Home » Publications & Resources » Article Library » 2009-10 » Why Is Risk Such a Bad Thing?

Publications & Resources

July/August 2009
Focus: Risk Management

 

Why Is Risk Such a Bad Thing?

By Ken Proctor

It's difficult to be one of the best, to be great, to consistently exceed the performance and profitability of your peers. It takes vision, focus, commitment – and in banking – it takes risk. Risk is a daily, essential part of the business of banking. 

However, there is the general belief that risk is bad. Just ask those who are picking through the rubble of AIG’s credit default swap debacle. That belief, however, is a misconception. It is the management of risk that is most often bad. That is were bankers also come up a bit short. 

My mother told me beer was bad. But after the first couple in college, I was pretty sure she was wrong. The next morning though, after the having consumed several more, I was convinced I should have listened to her. As my college experience taught me, risk in moderation is the best plan.

Just as there are misconceptions about risk, there are similar misconceptions about risk management. Many bankers do not look far beyond credit or interest rate risk management. Some think risk management is primarily a compliance issue. Others believe risk management involves purchasing insurance, installing security equipment, or adding internal controls.  In truth, it includes, but goes far beyond, each of these issues. 

Risk management is a process involving the board, management, and pretty much everyone else at the bank. Its goal is to identify and manage those events that may impair the bank’s ability to achieve its strategic business objectives. Unfortunately, there is often a poor link between where the bank is trying to go strategically and how much risk it must or can take to get there. 

Beyond the lack of a strategic link to risk, bankers don’t have the tools in place to identify and respond to emerging risks. They will pile on the commercial real estate loans, or some other type of loan that is producing high interest rates or fees (think sub-prime mortgages) with loss potential that far exceeds what the bank can support. As they stake out this high risk position, they lack the tools to tell them the cliff is approaching. 

As a risk manager told me recently, “Bankers have done an extraordinary job of driving the car while looking in the rearview window.”  I suppose that approach works, as long as the road ahead is straight and level. As 2008 clearly demonstrated, the road is full of potholes and sudden, sharp turns. To survive the current period and succeed in the coming years, bankers must sharpen the tools and learn a bit of discipline.

What is Risk Management?

To determine what effective risk management is, maybe we should examine some of what it is not. Risk management is not a task that is assigned to someone to complete. No one person or department  “manages” risk. Just because someone completes an annual risk assessment, it does not mean the risk is managed.  

Instead, risk management is a discipline incorporated in the business management process. Policies approved by the board should contain clear guidelines on how much and what type risks the bank finds acceptable. For example, how much in terms of Tier 1 capital do we want to be exposed to particular types of loans? 

The bank may need the revenue from higher risk loans, such as income producing commercial real estate loans or indirect mobile home or auto loans. That may be the risk required to reach the  bank’s strategic business objectives. But it is prudent to ask, what is the loss potential on these types of loans...now, today and in the future...and will the bank be able to determine if that loss potential increases over time? It is also timely to ask, how much exposure can the Bank tolerate in relation to capital on these type loans?  

Accordingly, policies should also provide guidance on how management should respond to changes in risk and exposure. If, for example, the aggregrate internal risk rating on loans of a particular type, collateral, or industry decline, what action should be taken to protect the bank from future losses. Should the bank stop making similar loans to new customers at that point? Should it stop making them entirely? Should it begin reducing the amount of such loans, and the related loss exposure? 

Risk management is not just setting policies. Policies are only as effective as the controls and processes that assure and monitor compliance with them. The bank must establish effective underwriting guidelines and controls to ensure the quality of the loans being made. The aggregate exposure to those loans and their performance, must be monitored closely by management and the board. Exposure to loans approved as exceptions to underwriting guidelines and scores must be tracked, not just loan by loan as they are approved, but in the aggregate.

The Broader Picture

It is pretty clear that one outcome of the current “banking” crisis will be an increased scrutiny of banks’ risk management practices, processes and systems by regulators. Bankers will have to step up to the plate on this issue as they did in the ‘80s and ‘90s, managing interest rate risk (think GAP analyses and rate shock analyses) and the ‘90s and early 2000s, managing financial reporting risk (think FDICIA and SOX). 

From the credit perspective, underwriting controls and credit administration practices require significant improvement. In short, lessons learned in the ‘80s and early ‘90s were forgotten in the run-up to this crisis. But beyond that, policies, systems, and tools for monitoring the quality of the loan portfolio and potential loss exposures will require significant improvement. Just as the GAP analysis was a blunt instrument for managing rate risk, so are many of the tools used today to monitor credit and other risks in banking. Stress testing systems will be required for credit risk management, as well as improved monitoring of leading credit risk indicators. More sophisticated tools will also be necessary to monitor the other categories of banking risk: liquidity, compliance, operational, strategic, and reputational risk. 

No single person can “manage risk” in a bank. Risk management must become part of the bank’s culture, part of a balanced strategic approach. Its execution must become part of the ongoing business process. Discipline will be essential. 

Risk indices and dashboards of leading and lagging key risk indicators will become essential management tools in the future. For these to be effective, new systems and tools must be deployed.

Risk itself is not a bad thing. As the old saying goes...No Guts, No Glory. Banks profit from taking risks. But the risk management process has to be effective. The banking industry can no longer afford to be driving down the road looking in the rear view mirror. 

Ken Proctor is director of risk management at Brintech in Amherst, N.H. He can be reached at 800-929-2746 or KProctor@Brintech.com. Proctor will present a Directors & Risk Workshop on June 2 in San Francisco.

---

Unauthorized reproduction of all or part of this material without the express written consent of the author is strictly prohibited. All rights reserved.

© 2012 Western Independent Bankers, All Rights Reserved.