I've been having a sense of déjà vu. All the talk about enterprise risk management reminds me of another risk-inspired regulatory shift, something out of the long past.
Days of "riskless" exams
It's been nearly 40 years since the Comptroller's Office went on its campaign to insist that banks have formal credit policies.
The idea came from a study by one of the major accounting firms of the day, Haskins and Sells, on how the Comptroller should revamp the way bank examinations are conducted.
I was a very young banker back then but I remember those exams. The crew would come in just before closing on a Friday and the first thing they did was balance out each teller and the negotiable collateral in the vault.
When that was done, the tellers and clerks could go home. Sometimes that was pretty well into the evening.
The emphasis on the first night was determining a precise rendering of certain bank assets, not necessarily a bad objective, but not a risk adjusted one. Hours of time were consumed balancing out currency, a job that bank auditors also did periodically. The rest of the exam had a similar emphasis on precision, but no surgical sense of looking for where risk might be concentrated and prioritizing of needed improvement.
The accounting firm recommended that safety and soundness exams be conducted with a risk orientation to them--that time and effort be appropriately spent in seeking out risk of a material nature consistent with limited examination resources.
I recall that about at this time I was enrolled in the Stonier Graduate School of Banking.
One of our instructors was the chief banking officer of Manufacturers Hanover Trust Company, one of the very largest of the New York banks at the time. His topic one day was to discuss the credit policy of his bank. He distributed a one-page document and I recall that it was a "do good and avoid evil" kind of statement. The procedures that implemented the policy were prodigious and where all the detail was.
The ultimate point of the study was this:
Banks need to be formal about how they underwrite and administer credit risk; but for examiners to do their jobs, it's essential that the bank document its standards (and for examiners to concur with their adequacy) and then be able to audit against those standards for overall quality.
While Manufacturers Hanover's credit processes were well documented, a large number of smaller banks in those days were not. OCC made formal, written policies a matter of regulatory necessity and within a matter of two or three years, the job was largely accomplished.
Bank supervisory agencies, including the state banking departments, FDIC, and the Federal Reserve participated in this industry-wide effort. There then followed an emphasis on independent loan review with a focus on the proper risk rating of individual credits within the portfolio. These joint initiatives, now in place for more than a generation, are largely recognizable still as the template of safety and soundness examination processes relating to credit risk.
Age of "ERM" for everybody
Since the Great Recession, there is a new regulatory emphasis and it's broader than just credit. It's the idea of simultaneously managing various types of risk across the enterprise: credit risk, liquidity risk, market risk, capital risk, operational risk, and strategic risk.
The very large banks have staffs of mathematicians. They employ sophisticated models to predict and detect credit and liquidity risks and just about anything else that can be quantified in running a complex business enterprise.
But what do community banks do? With simpler business models and product lines than their major counterparts and competitors, are all the big bank solutions and applications relevant for a smaller community bank?
I think the historical comparison between the credit policy initiative in the 1970s and the enterprise risk management that's become prevalent today in regulatory thinking is striking.
The similarity between the two periods is that methodologies that may be appropriate for a big bank don't necessarily have much to do with the day-to-day experiences of the community banker.
How should we bridge this divide?
What's out there that's good?
There's a new cottage industry of consultants today who are responding to the market opportunity that Earnings Risk Management presents. The result looks remarkably like what I remember about credit policies many years back. Notice at the next gathering of bankers you attend how much chatter there is about risk management. It's the latest broad supervisory initiative and it's vitally important for the long-term health of our banks and our monetary system.
No doubt many of you have taken the time to "Google" the subject of ERM to see what you might glean from others in the quest to assemble a framework for overall risk management for your banks. I recently did that. Frankly, I did not see very much useful "how to" information or direction applicable to the level of staff experience in smaller community banks.
In fact, much of the purported expert guidance seems to me to be so much "silo thinking." Sure, it's organized and packaged like it's something different but I'm skeptical of its real value to many users. I think much of it lacks an intellectual premise of where to start. If I were the CEO of a community bank today, here's how I'd approach the process.
Focus on ROE--and risks to its improvement
Community banks need something to shoot for, and I think I've got it.
The most important metric of long-term performance is Return on Equity (net income divided by equity capital). A long-term survivor today needs to generate sustainable and consistent performance of a high order. ROE should be attractive and probably needs to be in the upper quartile of performance as measured by a bank's peer group.
And it needs to be consistent.
The real question is how does one optimize ROE?
Which of the now well-known categories of risk contains the seeds of trouble in maintaining a long-term sufficiently attractive trend line of ROE?
The easy answer to this is not necessarily the most insightful.
If you answered "credit risk" you'd not be wrong but you'd miss the risks embedded in obsolete or inadequate systems. You'd miss the risk of error in excessive manually generated process outcomes. And you'd miss the existential risk of failing to attract sufficient long term capital.
This is functionally a description of operational risk.
Community banks and operational risk
Let's redefine operational risk in terms that community bankers can use in everyday life.
Let's call it the risk to income and capital of not being as profitable as one can be over time in a sustainable, replicable way.
Every process, every system, virtually every transaction should be done with a view to excellence and best practices.
Banking is a risk-averse business. Yet we don't always apply the same rigor to everything that we do.
We are inconsistent and sometimes make important decisions having strategic implications for the wrong reasons, or for reasons that are not part of any "gestalt."
Set your sights on a consistent, relatively high percentile of ROE and make sure everything you do is done with that result in mind. That way you'll improve the odds of superior performance for the benefit of virtually every major constituency of your business.
You'll still have to figure out how to integrate your bank's thinking about the other categories of risk into a comprehensive whole but if you keep the consequences of operational risk constantly in mind, you'll have a rationale for developing a broader and more solid foundation of results.