RISK APPETITE AND TOLERANCE

Author: Jeffery Moody
New York Bankers Association 2014 Annual Technology, Compliance & Risk Management Forum May 13, 2014

RISK APPETITE AND TOLERANCE

Presented by:

Eric Holmquist Managing Director, Enterprise Risk Management

Risk Appetite and Tolerance
• The guardrails of risk management
• Establishing risk appetite and tolerance
• Operationalizing risk appetite
• Functional examples
• Q&A

© 2014 Accume Partners


Enterprise Risk Management

• Effective risk management is about establishing guardrails, not speed bumps
• The two most important guardrails are:
─ The Strategic Plan
─ Risk Appetite Statements
• Everything else should exist in the middle
• The “make or break” factors:
─ Clarity
─ Consensus
─ Communication

Understanding Risk Appetite (image series; the photographs shown on these slides are not reproduced here)

Estimate this man’s risk appetite... …and now?… …and now?… …how about now?

Risk Appetite

• Clearly articulated risk appetite and tolerance statements should provide context for everything the bank does, from strategy to operations.
• The process of coming to agreed-upon statements forces you to address issues about culture, tolerance and capacity.
• Risk management is so much more than the “life-ending events.” It’s all the other stuff that’s actually harder to manage.

Establishing Risk Tolerance

Definitions (yours may be different):
• Risk Appetite: General statements about the level of risk that is considered acceptable within a given risk category or type. These should serve as guiding principles to be used when developing strategic plans, operational processes and business continuity plans.
• Risk Tolerance: Tangible risk limits designed to set specific boundaries within which the business must operate. These must be measurable, realistic and capable of being monitored.

Sample Risk Tolerances
• Earnings
─ ROA/ROE will be maintained at no less than .xx% annually
─ Net Operating Income will remain above the median of banking peers
• Operational Risk: Technology
─ The bank will develop an annual strategic technology plan which reflects the business plan and includes an IT risk assessment and strategic objectives
• Compliance
─ The bank will at all times maintain satisfactory ratings with the regulators related to compliance
─ The bank will at all times remain within one quarter of the stated compliance monitoring schedule

Risk Appetite and Tolerance
• These must be developed collectively with executive management.
• Often they just bring together risk parameters that are already in place, but perhaps not fully defined.
• Once you establish your tolerances, you must ask:
─ How will I measure this?
─ How will I monitor this?
─ How will I communicate (socialize) these appetites?
• Everyone agrees that these risks should be quantified, but usually struggles with how to do it.

Sample Risk Categories

Business Categories
• Capital
• Business Model
• Strategic Initiatives
• Growth
• Earnings
• Corporate Governance
• Human Capital
• Social Responsibility

Risk Categories
• Credit
• Concentration – Credit
• Concentration – Investments
• Liquidity
• Interest Rate
• Price/Market
• OpRisk – General
─ OpRisk – Technology
─ OpRisk – Third Party
─ OpRisk – Info security
• Reputation
• Compliance

Establishing Risk Tolerance


Operationalizing Risk Tolerance


Socializing Risk Tolerance
• Risk tolerances that never get communicated are basically worthless.
• Communication is critical because of assumptions.
• We have to look at our training. Am I telling you what to do or not to do, or am I telling you how to manage risk?
─ Managing a control is not the same as managing a risk
• Training reflects risk tolerance, but only indirectly.
• We have to get past “do’s” and “don’ts” to “why.”
─ All risks and controls have context
• TO EVERYONE THE “WHY” REALLY DOES MATTER.

Assessing Risk
• A good ERM framework should give both a strategic and an operational view of risk.
• Assessments of all types should be able to tie back to your risk statements.
• In addition, operational units must be able to articulate their risk profile.
• Op risks must be assessed based on processes, not on risk types. However, we need the risk types to connect to tolerance. This constitutes a dilemma.

Change Management

• One of the most profoundly powerful ways to operationalize risk tolerance.
• The seeds of risk are always sown in change.
• Change always involves three key considerations:
─ How is change proposed? Vetted? Approved?
─ How is the risk profiled?
─ Are we truly honest with ourselves about the real risk profile? Do we truly understand the internal impact of the proposed change?

Operationalizing Risk Tolerance

Functional Area Examples

Lending

• One of the more straightforward areas for operationalizing risk tolerance.
• Also a much slower-moving area:
─ Do individual limits reflect overall tolerance?
─ Does the aggregate of limits reflect risk appetite?
─ Do sales incentives align with risk appetite?
─ Does everyone really understand operational risk?
─ Does the credit staff see beyond credit risk?

Information Technology

• Historically, one of the biggest disconnects is between the business areas and IT.
• The fundamental problem is one of language.
• IT staff very often have different risk tolerance levels than others in the bank.
• Unspoken assumptions are rampant, and they are dangerous.

Information Technology

• Operationalizing risk tolerance in IT requires:
─ A strategic technology plan
─ Risk metrics
─ Risk monitoring
─ Capability analysis
─ Language lessons
─ Getting to these unspoken assumptions

Information Security
• Another key area of disconnect.
• Fact: Senior management always says they have a “very low” risk appetite. News flash, you don’t.
• Must have realistic and comprehensive risk assessment tools to truly understand the risk profile.
• Requires deep, honest discussions with a lot of people to fully understand the risk.
• In practice, this area scares people to the point of not being able to face it head on. That model will never successfully operationalize risk tolerance.

In Summary
• This process must be deliberate.
• The metrics get messy sometimes; do your best.
• If senior management isn’t willing to look at the greasy, grimy mess that is the engine under the hood, they are kidding themselves about risk tolerance.
• Risk lies in the assumptions, and the most dangerous assumption any organization can make is that people just “get” management’s intentions for risk tolerance.
• Creating conversation that ensures a consistent view of, and approach to, risk management is very good.

Thank You

For more information please contact:
Eric Holmquist
Managing Director, Enterprise Risk Management
341 New Albany Road
Moorestown, New Jersey 08057
Mobile Phone: 215.817.2107
[email protected]