Course Materials ENTERPRISE RISK MANAGEMENT...3 5 Strong Corporate Governance? • Reduces overall...

Course Materials ENTERPRISE RISK MANAGEMENT Dwight R. Larsen National Bank Examiner Office of the Comptroller of the Currency Minneapolis, Minnesota [email protected] 202-597-1329 July 31, 2017


Course Materials

ENTERPRISE RISK MANAGEMENT

Dwight R. Larsen National Bank Examiner

Office of the Comptroller of the Currency Minneapolis, Minnesota

[email protected] 202-597-1329

July 31, 2017


Enterprise Risk Management A Workable Process!

Dwight R. Larsen

Graduate School of Banking at the

University of Wisconsin, Madison, Wisconsin

ERM Session Objectives

• PART I - Understand why Risk Management (RM) and Enterprise Risk Management (ERM) are important.

• PART II - Gain a better understanding of what RM and ERM are about. (definitions, process, etc.)

• PART III – Implementing (or enhancing) an effective ERM at your institution. (how)


Who said it?

?


Strong Corporate Governance?

• Reduces overall risk.

• Enhances financial performance.

• Lower blood pressure (“peace of mind”)

– From 1/1/2009 through 4/24/15, the FDIC has asserted individual claims against 1,195 directors and officers in connection with failed banks.

– The FDIC’s claims generally consist of negligence, gross negligence, and breach of fiduciary duty

– This does not include any civil money penalties!


PART I - Why is ERM Important?

1. Momentum for more formalization

2. Ongoing regulatory issues.

3. Part of many GSB presentations.

PART I - Why is ERM Important? (continued)

1. Momentum for more formalization

- Numerous Websites

- RMA changed their name!!!

- Corporate scandals have brought to the forefront the adequacy of “risk management systems” (corporate governance, independence, etc.)

- Sarbanes-Oxley Act of 2002!!!

- Regulators, the Court Systems, and the general public are looking for “ACCOUNTABILITY”


PART I - Why is ERM Important? (continued)

2. Ongoing regulatory issues (remember?)

a. “…lack of adequate risk mgmt systems” to describe the root cause of identified weaknesses.

b. “…enhance the risk management process covering…..”

c. FRB changed BOPEC ratings for Holding Comps:

- “C” for composite rating

- “R” for risk management

- “F” for financial condition

PART I - Why is ERM Important? (continued)

3. Part of many GSB presentations

a. Many GSB presentations will cover various aspects of risk management as they pertain to that specific subject.

b. Examples include credit risk (Ruth, Wear, etc.), liquidity/funding risk (Farin, Larsen), interest rate risk (Koch, Larsen), etc.

c. This presentation is an overview of the concepts of Risk Management, and how you can implement an Enterprise Risk Management process in your institution.


Adequate Risk Management?

Are you fully aware of all of the major risks taking place in your institution today?


PART II - What is ERM? (definitions, process, concept, structure, etc.)

1. Definitions, the Risk Management (RM) process, RM concept

2. A little history on formalizing ERM in financial institutions

3. The Risk Governance Framework

Definition – “Risk”

1. The potential for the occurrence of an adverse event.

2. The possibility of harm or loss.

3. A factor, situation, or course of action exposing one to danger; a hazard.


Definitions

“Risk Management” (RM) – the ability to identify, measure, monitor and control RISKS impacting Earnings and Capital

Risk Management Process

[Diagram: Risk Management Process cycle – Identify, Measure, Monitor, Control]


What Regulators Look for in the “Risk Mgmt Process”

(per Federal Reserve Bank’s SR 95-51)

• Active board and senior management oversight;

• Adequate policies, procedures, and limits;

• Adequate risk measurement, monitoring, and MIS; and

• Comprehensive internal controls.

Definitions

“Enterprise Risk Management” (ERM) – The process used to identify, measure, monitor, and control risks “across” the company that could ultimately impact earnings and capital


Regulatory perspective and history on “Risk Management”

• In late 1980’s, Congress asked the Regulators to find another way to identify and assess “risk” (in addition to “CAMELS”)

• Not only looking at “financials,” look at “quality of risk management systems and internal controls.”

• Look behind financial numbers to see how the financial results are achieved (“forward looking”).

Regulatory Perspective on “Risk Management” (continued)

• Separate from CAMELS ratings, but impacts “Management” rating (OCC)

• Federal Reserve has overall “Risk Management” rating


Risk Assessment Factors

| OCC | FRB | FDIC |
|---|---|---|
| Credit | Credit | |
| Price | Market | NONE |
| Liquidity | Liquidity | |
| Operational | Operational | Part of CAMELS |
| Compliance | Legal | |
| Reputation | Reputational | |
| Interest Rate | | |
| Strategic | | |

“Risks” – FRB Definitions

• Credit – borrower or counterparty fails to perform.

