To cope with market volatility and heightened regulatory pressure, bank boards must play a much more proactive role in risk management. For the past year, directors at U.S. banks and thrifts have been grappling with their new responsibilities in overseeing and controlling risk.
The Dodd-Frank Act significantly increases the compliance requirements of banks and imposes operational and financial restrictions that materially change how banks will be permitted to compete. Dodd-Frank makes it clear that boards need to play a greater role in improving risk policies, controls and systems.
Bank boards will have a larger role — and likewise, greater liability — in risk management. This role must evolve to reflect the complexity in the current financial system and the changing demands required by regulators, investors and debt holders. The challenge for bank boards is immense and many are not up to the task. Traditional audit committee processes, although important, are not currently designed to consider the complexity of how risks evolve, interrelate and affect the institution. This problem is not limited to big banks. As demonstrated in the downturn, smaller banks — including community banks — are subject to the same events as larger banks, but have fewer resources upon which to draw.
The interconnections and interdependencies exposed in the financial crisis highlighted how difficult it will be to stop the spread of future problems and how vigilant directors must be at effectively discharging their responsibilities. The potential for a major market such as mortgages to implode and spread financial contagion across the global network of banking institutions is now well established. The likelihood of other cascading scenarios is high, making the board’s risk management role a critical and very visible line of defense.
Board members of financial institutions must be able to answer the following questions to achieve effective risk management governance: What can be learned from the downturn regarding risk? What are the effects of the regulatory response on individual institutions? And, most importantly, what should the board’s role in risk management be going forward?
Lessons from the Real Estate Collapse
Looking back, many financial professionals and market observers were well aware that a bubble was building in residential real estate. Prices were increasing rapidly, investors were actively buying and selling properties, and there was overbuilding in many markets. Individuals were taking on greater leverage and banks were complicitly allowing for little or no equity in the mortgages that they were underwriting.
Indeed, an overheated real estate market and a potential drop in the subprime market factored into many institutions’ risk decisions and risk models. What was not appreciated was the cascade of problems from the subprime market seeping into other sectors. Aggressive banks in the subprime market were the first to suffer. The first wave of subprime defaults resulted in foreclosures on homes which were then brought to market as distressed properties. This resulted in a further drop in market values of residential real estate, which affected the next tier of mortgage borrowers, eventually compromising Alt-A and even prime mortgage borrowers. The fallout from this sequence was a severe drop in construction, increased joblessness and mounting losses in credit card, personal loan and small business portfolios. Rarely does the proximate event result in the largest losses. Like a tsunami, it’s the secondary and tertiary ripple effects which cause the greatest harm. Hence, many banks with limited subprime exposures in 2007 suffered significant losses in their other mortgage, small business and consumer credit portfolios as a result of the contagion.
The lack of preparation for the rapid decline of the subprime market illustrates one of the core issues within risk measurement. Risk has historically been addressed according to product silos. However, as is all too apparent, risk does not respect silo boundaries. When there is a shock to the economy, we relearn that the models that function well in stable markets often are fundamentally flawed in highly turbulent markets. There are two primary reasons for this weakness. First, most models do not effectively incorporate changes in the relationship of different economic and market factors caused by a shock. For example, in a stable economy, equity and bond prices tend to move rather independently, but in a stressed economy, their prices typically move in closer alignment. Second, most models do not capture the cascade effect from an initial risk event. When subprime mortgage portfolios collapsed, the losses cascaded into other portfolios to a much greater degree than these models projected.
New Capital Requirements
Globally, regulators have responded to the downturn by revamping the decades-old rules on risk and developing new compliance requirements to which the banks must adhere. The Bank for International Settlements in Basel, Switzerland — the global body formulating international rules for risk measurement and management — acted quickly by adding to its Basel II capital guidelines the next generation of global risk guidelines, named Basel III. Basel III increases capital requirements by limiting what qualifies as Tier I capital and increases the minimum amount of capital that must be held. In addition, it adds a “capital conservation buffer” to be drawn from in periods of stress. Separately, a non-risk-based leverage requirement was established to ensure that banks always have sufficient capital against assets, even when those assets are perceived as low risk. These and other changes to capital and capital requirements, particularly for derivatives, are designed to counteract the worst effects of the recent and future downturns.
Basel III also establishes a set of new rules regarding liquidity, distinguishing it as a separate and independent financial resource from capital. That is, banks have two stockpiles of financial resources that they hold for periods of stress: capital and liquidity. The new liquidity rules require banks to hold a minimum of liquid assets that can be used to offset cash outflows experienced during stress periods.
