HEIGHTENED RISK MANAGEMENT STANDARDS RISK MANAGEMENT ASSOCIATION AUGUST 2015.

HEIGHTENED RISK MANAGEMENT STANDARDS

RISK MANAGEMENT ASSOCIATION

AUGUST 2015

I. Market and Regulatory Focus

II. Implications of OCC Guidance

III. Heightened Standards Overview ● Tone at Top and Risk Culture● Governance and Structure● Risk Management● Independent Risk Review Functions● Linkage to Strategic, Capital and

Liquidity Planning

TABLE OF CONTENTS

I. MARKET AND REGULATORY FOCUS

4

THE ROOTS OF HEIGHTENED EXPECTATIONS

Post-financial crisis studies have pointed to the importance of real risk management

• Post mortem knowledge identified:• Risk Management wasn’t enough to prevent the problems• What was thought to be sufficient was not

• Risk management characteristics pre-financial crisis exhibited:• Responsibility without authority• Accountabilities for risk were unclear, at best• Poor culture, “tone at the top” not supportive• Poor data and information• Lack of independence, stature, and expertise in risk management

departments and Chief Risk Officers (“CRO”)• Ineffective Audit and other independent control functions

Many risk functions were little more than facades…

5

THE ROOTS OF HEIGHTENED EXPECTATIONS

Heightened Prudential Standards embody key themes, expectations and requirements for banks, thrifts and their holding companies

• Required by Dodd Frank, 12 CFR 252, and in Basel II and III• Contains themes, expectations, and requirements for financial

institutions • OCC Part 30 Guidelines lever aspects of 12 CFR 252 & formalize

Satisfactory-to-Strong (S2S)• Fed still working on their heightened standards• Debt Rating Agencies have their own views and standards

Many risk functions were little more than facades…

II. IMPLICATIONS OF OCC GUIDANCE

7

OCC GUIDANCE PILLARS

Formal Strategic Plans - Aspirations need to complement the bank’s processes for achievement

Risk Appetite Statement - Helps drive risk culture and desired behavior

Risk Management Roles, Responsibilities, Accountabilities - Clear expectations that banks are expected to employ risk assessment, identification and control on the “front lines” to manage risk in the business

Risk Data, Aggregation and Reporting - Timely and effectively captures, processes, aggregates and reports firm-wide and business specific risks to enable informed management, governance and oversight

Board Governance and Oversight - Board oversight and challenge is critical to an effective risk management framework and program

Sanctity of the Charter - Overarching pillar that highlights the need for charter specific governance and risk management

Banks and Thrifts will face increasing pressure to show, that they are “true” first line risk managers…

8

IMPLICATIONS

Bank vs. BHC (Parent Company) risk management frameworks• Each bank in a BHC needs to have its own risk management framework, unless their

risk profiles substantially the same as the BHC (95% Test)

Organizational Structure• Defines CRO and Chief Audit Executive (“CAE”) positions and establishes reporting

lines to CEO (dotted line) and Board (solid line)• Board risk committee requirements and program oversight• Responsibilities for employment decisions regarding CRO and CAE• CRO & CAE are independent from business lines as well as each other• Description of risk management responsibilities including:

1. “Front line” business units – execute identify, measure, monitor, report2. Independent risk management – direct, oversee, guide, provide framework,

independently assess and report, escalate/get in the way when needed3. Internal Audit and other independent risk review functions – policing the process

Record keeping and financial accounting based data infrastructures will be challenged

Banks and Thrifts will face governance, organizational, cultural and infrastructure pressures in achieving the heightened standards…

9

IMPLICATIONS

Stress testing will be used as Pre-emptive Prompt Corrective Action (PCA) to make the principles of risk management actually work

• Underinvestment in risk - will yield a failing grade• Data ● Governance• Technology ● Independent Reviews• Tools ● Frameworks• Expertise ● Constraints

The keys to successful stress testing are listed as pillars of risk management in the OCC’s new guidelines

Increased scrutiny from Boards, Board Risk Committees and independent review functions• Independent analysis and thinking by Boards and Committees• Credible challenge of management• Audit is a policing function for the Board – Not business facilitators, partners or consultants

High growth, acquisitive institutions will find their plans challenged/delayed

Mid-sized banks will be impacted

Banks and Thrifts will face governance, organizational, cultural and infrastructure pressures in achieving the heightened standards…

