Jeff Owen, The Rochdale Group September 2012 Delivering Clarity to Credit Unions Through Expertise and Experience Enterprise Risk Management Lending Execution and Risk Management Merger Strategy and Realization Credit Union Capital Markets Compliance Strategic Planning and Execution Regulatory Response Activity 1
AGENDA Introduction to ERM Roles and Responsibilities Risk Appetite Economic Capital Risk Centric Strategic Planning Implementing an ERM Program Introduction to ERM 2
What is ERM? a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. Source: COSO Enterprise Risk Management Integrated Framework. 2004. COSO. 5 What is RISK? 6 3
Risk versus Return Risk and return is an inseparable concept Risk Adjusted Return Zone 1 Insufficient Risk Taking Zone 2 Optimal Risk Taking Zone 3 Excessive Risk Taking Risk Level 7 Traditional Risk Management Credit unions are in the business of risk taking Generally has been a silo d approach: Loan underwriting Asset liability management Business continuity Branch security Vendor management All reviewed independently by line management, internal auditors, external auditors and regulators 8 4
It is no longer, what did I know It is all about what SHOULD I have known! Risk checklist Compliance assessment Isolated technology solution One time project What ERM is NOT! 5
Just to level set, ERM is Strategic and bottom line oriented Much more than a compliance and regulatory activity Intended to provide access to better information in a more timely manner, allowing for enhanced decision making Why ERM? Provides comprehensive view of organizational risk for enhanced decision making Creates value by improving the financial/risk relationship Reduces regulatory burden and improves the relationship with auditors Minimizes organizational/personal liability 12 6
A Conceptual View of Risk Management Evolution of ERM Business environment Regulatory pressure Member/consumer expectations Technology Competition Political environment World wide economic crisis 7
Science of ERM Involves the methods and processes to identify, measure and manage risks and/or seize opportunities related to the achievement of the organization s goals and objectives Why it Makes Sense Opportunity for sustained success is only as good as the collective ability to make the right decisions Each improved decision positively impacts the brand and financial standing It is impossible to effectively manage what you don t see and measure 8
What to Expect from ERM Improved transparency Understanding risk profile Elimination of silos Improved strategic alignment Proactive focus on risk identification and goal accomplishment Risk weighted view of capital adequacy Improved understanding of return on capital deployment What it Takes Commitment of board and management Up front time commitment Establishment of risk management committee Implementation of risk repository and reporting system 9
ERM Opportunities Strategic Improve strategy execution and performance Understand capital adequacy Set risk tolerance Management Enhance financial returns Identify prospective emerging risks Provide organizational awareness and cross functional transparency Audit Establish risk weighted focus Support secondary review of controls/response mitigation Regulatory Vet risk management strategy Strengthen communication Justify processes in a practical, pragmatic manner Implementation Project Phase I Set the Stage Phase II Identify and Assess Exposures Phase III Measure and Manage Phase IV Mature 10
11
12
Economic Capital Failures of The Past Lack of transparency Minimal senior management engagement No Board commitment or involvement Reactive risk processes Immature and wavering risk tolerance and risk appetite 13
What Credit Unions Say Seize new opportunities (merger, indirect lending) Leverage the risks we are already taking Eliminate silos and brought management team together Provide the board with an enhanced understanding of strategic direction, risk profile of the organization and overall alignment of the organization Ensure appropriate deployment of resources (capital, human, etc.) Key Questions Is your organization consistently operating within an acceptable risk level? Can you confidently list major risks from all across the organization, address their impact on the organization and articulate the current responses to those risks? Do the other key decision makers in the organization agree on your assessment? Do you understand key risks in the current strategic direction and goals? Are you confident that you know all that you should know about your credit union? 14
In the End It s about improving financial returns on your efforts and maximizing the deployment of resources by delivering proactive and measured data Roles & Responsibilities 15
Fundamental Shift in Thinking 31 Board Key Management Focus Operations What could threaten our survival? What could undermine our strategy? What could derail our project? Strategic Flexibility Strategy Commitment Target Achievement Risk Centric Scenario Planning Strategy Assessment Tactical and Operational Execution Plans 32 16
The Board s Role Responsible for setting strategy to maximize member value in a prudent and financially sound manner Comes down to setting and managing objectives in light of key risks within acceptable tolerances ERM provides the information needed to improve strategy and monitoring of results 33 How Should the Board Support ERM? Set risk culture and tone Allocate necessary resources Ensure process diligence Validate risk appetite Understand and balance strategy and risk 34 17
