Navigating the Enterprise Risk Management Landscape

Alp E. Can
Director of Enterprise Risk Management, FHLBank Atlanta
North Carolina Bankers Association
August 31, 2016
Building FHLBank Atlanta’s ERM Program
FHLBank Atlanta
• Goal: To help shareholder financial institutions make affordable home mortgages and provide economic development credit to their communities
• One of the 11 regional Banks in FHLBank System
• 2nd quarter 2016 dividend: 4.64% (LIBOR + 400 bps)
FHLBanks and ERM
“As a matter of sound practice, each FHLBank should have a risk management function or unit(s) with clearly defined responsibilities that reports directly to executive management and has regular reporting responsibility to the board of directors or a committee thereof. The risk management function should not report to business units that undertake risk positioning.”
Federal Housing Finance Agency Advisory Bulletin, May 18, 2005
FHLBank Atlanta and ERM
Years 1 and 2 (2007-2008)
• Early challenges
• Hiring of risk managers and analysts
• Development of Key Risk Indicators (KRIs)
• Continuous improvement (assessment quality, reporting)
Years 3 and 4 (2009-2010)
• Committee refinement
• Model enhancement and methodology development
• Better analysis and focus on risk versus return (stress testing)
• Increased ERM personnel involvement on key projects
FHLBank Atlanta and ERM
Years 5 through 10 (2011-2016)
• Expansion + increased credibility and trust of ERM team
• Development of risk appetite statement
• Created an ERM charter
• Involvement in strategic planning process
• Creating Model Risk Governance Group
• Implementing Dodd-Frank Act Stress testing
• Embed stress testing with strategic planning, risk appetite, and capital planning
Future of ERM (2016-beyond)
• Business Intelligence
• Using new technology and big data to improve future risk assessments
Why ERM?
ERM Defined
Enterprise Risk Management (ERM) is the capability of an organization to understand, control, and articulate the nature and level of the risks taken in pursuit of a risk-adjusted return.
Categories of risk:
• Credit
• Liquidity
• Strategic / Business / Reputation
• Market
• Operational
• Compliance / Legal
• Financial
• Capital Adequacy
Source: Risk Management Association (RMA)
ERM Framework (Rooted in Culture)
[Diagram: framework components arranged around CULTURE at the center]
• Governance & Policies: Create a strong foundation for risk management
• Risk Appetite: Determine the amount of risk the company is willing to accept
• Risk Data & Infrastructure: Ensure appropriate data is used to manage risk
• Coverage: Consider all current and potential risk facing business strategy and operations
• Measurement & Evaluation: Determine the size and scope of all risks
• Control Environment: Assess how well the company manages risks
• Response: Develop a response plan to best manage risk
• Stress Testing: Ensure the company has significant capital in a stressed environment
Source: Risk Management Association (RMA)
What Makes a Culture Strong?
[Diagram: CULTURAL VALUES at the center, surrounded by:]
• Honesty
• Tone at the top
• Integrity
• Trust
• Proper incentives
• Independence of thought
• Courage to speak up and act
• Openness / transparency
• Respect for the ideas of others
Source: Toward Effective Governance of Financial Institutions, G30 Working Group, 2012.
Examples of Top Risks/Issues
Examples of Recent Risk Events
CYBER RISK
• June 2015
• Exposed PII of over 20 million people
GEOPOLITICAL RISK
• June 2016, the U.K. votes to leave the EU
• Impacted global stock markets and currency valuation
• Negatively impacted forecasted GDP for U.K. and EU
ERM: Practical Implementation Steps
“Three Lines of Defense” Model
Board / Risk or Audit Committees
Senior Management
• 1st Line: Operational Management, Internal Controls (risk management by business operations)
• 2nd Line: Risk Oversight, Compliance (independent risk oversight and compliance)
• 3rd Line: Internal Audit (independent evaluation of risk management effectiveness)
• External: External Audit, Regulator
Risk Appetite Statement
[Diagram labels:]
• Risk Appetite Framework
• Strategic Plan
• Risk Assessment
• Capital Plan
• Internal Risk Policies
• Incentive Comp Plan
• Risk Committee Reports (i.e., ALCO)
• Other Key Internal Documents
• IT Risk Tolerance Statement
Stress Testing: A Fundamental ERM Tool
Source: Supervisors Raising the Bar on ERM.
