In banking, as in life, people have two ways of learning. One comes from making mistakes and learning to change to avoid them. The other comes from seeing what’s happening to other banks and taking preventive and proactive measures. Enterprise risk management fits this scenario perfectly.
Sometimes the direct, personal lessons come out of left field. During a recent roundtable discussion about ERM among selected members of ABA’s Community Bankers Council, all participants reported increasing emphasis from federal regulators. But this didn’t always surface during a safety and soundness exam. Two bankers got their wake-up calls through the compliance exam process.
“We had a compliance examiner who just hammered us big time, and we got slammed into risk analysis through that exam,” says Mike Marhenke of IAB Financial Bank. For the $942.6 million-assets bank, based in Fort Wayne, Ind., the planets had lined up. It lost its compliance officer around the same time as the exam and hired a consultant to help it through the exam. The exam results, and advice from the consultant, got the bank moving on ERM.
“We’re kidding ourselves if we don’t think examiners are going to start pushing on ERM,” says Marhenke, president and CEO. “I equate it to the ALCO process back in the early 1980s.” Back then, Marhenke says, as individual banks began moving deeper into ALCO on their own, examiners took what they were seeing there and looked for it in other banks. “The more they saw,” he recalls, “the more they expected other banks to have policies and procedures in place. And then they wanted to know what you were actually doing with it.”
IAB has gotten ERM religion, at both the board and staff level. The board now has an ERM committee—in addition to loan and audit committees. The audit committee concentrates on financial risk, and the loan committee focuses on credit issues, leaving other risks to ERM. On some issues, the committees meet jointly.
IAB maintains an officer risk committee internally that comprises both senior and middle managers. A key task is periodic risk profiling. Marhenke says this can be a frustrating process, though educational. The more the internal committee digs, the more it finds there is to see.
“But I think that’s what examiners want you to do,” says Marhenke. “Because the more you talk about it, the more things begin to materialize.”
ERM demands management attention because, clearly, it will be on regulators’ radar more as the industry continues to move forward beyond the post-crisis atmosphere, says Jim Cornelsen, president and CEO at Old Line Bancshares, Bowie, Md.
“Credit continues to improve, and it won’t be an uber-focused area for the examiners,” Cornelsen explains, “and so they are going to concentrate somewhere else—they always do. ERM may be an area where they gravitate to.”
Building new and adding on
Roundtable bankers broadly agreed that regulatory expectations will evolve as examiners have the opportunity to see more and more institutions move forward on ERM.
“Four or five years ago, examiners asked if we had an ERM process in place, and I asked them for an example. They still haven’t given me an answer,” says Bryan Luke, executive vice-president at $621 million-assets Hawaii National Bank, Honolulu. “But they have been asking more risk-based questions.”
As a result, the bank established a staff risk committee, choosing not to appoint a chief risk officer because management wants to be sure everyone “gets” the risk issue. “We’ve definitely formalized things more because of the regulators’ increasing attention,” Luke says.
Merger and acquisition activity ushered in increased risk management emphasis at $1 billion-assets Inland Bank & Trust, Oakbrook, Ill.
“We’ve done three deals in five years,” says Howard Jaffe, president and CEO. Having come from a larger bank background, Jaffe says he was savvy to the need for ERM. He says having a program in place seems to satisfy many examiners. In his case, the program is a blend of internal effort and selected outsourcing.
Inside, Jaffe continues, the head of internal audit doubles as risk manager. A key part of this officer’s job is coordinating the outsiders, which include companies to which the bank has outsourced loan review, operational audit, and compliance audit. This officer directly handles FDICIA requirements for controls and financial reporting, which predate the Sarbanes-Oxley requirements affecting public community banks.
Another key part of this officer’s job is coordinating risk reviews of proposed new products, new software, and any other fresh initiatives that could carry an element of risk.
“We require a risk analysis before any of that goes into place,” says Jaffe.
For new bank, “heat map” helps
Growth underscores the ERM strategy of a young bank in the group that decided to adopt ERM on its own.
Started in 2007 in Florida’s Tampa Bay market, USAmeriBank has already grown to $2.8 billion in assets, serving parts of Florida as well as Alabama. President Thomas “Brad” McMurtrey says that two years ago, management decided to be proactive and establish a board ERM committee. McMurtrey brought in Crowe Horwath to help the bank devise a structure and program.
A key overall element of the effort is a “heat map” that helps pinpoint the bank’s most significant risk areas. In part, this helps identify emerging risks so the bank isn’t blindsided. Another element is a form used whenever something new is proposed. The backer of the idea must complete the form and walk through the risk analysis—right through to the vendors the bank would tap for help.
Only after that exercise is completed can the banker bring the matter to USAmeriBank’s staff-level risk committee, which the chief operations officer chairs.
Having grown so much in about seven years, according to McMurtrey, “you know that you’d better have your stuff together.”
Danger of “over engineering”
The roundtable bankers point out that ERM shouldn’t be coming as a wholly new idea to anyone in the business. After all, risk management, by definition, is what banks have always had to do.
Nevertheless, having just wrapped up an OCC exam, Texas banker Geoffrey Greenwade says it’s plain that ERM “is hot on the table” for regulators. His $1.7 billion-assets Green Bank, N.A., Houston, has grown aggressively and chiefly organically over the last five years. He says there is a pattern in examinations that he refers to as “the seminar of the year.” Examiners receive training and suddenly that becomes the new focus of their visits. He sees an element of this in ERM.
