, data, and technology improve, enterprise risk management will evolve into a true forward-looking risk evaluation and tactical resolution process. 

About author Mike Guglielmo

Guglielmo is managing director at Darling Consulting Group. With over 25 years in asset liability and strategic risk management, he provides both technical and strategic consulting to a diverse group of financial institutions in the U.S. and abroad. Prior to joining DCG, he managed the asset liability management and strategic planning process for a regional bank in the northeast.