Community banks increasingly feel the pressure, and the need, to move further into enterprise risk management (ERM). The challenge, according to John Noonan, chief risk officer at Valley National Bank and former national bank regulator, is threefold: How to start, where to start, and what to do first. But he would add a fourth element: Discovering what not to do when starting out.
Noonan, initially a risk advisor and now CRO at $16 billion-assets Valley, Wayne, N.J., has been in bank risk management for a decade since leaving the Comptroller's Office as assistant deputy comptroller for midsized and credit card banks. He's involved with intra-industry risk management activities, and has observations and advice about getting going in ERM.
Many community banks, facing the need for improved risk management, consider hiring a consultant. Noonan advises against it at the outset, because a consultant will most likely introduce too much, too soon, to the bank's board and management.
"If you don't know where you are going," says Noonan, "a consultant will get you someplace. But it may not be where you want to be. Concepts may be introduced that the board and even management aren't familiar with." Receiving a detailed report may fulfill the consultant's promises, but it may not do much toward helping the board and management handle risk any better.
Noonan believes risk management, especially at the outset, must focus on the most critical issues—not bog down in huge amounts of data.
He advocates starting out with basic concepts. Simply using the CAMELS rating system, for example (capital adequacy, asset quality, management, earnings, liquidity, and sensitivity to market risk), makes a good beginning, he explains, because it is something everyone in management and the boardroom already knows. It also helps that it's a system the regulators know well. Noonan says this approach helped him in his early work at Valley, when it was a smaller organization.
In addition, each federal banking regulator maintains its own framework of the categories of financial and other risks that banks face. These frameworks are public and can readily be built upon.
With fundamentals in place, other elements of risk management can be tackled. Noonan only supports seeking outside help when the bank's risk management challenges grow past its ability to address them adequately through internal resources.
Whose job is risk management?
Risk oversight belongs to a bank's board and its management, and will be addressed later, but understand now that risk management is very different. Noonan is the bank's CRO and you might think that risk management starts and stops with him and his staff, since he reports directly to the CEO. But Noonan believes a key principle of risk management is that each bank business unit should own—and manage—its own risks.
A bank's risk management function should provide tools, such as reporting mechanisms and measurements, but the unit where a risk is created is where it can be managed. The view that the CRO is the "chief risk manager" is incorrect, Noonan says. Even support functions, like marketing, have embedded risks that the department itself must police.
By contrast, a bank's professional risk managers are "risk monitors and risk advisors," says Noonan. A key element of sound risk management, he insists, is accountability—holding units that create risks responsible.
When the marketing department launches a new campaign, for example, it is responsible for making sure it doesn't run afoul of regulations. It can tap the resources of the bank's compliance function, but the duty remains in marketing. "And my job would be to ask questions before marketing completed its efforts," says Noonan. "I would ask, 'If you were the consumer, would you find this product fair? Is it worth the price that you are proposing they pay for it?' "
Why does risk management often become so opaque? Noonan blames some of this on experts. "We start throwing around buzz words," he says. He's seen consultants craft elaborate, "perfect" risk reporting systems that account for everything.
"It gets very complicated," says Noonan. "And it doesn't have to be, unless your bank is a very complicated organization." He says his own motto for risk management is KISS—"Keep It Simple, Stupid."
A bank that invests in only Treasury securities needn't craft a risk management system suitable for complex derivatives. T-bills aren't riskless, Noonan says, but "you wouldn't need very complicated risk metrics."
Facets of risk
Some elements of bank risk have long been measured and evaluated—like credit and interest-rate risks. By contrast, less-defined risks are a challenge. "The tougher ones are the ones not so easily quantified," says Noonan. These include operational risk, reputational risk, and strategic risk.
Such risks may be tougher to quantify, but not impossible. Many elements of operational risk can be counted and tracked, for instance, to highlight potential problems brewing. Connections between risk categories also must be considered. Noonan recalls a large New York City bank's ad campaign bragging, "We do more for you." It debuted just as the bank's ATM network malfunctioned, doubling the deductions made for withdrawals. The reputational damage undid any good from the campaign.
Fair-lending risk, a blend of regulatory and reputational risks, can arise in many ways and solutions vary. All entail taking care in program design and monitoring behavior in the loan production channels. Training can be a proactive risk management step, according to Noonan, as can performing the same portfolio tests that examiners use.
Role of the board
Defining a bank's risk culture requires the board's recognition of the risk attitude of the management team. An aggressive board working with aggressive management demands much stronger controls and risk reporting, says Noonan.
He cites the residential mortgage business. The same product can be offered through different channels and to different market segments, each dictating a different level of risk oversight.
Continuing the example, Noonan explains that a bank that sources its mortgages solely through its branches, its telephone channel, and its website has a relatively conservative risk profile, while an institution that relies heavily on mortgage brokers faces a different risk profile. A host of risks can result when working through a third party.
A bank approaching mortgage loan-to-value ratios conservatively has a different risk profile from one permitting high ratios, Noonan says, though he acknowledges the new qualified mortgage rules may eliminate that difference in the market.
A good understanding of management and the business plan is essential, but Noonan adds that the board's role must also be properly understood. Boards are often referred to as setting risk appetites, but "the board is really approving what management is recommending," says Noonan.
Between recommendation and approval, "the board's job is to bring 'credible challenge' to the process," Noonan explains. "That's the ability to say, 'Wait a minute, that sounds good, but what does it really mean?'"
After the challenges are answered, the board can pronounce a risk reasonable, or reasonable only if this or that additional measure is taken.
Noonan believes boards of banks moving into ERM should invest in a risk officer, ideally one who handles only risk, and a banker with broad experience is the best fit. This person should report directly to the board, or to the board's audit committee, or, if it has one, the risk committee. An executive risk committee, consisting of representatives of all key lines of business and support functions, should also be established.
Talking about risk with the board
Noonan favors plain communication about risk, and points out that such simplicity will help the board understand what management means when strategy changes are being discussed.
Ideally, he says, risk oversight should be tied into the bank's strategic planning process, with the bank planning no more than five years out. A bank's management needs to be able to steer the bank around periodic storms, but the strategic plan represents the overall direction the helm must return to.
Noonan also believes that when risk appetite has been quantified in terms of certain thresholds, these must be taken seriously. "You don't just change your thresholds because you are approaching them," says Noonan—otherwise, why are they even there?
A good, plain, and clear way to help board members understand the implications of a tactical or strategic change is to reduce the decision to dollars. Whether management is illustrating how much capital, or how much earnings, will be put at risk as a result of a given decision, speaking in percentages doesn't make things clear enough, Noonan says. Citing a specific dollar figure makes it clearer.
Insulating your bank against every risk is impossible, but Noonan thinks a misconception exists in the industry's risk thinking. "Many people think it is the 'black swan' that is going to hurt you," says Noonan. The "black swan," a term popularized by author Nassim Nicholas Taleb, is an unexpected, hard-to-predict event that can have a major impact.
Noonan acknowledges that "black swans" do exist. But what hurts more, he says, "is our thinking that we understand a [known] risk—which we really didn't—and then we get surprised."
An example of this, says Noonan, was subprime mortgage debt.
"Everyone got caught up in the idea that only the lower tranches held significant risk," he says. "That didn't turn out to be the case, and everyone took a pounding."
Experts had models demonstrating that such investments were actually safe, "and the models were wrong," says Noonan.
The message is clear: Stick with the fundamentals, add to them as necessary for your business model, and always question.