Promontory, Sightlines in Focus, February 2013.
Final Thoughts
• Effective ERM = more intelligent risk-taking, fewer loss events
• Implementation takes years and commitment
• Pace toward maturity determined by CEO and board commitment and demonstrated value
• Developing a balanced risk/return culture is a journey
• Developing a comprehensive risk assessment that includes emerging risks
APPENDIX
Organizational ERM Structure/Team
Board
Board Risk Committee
CEO
CRO
Independent ERM Units
Credit Risk Team
Market Risk Team
Ops Risk Team
Model Risk Team
Board Committee Structure
BOARD OF DIRECTORS
• Overall Risks
• Business Risks
• Strategic Risks
• Reputation Risks
Board committees:
• Audit
• Finance
• Credit & Member Services
• Enterprise Risk & Operations
• Governance & Compensation
• Housing & Community Investment
Risks assigned across the committees:
• Financial Reporting Risks
• Market Risks
• Liquidity Risks
• Overall Compliance Risks
• Capital Risks
• Credit Risks
• Enterprise-wide Risks
• Human Resources Risks
• Risk Appetite
• Disclosure Risks (CD&A)
• Collateral Risks
• Affordable Housing Program Compliance Risks
• Operational Risks
• Fraud Risks
• Earnings Risks
• Emerging Risks
• Internal Controls
• Black Swans
Management Committee Structure
• IT Steering Committee
• IT Governance Committee
• Security Governance Committee
• Credit & Collateral Committee
• Collateral Model Valuation Committee
• Retirement Plan Committee
• Asset/Liability Committee
• Enterprise Risk Committee
• Financial Management Strategy Committee
• Operational Risk Committee
• Community Investment Services Committee
• Accounting Policy Committee
• Disclosure Committee
Risk Identification and Assessment
Risk Assessment: Key Risk Indicators and Trends
Risk Appetite Statement/Report
(Community Bank Template)
Risk Appetite Report as of __________ (Sample Template)
Columns: Risk Category; Risk Level (Current, Previous)
Risk Appetite Categories:
• Capital Adequacy
• Market Risk / Earnings
• Credit Risk (Concentration)
• Liquidity
• Compliance / Regulatory
• Reputation/Strategic
• Operational Risk
Risk Appetite Levels: Zero, Low, Moderate, High
Key Risk Indicators: Focus Group vs. All Banks
[Figure: six charts comparing All Banks (Avg) with Focus Group (Avg) by quarter, 2011Q2 through 2012Q1. Panels: Regulatory Leverage Ratio (%); Texas Ratio; Loan Loss Reserves / Gross Loans (%); Net Non-Core Funding Dependence (%); Efficiency Ratio (%); NPAs / Assets (%).]