III. HEIGHTENED STANDARDS OVERVIEW

11

ERM OVERVIEW

Never before has the interconnectedness and codependence between firm strategy, risk management and regulatory risk been greater…

Firm Strategy

Risk Appetite

& Tolerances

Risk Based Business

Plan

Stressed Liquidity and

Capital

Capital and Liquidity

Adequacy

“Tone at the Top”• Risk Culture• Risk Appetite• Executive Support• Board Expectations• Compensation and

Incentives• Risk Based Planning

• Capital• Liquidity

GovernanceAnd Structure• “3 lines of defense”• Authorities and

accountabilities• Board/Management

Committees• Credible Challenge• Independence• Stature• Expertise

Risk Management• Identify• Measure -Stress Testing• Report• Control - Capital

Adequacy

Risk Review Functions• Expertise• Independence• Stature• Effecting Change• Framework Assessment

Firm Risk

Credit

Liquidity

Market• IRR• Price

OpRisk

Compliance

Strategic and

Reputation

Business units must be involved,they are the first line of defense

TONE AT THE TOP: RISK CULTURE

13

PILLARS OF RISK MANAGEMENT

• The ERM framework should contain a description of risk philosophy and frame the organization’s desired risk and control culture

• The CEO must facilitate an organizational culture that supports risk management and establishes sound controls at all levels of the organization

• Accountability for risk should be evident in performance management and compensation programs (along with findings of internal audit independent risk review functions)

• Board and board committees regularly meet, in executive session, with risk, audit, compliance, and regulators

• Distinct expectations for businesses, Risk Management and Risk Review functions

• Enterprise risk framework will be ineffective without framing appetite and tolerance metrics against which risk can be measured, stressed, and reported

Culture, Tone at the Top, Risk Philosophy…

14

IMPORTANCE OF APPETITE, TOLERANCES AND LIMITS

• Risk Appetite Statements are the cornerstones of ERM frameworks and should determine the amount and type of risk a firm is willing and able to assume through its exposures and business activities

• These statements are generally expressed as stressed risk to earnings and/or capital

• Risk Appetite Statements use a combination of risk tolerance metrics as well as quantitative and qualitative limits to frame risk taking, risk profile and control adequacy expectations against which performance can be measured and reported

• Risk appetites, tolerances, limits, etc. place risks, trends, and control adequacy into perspective and context relative to expectations

– Provides the framework for risk reporting to management and the board to enable governance, oversight, and accountability

– Enables the development of other risk measures – Key Performance Indicators (“KPIs”) and Key Risk Indicators (“KRIs”)

Risk Appetite and Tolerances….

GOVERNANCE AND STRUCTURE

16


• Board oversight and governance roles and responsibilities should be clearly defined within framework/program documents

• Board of Directors and Board Committees - oversee the management of risk and the entirety of the risk program

• Establish risk appetite and tolerances, and accountability for adherence

• Approve key risk policies (e.g. Compliance, Audit, Risk, BSA/AML, Credit, etc.)

• Ensure adequate risk management resources, infrastructure, independence and program

• Regularly meet with Risk and Independent Review Leads in executive session to receive risk information that enables timely, informed governance and oversight

• Are informed of and approve Bank Strategy, major strategies and initiatives and significant new products and services

• Have knowledge of risk and risk concepts to provide credible challenge

• Dedicated committee(s) for risk, compliance, and audit

• Governance is evidenced in minutes and sustainability is measured in discussions & actions

Governance and Structure – Board…

17


• Business unit’s management owns and is accountable for the risks of the business

• Individual business unit risk management is overseen by Risk Management (second line of defense) and Risk Review Functions (Audit, Credit Review, Model Review, Compliance Testing - third lines of defense), respectively

• Risk Management sets the framework and boundaries for risk taking and independently oversees the businesses execution of risk management and risk controls on an ongoing basis

• Risk Management and Risk Review Functions are independent of the businesses and have appropriate stature and authority (both in culture and organizational structure)

• Risk Review Functions police the entirety of the process

• Effective governance by executive management exists to facilitate the implementation of recommendations from the risk disciplines to business units

• Management level committees are in place for major risk areas and the enterprise