• Market – bank condition suffers from adverse change in market rates or prices (interest rates, FX, equity, etc.).

• Liquidity – unable to meet obligations due to inability to liquidate assets or obtain funding.

(per Federal Reserve Bank’s SR 95-51)


“Risks” – FRB Definitions (continued)

• Operational – potential that inadequate info systems, operational problems, breaches in internal controls, fraud, and catastrophes result in losses.

• Legal – potential that unenforceable contracts, lawsuits, or adverse judgments can negatively affect the operations or condition of the bank.

• Reputational – potential that negative publicity of the bank’s business practices, whether true or not, will cause decline in customers, costly litigation, or revenue reductions.

(per Federal Reserve Bank’s SR 95-51)

Risk Assessment Concepts

Inherent Risk - Risk Controls = Residual Risk

(Risk in the Activity!) - (Policies, Procedures, Audits, etc.) = (Risk left after controls)


Different people, and different organizations….

…have different perspectives on risk and risk management!

Risk Governance Framework

Shared values, attitudes, competencies, and behaviors throughout the bank that shape decisions.

Written document that articulates the bank’s risk appetite and serves as the basis of risk governance framework.

Most banks have some type of this risk management system in place, but formality varies


Risk Culture

• Risk culture is the shared values, attitudes, competencies, and behaviors throughout the bank that shape and influence governance practices and risk decisions.

• As a subset of corporate culture, risk culture pertains to the bank’s risk approach and is critical to a sound risk governance framework.

Risk Appetite

• The bank’s risk appetite is the aggregate level and types of risk that the board and management are willing to assume to achieve the bank’s goals, objectives, and operating plan, consistent with applicable capital, liquidity, and other requirements.

• The development of a risk appetite should be driven by both top-down Board leadership and bottom-up management involvement.

• Successful implementation depends on effective interactions among the board, senior management, IRM, and frontline units.


Risk Appetite Statement

• Written document that provides for the common understanding and communication of risk throughout the bank.

• Includes both qualitative and quantitative limits.

– Qualitative – describes the general culture, how the bank will assess and accept those risks that are hard to quantify.

– Quantitative – risk limits from various internal policies

• Helpful to have a “Scoreboard” or “Dashboard” that recaps the various limits in the major risk areas (Credit, IRR, Liquidity, Compliance, Operational, etc.).

First Line of Defense

• The first line of defense is the frontline units, business units, or functions that create risk.

• These groups are accountable for assessing and managing that risk.

• These groups are the bank’s primary risk takers and are responsible for implementing effective internal controls and maintaining processes for identifying, assessing, controlling, and mitigating the risks associated with their activities consistent with the bank’s established risk appetite and risk limits.


Second Line of Defense

• The second line of defense is commonly referred to as Independent Risk Management (IRM), which oversees risk taking and assesses risks independent of the first line of defense.

• IRM complements the frontline unit’s risk-taking activities through its monitoring and reporting responsibilities, including compliance with the bank’s risk appetite.

• IRM also provides input into key risk decisions. Additionally, IRM is responsible for identifying, measuring, monitoring, and controlling aggregate and emerging risks enterprise-wide.


Third Line of Defense

The third line of defense is internal audit, which provides independent assurance to the Board on the effectiveness of governance, risk management, and internal controls.


• Independent of front and second line units

• Reports directly to the Board of Directors or Board committee

• May be in-house, outsourced, or co-sourced

• Maintains a complete/current inventory of material processes, product lines, services, and functions (audit universe)

• Uses the audit universe to develop and execute a risk-based audit plan


PART III – An effective ERM system in your institution

1. Guidance on ERM

2. ERM Structure at Large Banks

3. Implementing ERM at smaller institutions.

Guidance on ERM

• Regulatory - Comptroller’s Handbook “Corporate & Risk Governance” (July 2016)

• Numerous sources on the Internet!!!


ERM at Large BHC’s/Banks

• Chief Risk Officer (or Chief “Worry” Officer)

• Structure of ERM varies

– Part of audit, part of business line, etc.

• Measurement process is both quantitative and qualitative

• Most have ERM process for new products and services

Implementing “ERM” at Small Institutions

• Most important point – need B.O.D. and Management commitment to the process!!! (“Risk Culture”)

• Employees need to know their opinions and ideas make a difference.

• Helpful to have a “process” to follow


“So, how do we put together a workable ERM?”

