Industry Insights: Risk Management/Internal Audit

July 8, 2019
Enterprise Risk Management for the Boardroom
By L. Randy Marsicano, NCRM, CRISC, Professional Services Senior Manager, WolfPAC Solutions

Have you ever felt challenged while preparing for an ERM program presentation? Ever had one go badly?

Enterprise Risk Management, by definition, is a process itself, so the reporting of your program’s results by default is also considered a process. Your success in reporting engaging and simplified results has less to do with which report you choose to present than it does with better understanding your audience and how they consume data. Wouldn’t it be great if, during your preparation, you understood how to build a “reporting” narrative tailored to your audience’s consumption of information, in an organized and engaging manner? To do so, you’ll have to start by getting past some of the common myths surrounding ERM presentations.

Myth #1: All Communication is the Same
Imagine your car suddenly makes a funny noise. When you make an appointment with your mechanic, you describe the situation in great detail and participate in a mutual negotiation of what needs to be fixed, the timeline and acceptable payment terms. Now imagine updating your spouse on the car situation. Will you go into that same level of detail? Probably not. You may simply state that you had an issue, weighed out the potential solutions, agreed on a price and ask for a ride home! Take this scenario one step further – imagine explaining the same situation to your boss. Wouldn’t you simply say “My car is in the shop, I’m working from home today and am available on my cell if you need me”?

The same situation is described, but presented very differently depending on the audience and how they consume information. If you can get your head around that, you may also agree that you communicate ERM program results differently with the first line of defense, second line of defense and your board.

Myth #2: All People are the Same
In 1924, lawyer and psychologist William Moulton studied the concepts of will and a person’s sense of power, and their effect on personality and human behavior. Through this research, the DISC profile emerged. Today, we can benefit from understanding different personality types and how they consume information. At a high level, four DISC traits have been identified, each with their own communication style:

- Dominance (sometimes called the Eagle): A direct and results-oriented personality, this profile consumes information quickly and at a high level, without delving into details.
- Influence (sometimes called the Parakeet): With an outgoing, high-spirited and lively personality, this profile consumes high-level information but prefers a more personal approach.
- Steadiness (sometimes called the Dove): Known as having a calm and sensitive personality, this profile methodically consumes information and may desire direct involvement.
- Conscientiousness (sometimes called the Owl): As a reserved and analytical personality, this profile consumes logical and detailed information.

Understanding people’s specific personality types is important, because the right information presented the wrong way may distract from your message.

Myth #3: One Report Does it All
In helping people prepare for ERM boardroom presentations, I notice that some individuals simply ask which reports to print. Although the value of reports should not be dismissed, they are only a supporting player. According to the RMA Governance and Policies Workbook, “risk reports shouldn’t create paper, they should create dialogue. Information reported without context can be extremely dangerous.”

Providing constructive dialogue on ERM programs is essentially telling a good story – complete with a beginning, a middle and an end (or rather, with a process, results and conclusion):

- Process: This includes the period considered, what was covered and who participated
- Results: What did we learn, what are the threats to the business, are appropriate controls in place and are we safe?
- Conclusion: Lessons learned and action plans

Myth #4: You Can Put This Together Quickly
We all have a friend who waits until Christmas Eve to shop for gifts. But preparing a relevant, succinct and effective presentation is not the same as Christmas shopping – it takes time, and must be done over time. Discerning people will see right through a quickly pieced-together presentation.

Now that we have dispelled some of the myths around ERM programs, here is some simple yet effective advice for presenting your ERM program:

1. Start early. Begin by writing down the basic framework and key messages. Seek to understand early what information may be missing, and put together a plan to get it.

2. Make sure you understand how your audience consumes information. If you don’t have the opportunity ahead of time, be ready to quickly determine which trait you are talking to and adjust accordingly. When there is more than one personality in the audience, communicate to the highest ranking person in the room – most likely an “Eagle”. If the highest ranking person is not an Eagle, but someone of influence is, you may still need to start communicating in “Eagle-ease,” but quickly get to areas of detail to accommodate the other styles. Parakeets, Owls, and Doves tend to have more patience than an Eagle.