Management s Role Understand and communicate risk culture and tone Deploy necessary resources Ensure process diligence Define risk appetite Proactively identify and manage risks Ensure process transparency (vertically and horizontally) Staff s Role Open and honest communication of key risks Awareness of emerging risks Implementation of responses to address unmitigated risks 18
Audit and Regulators Review of responses to ensure they are performing as intended Feed key risks back into ERM process BREAK 19
Risk Appetite Risk Appetite How much we are willing to lose in one event (setting of individual limits) How much we are willing to risk losing in total (general risk philosophy) What is our general appetite for risk in different risk categories 40 20
Risk Appetite Quantitative vs. qualitative We will and/or will not do Bands vs. hard stops Expectations of members Dialogue establish over time 41 Risk Appetite 42 21
Risk Appetite 43 Risk Appetite 44 22
Risk Appetite In summary While there are a range of outcomes the credit union could experience, there are limits that help define the preferred risk appetite While we all desire and hope for the most positive outcome(s), in most cases that success is interconnected with increased opportunity for loss The process of thinking through and assessing the willingness to accept certain types of risk provides general direction to the credit union as it strives to achieve its objectives 45 Risk Appetite Slightly favor existing over prospective members 23
Risk Appetite Example Risk Statements: Credit Union will fully understand program risk before launch Credit Union has a very low risk tolerance to regulatory non compliance, but will not back down from challenging examiners when appropriate Credit Union seeks to exploit technology by rapidly deploying stable technologies Credit Union seeks to be innovative in process and conservative in practice 47 Risk Appetite Prepare risk appetite statements within each of the risk areas: Strategic: Offer a reasonable range of services, at average prices, with a concentration on existing members. Provide examples of actions that match/conflict with the statements, trying to tie in some of the credit union s actual exposures: This might fit the appetite: Offer indirect lending rates within 0.25% of competitor rates This doesn t fit the appetite: Advertise loan specials that undercut competitor rates by 1% or more 24
Risk Appetite Exercise Risk categories o Strategic o Transaction o Compliance o Reputation o o o Credit Liquidity Interest Rate What are some example risk statements of high willingness to accept risk under each category, and examples of low willingness to accept risk under each category What are some examples of actions within each 49 Economic Capital 25
Introduction to Economic Capital Economic capital is an estimate of the equity needed to survive a near worst case loss scenario Financial institutions assess economic capital for several reasons Multiple approaches to economic capital 51 Economic Capital Ratio Recommend comparing a credit union s actual capital to its economic capital: Economic Capital Ratio = Actual Capital / Economic Capital A credit union s risk appetite helps determine the target level for each credit union You could use economic capital in conjunction with your risk appetite to set an overall risk limit for the credit union 52 26
Economic Capital Ratio Assume you have $16 million in capital, $200 million in assets and economic capital of $10 million (Ratio of actual to economic capital = 1.60) Next, assume your risk appetite is such that the lowest capital class you would accept even after a near worst case loss scenario is undercapitalized, or a minimum net worth ratio of 4% 53 Economic Capital Ratio Risk and capital calculations: Current capital $16 million Less: Economic capital 10 million Less: minimum capital level at 4% 8 million Excess (Deficit) capital ($2 million) This means that the credit union has insufficient capital given its risk level and risk appetite 54 27
ERM and Strategic Planning Risk Centric Strategic Planning Uses long term orientation Identifies key risk scenarios that might affect the credit union s business model, results or other operating parameters Identifies impact, likelihood and velocity of each scenario Considers ability of current strategic positioning to address each scenario Arrives at key focus issues to ensure long term success 28
Risk Centric Strategic Planning Take a few minutes to work individually Identify and write down 10 long term issues for credit unions Rate the potential impact of each issue: From 1 (low) to 10 (high) Assess the likelihood of each situation over the next 10 years: From 1 (unlikely) to 10 (certain) Estimate the velocity of occurrence: From 1 (the issue will occur slowly) to 10 (quickly) Afterward, we will discuss the various issues and severity (I x L x V) of each scenario Follow up Compare the long term scenarios identified against the current environment at your credit union: Strategic objectives and implementation plans Existing risk responses at the credit union Assess the degree of alignment of the objectives and responses in addressing the key scenarios Make changes in the strategic objectives, implementation plans, and risk responses to better position the credit union to focus on and address the scenarios 29