Risk Appetite Statement/Report
(Community Bank Template)
Sample Template
Risk Appetite Key Risk Indicators as of __________
Columns: Risk Categories; Internal Sources; Current Level; Previous Level; Risk Trend; Board Oversight
Risk Appetite Level Definitions
• Zero: Not willing to accept risks under any circumstances
• Low: Not willing to accept risks in most circumstances
• Moderate: Willing to accept risks in certain circumstances
• High: Willing to accept risks in most circumstances
1. Capital Adequacy
1.a. Achieve satisfactory CAMELS ratings for Capital Adequacy
1.b. Maintain Total Equity / Total Assets within acceptable limits (%)
1.c. Maintain capital ratios above regulatory capital requirements
1.d. Maintain Leverage Ratio within acceptable levels
2. Market Risk / Earnings
2.a. Achieve satisfactory CAMELS ratings for Sensitivity to Market Risk
2.b. Maintain Duration Gap above acceptable levels with up/down 100, 200, 300 bps rate shocks
2.c. Maintain EVE above acceptable levels with up/down 100, 200, 300 bps rate shocks
2.d. Maintain Interest Expense / Avg. Assets within acceptable limits (%)
2.e. Rate-sensitive Assets/Assets (%)
2.f. Rate-sensitive Liabilities/Assets (%)
3. Credit Risk (Concentration)
3.a. Achieve satisfactory CAMELS ratings for Asset Quality
3.b. Maintain NPA's (Non-Performing Assets) / Assets within acceptable level (%)
3.c. Maintain NPL's (Non-Performing Loans) / Loans within acceptable level (%)
3.d. Maintain ALLL within acceptable level
3.e. Maintain Commercial Real Estate (CRE) Loans / Total RBC within acceptable level (%)
3.f. Maintain Residential 1-4 within limits to RBC (%)
3.g. Maintain C&I within limits to RBC (%)
4. Liquidity
4.a. Achieve satisfactory CAMELS ratings for Liquidity
4.b. Maintain satisfactory Net Non-Core Funding Dependence (%)
4.c. Maintain satisfactory Net Short-Term Liabilities / Assets (%)
4.d. Maintain satisfactory FHLB funding availability
4.e. Maintain acceptable liquidity ratios (%)
4.f. Maintain acceptable levels of pledged securities
5. Compliance / Regulatory
5.a. Achieve a satisfactory exam report
5.b. Number of Internal audit reports less than satisfactory (%)
5.c. Number of external audit reports less than satisfactory
5.d. Number of customer complaints
5.e. Number of new or proposed regulations or legislation
5.f. Minimize Bank Secrecy Act / Anti-Money Laundering related losses ($000s)
6. Reputation/Strategic
6.a. Achieve satisfactory CAMELS ratings for Management
6.b. Number of active litigation matters
6.c. Community Reinvestment Act activities
6.d. Tone of news reports (positive/negative)
6.e. Succession planning in place for senior management / key personnel (%)
6.f. Achievement of strategic goals
7. Operational Risk
7.a. Number of material weaknesses
7.b. Maintain acceptable level of operational losses ($000s)
7.c. Maintain high level of critical system availability (%)
7.d. Maintain adequate insurance coverage (e.g. flood / hazard) (%)
7.e. Maintain optimal level of employee headcount (%)
7.f. Minimize confidential data breaches
Legend
Aggregate Risk Score bands: 95 - 100; 90 - 94.9; 85 - 89.9; 80 - 84.9; Less than 80; n/a
Individual Risk Level: Acceptable; At Risk; Unacceptable
Risk Trend: Increasing Risk; Stable Risk; Decreasing Risk
Internal Documents
• BP: Budget Plan
• CP: Capital Plan
• ICP: Incentive Comp Plan
• IP: Internal Bank Policies
Board Committees
• AC: Audit Committee
• CC: Credit Committee
• ERC: Enterprise Risk Committee
• FC: Finance Committee
• GCC: Governance & Compensation Committee
Risk Appetite Statement/Report
(Community Bank Template)
Risk Appetite Key Risk Indicators as of ___________
Sample Metrics / Data
[Figure: one gauge per indicator showing Current Level and 12-month Avg. Indicators shown:]
1. Capital Adequacy
1.a. Achieve satisfactory CAMELS ratings for Capital Adequacy
1.b. Maintain Total Equity / Total Assets within acceptable limits (%)
1.c. Maintain capital ratios above regulatory capital requirements (%)
1.d. Maintain Leverage Ratio within acceptable levels (%)
2. Market Risk / Earnings
2.a. Achieve satisfactory CAMELS ratings for Sensitivity to Market Risk
2.b. Maintain Duration Gap between acceptable levels with up/down 100, 200, 300 bps rate shocks (years)
2.c. Maintain EVE above acceptable levels with up/down 100, 200, 300 bps rate shocks
2.d. Maintain Interest Expense / Avg. Assets within acceptable limits (%)
2.e. Rate-sensitive Assets/Assets (%)
2.f. Rate-sensitive Liabilities/Assets (%)
3. Credit Risk
3.a. Achieve satisfactory CAMELS ratings for Asset Quality