3. Craft your story. Your presentation should start with the process, or how you got there. This will lay the groundwork and help your audience understand what it is they’re looking at. Results should be communicated with the appropriate detail, but be prepared to drill down into some of the higher-risk areas if asked. Always end with lessons learned and next steps, which can include how results will be used, remediation put in place and linkages to strategic programs.

A well-structured and communicated program shows value not only in the effort, but in the presenter as well. Good luck!

Disclaimer: The views and opinions expressed in this article are those of the author(s) and do not necessarily reflect the official policy or position of the Financial Managers Society.

About the Author

Randy Marsicano is a Senior Manager of Professional Services in the WolfPAC Solutions Group, overseeing all Enterprise Risk Management Advisory Services. He has nearly 30 years of experience designing and implementing risk management, vendor management, technology and operational management programs, and works closely with community institutions to create and improve their ERM programs and drive costs down.

April 8, 2019
Is Your Shadow IT Compromising Your Growth and Compliance?
By Joe Galletta, Sales Manager – Americas, ClusterSeven

With the financial crisis behind us and the much-debated rollback of some Dodd-Frank Act regulations underway, the focus of many financial institutions has finally shifted from managing compliance to managing the business. Issues such as cost management, optimizing business performance and the need for innovation have once again come to the fore.

The emphasis now is firmly on building the business across areas such as portfolio management, risk management and product development. Central to these goals are the models banks use to manage their business, and the technology they use to deliver the output of these models – typically spreadsheets, databases and visualization tools.

Regulators are “on the case”
Of course, the wide and varied use of models – together with the tools, calculators and the technology infrastructure that supports them – brings its own challenges. Unmonitored and uncontrolled, models can themselves pose risk factors that regulators are increasingly noting. The Current Expected Credit Losses (CECL) accounting standard is one such example where model management is a fundamental requirement for which institutions need to demonstrate full control and transparency. The FDIC too has its model risk management framework for financial institutions with assets over $1 billion, affecting around 700 banks in the U.S.

Hence, while financial institutions are keen to focus on developing and driving the business forward, effective compliance management remains an imperative. And judging by historical events, compliance appears to be a moving goal post.

Shadow IT a risk
Shadow IT (e.g., databases, development environments, management information systems and spreadsheets) today is extensively used to manage numerous business processes, in parallel with and integrated with corporate IT applications. In fact, these applications, especially spreadsheets, are often the preferred business and regulatory compliance modelling tool due to their ease of use and flexibility. They are powerful enough to run complex calculations and are easy to connect so that data seamlessly flows between the various models, tools and calculators, as well as the processes they support. Perhaps this is why these applications often start as a tactical fix for a business issue, and eventually become so embedded into a business-critical process that they can’t be easily removed.

Regulators are increasingly recognizing the importance of shadow IT to key business processes at banks and credit unions. There is nothing wrong with this as such, but it does mean that institutions need to have suitable visibility and controls in place. Without these controls, there’s no getting away from the operational, regulatory and reputational risks the unfettered use of these tools pose.

For example, a fat-fingered data entry can cause outcomes to be skewed. A lack of version control means that there can be multiple versions of the same file or spreadsheet in use at the same time, which can seriously impair decision-making and critical reporting. This can be exacerbated if these applications are linked to other applications, replicating the same problems across the business almost instantaneously. From a compliance standpoint, such situations can cause inadvertent misreporting, resulting in severe regulatory fines. Recently, a regulator in the UK imposed a $37 million fine on UBS for a decade of transaction misreporting errors, serving as a reminder of the potential risks involved – and a fine like this doesn’t begin to quantify the reputational risk involved.

From a business perspective, the impact can be equally serious. Poor quality information can lead to missed opportunities, or give an unrealistic view of potential returns on an investment. It can also expose an institution to contractual breaches or other issues that drive reputational risk.