“A lot of froggin’ around?”

Is there light at the end of the tunnel?

Overview of “Workable ERM Process” at Small Institutions

1. Department/Employee Self Assessment

2. Senior Management Review

3. Reduce to “Top 10 Risks” at BHC/Bank

4. Determine adequacy of monitoring tools and plans for improvement

5. Ongoing process for updating

6. Process for new products/services


“ERM” Benefits (for the Chief “Worry” Officer AND the institution)

• Get clearer picture of risks and staff’s knowledge of their areas.

• “Cross Pollination” and “Team Building”

• Use as a “forum” to take action and deal with long standing issues

Enterprise Risk Management at Small BHC’s/Banks (Step #1)

• Department “self assessment”

– Identify 10 major department risks (prioritize)

– Identify consequences, risk mitigators, monitoring tools, etc.

– Is “action/timeframe needed” to reduce the risk?

– Level and Trend of Risk?

Refer to “Blank” handout!!!


A “Format” Suggestion

• Refer to Blank “Risk Management Matrix - Top 10”

• This “Form” is to provide “structure” to the process

• Can be tailored to how you want to conduct the process.

Risk Management Matrix

Risks 1 2

Consequences

Risk Mitigators

Monitoring Tool(s)

What are the risks?

Are they “reasonable” and under your control?

Refer to next slides for more points on identifying “risk” in departments or in your bank.

BE SPECIFIC!!!!!


Tips for Identifying “Risk”

• Every department/area has risks!

– What worries you the most? (succession, technology failure, training, etc.)

– Where do you spend most of your time?

– What causes you to lose sleep?

– What gives you a headache???

Tips for Identifying “Risk” (continued)

• Listing no risks is not accurate!

– Risk management process loses credibility.


Tips for Identifying “Risk” (continued)

• All “risks” do not need to immediately be addressed (low risk and priority).

Risk Management Matrix

Risks 1 2

Consequences

Risk Mitigators

Monitoring Tool(s)

If the risk occurs, what are the consequences?

Ex: lose money, customer dissatisfaction, violation of law or regulation, hurt reputation, loss of productivity, hurt morale, etc.


Risk Management Matrix

Risks 1 2

Consequences

Risk Mitigators

Monitoring Tool(s)

What items/issues “mitigate” the risk and the consequences of it happening?

Ex: training, written policies and procedures, audit review, committee/board review, external review, firewalls, etc.

Risk Management Matrix

Risks 1 2

Consequences

Risk Mitigators

Monitoring Tool(s)

What type of tools allow staff and management to monitor these risks?

If the risk is “identifiable” and “reasonable” you should be able to monitor and measure it!!!!!

Ex: daily exception reports, “error messages”, reconcilements, internal/external audit reports, customer complaints, proof errors, etc.


Risk Management Matrix

Plans for Improvement

Status

Overall Risk Level

Trend of Risk 1 2

If you find a risk issue that does not have adequate mitigators and monitoring tools, probably should have some type of plan to remedy this!!!!!!

- Have a timeframe for resolution!!!

Addressing “Risks”

• Focus on the “root cause” not the “symptom”

• Ask the “hard questions”


Don’t just “rig” something together to address a problem or risk issue!!!

Risk Management Matrix

Plans for Improvement

Status

Overall Risk Level

Trend of Risk 1 2

If there are “Plans for Improvement,” there should be some tracking mechanism to track progress and make someone accountable for “the action.”


Risk Management Matrix

Plans for Improvement

Status

Overall Risk Level

Trend of Risk 1 2

Somewhat subjective (High, Moderate, Low), but provides a baseline for future assessments of this risk.

Risk Management Matrix

Plans for Improvement

Status

Overall Risk Level

Trend of Risk 1 2

Again, somewhat subjective (Increasing, Stable, Decreasing), but provides a baseline for future assessments of this risk.

- Ideas? Increasing activity/volume, changing customers or personnel, etc.


Enterprise Risk Management Step #2 – “Sr. Mgmt Review”

• Sr. Mgmt reviews all self assessments from every department

• WILL REQUIRE SOME TIME!

– May need clarification from staff to clearly understand each of the risks

– Every risk should be clearly understood!

Enterprise Risk Management Step #3 – Determine “Top 10”

• Need to reduce all risks identified in the department to “Top 10”

• After review of all, reduce to a “Most Significant Risks” list

• Will probably require senior mgmt to “multi-vote” to reduce to “Top 10” (and then “Prioritize” the final list)


Step #3 – Determine “Top 10” (continued)

• USE OF MULTI-VOTING:

– Is a way of reducing a large number of items down to a workable amount.

