Where’s ERM heading?

By Drew H. Boecher, CFA, Darling Consulting Group 

Enterprise Risk Management has made significant advances in the banking industry over the past decade or so. Let’s trace that progress, and see where ERM could be headed, as an increasingly essential discipline applying to more and more of a bank’s operations.

Scandal brought ERM out of academia

At a time when mistrust of executives and financial reporting was rampant, Enterprise Risk Management began its evolution beyond the business school setting. The time of the major corporate accounting scandals in the early 2000s—think back on Enron, Tyco, and WorldCom—accelerated the expansion of rudimentary ERM at many corporations.

The political reaction to these corporate scandals was the passage of the Sarbanes-Oxley Act of 2002. SOX chiefly focused significant accounting reform and improved investor protection. Bankers quickly pointed out that the corporate scandals motivating SOX didn’t involve banks, and most bankers opposed SOX as unduly burdensome and an example of regulatory overreach.

By 2004, conversation around the importance of ERM was accelerating in industry, consulting, and regulatory circles. The Committee of Sponsoring Organizations   published the COSO Integrated Framework of ERM in September 2004, which expanded upon a prior “internal controls” framework. This was part of its role in ERM thought leadership.

In that same year bank regulatory conferences began to feature ERM as an important emerging topic and consultants began developing products and services associated with ERM. However, ERM was not widely embraced at community banks. Back then, community bank executives considered ERM overkill—after all, they had a good handle on all their risks, right?

Executives at large banks, for their part, often viewed the topic of ERM with the same enthusiasm with which they’d greeted SOX. At this time, many large banks did begin to hire chief risk officers—however, these individuals were often viewed much as management saw regulatory compliance officers.

Specifically, chief risk officers received neither the recognition nor the compensation of key executives. By 2007, there was clear divergence between banking executives and regulators regarding the importance of ERM.

In fact, there were similar disagreements on the level of risk in the financial system within and across regulatory agencies. I know, because I was there.

Regulatory “war gaming”

FDIC periodically conducts secret large bank failure simulations or “war gaming” exercises to assess the relative health of the industry and to prepare for the potential resolution of large financial institutions. In 2007, while an FDIC employee, I participated on the team that develops such large-bank failure simulations.

While the simulations considered the balance sheet realities of many large U.S. banks, we named a particular fictitious institution the Andrea Gail Disaster Bank. “AGD Bank” brought to mind the historic 1991 mega-storm off northeastern Massachusetts and the centerpiece of the later book and movie “The Perfect Storm.”  

This was the time of proliferating “pay option ARM” loans and various sub-prime and Alt-A credit securitizations. Development team members could envision a convergence of factors, including a decline in real estate prices, which would cause severe financial distress at many of the largest U.S. banks.

In fact, the predicted losses of the fictitious “AGD Bank” were amazingly aligned with what actually occurred in late 2008 and early 2009.

To be sure, the simulation did not foresee the Lehman failure and had a different catalyst event (monoline bond insurers failed in the regulatory simulation). Yet the predicted impact after the catalyst event was quite accurate.

The financial panic and crisis peak in the real world in the fourth quarter of 2008 was a time of profound change in banker perceptions around the importance of ERM.

Executive humility rose, particularly at the largest banks, as bankers found that they had missed risks that seem obvious in retrospect. Following the crisis, banking industry executives began a prominent push toward advancing ERM programs and Chief Risk Officer (CRO) compensation became more commensurate with that of other senior executives.

Political and regulatory response

Banking regulators now profoundly understood the benefits of ERM and stress testing (and some even understood the benefits of war gaming).

Moreover, regulators had been humbled by their institutional inability during the financial crisis. As a result, they eagerly proposed legal antidotes to improve regulatory oversight and reduce the risk of poor regulatory performance in the next cycle.

Risk reduction became the order of the day, with particular “flavors” aligned with each regulatory and political institution’s appetite for risk:

• For FDIC, this meant reduced costs associated with large bank failures and expansion of rhetoric declaring an end to bailouts.

• For the Federal Reserve (and OCC, with an onsite presence at the largest banks), this primarily meant the reduction of systemic risk in the banking system.

• For Congress, the 2010 passage of the Dodd-Frank Act moved the spontaneous and improvisational Supervisory Capital Assessment Program (SCAP) toward the more formal Comprehensive Capital Analysis and Review (CCAR) for banks over $50 billion.

• More recently, Dodd-Frank Act Stress Testing (DFAST) expanded regulatory required credit stress testing to banks over $10 billion.

The latter has been a costly endeavor for banks over $10 billion. OCC community bank stress testing guidance (effective May 2012) has clarified community bank expectations and community bankers would be well advised to read the regulatory stress-testing guidance for banks over $10 billion (effective July 2012).

(After a long pre-amble clarifying that the guidance only applies to banks over $10 billion, the first sentence of the actual guidance begins “All banking organizations should have the capacity to fully understand their risks.” And the second sentence includes a reference to guidance clearly applicable to community banks.)