A risk-sensitive approach to managing shadow IT
These shadow IT challenges can be overcome by taking a risk management led approach to its usage. At its core, it requires establishing a framework for “business as usual” shadow IT management, which should include:

Creating a comprehensive inventory of the shadow IT tools and processes is an obvious place to start.

2. Risk-based tiering
Not all the tools and processes will be equally materially important to the business. Based on a defined criteria and the institution’s appetite for risk, tiering the shadow IT processes and models helps identify the ones that pose the most operational, regulatory, compliance and reputational risk to the business.

3.Understanding the data connections
Especially for high-risk processes, identifying and understanding the data linkages and lineages across the landscape is crucial to ensuring data quality and accuracy – and thereby integrity – of the processes and models.

4.Managing and monitoring
Based on a shadow IT user policy, the business-critical models and processes can then be monitored and managed for version and change control, as well as review, approvals and authorizations, to ensure that the data is accurate and can hold up to scrutiny at all times.

Institutions often resort to manual processes to govern their shadow IT estate, but despite the best will in the world, they’re fighting a losing battle due to the vast expanse and complexity involved. Achieving full transparency for an estate (to the stringent requirements of auditors and regulators) that is complex and grows organically due to lack of controls is next to impossible to achieve manually.

Therefore, automation is often the preferred solution for taking care of everything end-to-end. From scanning the IT infrastructure to locate the spreadsheets and other files to exposing the underlying data sources and relationships across the landscape to risk-checking the critical files and models, automation can help to provide continuous monitoring and control without being a drain on resources. In doing so, it also presents a reliable and demonstrable way to assure stakeholders – including senior management, auditors and regulators – that the institution’s shadow IT is subject to the same level of scrutiny that its enterprise IT is.

Disclaimer: The views and opinions expressed in this article are those of the author(s) and do not necessarily reflect the official policy or position of the Financial Managers Society.

About the Author

Joe Galletta has over three decades of experience in business development and partner management, with extensive work with financial services organizations, banks, asset managers and insurers.

November 19, 2018
How to Determine Millennial Borrowers' Credit Worthiness
By Joseph Lowe, Marketing Manager, Sageworks

When assessing the potential risks a borrower presents an institution’s portfolio, the typical starting point for most lenders is the “five Cs of credit” – capacity, character, capital, collateral and conditions. But as a younger generation, burdened with excess debt, becomes the prime demographic for commercial and consumer loans, community banks and credit unions may want to reconsider that approach if they want to capture this increasingly important segment.

Judging by the numbers, the American economy is on an uptick. The national unemployment rate sits at its lowest rate since 2000 (3.9%), the average FICO credit score is at its highest point ever (704) and median household income is at its highest mark in over 30 years ($61,372). In addition, young borrowers’ share of the lending market is growing.

Despite these positive figures, however, the financial outlook for young borrowers is not on par with the national averages. For example, the average FICO credit score for young borrowers (ages 21-34) is 638, while the average income for Millennials is $35,592.

Given these disparities, it will be difficult for community institutions to grow revenue if they choose not to factor in metrics other than the five Cs when analyzing young borrowers. Let’s take a look at the five Cs of credit in consideration with the young borrower market.

Capacity – Young borrowers earn an average salary of $35,592 and owe an average of $25,000 in student loan debt alone, making for a poor debt-to-income (DTI) ratio.

Character – Young borrowers’ average credit score of 638 is considered fair or poor for most financial institutions that rely on credit scores as the only gauge of character.

Capital – Young borrowers are spending more on bills than previous generations, leaving less money to put toward loan payments.

Collateral – Young borrowers are postponing major purchases such as homes and cars, opting instead for renting and public transportation.

Conditions – Young borrowers are starting new businesses, which, due to their limited credit history and high debt burden, can be too risky of a loan for community banks and credit unions to offer.

In light of these realities, community financial institutions looking for a share of the up-and-coming young borrower market may consider including supplemental factors within their credit analyses and implementing technology to better evaluate credit risk.

