Enterprise Risk Management: Navigating the Enterprise Risk Management Landscape
Alp E. Can, Director of Enterprise Risk Management, FHLBank Atlanta
North Carolina Bankers Association, August 31, 2016
Building FHLBank Atlanta's ERM Program
FHLBank Atlanta
Goal: To help shareholder financial institutions make affordable home mortgages and provide economic development credit to their communities
One of the 11 regional Banks in the FHLBank System
2nd quarter 2016 dividend: 4.64% (LIBOR + 400 bps)
FHLBanks and ERM
As a matter of sound practice, each FHLBank should have a risk management function or unit(s) with clearly defined responsibilities that reports directly to executive management and has regular reporting responsibility to the board of directors or a committee thereof. The risk management function should not report to business units that undertake risk positioning.
Source: Federal Housing Finance Agency Advisory Bulletin, May 18, 2005
FHLBank Atlanta and ERM
Years 1 and 2 (2007-2008): Early challenges; Hiring of risk managers and analysts; Development of Key Risk Indicators (KRIs); Continuous improvement (assessment quality, reporting)
Years 3 and 4 (2009-2010): Committee refinement; Model enhancement and methodology development; Better analysis and focus on risk versus return (stress testing); Increased ERM personnel involvement on key projects
FHLBank Atlanta and ERM
Years 5 through 10 (2011-2016): Expansion + increased credibility and trust of ERM team; Development of risk appetite statement; Created an ERM charter; Involvement in strategic planning process; Creating Model Risk Governance Group; Implementing Dodd-Frank Act stress testing; Embed stress testing with strategic planning, risk appetite, and capital planning
Future of ERM (2016-beyond): Business Intelligence; Using new technology and big data to improve future risk assessments
Why ERM?
ERM Defined
Enterprise Risk Management (ERM) is the capability of an organization to understand, control, and articulate the nature and level of the risks taken in pursuit of a risk-adjusted return.
Categories of risk: Credit; Liquidity; Strategic / Business / Reputation; Market; Operational; Compliance / Legal; Financial; Capital Adequacy
Source: Risk Management Association (RMA)
ERM Framework (Rooted in Culture)
CULTURE (center of the framework)
Governance & Policies: Create a strong foundation for risk management
Coverage: Consider all current and potential risk facing business strategy and operations
Risk Appetite: Determine the amount of risk the company is willing to accept
Measurement & Evaluation: Determine the size and scope of all risks
Control Environment: Assess how well the company manages risks
Response: Develop a response plan to best manage risk
Stress Testing: Ensure the company has significant capital in a stressed environment
Risk Data & Infrastructure: Ensure appropriate data is used to manage risk
Source: Risk Management Association (RMA)
What Makes a Culture Strong?
CULTURAL VALUES: Honesty; Tone at the top; Integrity; Trust; Proper incentives; Courage to speak up and act; Independence of thought; Openness / transparency; Respect for the ideas of others
Source: Toward Effective Governance of Financial Institutions, G30 Working Group, 2012.
Examples of Top Risks/Issues
Examples of Recent Risk Events
CYBER RISK: June 2015, exposed PII of over 20 million people
GEOPOLITICAL RISK: June 2016, the U.K. votes to leave the EU; Impacted global stock markets and currency valuation; Negatively impacted forecasted GDP for U.K. and EU
ERM: Practical Implementation Steps
Three Lines of Defense Model
Board / Risk or Audit Committees
Senior Management
1st Line: Operational Management, Internal Controls (risk management by business operations)
2nd Line: Risk Oversight, Compliance (independent risk oversight and compliance)
3rd Line: Internal Audit (independent evaluation of risk management effectiveness)
External Audit
Regulator
Risk Appetite Statement
Diagram labels: Strategic Plan; Risk Assessment; Capital Plan; Incentive Comp Plan; Risk Appetite Framework; Internal Risk Policies; Risk Committee Reports (i.e., ALCO); Other Key Internal Documents; IT Risk Tolerance Statement
Stress Testing: A Fundamental ERM Tool
Source: Supervisors Raising the Bar on ERM. Promontory, Sightlines in Focus, February 2013.