3.b. Maintain Non-Performing Assets / Assets within acceptable level (%)
3.c. Maintain Non-Performing Loans / Loans within acceptable level (%)
3.d. Maintain ALLL within acceptable level ($000s)
3.e. Maintain CRE Loans / Total RBC within acceptable level (%)
3.f. Maintain Residential 1-4 within limits to RBC (%)
3.g. Maintain C&I within limits to RBC (%)
4. Liquidity
4.a. Achieve satisfactory CAMELS ratings for Liquidity
4.b. Maintain satisfactory Net Non-Core Funding Dependence (%)
4.c. Maintain satisfactory Net Short-Term Liabilities / Assets (%)
4.d. Maintain satisfactory FHLB funding availability
4.e. Maintain acceptable liquidity ratios (%)
4.f. Maintain acceptable levels of pledged securities
Legend
• Green: Risk is within acceptable threshold
• Yellow: Increase in risk as threshold has been breached
• Red: Increase in risk as threshold has been breached
Risk Appetite Statement/Report
(Community Bank Template)
Sample Metrics / Data
Risk Appetite Key Risk Indicators as of _______________
[Figure: one gauge per indicator showing Current Level and 12 mo. Average. Indicators shown:]
5. Compliance / Regulatory
5.a. Achieve a satisfactory exam report
5.b. Number of Internal audit reports less than satisfactory (%)
5.c. Number of external audit reports less than satisfactory
5.d. Number of significant customer complaints
5.e. Number of new or proposed regulations or legislation
5.f. Minimize Bank Secrecy Act / Anti-Money Laundering related losses ($000s)
6. Reputation / Strategic
6.a. Achieve satisfactory CAMELS ratings for Management
6.b. Number of active litigation matters
6.c. Community Reinvestment Act activities (scale: Outstanding or Satisfactory; Needs to Improve; Substantial Noncompliance; * = Prior Rating)
6.d. Tone of news reports (positive/negative) - qualitative measure
6.e. Succession planning in place for senior management / key personnel (%)
6.f. Achievement of strategic goals
7. Operational Risk
7.a. Number of material weaknesses
7.b. Maintain acceptable level of operational losses ($000s)
7.c. Maintain high level of critical system availability (%)
7.d. Maintain adequate insurance coverage (e.g. flood / hazard) (%)
7.e. Maintain optimal level of employee headcount (%)
7.f. Minimize confidential data breaches
Legend
• Green: Risk is within acceptable threshold
• Yellow: Potential increase in risk as threshold has been breached
• Red: Increase in risk as threshold has been breached
Risk Appetite Statement/Report
(Community Bank Template)
Risk Appetite Additional Information as of ____________
Sample Template
Risk Appetite Preamble
The Bank’s board of directors and management have established this risk appetite statement and risk metrics for controlling and escalating actions based on the seven continuing objectives that represent the foundation of the Bank's strategic and tactical planning:
Capital Adequacy
Maintain adequate levels of capital components that protect against the risks inherent on the Bank’s balance sheet and provide sufficient resiliency to withstand potential stressed losses.
Market Risk / Earnings
Market risk exposure should be managed in such a way that a significant disruption in rates and spreads would not result in a loss that would threaten the Bank's capital plan.
Credit Risk (Concentration)
Avoid credit losses by managing credit risk exposures within acceptable parameters. Achieve this objective through data-driven analysis (and when appropriate perform shareholder-specific analysis), monitoring and verification. Monitor through enhanced reporting any elevated risk concentrations, and when appropriate, manage and mitigate the increased risk.
Liquidity Risk
Maintain sufficient liquidity and funding sources to allow the Bank to meet expected and unexpected obligations.
Compliance / Regulatory
Comply with all applicable laws and regulations.
Reputation / Strategic
Recognize the importance of and advance positive awareness and perception of the Bank.
Operations
Manage the key risks associated with operational availability of critical systems, the integrity and security of the Bank’s information, and the alignment of technology investment with key business objectives.
Current Key Issues
• 3.b. Maintain Non-Performing Assets / Assets within acceptable level (%) - Continue to monitor.
• 3.e. Maintain CRE Loans / Total RBC within acceptable level (%) - Continue to monitor.
Questions and Answers
Alp E. Can
Director of Enterprise Risk Management
FHLBank Atlanta
[email protected]
Tel: 404.888.5574