Analyzing a young borrower’s entire relationship through global cash flow
Global cash flow refers to a lender or credit analyst’s ability to review a borrower’s financial relationships with his or her peers in the community and, more importantly, the financial institution. Rather than solely focusing on the borrower’s financial history as a key determinant of creditworthiness, financial institutions can determine how businesses, properties and family members connected to the young borrower will affect credit risk for the institution.

For example, consider a loan application from a young borrower named Jack for a $5,000 commercial loan to pay equipment costs for a moving business. When analyzing his financial statements, you see that not only does Jack make a lower-than-average income of $29,000 per year, but he also owes a total of $25,000 in student loans. Your initial reaction is to deny the line of credit. However, upon reviewing the global cash flow analysis, you realize that his student loans have a guarantor on the account – his mother, Linda. Linda earns an income of $110,000 annually and has a credit score higher than 750. She co-owns two businesses with other prominent community members and has banked with your institution for 20 years.

By considering relationships through global cash flow, you have more evidence to potentially justify the line of credit and offer the loan to Jack based on conditions that mitigate his credit risk. By using global cash flow analysis, lenders can identify opportunities, increase defensibility of loan decisioning and take informed, calculated risks.

Using technology to determine credit worthiness
In a recent article published by the Wharton School of the University of Pennsylvania, Benjamin Keys, Wharton professor of real estate, and Richard K. Green, director of the University of Southern California’s Luck Center for Real Estate, both pointed to technology as a way for banks and credit unions to pull in other factors during credit analysis to provide supplemental evidence that borrowers can repay loans.

Implementing credit analysis technology allows lenders to identify portfolio risks based on both internal factors (such as probability of default) and external factors (such as data from other financial institutions) through automated credit risk models and APIs. APIs layer on another source of bank data for lenders to include within credit analysis as well – third-party data.

An automated commercial credit risk model can determine credit worthiness using predictive financial factors and limited data entry from lenders or credit analysts. Furthermore, automated credit risk models can quickly compare probability of default with broader industry trends and examine the industry’s risk to the institution. For young adults with limited access to capital, a better understanding of industry trends can provide another factor to be taken into account when examining credit.

As the demographics of community financial institutions’ customers shift to younger borrowers with less credit history and higher DTI than previous generations, it’s important for banks and credit unions to focus on more ways to help them find good risks that represent profitable growth from a core of young borrowers.

Disclaimer: The views and opinions expressed in this article are those of the authors and do not necessarily reflect the official policy or position of the Financial Managers Society.

About the Author

As a commercial lending marketing manager at Sageworks, Joseph Lowe helps educate bankers on ways to optimize their lending and credit risk processes.

August 20, 2018
Model Risk Management: How to Be Prepared in a Data-Driven World
By Meredith Piotti, Internal Audit Senior Manager, Wolf & Company, PC

Financial institutions’ reliance on harnessing the power of data through models and using analytics to create reports continues to increase. As a result, regulatory bodies including the FDIC, OCC and the Federal Reserve have issued guidance and increased criticism within exams regarding proper model oversight.

Reliance on poorly designed models or errors in model output could result in missed opportunities or prevent management from identifying major threats on the horizon. Testing model inputs, calculations and outputs can give an institution’s management confidence that their decisions are being based on reliable information.

Creating a Model Risk Management Program
The first step to a strong program is to have a Model Risk Management Policy that ensures all departments within the institution are applying the same definition and oversight of models. This policy should outline the methodologies for the following, along with other regulatory requirements:

-Identify who is responsible for the oversight and execution of the policy
-Describe the step-by-step process for new model creation
-Classify end-user computations versus models for inclusion in the institution’s model inventory
-Develop a standard model risk assessment framework
-State the frequency and extent of model validation based on risk
-Establish ongoing oversight

Identifying and Assessing Models
Institutions should identify which programs, analytics and end-user computations are in use to compare to the policy’s model definition. An inventory should be created to capture all of these that meet the model definition, with end-user computations catalogued separately. Although end-user computations are not as complex or relied upon to the same degree as models, it is important that they are incorporated in audits to verify the completeness of inputs and the accuracy of calculations.