– Involves each person having a set number of votes that are cast (one per item).

– Influential person or persons in authority always vote last (no exceptions).

Example: If “80” total “risks”, each person gets 15 votes the first round. “Groupings” will occur!

Step #3 – Determine “Top 10” (continued)

• USE OF MULTI-VOTING: (continued)

EXAMPLE:

• If “80” total “risks” are identified throughout the organization, each person gets 15 votes the first round. Certain “risks” will be selected by more than one person; these “risks” will form the “Most Significant Risks” list, which may total 20+.

• To reduce “Most Significant” list to the “Top 10”, each individual will now get “8” votes (always less than the number you’re seeking). Object is to ensure that each individual makes clear what they feel are the biggest risks to the bank.


Step #4 – Adequacy of Risk Management for the “Top 10”

• Need to review the adequacy of risk management system for the “Top 10”

• Are current “risk mitigators” adequate?

• If not, what should be done? Timeframes for improvement?

• Management Reports? Board Reports?

“We can't solve problems by using the same kind of thinking we used when we created them.”

Albert Einstein


Step #4 – Adequacy of Risk Management for the “Top 10” (continued)

• Refer to “Top 10 (Sample Only)” Risk Management Matrix

Step #5 – Ongoing Process to Update the “Top 10”

• Very dependent on institution, but annually at least.

• Probably does not need to be completed “full scale” every year unless material changes occur.

• Consider “not” doing this at the same time as strategic planning activities! (at least the 1st time)


Step #6 - ERM for New Products and/or Services

• Worthwhile to have some type of RM process to ask/answer the “hard questions”

• Formality depends on the complexity of the new product/service to be offered.

Step #6 - ERM for New Products and/or Services

(from OCC 2004-20)

• Due Diligence (identify risks, in-house expertise, background of 3rd parties, etc.)

• What “controls” need to be implemented? (policies, training, limits, develop MIS to identify, measure, monitor and control risk)

• “Performance Monitoring” (benchmarks to determine success, process to review, “exit time”)


New Products & Services: Remember!!!

• Don’t create a “new” problem by trying to solve an “old” problem!

• And, don’t create new risks by trying to solve old problems!

Example: “We need to increase revenues, so let’s expand into the XXXXX area!”

The “Banking Graveyard” contains many headstones from those trying to save or quickly increase the bottom line!!!

[Image: headstones labeled AG, Oil, Comm. R.E., Annuities, Mutual Funds, Insurance]


Certain plans may initially seem like a good idea, but when trying to implement, it becomes quite apparent the risks outweigh the potential reward!

Recap of “Enterprise Risk Management”

• Why it’s important, What it is, How to implement and/or enhance RM and ERM

• Not a new concept, but formalization of ERM will “trickle down” to all banks.

• Having a more formalized process has many benefits to institutions


Additional Questions, Comments?

• Give me a call!

– 202-597-1329

[email protected]

Please complete your course evaluations…we value your feedback!!!


Risk Management Matrix – “Top 10” (Department or Bank-Wide)

| | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 |
|---|---|---|---|---|---|---|---|---|---|---|
| Risks | | | | | | | | | | |
| Consequences | | | | | | | | | | |
| Risk Mitigators | | | | | | | | | | |
| Monitoring Tool(s) | | | | | | | | | | |
| Plans for Improvement | | | | | | | | | | |
| Status | | | | | | | | | | |
| Overall Risk Level | | | | | | | | | | |
| Trend of Risk | | | | | | | | | | |


Risk Management Matrix – “Top 10” (Sample Only!!!!!)

Bank: Somewheresville State Bank

Banker: Jamie Q. Banker

Risk 1: Borrower defaults on loan

– Consequences: Reduce reserve for loan losses; May require provision, reduces earnings
– Risk Mitigators: Conservative lending; Loan policy; Board approval of loans >$150M; Low historical losses
– Monitoring Tool(s): Past Due List; Problem Loan List; Technical Exceptions List; Exam Reports
– Plans for Improvement: Add more “objective” factors to internal risk ratings; Implement loan review system
– Status: Current - Proposed objective factors due by Dec 31
– Overall Risk Level: Moderate
– Trend of Risk: Increasing

Risk 2: Internet attack of bank website

– Consequences: Large number of web requests prohibits customer access to their accounts
– Risk Mitigators: Firewalls; Customers have “security certs” on home computers
– Monitoring Tool(s): Daily Firewall Reports; Periodic tests conducted by third parties
– Plans for Improvement: Continue upgrading Firewalls as needed
– Status: N/A
– Overall Risk Level: Moderate
– Trend of Risk: Increasing