Current state of ERM

Concurrent with the growth of regulatory stress-testing expectations, ERM has enjoyed heightened prominence and attention. Today most banks over $10 billion have an ERM policy, a CRO, and staff associated with an ERM department. Smaller institutions have fewer staff associated with ERM; however, staffing in ERM is growing at banks of all sizes.

Risk management focus: A matter of “heritage”?

Today’s ERM programs are solidly focused upon risk management, including current and emerging risks. Risks covered in ERM programs include financial risks (interest rate risk, liquidity risk, and credit risk) and non-financial risk (for example, operational risk, cyber risk, and model risk).

CROs come to the job from various backgrounds. Some CROs have credit background or broad financial background and tend to emphasize financial metrics in risk assessment frameworks. Other CROs have compliance or audit backgrounds and tend to use risk assessment frameworks that document answers to questions around risk. Both financial metrics (for financial risks) and question-based assessments (particularly for non-financial risks) can be important components of an effective ERM program.

ERM staff (including CROs) is commonly viewed as the second line of defense between business unit risk takers (first line of defense) and audit function (third line of defense).

For those familiar with SWOT analysis used in strategic planning, today’s ERM programs largely focus upon the right side of the SWOT:  Weaknesses and Threats.

Non-financial risks are often viewed as external threats or inherent weaknesses. Today a majority of CROs are rightly concerned with cyber risk, most often viewed as an external threat. Model risk management is most often viewed as an inherent risk associated with models, most often viewed within the weakness box.

Model Risk Management: Quality control for manufactured risks

This is often a central focus of ERM departments and deserves special attention. Supervisory guidance on model risk management requires proper governance and policies.

ERM departments often govern the model risk management function and typically maintain model inventories. Model validations required by regulatory guidance are overseen by an ERM manager.

ERM departments at the largest institutions (over $50 billion) often contain a large team of quantitative model validators.

Smaller banks (under $50 billion) are more likely to outsource model validation work in part or entirely. ERM managers remain responsible for the quality of external validations.

Opportunities with “Enterprise Strategy Management”

While ERM as a discipline has made significant strides, the coming decade holds more promise for ERM improvement and positive impact on strategy. Returning to SWOT analysis, we can think of ERM as a subcomponent of broader “Enterprise Strategy Management,” as shown below:

ESM involves both the management of risk and opportunities on the way to value preservation and value creation.

Bringing the silos closer

Fully integrated financial risk management systems are a next logical step for many institutions.

Too often credit risk measurement systems are separate from interest rate risk (and liquidity) measurement systems. While a silo approach to financial risk measurement permits focus and depth, a view of the interrelationships is important as well.

Regulatory DFAST and CCAR exercises have moved integrated risk measurement in a positive direction. However, there is much further to go.

Advances with reverse stress testing (or even war gaming) could prove productive. In brief, reverse stress testing requires a company to determine what could cause it to fail. From that assessment, management is asked to work out how avoidance of failure from that cause would be accomplished.

It’s akin to “reverse engineering,” when a technician looks at a complex gadget and strives to figure out how it was made.

While regulators have not widely enforced the reverse stress testing provisions of the 2012 stress testing guidance, bankers should prepare for this as a regulatory expectation at some point.

It may sound a bit “out there” to some bankers. But beyond potential regulatory requirements (or the lack thereof), reverse stress testing is particularly useful in capital planning. For example, by contemplating perfect storm scenarios that “break the bank,” management can more profoundly develop capital preservation and recovery playbooks.

Opportunity management advances

More importantly, the use of integrated stress-testing models to evaluate strategic opportunities is a bright spot for prospective value creation.

Expansion of scenarios and assigning probabilities to a more exhaustive range of potential scenarios could lead to more robust capital planning.

• What probability would management assign to the regulatory baseline, adverse, and severely adverse scenarios? 

• Do these total 100%? 

• If not, what other envisioned scenarios (likely less severe) can get us toward a 100% probability for capital planning purposes? 

The use of current scenarios (and prospective scenarios) can be strategically useful when contemplating mergers or acquisitions.

Top-down quantitative models can demonstrate whether an acquisition target would pass regulatory stress scenarios and if the acquisition improves an organization’s risk and return profile.

And top down quantification of competitors in baseline and more likely scenarios can highlight strategic opportunities. For example, if an environmental factor moves a competitor’s concentration levels toward limits, this could present lending expansion opportunities.

Ultimately, understanding the history and rapid evolution of ERM provides context for the current state of our ERM programs. Adding a strategic view to processes already developed can move us toward ESM. Capital planning becomes more profoundly related to value creation and value preservation.

Thinking strategically, our second lines of defense (ERM manager and CRO) can likely make important contributions on offense.

About the author

As a managing director at Darling Consulting Group, Drew Boecher brings over two decades of experience evaluating asset liability management and assessing bank credit risk. He combines regulatory experience at FDIC and private sector experience to provide modeling insights to improve strategic decisions. As a consultant, Boecher’s experience spans the spectrum from top Fortune 500 firms to very small firms. He has guided improvements in asset liability management at large banks, including a global systemically important financial institution.