Each model in the inventory should be risk assessed annually using the institution’s framework. Factors that should be incorporated into this framework include, but may not be limited to:

-Input volatility
-Model use
-Financial impact
-Business decision impact
-Model design

Each model should be given a final risk score that will determine the frequency of required validations.

Proactively Monitoring Models
In conjunction with the annual risk assessment process, institutions should develop a standard “annual touch” questionnaire. The annual touch should be reviewed with the model owner to determine if there are any changes to the model’s design, oversight and inputs or other additional factors to be considered when determining the model’s validation frequency.

In addition to verbal responses, documented support should be obtained to corroborate responses, including mapping documentation, evidence of model owner review and assumption documentation. The reviewer should also follow up on any prior validation comments to ensure they have been remediated and discuss any user overrides to the model. Significant changes or overrides may result in the need for an earlier model validation.

Model Validation
Historically, regulators have primarily focused on requiring independent validations of automated AML software models only. However, regulatory scrutiny has increased to require that all models have a validation schedule and to verify adherence with that schedule.

Model validations should verify that the model is performing as expected and in accordance with its business use. It is critical that the validation is performed by someone independent of the oversight of that particular model with the appropriate expertise to validate the model. The extent of the validation will depend on the complexity of the model and the potential risks pertaining to the model.

Establishing a comprehensive model risk program can deter future problems and allow management to get back to banking

Disclaimer: The views and opinions expressed in this article are those of the authors and do not necessarily reflect the official policy or position of the Financial Managers Society.

About the Author

Meredith Piotti is a Senior Manager in the Internal Audit Services group at Wolf &Company, responsible for overseeing the firm’s data analytics group and delivering internal audit services to financial institutions.

April 2, 2018
Applications of Risk Ratings
By Alison Trapp, Sageworks

Risk rating is integral to underwriting and managing commercial loans. Regulators expect that lending institutions not only assign risk ratings in an accurate and timely manner, but also that they use them in their processes.¹ Institutions should benefit from this expectation, as aligning processes to risk rating can impact their financial performance and human resource efficiency – particularly when used in the following areas.

New Originations
Risk rating is a means for ensuring an institution is originating and renewing loans in a safe and sound manner. For that reason, the underwriting process should include an assessment of risk rating early, rather than leaving it for a “check-the-box” exercise right before approval (or worse, closing). Accurate rating within the Pass grades is important to ensure that other processes are correlated to the proper risk levels.

An institution may also tie approval authority levels to risk rating. In this instance, so as to avoid biased results, it is especially important that the person responsible for assigning the risk rating is not influenced by the person with the approval authority.

Risk rating may also govern commitment and hold levels, when a guarantor is required, or what structures are available to a given borrower. For example, some borrowers have weaker cash flow that would result in an unacceptable rating unless there are structural enhancements that reduce that risk.

Loan Pricing
Intuitively, risk managers and lenders understand that higher-risk loans should have higher fees or interest, or a shorter tenure. Explicitly tying loan pricing to risk rating allows an institution to implement these structural elements more consistently. It also allows the institution to evaluate any exceptions to the pricing policy within a framework. In certain cases – for instance, the institution may deem it advantageous to stray from its own policy for a bigger purpose – having the policy in the first place allows it to understand the cost of such a move.

Resource Management
Risk rating can be a powerful guide for managing resources. A starting point is to align experience levels with accounts from different risk grades. A more experienced analyst should be the lead on lower-rated assets, while less experienced analysts may have a secondary role on these accounts or a lead role on more highly rated assets with oversight.

When the portfolio is managed with risk rating, the institution can use data to understand how changes to the portfolio will affect the resources required to manage the assets effectively. For example, if the institution is planning to acquire a portfolio of loans and it knows (a) the risk rating distribution of those assets and (b) the amount of a full-time resource that each risk grade requires to manage to its standards, it can estimate the additional resources it will need. The institution can thereby determine if it has enough current resources to absorb the acquisition, if it needs to find efficiencies (perhaps through the use of software or by streamlining processes) or if it needs to hire additional resources.