Risk 3: In-house processing “fails”

– Consequences: Inability to process bank and customer work; Customer dissatisfaction
– Risk Mitigators: Daily offsite storage; “Hot Site” in place and tested; Work with reputable/known vendors; Periodic review of vendor financials
– Monitoring Tool(s): “Error Message” to operators; “Non-posted items” report; “Incident Tracking Reports” with vendor
– Plans for Improvement: None Specific; Continue working with vendor “if” frequent problems occur
– Status: N/A
– Overall Risk Level: Stable
– Trend of Risk: Low

Risk 4: Improperly perfected liens on loan collateral

– Consequences: Bank cannot take control of collateral in the event of default; loan losses will occur
– Risk Mitigators: Standardized loan documents; Loan docs reviewed by officer prior to closing; Funds not disbursed until all docs are in the loan file
– Monitoring Tool(s): Technical Exception Report; Exam Reports
– Plans for Improvement: Initiate use of “File Checklist” which will include ensuring appropriate lien perfection documents
– Status: In process; will design and implement by January 1
– Overall Risk Level: Moderate
– Trend of Risk: Stable

Risk 5: Actions by staff that are inappropriate from a personal or legal basis

– Consequences: Loss of customers and possible legal liability
– Risk Mitigators: Continual staff training on pertinent issues; Individual and group meetings where issues are discussed; Individual performance reviews that address problems
– Monitoring Tool(s): Monthly sales and contact reports; Customer complaints (formal and informal)
– Plans for Improvement: Increased attention to sales objectives and reports
– Status: N/A
– Overall Risk Level: Low
– Trend of Risk: Stable

Risk 6: Not performing all account reconcilements on a routine basis and documenting all exceptions

– Consequences: Financials out of balance—research and correction required; Make inaccurate conclusions
– Risk Mitigators: Reconcilements reviewed by dept manager daily, weekly, monthly; Internal audit reviews; External audit spot check
– Monitoring Tool(s): Copies of reconcilements; Internal Audit Reports; External Audit findings and reports
– Plans for Improvement: Review and implement automated reconcilement software, if needed
– Status: In process; done by November 30
– Overall Risk Level: Low
– Trend of Risk: Stable

Risk 7: Failure to complete routine internal audit procedures

– Consequences: Limits check for adequate separation of duties, independent internal controls & policy compliance
– Risk Mitigators: External Audit firm’s annual review of departments; Risk assessment analysis
– Monitoring Tool(s): Internal Audit Schedule; Audit Reports to the Board
– Plans for Improvement: Board to commence reviewing audit schedule quarterly, and comparing to existing reports
– Status: In process; Board Chairman to start quarterly reviews of audit schedule in December
– Overall Risk Level: Moderate
– Trend of Risk: Increasing

Risk 8: Inaccurate or untimely filing of regulatory reports (call reports, FR 2900, sales and use tax quarterly reporting, BHC reports, income tax filings)

– Consequences: Inaccurate reports lead to potential civil money penalties; tax penalties
– Risk Mitigators: G/L software reconciles regulatory reports; back-up personnel trained to ensure timely and accurate completion
– Monitoring Tool(s): Tickler system in place with due dates
– Plans for Improvement: Ensure all related personnel know due dates and software applications
– Status: In-process; training to be held Nov 11th at 11AM
– Overall Risk Level: Low
– Trend of Risk: Stable

Risk 9: Lack of adequate personnel backup in proof area; No written processing procedures

– Consequences: Missing key person could delay daily/weekly processing; Untimely posting of debits/credits; Miss process deadline at FRB
– Risk Mitigators: Key person very healthy and a loyal employee, but is not getting any younger!!!
– Monitoring Tool(s): Customer complaints; Proof Machine errors; Sick Days taken?
– Plans for Improvement: Cross-train another employee, Dennie Emmans in proof area
– Status: In-process; will rotate Dennie into proof starting Dec 1
– Overall Risk Level: Low
– Trend of Risk: Increasing

Risk 10: Compliance with Bank Secrecy Act and Patriot Act

– Consequences: Non compliance with regulations exposes bank to financial loss, regulatory fines, bad press coverage (reputation)
– Risk Mitigators: Employee Training; Policy and Procedures; Audit Program; New Acct & wires screened; SARS filed
– Monitoring Tool(s): New Customer Reports; Large Trans. Reports; Maintenance Reports (unusual activity); Audit Reports
– Plans for Improvement: Complete audit checks. Update policies as needed.
– Status: Ongoing
– Overall Risk Level: Low
– Trend of Risk: Stable