Governance and Structure - Management…

RISK MANAGEMENT

19


• Risks associated with achieving strategic goals and objectives are defined and

assessed at business entities, by risk type, and at the enterprise level

• Metrics are developed for each enterprise risk category to measure both internal and

external risks, which are then assessed by probability and potential impact

• Risk identification and measurement methodologies (both quantitative and

qualitative) are determined that lead to the adoption of a common risk language, i.e.:

• Independent control functions (audit, risk review, compliance, etc.) have final say on

the identification and characterization of business entity risks

• Risk and Control Self - Assessments should be conducted at least annually• Inherent risk framed by metrics and environmental condition• Risk controls assessed for adequacy relative to mitigating inherent risks• Residual risks either accepted or further mitigated• Robust challenge process and centralized guidance, aggregation , and

interpretation

Identifying and Measuring Risk…

20


Identifying and Measuring Risk…

• Risk measures and metrics cover absolute levels of risk, risk level changes, and rates of change (trends and velocity)

• Risks are measured both absolutely and relatively (to peers, prior periods, expectations and limits, relative to capital, assets, income, etc.)

• Performance expectations, limits and triggers form standards against which all risks are measured

• Financial reporting systems are aligned, or mapped, to measure and report return criteria in a manner consistent with risk (economic capital or otherwise).

• KRI’s are used to measure non-financial and operating risks and are measured relative to pre-set performance thresholds

• Early warning indicators are used to supplement standard risk measures• Stressed measures are a component of early warning, risk appetite and limit, as

well as business and risk decisioning processes

21


• A hierarchy of risk reporting and monitoring requirements is defined by policy

• Policies clearly define parties responsible for reporting and monitoring risk either individuals (CEO, CRO, CCO, etc.) or committees (ALCO, ERC, Credit Committee, etc.)

• Board and board committee level reporting and monitoring requirements are also clearly defined

• Reports to the board are summarized and understandable to a “common person” standard

• Reports call out big and emerging issues• Internal and external threats and risks• Forward looking as possible• Absolute and relative to expectations, tolerances and limits, earnings/capital,

peers

Risk Reporting and Monitoring…

22


• Risk limits and review triggers are used for all measurable risks and are memorialized in policy, limits:

• Are absolute, their breach requires escalation to executive management and the board and a plan to bring the position that breached the limit back to acceptable levels within a short period of time

• Breaches require an independent review to determine root causes and develop lessons learned

• Triggers are established at predetermined levels below risk limits, and their breach requires escalation to determine whether action will be necessary to prevent limit breaches

• Strategies and operating plans, in and of themselves, serve as limit or trigger mechanisms (as plan expectations for growth, revenues and risk, are tracked and reported, with deviations investigated)

• Capital and liquidity availability, as allocated through the balance sheet management process, serve as de-facto limits and triggers

Risk Mitigation and Management …

23


• Risk acceptance criteria are in place for all significant asset and transaction types• These criteria articulate the character (financial or otherwise) of acceptable

assets and transactions

• Prohibitions are in place for assets and transaction types deemed too risky or otherwise inappropriate (arms financing, tax structuring, payday lending, structured investments and financing, regulatory arbitrage, politically sensitive persons, etc.)

• Underwriting and other risk mitigation and control criteria (Controls, Hedging, Guarantors, Insurance) are established that are appropriate to mitigate the character of risks being accepted

• Exceptions are explicitly reviewed and approved, receive heightened monitoring, and exception trends are tracked and reported at the transaction and portfolio levels

Risk Mitigation and Management - Transaction Level…

24


• Where mitigants (Derivatives, cash hedges, Guarantors, Insurance, etc.) are used to hedge nominal cash positions that exceed desired tolerances:

• Testing is performed frequently to ensure the continuation of the mitigants effectiveness • Positions are stressed to determine the extent of mitigant/counterparty liability to the bank

relative to their ability to pay under stressed conditions• Effectiveness and counterparty repayment capacity is regularly tested • Collateral is regularly reviewed for accessibility and sufficiency

• Diversification principles, by product, industry, geography, channel, etc. are used in combination with limits and mitigants to manage risks

• Transactional, product, and portfolio concentration limits are in place, regularly monitored and reported, and breaches escalated, analyzed and corrected.

• Portfolio and sub-portfolio correlations are measured and the results are incorporated into the concentration/diversification management process.