Portfolio Rhythms
An institution should align distinctions in risk ratings to its ongoing portfolio management processes. For example, the institution can tie the frequency of review to risk ratings. An institution with five grades of Pass along with Special Mention, Substandard, Doubtful and Loss might set account review frequency as follows:

Additionally, the institution can use its data to understand how changes to a process will impact it. For example, if an institution with the above structure decided it was spending too much time in meetings and wanted to move Pass 3 from a semi-annual review to annual, it could estimate how much time would really be saved. Performance of the Pass 3 credits should then be monitored separately for a time to make sure that the change did not have a detrimental impact to overall portfolio quality.

Allowance for Loan & Lease Losses (ALLL)
There is a logical correlation between risk rating and ALLL as supported by the OCC calling risk rating the underpinning of ALLL.² Embedding risk rating in the ALLL process explicitly systematizes what institutions would be doing instinctively – aligning reserve levels with risk levels. Most institutions are already using risk rating in their ALLL process, while those not currently doing so are likely contemplating including it as part of the transition to their upcoming Current Expected Credit Loss (CECL) calculation.

By developing a robust risk rating policy and applying it consistently to all loans, financial institutions can glean benefits across the life of the loan, from origination to portfolio risk management.

¹ page 2
² page 2

Disclaimer: The views and opinions expressed in this article are those of the author(s) and do not necessarily reflect the official policy or position of the Financial Managers Society.

About the Author

Alison Trapp leads the credit risk practice for Sageworks’ Advisory Services team, with expertise in the areas of credit administration, risk rating development and policy implementation.

December 5, 2017
Can Risk Management Be Profitable?
By Alec Hollis, Director – ALM Strategy Group, ALM First Financial Advisors, LLC

As regulated as the banking industry is, risk management can seem like a “check-the-box” activity. In a great piece titled “The Profitable Side of Risk Management,” Michael Giarla rejects the perception of risk management as a necessary evil that detracts from bank profitability, and instead promotes the idea that proper risk management is an important factor to an institution’s success. While overregulation certainly is a hot topic today, proper risk management remains a timeless element in long-run profitability.

Central to most risk management programs is managing interest-rate risk (IRR), although strategies to manage and target this risk vary across the industry. Ultimately, an institution’s tolerance for IRR is set by its board. Given that some institutions are comfortable operating with higher levels of IRR than others, it’s worth asking whether higher levels of IRR are correlated with higher levels of profitability.

The answer is not so straightforward. There are many other, more material factors driving long-run profitability, such as lending standards and cost management. As such, one can see IRR management not so much as a profit center, but as a natural hedging response of a business focused in financial intermediation. Great institutions have strong risk governance programs in place, allowing them to scale and grow in a safe manner, and continue to do what they do best – serve their customers and their institutions without betting on interest rates.

As with any risk management program, minimizing risk isn’t a valid goal, all else equal. Risk avoidance can create shortfall risk, which can be detrimental to profitability. Instead, asset-liability management (ALM) programs should focus on quantifying risk and managing it to ensure the institution is making informed decisions. Ultimately, earning adequate reward per unit of risk is the name of the game. High-performing institutions often do this by integrating risk management with strategic planning, through the development of new products, services and processes.

High-performing institutions are also very aware of the current profitability and risks of their product lines. As the old saying goes, “a bank’s assets are its liabilities, and its liabilities are its assets” – meaning a stable cost of funds is a valuable asset, and credit concerns stemming from the asset side can bring a bank down. Having superior expertise in managing credit risk is extremely important to long-run profitability, which is why many institutions rely on risk-adjusted return on capital analysis.

Keeping track of all the risk-adjusted analysis acronyms might be harder than understanding the techniques themselves – RAROC, RORAC and RARORAC to name just a few. But despite the potential confusion, the goal is to get to a risk-adjusted return on allocated capital, which can in turn help the institution become a better capital allocator.

