Reengineering risk management from the ground up

In a small European town during the middle ages, a strange affliction caused people to appear quite dead, when in fact, they were not.

The town council met, the question on everyone's minds being, "Are we burying people alive?"

One council member suggested a medical test to ensure the "dead" were actually dead. But that wasn't foolproof. So, another suggested installing a pipe in each grave to provide air. Another suggested that a bell be attached to the pipe so the "dead" could signal to be dug up. Another suggested that food and water be included in the coffin, as it might be some time before someone heard the bell.

Finally, a town elder rose. Why spend all that money on solutions to address the possibility that someone might be accidently buried alive, he asked. Perhaps all the town  needed was to install a spike in the lid of each coffin to pierce the person's heart when the lid was closed. That would eliminate any possibility that anyone would be buried alive.

Why open with this macabre mystery?

Many banks' react to the need for enterprise risk management in much the same way. They add on expensive pieces, partial solutions, and staff, continuing to trudge through the traditional approach to credit management, audit, and compliance without assurance that risk is truly, effectively managed.

I propose a radical rethinking and redesign of risk management instead. To drive a stake into the heart of this problem, I recommend the following:

1. Reorganize to manage risk.

2. Obtain resources and skills through outsourcing and co-sourcing.

3. Hold business units accountable for managing compliance and risk.

Let's look at each of these tasks.

Organize to manage risk management

Among the many challenges facing community banks today is determining who is in charge of enterprise risk management. Someone independent from day-to-day business line management is preferred, although for a small bank this may not be possible.

While not ideal, many community banks are expanding the roles of the chief financial officer or compliance officer's roles to include ERM. Others are chartering Risk Management Committees, comprised of the same senior officers that sit on most every other bank committee, to deal with issue.

Just layering responsibility for various aspects of ERM within the existing organizational framework is an ineffective, piecemeal approach. It might impress regulators, but it often provides minimal value to your bank-.

Before discussing an approach to reorganizing the risk management effort, let's look at the way risk management is generally organized today.

In a typical community bank, responsibility for risk management is dispersed among a number of officers and committees:

• The CFO typically handles interest rate and liquidity risk issues and they are overseen by the ALCO committee.

• The Compliance Officer is generally responsible for compliance risk, also managing BSA/AML and sometimes certain aspects of loan administration, such as maintaining the HMDA LAR.

• The Internal Auditor. Some banks employ a full-time auditor, others outsource the function. In either case, however, the Auditor is not truly responsible for operational risk. This risk category is loosely managed by a combination of line managers, security officers, and IT.

Attempts to coordinate risk management through a committee have had only marginal success. Such committees have little direct authority. Often they focus on specific operational issues, rather than broader risk issues.

• The Chief Lending Officer is typically responsible for credit risk, managing lenders, credit analysts, credit administration, and sometimes special assets, collections and loan operations.

Larger banks typically segregate responsibility for credit risk management from the Chief Lending Officer, placing it under an independent Chief Credit Officer. Smaller community banks typically cannot afford a full-time Chief Credit Officer position, though they recognize the improvement in control and risk management from this approach.

Should we change the org chart?

Adapting the typical organization, then, leaves something to be desired in addressing risk. So, if instead of layering risk management on top of an existing organization, trying to fit square pegs into round holes, perhaps we should be reorganizing around risk management needs instead. With many functions outsourced today this becomes a bit easier to accomplish.

Consider the chart below:

For a larger version of this chart, click on the image or click here.

A bit different than the traditional organization, but not radically so.

It does address relevant risk categories, segregates loan origination from credit risk management, and leverages the use of outsourced resources.

Credit risk, arguably the most significant risk to community banks, is now segregated from loan origination. Combined with controls like reviews of credit terms and conditions by Credit, co-approval limits between Credit and Lending and an effective pre-funding review of loan documents by Credit, credit risk management is greatly improved.

The alignment of these critical functions is illustrated in the following chart:

 

For a larger version of this chart, click on the image or click here.

The most significant change in the structure in my first chart (Risk Organization Alternative) is the Chief Risk Officer position. It proposes a combination of the responsibilities of a Chief Credit Officer and a Chief Risk Officer. If functions such as Audit, Compliance, and Loan Review are outsourced, the individual in the CRO position can function effectively in a community bank environment.

As the bank grows, these functions can be segregated into dedicated CRO and CCO positions and certain functions, such as Compliance, brought in-house.