• Risk control self-assessments are performed for financial and non-financial (operational) risks, and the process requires controls to be effective and residual risks to either be specifically mitigated or accepted and monitored

• Policy exceptions are tracked on a portfolio basis, absolute, relative, and performance

• Risk Based pricing is retained on balance sheet (ALLL and/or Capital)

Risk Mitigation and Management - Portfolio Level…

25


• Formal contingency planning and management processes are in place for financial and non-financial risks (liquidity, capital management, BCP, compliance or cyber incident , etc.)

• These processes, required by policy, are designed to identify vulnerabilities under a variety of stress scenarios

• Measure potential risks, and develop actionable alternative plans to meet funding and capital needs, and/or respond to other contingencies and crises

• Stress scenarios are plausible, but sufficiently pessimistic to understand the various vulnerabilities and demands on the institution

• MIS and forecasting capability is sufficiently granular and frequent (i.e. daily cash flow reports, balance sheets, etc.) to measure and project asset, liability and capital categories of the balance sheet under a variety of stressed conditions

• For liquidity and capital, action plans designed to generate liquidity and/or capital during the contingency, are NOT aspirational, rather they are executable within a pre-defined period of time, and their amount is measurable

Risk Mitigation and Management – Contingency Management…

INDEPENDENT RISK REVIEW FUNCTIONS

27


• Independent Risk Review Functions (Audit, Credit Risk Review, Model

Review, Compliance Testing, other) are policing functions, but not police

states

• Eyes and ears of the board

• NOT consultants, partners, business enablers

• Independence, stature, expertise, and mission clarity are key

• Clear line of sight to and reporting expectations of the board, unfiltered

• Leaders and staff have expertise and resources to do the job

• Businesses have respect for Credit Risk Review, act when issues are

identified

• Credit Risk Review independence is as much independence of thinking

as it is independence in form (“following the market syndrome”)

• Input to compensation and performance management

Independent Risk Review Functions…

28


• Clearly supported by CEO and CRO, and Board

• Low tolerance for untimely or ineffective resolution of Risk Review findings

• Resolution is actively tracked and individuals are accountable for timely resolution

• KRIs are set for totality of issues and time to resolve

• Reports are clear and objective

• Periodic independent validation of efficacy of Risk Review functions

Independent Risk Review Functions…

LINKAGE TO STRATEGIC, CAPITAL AND LIQUIDITY PLANNING

30


• Regulators look to ERM to provide a risk road map for each of their constituents

• Strategic business plans are translated into projected, risk based, balance sheets, income statements and capital and liquidity plans sufficient for the desired risk profile

• Major asset, liability, revenue and expense components are stressed to determine whether capital will remain sufficient

• If capital is insufficient, regulators will expect adjustments to planned risks and capital

• Limit/shrink growth and positions

• Change risk profile

• Restrain capital distributions

• Raise capital

• This process represents pre-emptive PCA

Strategic Performance - Risk and Capital Management

© Copyright 2013. Alvarez & Marsal Holdings, LLC. All rights reserved. ALVAREZ & MARSAL®, ® and A&M® are trademarks of Alvarez & Marsal Holdings, LLC.

Dave Gibbons

32

David Gibbons is a Managing Director with Alvarez & Marsal Financial Industry Advisory Services in Chicago, specializing in all aspects of Enterprise Risk Management (ERM). He possesses a unique blend of public and private sector experiences, as a bank regulator, a practicing Chief Risk Officer and financial services consultant.

He brings more than 36 years of public and private sector experience in banking and bank regulation and is widely recognized as a leader and expert in matters relating to bank supervision, regulatory relations and troubled institution remediation, ERM and credit and compliance risk management activities.

Most recently, Mr. Gibbons was a Managing Director and Coordinator of Enterprise Risk, Enforcement Advisory and Credit Risk Services for Promontory Financial Group, where he served for five years. There, he advised banks, thrifts, private equity and other financial firms in the areas including: troubled bank rehabilitation and regulatory relations remediation, ERM program and component evaluation and development, credit and whole bank due diligence; liquidity contingency funding and capital plan development.

Prior to that, Mr. Gibbons was the Chief Risk Officer for HSBC Holdings for North America from 2004 through 2007. There, he led the implementation of advanced risk management practices and programs to include advanced credit and operational risk management approaches (consistent with Basel II), economic capital, and enterprise risk reporting to management and board members. He also represented HSBC North America with regulators (The Board of Governors of the Federal Reserve System and Office of the Comptroller of the Currency), rating agencies, significant trade associations, and “the hill,” and he served as Chair of the Enterprise Risk Management Group for the American Bankers Association and the Chief Risk Officer Roundtable of the Risk Management Association.