When making capital allocation decisions, capital is best allocated to its most efficient use. Efficiency is an idea discussed in modern portfolio theory, and one that applies to building a balance sheet. The general rule is that for any two investments (capital allocation decisions) with the same level of risk, the institution should choose the option with the higher expected return; conversely, given the same expected return, the investment with lower risk should be chosen. Additionally, the investment’s risk-adjusted expected return – adjusted for the associated marginal operating and credit costs – should exceed the marginal financing costs of the institution.

The table above shows a return on capital comparison of three potential investments – two loans and a securitized product. Despite the disparity between the three assets, all potential investments should be boiled down to their marginal impact on return on allocated capital to allow for cross-comparison. While an asset may have a lower gross yield, it may demonstrate a higher return on allocated capital after accounting for its risk-adjusted expected return, its marginal costs and its leverage resulting from the required capital allocation.

Such is the case in the following hypothetical example – the agency CMBS product has a lower yield than the auto loan, but after adjusting for expected credit cost, operational expense and capital allocation, it ultimately has a higher return on capital. Just as one shouldn’t judge a book by its cover, don’t judge an asset by its yield.

Risk management is important for many reasons, and shouldn’t be reduced to a regulatory task or seen as solely playing defense. To the contrary, proper risk management can provide CFOs and management with the confidence needed to support a robust offensive strategy. As history has shown, crises come and go – risk management should serve to protect the institution from the fluctuations of the business cycle, which is why risk-adjusted product profitability analysis is paramount.

Disclaimer: The views and opinions expressed in this article are those of the author(s) and do not necessarily reflect the official policy or position of the Financial Managers Society.

About the Author

Alec Hollis is a Director in the ALM Strategy Group at ALM First, where he performs asset-liability management strategy research, implements firm-wide ALM modeling procedures and helps execute balance sheet hedging programs for financial institutions

May 24, 2017
Five Ways to Unlock the Full Value of Loan Review 
By  Ancin Cooley, Principal, Synergy Bank Consulting and Synergy Credit Union Consulting

If you grew up north of the equator, you can probably remember the excitement you felt playing in the freshly fallen snow each winter. As you bounded toward the front door, ready to throw yourself into a fluffy pile of wintertime fun, you were stopped by a parent, ready to burden you with a heavy coat, gloves, scarf and hat. As the layers piled on, you wondered who could possibly have fun in all of this. However, once outdoors, you realized that your protection made the snowy adventure even more enjoyable.

A similar analogy can be drawn about loan review. Attempting to quickly grow your loan portfolio or move into new areas of business without a fully functioning loan review program is like trying to play in the snow without a coat on. You’ll never enjoy the snow if you’re not equipped to withstand the freezing temperatures that will undoubtedly accompany it. Likewise, you’re unlikely to see the sustained growth you seek for your institution if you fail to implement key processes that protect you from the imminent pitfalls associated with growing or integrating a new loan product.

Even the most conservative institutions pin growth and profitability as primary goals. However, in order to maintain healthy growth, institutions must keep a reliable pulse on the performance of their loan portfolio and accompanying credit risk issues. Effective loan review keeps that pulse by consistently monitoring the risk management function. With a strong loan review department to keep things on track, the institution will have the freedom to explore new products and industries with confidence.

If it’s true that loan review is the key to monitoring risk, then where was it during the last major downturn? Amid the slew of potential issues that crippled loan review and lead to the last downturn, these primary issues took precedence, and in many cases their continued presence is still putting institutions in jeopardy:
- Insufficient analysis to support the risk rating
- Failure to document major issues and the answers leading to their conclusion
- Failure to discuss credit administration weaknesses
- Insufficient numbers and experience of staff
- Failure to discuss and address portfolio risks
- Organizational and hierarchical missteps
- Lack of follow-up

Today, commercial real estate levels are back to where they stood pre-downturn. Institutions that have a strong early warning system – built by loan review – are able to identify and remediate problems faster.