There is a dual element to ERM, he elaborates. On the one hand, it is something like an umbrella insurance policy; it’s an attitude sitting over all the individual management areas of banking. On the other hand, in concept, ERM can be likened to “just looking ahead,” as a good banker ought to be doing instinctively.
“I think we have a danger here of overly engineering banking,” says Greenwade. “I mean, there’s really only a handful of things—credit risk and cybersecurity being two—that you need to watch every day. And if you do watch them, then you’re in pretty good shape.” But he’s concerned about going overboard.
That’s also a concern for Robert Stephenson, president and CEO at $1 billion-assets First Dakota National Bank, Yankton, S.D. His bank has a chief risk officer. In some areas, he thinks the bank’s ERM effort is strong; in other areas, it needs beefing up. Using a dashboard approach helps keep tabs on things that bankers think they know intuitively, but that can still sneak up.
An ERM program also brings a measure of consistency to the process, according to Stephenson. However, as CEO, he’s found that some balancing must go on. Operations staffers have an extremely low tolerance of risk, for instance.
No one likes to lose money, Stephenson explains, “but do we need to spend $40,000 a year to mitigate a $50,000 loss that might happen once every ten years?”
Must we have a meeting?
Ohio banker Paul Siebenmorgen buys the “umbrella policy” view, to a degree, for his $928.4 million-assets Farmers and Merchants State Bank, Archbold, Ohio. The bank has both an officer risk committee and a chief risk officer, who reports to that group. The committee members focus on risk areas represented by its membership. Siebenmorgen, president and CEO, says the chief risk officer tends to “stop the odd-ball stuff that you end up getting into when his nose detects it, such as frauds.”
However, Siebenmorgen believes the ERM effort “helps keep everyone in the bank focused on the same page.” Bankers can’t help but concentrate on their areas of responsibility, so, Siebenmorgen continues, “monthly risk meetings help get everybody thinking, ‘Hey, maybe something I’m doing here affects something over there.’”
Cornelsen points out that Old Line’s culture is anti-meeting and that it stresses one-on-one, timely communication instead.
While McMurtrey says his risk group will not meet if there is not something to be addressed, he resists piecemeal communication. “If you’ve got five different parts of the bank that need to have input on something, sometimes it’s easier to sit down and meet. That’s as opposed to running around and everyone getting a different story.”
IAB’s Marhenke acknowledges that there’s logic in having two people talk and solve an issue before sparks catch and cause a fire. But sometimes, he says, more sparks could arise later.
“Unfortunately,” at times, Marhenke points out, “the more people you have talking about such issues, the better off the organization ends up being.”
“Risk appetite” vs. “risk tolerance”
IAB’s Marhenke recently heard a consultant describe bank risks as “bear risks” and “mosquito risks.”
At first, it would seem like the bear risk is the one to watch, letting the bugs look out for themselves. But according to Marhenke, the consultant warned his listeners to focus instead on the mosquitoes.
Maybe ten people get killed by bears, the consultant argued, according to Marhenke, but many thousands die of mosquito-borne diseases. It’s the risks you may ignore that get you, not the ones you know well to watch out for.
But each bank must set its own radar for risk. This is one of the basics of ERM—setting risk appetite, risk tolerance. Some use the terms synonymously; some make a distinction.
“Maybe you end up in the same spot, but I think of risk tolerance as something you have,” risks that go with operations, says Farmers’ Siebenmorgen. “Risk appetite is something you look for,” in terms of seeking and taking on new business.
However you define it, risk tolerance should come from the board, according to many experts. But the roundtable bankers uniformly rejected that belief.
Greenwade says he received an email the night before the roundtable that illustrated his own attitude. A borrower wanted the bank to accept an 85% loan-to-value ratio and threatened to walk if the bank didn’t go along.
“It comes down to: Can we mitigate that risk? Will we accept such risk?” says Greenwade. “I don’t think your board can give you direction on that, other than to ‘just use common sense.’” Part of the risk evaluation would entail the bank’s experience with that borrower, he says.
More broadly, Old Line’s Cornelsen sees the board’s role as quite general. “We play to our strengths and stay away from our weaknesses,” he explains.
During ABA’s 2013 Directors Forum, a speaker compared board members to the crew chalking out the boundaries for a football game.
However, Marhenke rejects that analogy as too simplistic. “In our shop, they would pretty much approve the lines,” he explains. “Management would recommend where we think the lines need to be, and then they’d okay that. I’m not sure that directors have enough knowledge to set the lines themselves.”
Indeed, “I think risk appetite and risk tolerance really hinge on the exceptions, not on the parameters you set up,” says USAmeriBank’s McMurtrey.
Where do you find a CRO?
One of the bank executives posed this question to fellow roundtable members: Where do you find a good chief risk officer?
Most that have one, by title or at least functioning in that role, say they filled the post internally.
Cornelsen says the position evolved at Old Line. “I found very talented people in our company, and the person who was elevated to the post was a perfect fit,” he says. “He’s got a good game and is fully skilled in audit and in compliance. And he also thinks outside of the box.”
When looking inside, the emphasis is also on finding someone who hasn’t worn a groove into his job but has strived to stay fresh and keep his training up.
McMurtrey, whose bank found its chief risk officer outside, separates technical ability and organizational skill. People with special skills—lending, compliance, audit, etc.—all own a piece of risk management.
“But to me, the CRO is like a coach,” McMurtrey says. “You need someone who can pull the process together, and then drive it. That’s the key, because it truly is an enterprise-wide function.”