Before HSBC, Mr. Gibbons served in several senior-level positions for the Office of the Comptroller of the Currency (OCC) for 27 years. From 1997 to 2002, he served as Deputy Comptroller for Credit Risk where he evaluated credit risk in the national banking system (NBS) and the broader financial services sector, and developed and implemented appropriate supervisory and policy responses.

From 2002 to 2004, he served as Deputy Comptroller of the Currency for Special Supervision (troubled institutions) where he managed troubled bank rehabilitation and resolutions in the NBS, and led the “loss free” resolutions of several of the largest, most complex troubled institutions. Mr. Gibbons also served as the Examiner-in-Charge of Chase Manhattan Corp., Fleet Financial Group and Shawmut National.

Mr. Gibbons earned a bachelor’s degree in economics and finance from Alfred University in Alfred, New York. He has been widely published on matters relating to his subject matter expertise.

55 W Monroe St., Suite 400Chicago, IL 60603

Direct: +1 847 707 4279E-mail: [email protected]

Managing Director

Financial Industry Advisory Services (FIAS)

33

Thomas Dujenski

Managing Director

Financial Industry Advisory Services (FIAS)

Thomas Dujenski is a Managing Director with Alvarez & Marsal Financial Industry Advisory Services in Atlanta, with more than 31 years of leadership experience in the regulatory arena and financial services industry. He has assisted many banking organizations in resolving complex challenges associated with the financial and economic turmoil of the past few years. He focuses on working with financial institutions to develop bank-specific, action-oriented strategies to create successful problem resolutions.

Mr. Dujenski has extensive knowledge of bank regulation, strategic planning, program management and business performance improvement. His experience includes troubled bank remediation and regulatory relations, enterprise risk management, regulatory compliance risk management, and regulatory due diligence and post-acquisition regulatory support.

Before joining A&M, he served with the FDIC in a variety of key executive leadership positions, including Regional Director of the Atlanta Region and Dallas Region operations. In his Atlanta role, he supervised nearly 1,000 institutions in seven states with assets totaling over $1 trillion, leading a staff of over 600 employees.

During the recent financial crisis, the FDIC asked Mr. Dujenski to lead the Atlanta Region, which had the highest number of troubled and failing banks in the nation. He supervised programs for risk management, compliance, CRA, fair lending, information technology, capital markets, trust, fraud, bank secrecy act, accounting, and loss share. He was also responsible for managing the largest state non-member bank in the nation through a continuous examination program, as well as several other large banks.

He has worked with some of the largest technology service providers in the U.S., handling numerous compliance issues, including fair lending and unfair and deceptive practices. He helped to resolve complex issues during the banking crisis involving technical and sensitive matters. Other FDIC positions include: Deputy Regional Director Kansas City Region, Acting Executive for Regional operations in San Francisco and Chicago Regions. During the financial downturn of the late 1980s and early 1990s, he was involved in several complex and troubled bank examinations, including serving as the Deputy Managing Agent of a $2 billion insolvent savings and loan.

Mr. Dujenski has appeared before Congress on matters of regulatory policy and bank supervision and has extensive experience in criminal and administrative hearings, including significant testifying experience. He has represented the FDIC at numerous media and outreach events across the globe, including on subcommittees of the Basel Committee on Banking Supervision and the Financial Stability Institute. He frequently speaks on banking, bank supervision and regulatory issues at industry conferences and trade associations.

He earned a B.S. in finance from State University of New York (Fredonia), an MBA from St. Bonaventure University, and graduated with distinction from Stonier Graduate School of Banking, University of Delaware. He also graduated from the Federal Executive Institute and the Senior Managers in Government program, Harvard University, John F. Kennedy School of Government, Executive Education.

Mr. Dujenski is a Certified Fraud Examiner (CFE), a Certified Anti-Money Laundering Specialist (CAMS), a Certified Forensic Interviewer (CFI), and a Certified Regulatory Compliance Manager (CRCM).

3424 Peachtree Road NE, Suite 1500Atlanta, GA 30326

Direct: +1 404 661 6881E-mail: [email protected]

HEIGHTENED RISK MANAGEMENT STANDARDS RISK MANAGEMENT ASSOCIATION AUGUST 2015.

Documents