Once your institution realizes the full value of the protection offered by a high-functioning loan review team, you may actually look forward to having an independent group of professionals hand you a pair of gloves, fit you with a coat and wrap you tightly in a scarf before sending you off to your next deal. To make sure your institution is getting the full value out of its loan review process, be sure to pay close attention to these five practices:

Craft a Risk Appetite Statement
The risk appetite statement helps your institution determine the direction of its lending program in an effort to grow more intentional portfolios that will bolster its overall health. When crafted as part of your yearly strategic planning process, your institution will be primed to grow portfolios by aligning your goals with your unique risk appetite.

This statement serves as a crucial guide by outlining the institution’s risk appetite, risk capacity and risk profiles, driving your institution’s decision-making over the next year.

While risk appetite refers to the amount of risk your institution is willing to accept in pursuit of loan growth, risk capacity quantifies the maximum risk that the firm is able to withstand. Risk capacity is based on metrics like capital, liquid assets and borrowing capacity, among others. Target risk profile represents the allocation of appetite to risk categories (e.g., how many home equity or car loans you will grant?). Actual profile represents risks that are currently assumed.

When gathering information that will eventually become the risk appetite statement, it’s important to engage with and incorporate the input of parties such as the board, CEO, CFO, lenders and internal auditors.

Align Loan Review with Risk Monitoring
For some institutions, this maxim is already a no-brainer. While past industry-wide practices have placed loan review within the purview of internal audit, forward-thinking institutions are making the shift toward aligning loan review with risk management. In fact, loan review is increasingly being referred to as credit risk review, thus highlighting the shift in thinking about the functionality of loan review.

When loan review is repositioned within the organization’s hierarchy, this seemingly small organizational shift can have a seismic effect on the overall effectiveness of the loan review function. This is achieved through utilization of independent authorities that perform candid, unbiased reviews.

Put simply, a loan reviewer must be able to safely “speak truth to power.” The reporting structure should be organized in a manner that allows for both the formulaic testing and critical, open-ended examination allowed under risk management.

Further, compensation levels are another key component of loan review effectiveness. Because the loan review position is critical to the success or failure of a financial institution, the institution must hold it in esteem for internal controls and for external appearances. By providing loan reviewers a proper place in the hierarchy of the organization, the institution communicates the seriousness and intrinsic value of the loan review position and its responsibilities.

Apply Strategy to Price Monitoring
A “one size fits all” approach just doesn’t work in the land of lending. Building a strategic pricing system through close monitoring of loan administration is critical to maintaining a healthy portfolio.

Even after a borrower has been with you for some time, things like credit worthiness, collateral values, and deposit balances all change over time, requiring a change in strategy on the part of the institution. Utilized fully, your loan review department can help keep an eye on these many changes and help steer the institution toward the best set of solutions.

Hone In on Small, Targeted Reviews
While broad, sweeping reviews are seemingly effective, getting down into the devilish details can expose smaller issues before they become significant problems. Specifically, performing deep dives into your appraisal management, special asset and loan administration function create tangible value and ROI.

Perform Post-Mortems on Large Charge-Offs
There really is no better vision than hindsight. Looking at your largest losses incurred over the last three years will allow you to identify whether there are any core themes that recur throughout. When armed with knowledge about what hasn’t worked, you can mitigate similar losses in the future. This is undoubtedly a best practice.

Before implementing these practices, make sure they are codified in a strong loan review charter or policy that is signed by the board of directors. Memorializing these practices solidifies loan review as a strategic asset, and equips the loan review team to objectively and independently unlock the strategic value of loan review.

Disclaimer: The views and opinions expressed in this article are those of the author(s) and do not necessarily reflect the official policy or position of the Financial Managers Society.

About the Author

Ancin Cooley, Principal, Synergy Bank Consulting and Synergy Credit Union Consulting
Ancin Cooley is the Principal of Synergy Bank Consulting and Synergy Credit Union Consulting, both of which specialize in loan review and strategic planning.  He can be reached at