Out-source/co-source to obtain needed resources and skills

The CEO of a $177 million community bank in Texas recently noted that compliance costs at his bank had increased 204% over the past 5 years. A recent Minneapolis Federal Reserve Bank study indicates the impact of new regulations would reduce ROA by 4% in banks with assets from $500 to $1 billion. The impact on banks with assets of $50 million would be a 23% reduction in ROA.

Suffice to say that compliance costs are rising and threaten profitability.

I have heard the horror stories:

• ... of a $300 million community bank with a BSA staff of 17.

• ... of a $10 billion bank being advised to add 16 compliance personnel to its staff of 6.

• ... and more such.

It is clear that additional compliance and risk management resources are needed. However, banks can no longer afford to just throw bodies at the problem.

A new approach is needed that improves and assures compliance and risk management at a reasonable cost. Community and small regional banks must consider out-sourcing such functions as Compliance, Audit, and Loan Review.

In some cases, functions can be co-sourced, with the bank providing certain advice internally to management, but primarily serving in the role of managing out-sourced resources and coordinating the implementation of recommendations from these providers.

The out-sourced service provider does the heavy lifting, such as compliance, audit and IT security testing, training, and loan reviews, as well as providing needed "technical" expertise that could not be afforded on a full-time basis by the bank.

Hold business units accountable for managing risk

Is your bank's compliance department picking up others' slack?

I have performed over 350 risk reviews of banks in the U.S. Almost without fail, there is some function assigned to the Compliance Department because the operational unit originally responsible for it couldn't do it correctly.

The work was transferred to Compliance to "fix" it--and it never went back.

As a result, I have also seen both Audit and Compliance being inappropriately blamed for the failures of operational business units.

As the chart below illustrates for compliance risk, accountability for risk management and compliance has to be shifted back to the business units.

For a larger version of this chart, click on the image or click here.

The same holds true for risk management. Business units must be held accountable for identifying and managing risk in their business units. To do that effectively, however, they will need appropriate and sufficient staff, effectively designed business processes, and effective technology. Determination of whether these exist in each business unit will require an assessment of risk.

Assess risks--and risk management methods

Once someone is selected to lead the bank's ERM process, it is critical to begin identifying and assessing exposure to key risks, and the appropriateness and effectiveness of risk management methods. Risks should be summarized in accordance with the categories of risk promulgated by regulatory authorities, including:

• Credit risk

• Interest rate risk

• Market risk

• Liquidity risk

• Operational risk

• Compliance risk

• Reputation risk

• Strategic risk

Equally important, the bank should consider the following additional factors as it evaluates risk throughout the business units:

• Personnel. Does the business unit employ sufficient numbers of managers and staff to handle the risk associated with the unit's function? Do they have adequate experience, or appropriate training? Are they compensated in a manner that minimizes risk (i.e., lending officers)?

• Organization. Are personnel in the business unit properly organized? Are business functions appropriately included in the business unit? Or do they perform functions inappropriate to the business unit?

• Business process. Are business processes effective and efficient? Do all of the same steps need to be performed for each and every transaction, or can processes and controls be staged to reduce cycle times?

• Technology. Is the bank utilizing the technology it has effectively? Or does it need new or additional technology?

• Customers, products, and markets. Is the bank trying to sell the right products and services to the right customers in the right markets? Are they priced effectively and delivered efficiently in the manner customers desire?

As risk information is collected, it will be critical to maintain the information in a manner that all users who need it can access it; and when they do access it, they will have assurance it is the most current and accurate information available. This includes management, compliance, audit, security, SOX/FDICIA/FCPA compliance personnel, and others.

Instead of maintaining silos of this information, develop or acquire a common risk control database. This information will form a cornerstone of an effective ERM program. The next in this series of articles will look at risk management information systems.

Looking forward

Old, piecemeal solutions will not result in an effective, integrated, enterprise risk management function. As a congressman recently noted:

"You can put a tuxedo on a pig and call it Steve ... but it's still a pig."

From the arrangement of organizational roles and assignment of risk management responsibilities, to the development and maintenance or risk management information, a drastic re-thinking and restructuring ... re-engineering, if you will ... is required.

About the series 
This series by Abound's Ken Proctor appears at two-week intervals. You can learn of their posting by subscribing free to Banking Exchange Editors Report eletter.

• Part 1: Why risk management and strategic planning must synch  

• Part 3: Risk management systems that work.

 Download Abound's free risk management policy and program 

The final part of this series will examine risk management systems that work.