Banks have new, very specific requirements defining the amount of liquid assets that must be held against specific types and levels of cash outflows. These requirements do two things: First, for most banks, Basel III increases the amount of high quality, low-yielding assets on bank balance sheets. Second, by defining liquidity requirements by type of account, Basel III changed the economics of many businesses. Most retail deposits will not require significant levels of liquid assets to be held, while most corporate and financial institution deposits will have to be offset almost entirely with liquid assets.
In total, Basel III establishes the new norm for capital and liquidity requirements that banks must incorporate into the design of risk models and risk management processes. Importantly, U.S. regulators have been applying global standards for risk management to a broader group of banks than what is required by international standards. Basel II rules that are applicable to large, internationally-active banks are being applied in many ways to banks that don’t fall into this category. However, the stated intention is still to apply risk management standards commensurate with the size and complexity of the institution being evaluated.
New US Bank Regulations
Congress responded to the financial crisis by rapidly passing the most significant financial industry legislation since the Depression-era Glass-Steagall Act. Dodd-Frank has frequently been on board agendas and its aftermath will likely be driving those agendas for at least the next 18 months.
While Dodd-Frank covers a wide range of issues, there are two risk themes embedded in the act that boards should keep in mind as they enter 2012. First, regulators now have the authority and resources needed to develop forward-looking perspectives on the risks of individual banks and the financial industry as a whole. The axis of power resides in the newly-formed Office of Financial Research (OFR). This office gathers and interprets detailed bank portfolio information to develop views of the risk levels and trends within the system. With an effectively unlimited budget to do its job, OFR is systematically gathering transaction-level data on credit risk within the system and will soon have unprecedented insight into the state of financial institutions.
Second, there is a strong emphasis on giving regulators the tools and the authority to take action, as evidenced by the newly-formed Financial Stability Oversight Council, whose purpose, according to Dodd-Frank, is to “identify risks to the financial stability of the United States…to promote market discipline by eliminating expectations on the part of shareholders, creditors, and counterparties of such companies that the Government will shield them from losses in the event of failure…to respond to emerging threats to the stability of the United States financial system.” In other words, the regulators have been given authority to take preemptive action before the effects of risks are seen. These actions can be in response to evidence of building systemic risk that warrants actions affecting all institutions, whether or not those risks are outsized in any particular institution.
Bank Boards and Risk Management
The implication of these themes is that regulators will have better information to evaluate and anticipate risks, and the authority to take action to mitigate those risks. Banks will need to retool their risk measurement and management capabilities to look forward and align with their regulators. Both bankers and regulators will be talking a new language of potential risks and actions to mitigate losses and exposures before they occur. Boards must learn this language and have available to them the critical information to ensure compliance.
The regulatory requirements are resulting in changes to board committee roles, responsibilities and composition. At the same time, there are near-term challenges the banks will be facing as higher capital and liquidity requirements drain the profitability of various business lines and significantly change their profit dynamics. These changes are likely to cause major alterations to the businesses that many banks pursue.
Within this context, the board has four primary roles in risk management: 1) Set risk appetite, 2) establish suitable limits, 3) monitor compliance and 4) ensure that internal processes are effective and consistent with the institution’s risk requirements.
Set risk appetite. Among the board’s most important responsibilities is establishing the institution’s risk tolerance. The board must set the risk policy, defining the level and type of risk that are suitable and consistent with the bank’s strategy, capabilities and resources. It must balance the need to preserve capital, maintain liquidity and minimize losses with the exposure necessary to earn an appropriate level of return. The challenge for boards is to help management determine the right amount and composition of total risk.
The board must determine how the institution’s strategy relates to the type and level of risk it takes on. A retail bank-focused strategy primarily results in credit risks associated with consumer and small business lending, real estate and other collateralized asset risks. The board’s job is to determine the risk tolerance to defaults and to asset values. To do this, the board must understand how these risks relate to each other, and how much potential loss the bank faces under various economic scenarios.
The board should also determine what risks are inappropriate to the strategy. The retail bank strategy described above does not require a significant market risk exposure. If there is a significant market risk component, then management is either attempting to supplement core strategy returns or pursuing a separate strategy that results in significant market risk. The board must be able to discern the difference between these two reasons for market risk and determine the appropriateness of each.
Ultimately, the board must be able to develop an independent perspective on these risks in order to provide an effective counterpoint to management.
Establish suitable risk limits. Once a risk policy is established, risk limits must be set across the institution, by risk class, type and business line.