Scenarios From Past Credit Union Conference Scenario Average Impact Average Likelihood Average Velocity Response Count I x L x V Access to market liquidity 9.00 10.00 8.00 1 720 Technology Security 8.55 7.36 6.64 11 418 Succession Planning BOD/Mgt. 7.83 8.56 6.00 18 402 Long term Rate Depression 6.83 8.33 6.67 6 380 Over Regulation 7.26 8.14 6.09 43 360 NCUSIF Losses 6.00 6.00 9.00 1 324 Inflationary / Rising Rates 7.27 6.95 6.36 22 322 Loss of Mortgage Agencies 9.00 5.50 6.50 2 322 Profitability Concerns 7.12 7.00 6.06 17 302 Technology Mobile 7.60 8.30 4.70 10 296 Terrorism 6.60 6.80 6.40 5 287 Increased BOD Requirements 6.00 8.25 5.75 4 285 Inability to maintain loan growth 7.61 5.78 6.39 18 281 Economic Recession 7.04 6.15 6.35 48 275 Charter consolidation (CU& Bank) 7.29 7.71 4.86 7 273 Environmental crisis 6.80 5.20 7.67 15 271 CU mergers 7.40 6.20 5.90 10 271 Technology Web 5.92 7.67 5.92 12 268 Membership Lose Boomers 6.92 6.75 5.58 12 261 Membership Attract Gen Y 5.75 8.67 5.17 12 257 Increased Non Traditional Competition 7.14 6.71 5.14 7 247 59 BREAK 30
Implementing an ERM Program: Taking it Back Functional Area Risk Assessment Identify significant operating/admin areas Conduct ERM session for each area, including a discussion of the risks that can influence the area s or the credit union s ability to meet its objectives 62 31
Risk Identification Identify the material events, having negative consequences, that can transpire within the functional area s responsibility: Exposures, uncertainties and missed opportunities Consider internal and external factors: Natural disasters to employee fraud Develop scenarios to demonstrate each risk Primary Risk Categories Potential impacts on earnings or capital from: Reputation Strategic Adverse business decisions, improper implementation of decisions, or lack of responsiveness to industry changes Negative public opinion or perception Compliance Violations of, or nonconformance with, laws, rules, regulations, prescribed practices, internal policies and procedures, or ethical standards Liquidity Operational/ Transaction Fraud or error that results in an inability to deliver products or services, maintain a competitive position, and manage information Credit Failure of obligor to repay loan or investment Inability to meet obligations when they come due, without incurring material costs or unacceptable losses Interest Rate Changes in interest rates and rate relationships 64 32
Assessment Factors Impact Potential magnitude, in the absence of responses, measured consistently against assets and capital Likelihood The frequency with which an event may occur in a given time period, again in the absence of responses Mitigation The degree to which the organization s responses manage down the impact or likelihood 65 66 33
Controls Over Responses Actual processing often differs from documented procedures Controls help ensure that responses to risks are carried out as intended Examples include policies and procedures, internal audit reviews, etc. During the sessions, you will likely discuss the controls that support the responses: However, the initial ERM implementation is not intended as an audit of the controls over risk responses Inherent Versus Residual Risk Inherent Risk = Impact x Likelihood: This is the exposure before responses Residual Risk = Inherent Risk x Mitigation: Exposure after responses The difference is the benefit of the responses This approach supports cost benefit analysis of the credit union s responses 68 34
Global Scenarios Some risks affect all areas of the organization: Business continuity events Significant changes in external factors that influence the credit union The ERM team should ask all areas to assess the potential impacts of and responses to such scenarios The result will be valuable information to support the BCP and ALM processes Risk Management Committee Forum to discuss risk issues Cross-functional composition to provide multidimensional view across credit union Monthly or quarterly meetings Generally reports to the Board or a Board committee Often combined with ALCO, business priorities, credit or other committee 35
Periodic ERM Reporting Reporting usually involves two primary mechanisms: Risk Management Committee packets Board and senior management ERM reports RMCO packets: Agenda Minutes Risk Action Plan (list of key risks being monitored with updates) 36
Board and Senior Management Reports Goal is to present the credit union s overall risk profile Begin report with a brief narrative of the overall risk position, status of ERM process, and major increases and decreases in exposures Next, include several additional ERM reports: Strategic area heat map Largest Residual Risk Exposures by Risk Category report Emerging Risks report Residual Risk by Risk Unit report Qualitative Measures Risk Action Plan 37
38
39
ERM Policy Department Procedures Training Materials ERM Reporting Templates ERM Committee Materials Other Key Components 40
To Summarize: It s about improving financial returns on your efforts and maximizing the deployment of resources by delivering proactive and measured data Start somewhere Begin small and allow the process to mature over time Get board, management and staff engaged Questions Jeff Owen The Rochdale Group www.rochdalegroup.com 800 424 4951 jowen@rochdalegroup.com 41