Risk Is Our Business: A Supervisory Perspective on the Dynamics of Risk and Risk Management
by William Mark, Lead Examiner, Supervision and Regulation, Federal Reserve Bank of Chicago
Economist Peter Bernstein once remarked, “The word ‘risk’ derives from the early Italian risicare, which means ‘to dare.’ In this sense, risk is a choice rather than a fate. The actions we dare to take, which depend on how free we are to make choices, are what the story of risk is all about.”1 Warren Buffett’s brutally frank take on the matter is that “risk comes from not knowing what you’re doing.”2 No matter how you look at it, taking and managing risks — as well as balancing those risks against the rewards — is fundamental to the business of banking.
A bank’s risk appetite describes the level and types of risk that the bank’s board of directors and senior management are willing to assume in the bank’s business strategy. An effective business strategy aims to generate a profit without incurring undue risks or losses to the bank, consistent with safe and sound banking principles.
Risk identification and risk management are distinct yet interdependent activities that have significant bearing on the success of a bank. With this understanding, it is prudent for a bank’s board of directors to establish a “tone from the top” for managing risks by determining and conveying the organization’s risk appetite and profile. A discerning risk assessment process, together with an effective risk management program, helps position a bank to accomplish the vision of its leadership team in a safe and sound manner. However, some bankers still perceive risk management as a cost center instead of as a loss preventer or risk mitigant.
Failure to establish and maintain a management structure that effectively identifies, measures, monitors, and controls the risks inherent in a bank’s products and services has long been considered unsafe and unsound.3 This article explores the dynamics of risk and risk management and explains how examiners assess a bank’s risk position to determine the adequacy of its risk management.
Supervisory Guidance
The Federal Reserve System has always placed significant supervisory emphasis on the effectiveness of an institution’s risk management, evaluating four key elements: (1) board and senior management oversight; (2) policies, procedures, and limits; (3) risk monitoring and management information systems (MIS); and (4) internal controls.4
In practice, an institution’s business activities present various combinations, concentrations, and interrelationships of these risks depending on the nature and scope of the activity.5 Supervision and Regulation (SR) letter 16-11, “Supervisory Guidance for Assessing Risk Management at Supervised Institutions with Total Consolidated Assets Less than $100 Billion,” provides the principles for a bank’s risk assessment process and defines key types of risks.6 The SR letter applies to community and regional banking organizations and identifies six risk categories:7
- Credit risk typically stems from earning assets such as loans and investments; it represents the risk that a borrower or counterparty will fail to perform on an obligation.
- Market risk results from adverse movements in market rates or prices, such as interest rates, foreign exchange rates, commodity prices, or equity prices.
- Liquidity risk arises when a financial institution is unable to meet its obligations because of an inability to liquidate assets or obtain adequate funding (i.e., funding liquidity risk) or because it cannot easily unwind or offset specific exposures without significantly lowering market prices on account of market disruptions or inadequate market depth (i.e., market liquidity risk).
- Operational risk results from inadequate or failed internal processes, people, and systems or from external events. Operational risk can stem from a broad range of activities, typically those involving nonearning assets such as fixed assets and other real estate, as well as deposit and teller operations, information technology, human resources, and vendor management.
- Compliance risk is the risk of regulatory sanctions, fines, penalties, or losses arising from the failure to comply with laws, rules, regulations, or other supervisory requirements applicable to a financial institution, including formal and informal supervisory enforcement actions.
- Legal risk arises when activities, actions, or situations could potentially expose the institution to unenforceable contracts, lawsuits, legal sanctions, or adverse judgments that would disrupt or otherwise negatively affect its operations or financial condition.
Certainly, there are other risk stripes or categories outside of the risks listed in SR letter 16-11. For instance, reputational risk can arise when a bank receives negative publicity regarding its poor business practices (i.e., operational risk), makes a public disclosure that it failed to comply with a law (i.e., compliance risk), or publicly divulges that it is a party to litigation (i.e., legal risk).8 Furthermore, other regulators view institutional risk categories through different but comparable lenses. For example, the Office of the Comptroller of the Currency (OCC) identifies nine risk categories for supervisory purposes: credit, interest rate, liquidity, price, foreign exchange, transaction, compliance, strategic, and reputation.9 As with the risk categories designated by the Federal Reserve, the OCC’s risk categories are not mutually exclusive, so any bank product or service may expose a bank to multiple risks. When translating to the Federal Reserve’s risk categories:
- credit, liquidity, and compliance risks correspond to the similarly designated categories;
- interest rate, price, and foreign exchange risks typically fall under the larger umbrella of market risk;
- transaction risk can be considered an aspect of operational risk; and
- strategic and reputational risks apply across all risk categories.
A Holistic View of Risk and Integrated Supervision
“Specialty” risk areas, such as information technology (IT), Bank Secrecy Act/anti-money laundering (BSA/AML) compliance, and fiduciary/trust services, can significantly contribute to the overall risk profile of an organization. These specialty activities influence multiple risk areas, and examiners typically review and assess these areas during a bank’s safety and soundness examination. The areas of consumer compliance and the Community Reinvestment Act, while not typically reviewed as part of a safety and soundness examination, are subject to standalone supervisory assessment and ratings and factor into the risk discussion; they primarily exhibit compliance risk but also have some legal and operational risk considerations.10
Depending on the nature and breadth of the identified deficiencies, weaknesses in managing the risks associated with a bank’s specialty areas could compromise the safety and soundness of the bank and, therefore, have a sizable effect on the overall supervisory assessment of a bank’s risk management program. For example, with the increasing reliance on technology in the banking sector, particularly in the high-profile area of cyber risk, the board of directors and management team are expected to effectively identify, monitor, and control the operational risks primarily associated with IT.11 Failure to comply with BSA/AML requirements would raise a bank’s operational, compliance, and legal risks.
Fiduciary activities also involve operational, compliance, and legal risks; however, the relative significance of these activities does not directly correlate to the value of assets under management. As these are off-balance sheet assets, the related risks do not typically translate on a dollar-for-dollar basis. Rather, risk exposure often depends on the types of trusts and underlying assets, the nature of governing documents, the extent of fiduciary discretionary powers, and the effectiveness of related risk management efforts. Poorly managed trust activities can result in lost revenues and lawsuits, which can negatively affect a bank’s earnings.
New Products and Emerging Risk Areas
With each new product or activity that a bank initiates, it is incumbent on its board of directors and senior management to understand the types of risks involved, determine whether the new products or services align with the bank’s risk appetite, and ensure that the underlying risks are properly identified and managed. In the case of risks emerging from external factors, the board and senior management should understand how these risks could impact the bank.
One example of an emerging, or perpetually evolving, external risk is cybersecurity, particularly through ransomware attacks and other endpoint breaches.12 From a risk assessment perspective, these emerging external risks are typically centered in the operational, compliance, and legal risk areas but often manifest in varying degrees. The uncertain and often high-profile nature of newer or emerging risks naturally necessitates board and senior management vigilance to ensure that the impact of these external factors is ascertained and addressed in a timely fashion. However, a bank should consider developments in the regulatory landscape that often accompany such risks.
The Federal Reserve’s Approach to Assessing Risk
While bankers and banking supervisors have aligned interests regarding the safe and sound condition of a bank, these parties often have differing perspectives. Bankers generally have a vertical perspective with intimate knowledge and understanding of the bank’s specific risk profile and related risk management practices, although that view is necessarily somewhat subjective. Meanwhile, banking supervisors tend to have a horizontal perspective concerned with how risk and risk management are addressed across similar banks. Federal Reserve examiners employ the principles discussed in SR letter 16-11 and use a risk matrix (see Table) to systematically assess the risks and relative effectiveness of the risk management practices at a supervised bank.13 Examiners organize their assessment into four areas:
- Inherent risk represents the assessment of the risk level given the nature, complexity, and volume of an activity.
- Adequacy of risk management characterizes the effectiveness of a bank’s risk management processes relative to its degree of inherent risk.
- Composite risk represents the residual risk level after the application of risk management.
- Trend indicates the likely change to the bank’s risk profile over the subsequent 12 months.
Assessment of Inherent Risk
In the risk matrix (Table), examiners identify three levels of risk for each risk type at the bank:14
- High risk describes cases in which the activity is significant or the positions are large in relation to the institution’s resources or peer group, there are a substantial number of transactions, or the nature of the activity is inherently more complex than normal. Thus, the activity could potentially result in a significant and harmful loss to the organization.
- Moderate risk describes cases in which positions are average in relation to the institution’s resources or peer group, the volume of transactions is average, and the activity is typical or traditional. Thus, while the activity could potentially result in a loss to the organization, the loss could be absorbed in the normal course of business.
- Low risk describes cases in which the volume, size, or nature of the activity is such that, even if there are internal control weaknesses, the risk of loss is remote or would have little negative impact on the overall financial condition of the bank.
There are various factors that examiners consider when rating a community bank’s inherent risk as high, moderate, or low. As expected, high risk levels require more attention from the board of directors and senior management and result in a greater focus by examiners. Certain banking activities, when combined with elevated exposure or activity levels, would usually warrant a high inherent risk level at a community bank. The determination of elevated inherent credit, market, and liquidity risks is often tied to quantitative measures, while elevated inherent operational, compliance, and legal risks are typically associated with more qualitative factors. One common quantitative metric typically used as a default starting point to suggest elevated inherent risk at a bank is the concentration metric rule of thumb in which an exposure or activity exceeds 25 percent of tier 1 capital plus the loan loss reserve.15
For example, from a credit perspective, high inherent risk could include significant concentrations in commercial real estate loans as well as notable levels of subprime lending vehicles and uncommon investments, such as unrated municipal securities. From a funding or liquidity perspective, high risk could arise from a concentration in brokered deposits, heavy reliance on net noncore/volatile funding sources, elevated balance sheet optionality, or insufficient deposit segmentation. Furthermore, an examiner may designate a bank as having high inherent market risk if the bank experiences extreme earnings changes from relatively conservative basis point changes in model stress tests.
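The concentration rule of thumb above (an exposure exceeding 25 percent of tier 1 capital plus the loan loss reserve suggests elevated inherent risk) is easy to apply mechanically across a bank's exposure categories. The following is an added example, not code from the article or from the Federal Reserve; it screens a constructed set of exposures against a constructed capital base and records the result as a default starting point for the "Inherent Risk" column of the risk matrix. The category names, dollar figures, and the mapping of each exposure to a risk type are assumptions made for the illustration; the final inherent risk level remains examiner judgment, as the article describes.

```python
# Added example (not from the article): concentration screen using the rule of
# thumb quoted in the text -- an exposure above 25 percent of tier 1 capital plus
# the loan loss reserve suggests elevated inherent risk. All figures are constructed.
from dataclasses import dataclass

CONCENTRATION_THRESHOLD = 0.25  # 25 percent of tier 1 capital plus loan loss reserve


@dataclass(frozen=True)
class Exposure:
    category: str   # exposure or activity being measured (constructed label)
    risk_type: str  # risk matrix row it informs: Credit, Market, Liquidity, ...
    amount: float   # dollar exposure (constructed)


# Constructed sample exposures drawn from the kinds of items the article names
# as possible sources of high inherent credit and liquidity risk.
SAMPLE_EXPOSURES = [
    Exposure("Commercial real estate loans", "Credit", 15_000_000),
    Exposure("Unrated municipal securities", "Credit", 12_000_000),
    Exposure("Brokered deposits", "Liquidity", 8_000_000),
]


def concentration_ratio(amount, tier1_capital, loan_loss_reserve):
    """Exposure as a fraction of tier 1 capital plus the loan loss reserve."""
    base = tier1_capital + loan_loss_reserve
    if base <= 0:
        raise ValueError("tier 1 capital plus loan loss reserve must be positive")
    return amount / base


def screen_exposures(exposures, tier1_capital, loan_loss_reserve):
    """Return {category: (ratio rounded to 4 places, flagged)}.

    'flagged' is True when the exposure strictly exceeds the 25 percent rule of
    thumb, i.e. when elevated inherent risk is suggested for that category."""
    screened = {}
    for e in exposures:
        ratio = concentration_ratio(e.amount, tier1_capital, loan_loss_reserve)
        screened[e.category] = (round(ratio, 4), ratio > CONCENTRATION_THRESHOLD)
    return screened


def default_inherent_risk(exposures, tier1_capital, loan_loss_reserve):
    """Default starting point for the 'Inherent Risk' column of the risk matrix.

    A risk type with at least one flagged concentration starts at 'High'; a risk
    type with no flagged concentration is left as None, because the article gives
    no formula for distinguishing moderate from low risk (examiner judgment)."""
    screened = screen_exposures(exposures, tier1_capital, loan_loss_reserve)
    column = {}
    for e in exposures:
        if screened[e.category][1]:
            column[e.risk_type] = "High"
        else:
            column.setdefault(e.risk_type, None)
    return column


if __name__ == "__main__":
    tier1, reserve = 40_000_000, 2_000_000  # constructed capital base
    for category, (ratio, flagged) in screen_exposures(SAMPLE_EXPOSURES, tier1, reserve).items():
        print(f"{category:32s} {ratio:6.2%} {'FLAGGED' if flagged else 'ok'}")
    print(default_inherent_risk(SAMPLE_EXPOSURES, tier1, reserve))
```

The screen only identifies exposures that merit closer attention; it does not replace the qualitative factors the article lists for operational, compliance, and legal risk, which have no comparable numeric threshold.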
Certain qualitative factors could suggest high inherent operational, compliance, and legal risk at a bank. For example, a bank may have high operational risk stemming from active merger and acquisition strategies, inadequate computer systems, or high incidences of fraud. Further, inherently high compliance risk can result from prolonged noncompliance with formal and informal supervisory actions,16 chronic BSA/AML issues, or an inability to comply with the applicable laws related to consumer protection. Finally, inherently high legal risk could manifest from pronounced fiduciary exposures with discretionary powers, complex trust structures, or conflicts of interest arising from the dual role of fiduciary and bank officer.
Bankers can mitigate high levels of inherent risk by establishing strong risk management practices or controls before engaging in an activity. For example, very conservative underwriting parameters for higher-risk credit facilities can reduce the bank’s inherent credit risk. Moreover, the inherent liquidity risks associated with some brokered deposits can be mitigated through bank participation in the Certificate of Deposit Account Registry Service. In addition, a bank could temper its operational risk with a robust and flexible due diligence process for vetting prospective vendors and service providers.
Table: Risk Matrix
| Type of Risk | Inherent Risk | Adequacy of Risk Management | Composite Risk | Trend |
|---|---|---|---|---|
| Credit | | | | |
| Market | | | | |
| Liquidity | | | | |
| Operational | | | | |
| Compliance | | | | |
| Legal | | | | |
| Overall | | | | |
Composite Risk and Risk Trending
In addition to inherent risk, the risk matrix provides a structured tool for examiners to assess a bank’s composite or residual risk considering the strength of the bank’s risk management. As with inherent risk levels, composite risk levels are assessed using the same three assessment designations and related definitions (Table). The assessment criteria are designed to highlight the relative effectiveness of a bank’s risk management systems and processes.
The trend in the various risk categories highlights the potential changes to a bank’s risk profile that the bank’s board of directors and senior management should consider when refining the bank’s risk management protocols. With the risk trend, examiners assess the cumulative impact of prospective changes to each risk category’s profile over the subsequent 12-month time horizon, based on factors such as a bank’s strategic plans (e.g., expansionary activity, new products), economic conditions, and the notable effectiveness or deficiencies in the bank’s risk management efforts. A projection of increasing or decreasing risk implies a potential effect on the referenced risk that is more than nominal or incremental.
Conclusion
“The essence of risk management,” according to Peter Bernstein, “lies in maximizing the areas where we have some control over the outcome while minimizing the areas where we have absolutely no control over the outcome.”17 An accurate risk assessment lays the groundwork for a bank to build and maintain an effective risk management program. This article highlights how Federal Reserve examiners execute a methodical and consistent approach to evaluating a community bank’s risk exposure. From an examiner’s perspective, banks with effective risk management practices have measures in place to control or mitigate the bank’s inherent risk profile. As an effective risk management program is informed by past experiences and future strategic business goals, community bankers should expect examiners to focus on assessing a bank’s preparedness to manage risks now and in the future.
- 1 See Peter L. Bernstein, Against the Gods: The Remarkable Story of Risk, 1996, available at https://archive.org/details/againstgodsremar00pete_0.
- 2 See Zack Friedman, “Here Are 10 Genius Quotes from Warren Buffett,” Forbes, October 4, 2018, available at www.forbes.com/sites/zackfriedman/2018/10/04/warren-buffett-best-quotes/?sh=6d20eea14261.
- 3 See 12 C.F.R. part 208, Appendix D-1, available at www.federalreserve.gov/supervisionreg/reghcg.htm.
- 4 See Supervision and Regulation (SR) letter 16-11, “Supervisory Guidance for Assessing Risk Management at Supervised Institutions with Total Consolidated Assets Less than $100 Billion,” available at www.federalreserve.gov/supervisionreg/srletters/sr1611.htm.
- 5 See SR letter 16-11.
- 6 For additional information, see the Federal Reserve’s Commercial Bank Examination Manual, available at www.federalreserve.gov/publications/supervision_cbem.htm, and Bank Holding Company Supervision Manual, available at www.federalreserve.gov/publications/supervision_bhc.htm, as well as the relevant Federal Financial Institutions Examination Council examination manuals.
- 7 See SR letter 16-11.
- 8 See SR letter 95-51, “Rating the Adequacy of Risk Management Processes and Internal Controls at State Member Banks and Bank Holding Companies,” available at www.federalreserve.gov/boarddocs/srletters/1995/sr9551.htm.
- 9 See the Comptroller’s Handbook, “Community Bank Supervision,” September 2019, available at www.occ.gov/publications-and-resources/publications/comptrollers-handbook/files/community-bank-supervision/index-community-bank-supervision.html.
- 10 See Consumer Affairs (CA) letter 13-19, “Community Bank Risk-Focused Consumer Compliance Supervision Program,” available at www.federalreserve.gov/supervisionreg/caletters/caltr1319.htm.
- 11 See SR letter 16-11.
- 12 See Ahmed Hussain, William Mark, and Anthony Toins, “Endpoint Security: On the Frontline of Cyber Risk,” Community Banking Connections, Third Issue 2021, available at www.cbcfrs.org/Articles/2021/I3/endpoint-security-on-the-frontline-of-cyber-risk.
- 13 See section 1001.1 of the Commercial Bank Examination Manual, available at www.federalreserve.gov/publications/files/cbem.pdf.
- 14 See section 1001.1 of the Commercial Bank Examination Manual.
- 15 See SR letter 20-8, “Joint Statement on Adjustment to the Calculation for Credit Concentration Ratios Used in the Supervisory Approach,” available at www.federalreserve.gov/supervisionreg/srletters/SR2008.htm.
- 16 Informal supervisory actions include supervisory letters, board resolutions, and memoranda of understanding (MOU). Formal supervisory actions include cease and desist orders and written agreements.
- 17 See Peter L. Bernstein, Against the Gods: The Remarkable Story of Risk.