For certain types of risk, it is relatively easy to identify and size the risk and to establish meaningful limits. For example, credit and market risks are regularly measured and reported during normal business operations. Organizations are typically well versed in working with risk standards and limits in these areas. At the same time, all of these risks are embedded in transactions that were not explicitly created to take a credit or market position. Credit risk, for instance, can be found in loan portfolios, investment portfolios, vendor arrangements and insurance contracts, among others. Banks must be able to identify the collective credit risk of these sources as well as consistently measure the risk from each. Market risk is embedded in investment portfolios, but also in loan portfolio valuations for securitizations or as collateral, and in embedded optionality (e.g. a bond that gives the issuer the option to call the bond early or convert it into equity), which affects the overall asset/liability position.
Measuring and setting limits for operational and liquidity risks is more complex, and these risks can cause severe damage to a bank. Two well-known forms of operational risk are model risk and rogue trader risk. Both of these are outgrowths of natural business activities of a bank and both require a combination of process evaluation and continual oversight. While a regulatory framework has been established for liquidity risk, the actual calibrations of the framework remain uncertain, and are still actively under debate.
In establishing risk limits, the board should frame issues in terms of the two primary warehouses of financial protection that financial institutions hold: capital and liquidity. The Bank for International Settlements makes the point on capital and liquidity by establishing separate regulatory requirements for these resources. Historically, capital was subject to regulation, but in recognition of the effects of liquidity on financial institutions in the recent downturn, new requirements have been established. This reinforces the point on interrelationships of markets, institutions and risks in today’s global economy.
Monitor compliance. With these definitions and limits in place, management and the board must find ways to communicate in a clear and concise way. Management must report to the board the specific measures of compliance, along with supporting information that provides insight as to how risks are evolving and what types of risk events could occur in stressed environments. One of the most valuable initiatives management undertakes is formulating the reporting structures and information that permits the board to effectively monitor the risks and maintain effective control.
Ensure effective internal processes. Although process management is critical to an institution’s success, it is often overlooked by the board and relegated to lower levels in the organization. While there are a wide range of processes, few are as important to risk management as those related to compensation, compliance and clout.
The board should have a strong hand in setting the compensation principles of the institution and how those principles affect the size and types of risk being taken. As Dodd-Frank recognizes, people tend to do what you pay them to do. In the case of incentive compensation, if there is limited downside to aggressive risk-taking and significant upside, there is very little question what will happen.
This logic carries through to other roles within the institution and requires thoughtful balancing of risk concerns with the strategic objectives of the institution and the realities of doing business. Senior managers in credit businesses compensated on volume are going to behave differently than those compensated on risk-adjusted return. Most likely the former will be pushing to the edge of their credit limits while the latter will be working with the risk team to find ways to get greater return from their business while lowering the risk content.
Another area where alignment is often challenged is in systems and process support. Sarbanes-Oxley went a long way in raising visibility of this issue and in establishing compliance processes, but it does not obviate the need for active board involvement and oversight of how systems and process infrastructure affect risk.
Infrastructure oversight is particularly important in periods of rapid growth or significant cost cutting. Rapidly growing businesses are routinely given outsized influence in recognition of their success, which often results in less stringent compliance. Unfortunately, the most successful businesses are those that amass the greatest power and ultimately create the most significant risk to the institution. Conversely, cost cutting presents near-term earnings benefits but can create increased long-term risk exposure by removing or not implementing “costly” checks and balances. New capabilities that reduce long-term risks, but also have short-term costs, are difficult to fund in cost reduction periods.
The board has the ultimate responsibility for risk in the organization and ensuring that the processes in place are sufficient and effective under all conditions.
Banks are functioning in a highly complex and interconnected environment. As demonstrated in the recent downturn, problems that were assumed to be contained in one sector can cascade into other markets and portfolios, causing much greater damage than anticipated by most banks in even the most severe scenarios. Bank risk measurement and management processes fell far short of envisioning the breadth and depth of the downturn. Taken together, traditional banking risks combined with a highly-leveraged and intertwined economy make for complex business risks. To contend with this environment, banks must pair sound fundamental capabilities with the capacity and culture to convert their capabilities into strong strategic decisions.
For these reasons, the board’s role in risk management has been and continues to be critical to the long-term value of the institution. Bank boards should be intimately familiar with risk management issues affecting the institution, and ensure that they have the tools to anticipate and control the effects of both internal and external risk factors. Doing so requires a highly disciplined and effective framework. Few boards fully meet this standard, making future enhancements critical to their effectiveness. In short, bank boards have a very busy future in risk management, and can potentially have a very significant effect on the success — or failure — of their institutions.
Steve Turner is a Partner in the New York office of Novantas LLC, a management consultancy.