Bank Loan Risk Management
By: The Funding Team
It is easy to criticize banks for the lending shortage since their unwillingness has been portrayed as indifference in the media. But banks face many risks on every loan and therefore need to protect themselves first. If they engage in excessive risk-taking behavior, they might find themselves insolvent.
Every bank manages their risk in a different way and while most will not reveal exactly how they determine approvals, the Office of the Comptroller of the Currency Administrator of National Banks oversees their underwriting procedures. It is through this supervisory branch, that we gain insight on how risk is managed at the top level. A summary of their official Handbook is below:
From a supervisory perspective, risk is the potential that events, expected or unanticipated, may have an adverse effect on the bank’s earnings, capital, or franchise/enterprise value.3 The OCC has defined eight categories of risk for bank supervision purposes. These risks are: credit, interest rate, liquidity, price, operational, compliance, strategic, and reputation.4 These categories are not mutually exclusive; any product or service may expose the bank to multiple risks. Risks may also be interdependent—an increase in one category of risk may cause an increase in others. Examiners should be aware of this interdependence and assess the effect in a consistent and inclusive manner.
The presence of risk is not necessarily reason for supervisory concern. Examiners determine whether the risks a bank assumes are warranted by assessing whether the risks are effectively managed, consistent with safe and sound banking practices. Generally, a risk is effectively managed when it is identified, understood, measured, monitored, and controlled as part of a deliberate risk/reward strategy. It should be within the bank’s capacity to readily withstand the financial distress that such risk, in isolation or in combination with other risks, could cause.
If examiners determine that a risk is unwarranted (i.e., not effectively managed or backed by adequate capital to support the activity), they must communicate to management and the board of directors the need to mitigate or eliminate the excessive risk. Appropriate actions may include reducing exposures, increasing capital, and strengthening risk management practices.
Because market conditions and company structures vary, no single risk management system works for all companies. The sophistication of risk management systems should be proportionate to the risks present and the size and complexity of an institution. As an organization grows more diverse and complex, the sophistication of its risk management must keep pace.
Risk management systems of large banks must be sufficiently comprehensive to enable senior management to identify and effectively manage the risk throughout the company. Examinations of large banks focus on the overall integrity and effectiveness of risk management systems. Periodic validation, a vital component of large bank examinations, verifies the integrity of these risk management systems.
Sound risk management systems have several things in common; for example, they are independent of risk-taking activities. Regardless of the risk management system’s design, each system should:
- Identify risk: To properly identify risks, a bank must recognize and understand existing risks and risks that may arise from new business initiatives, including risks that originate in nonbank subsidiaries and affiliates, and those that arise from external market forces, or regulatory or statutory changes. Risk identification should be a continuing process, and should occur at both the transaction and portfolio level. A bank must also identify interdependencies and correlations across portfolios and lines of business that may amplify risk exposures. Proper risk identification is critical for banks undergoing mergers and consolidations to ensure that risks are appropriately addressed. Risk identification in merging companies begins with the establishment of uniform definitions of risk; a common language helps to ensure the merger’s success.
- Measure risk: Accurate and timely measurement of risk is essential to effective risk management. A bank that does not have risk measurement tools has limited ability to control or monitor risk levels. Further, more sophisticated measurement tools are needed as the complexity of the risk increases. A bank should periodically test to make sure that the measurement tools it uses are accurate. Sound risk measurement tools assess the risks of individual transactions and portfolios, as well as interdependencies, correlations, and aggregate risks across portfolios and lines of business. During bank mergers and consolidations, the effectiveness of risk measurement tools is often impaired because of the technological incompatibility of the merging systems or other problems of integration. Consequently, the resulting company must make a concerted effort to ensure that risks are appropriately measured across the consolidated entity. Larger, more complex companies must assess the effect of increased transaction volume across all risk categories.
- Monitor risk: Banks should monitor risk levels to ensure timely review of risk positions and exceptions. Monitoring reports should be timely, accurate, and informative and should be distributed to appropriate individuals to ensure action, when needed. For large, complex companies, monitoring is essential to ensure that management’s decisions are implemented for all geographies, products, and legal entities.
- Control risk: Banks should establish and communicate risk limits through policies, standards, and procedures that define responsibility and authority. These limits should serve as a means to control exposures to the various risks associated with the bank’s activities. The limits should be tools that management can adjust when conditions or risk tolerances change. Banks should also have a process to authorize and document exceptions or changes to risk limits when warranted. In banks merging or consolidating, the transition should be tightly controlled; business plans, lines of authority, and accountability should be clear. Large, diversified companies should have strong risk controls covering all geographies, products, and legal entities to prevent undue concentrations of risk.
Board and Management Responsibilities
The board must establish the company’s strategic direction and risk tolerances. In carrying out these responsibilities, the board should approve policies that set operational standards and risk limits. Well-designed monitoring systems will allow the board to hold management accountable for operating within established tolerances.
Capable management and appropriate staffing are essential to effective risk management. Bank management is responsible for the implementation, integrity, and maintenance of risk management systems. Management must
- Keep directors adequately informed about risk-taking activities.
- Implement the company’s strategy.
- Develop policies that define the institution’s risk tolerance and ensure that they are compatible with strategic goals.
- Ensure that strategic direction and risk tolerances are effectively communicated and adhered to throughout the organization.
- Oversee the development and maintenance of management information systems to ensure that information is timely, accurate, and pertinent.
When examiners assess risk management systems, they consider the bank’s policies, processes, personnel, and control systems. If any of these areas is deficient, so is the bank’s risk management.
Policies are statements of actions adopted by the bank to pursue certain results. Policies often set standards (on risk tolerances, for example) and should be consistent with a bank’s underlying mission, values, and principles. A policy review should always be triggered when a bank’s activities or standards change.
Processes are the procedures, programs, and practices that impose order on the bank’s pursuit of its objectives. Processes define how daily activities are carried out. Effective processes are consistent with the underlying policies and are governed by appropriate checks and balances (e.g., internal controls)
Personnel are the bank staff and managers that execute or oversee processes. Personnel should be qualified and competent, and should perform as expected. They should understand the bank’s mission, values, policies, and processes. Banks should design compensation programs to attract, develop, and retain qualified personnel. In addition, compensation programs should be structured in a manner that encourages strong risk management practices. Mergers and consolidation present complicated personnel challenges. Any bank merger plans should lay out strategies for retaining staff essential to risk management.
Control systems are the tools and information systems (e.g., internal/external audit programs) that bank managers use to measure performance, make decisions about risk, and assess the effectiveness of processes. Feedback should be timely, accurate, and pertinent.
Measuring and Assessing Risk
Using the OCC’s core assessment standards5 as a guide, an examiner obtains both a current and prospective view of a bank’s risk profile and determines its overall condition. When appropriate, this risk profile incorporates the potential material risks to the bank from functionally regulated activities conducted by the bank or the bank’s functionally regulated affiliates (FRAs).6
The core assessment provides the conclusions to complete the OCC’s risk assessment system (RAS). Examiners document their conclusions regarding the quantity of risk, the quality of risk management, the level of supervisory concern (measured as aggregate risk), and the direction of risk using the RAS. Together, the core assessment and the RAS enable the OCC to measure and assess existing and emerging risks in large banks, regardless of their size or complexity. This risk assessment drives supervisory strategies and activities. It also facilitates discussions with bank management and directors and helps to ensure more efficient examinations.