Final Thoughts
Effective ERM = more intelligent risk-taking, fewer loss events
Implementation takes years and commitment
Pace toward maturity determined by CEO and board commitment and demonstrated value
Developing a balanced risk/return culture is a journey
Developing a comprehensive risk assessment that includes emerging risks
APPENDIX
Organizational ERM Structure/Team
Board; Board Risk Committee; CEO; CRO
Independent ERM Units: Credit Risk Team; Market Risk Team; Ops Risk Team; Model Risk Team
Board Committee Structure
BOARD OF DIRECTORS: Overall Risks; Business Risks; Strategic Risks; Reputation Risks
Audit: Financial Reporting Risks; Overall Compliance Risks; Fraud Risks; Internal Controls
Finance: Market Risks; Liquidity Risks; Capital Risks; Earnings Risks
Credit & Member Services: Credit Risks; Collateral Risks
Enterprise Risk & Operations: Enterprise-wide Risks; Risk Appetite; Operational Risks; Emerging Risks; Black Swans
Governance & Compensation: Human Resources Risks; Disclosure Risks (CD&A)
Housing & Community Investment: Affordable Housing Program Compliance Risks
Management Committee Structure
IT Steering Committee; Credit & Collateral Committee; Asset/Liability Committee; Enterprise Risk Committee; IT Governance Committee; Collateral Model Valuation Committee; Financial Management Strategy Committee; Operational Risk Committee; Security Governance Committee; Retirement Plan Committee; Community Investment Services Committee; Accounting Policy Committee; Disclosure Committee
Risk Identification and Assessment
Risk Assessment: Key Risk Indicators and Trends
Key Risk Indicators: Focus Group vs. All Banks
[Charts, six panels, quarterly 2011Q2 to 2012Q1, each comparing All Banks (Avg) with Focus Group (Avg): Regulatory Leverage Ratio (%); Texas Ratio; NPAs / Assets (%); Loan Loss Reserves / Gross Loans (%); Net Non-Core Funding Dependence (%); Efficiency Ratio (%)]
Risk Appetite Statement/Report (Community Bank Template): Sample Template
Risk Appetite Report As of
Columns: Risk Appetite Categories; Risk Level (Current, Previous); Risk Appetite Levels (Zero, Low, Moderate, High)
Risk Categories: Capital Adequacy; Market Risk / Earnings; Credit Risk (Concentration); Liquidity; Compliance / Regulatory; Reputation/Strategic; Operational Risk
Risk Appetite Statement/Report (Community Bank Template): Sample Template
Risk Appetite Key Risk Indicators as of
Columns: Risk Categories; Internal Sources; Current Level; Previous Level; Risk Trend; Board Oversight
1. Capital Adequacy
1.a. Achieve satisfactory CAMELS ratings for Capital Adequacy
1.b. Maintain Total Equity / Total Assets within acceptable limits (%)
1.c. Maintain capital ratios above regulatory capital requirements
1.d. Maintain Leverage Ratio within acceptable levels
2. Market Risk / Earnings
2.a. Achieve satisfactory CAMELS ratings for Sensitivity to Market Risk
2.b. Maintain Duration Gap above acceptable levels with up/down 100, 200, 300 bps rate shocks
2.c. Maintain EVE above acceptable levels with up/down 100, 200, 300 bps rate shocks
2.d. Maintain Interest Expense / Avg. Assets within acceptable limits (%)
2.e. Rate-sensitive Assets/Assets (%)
2.f. Rate-sensitive Liabilities/Assets (%)
3. Credit Risk (Concentration)
3.a. Achieve satisfactory CAMELS ratings for Asset Quality
3.b. Maintain NPAs (Non-Performing Assets) / Assets within acceptable level (%)
3.c. Maintain NPLs (Non-Performing Loans) / Loans within acceptable level (%)
3.d. Maintain ALLL within acceptable level
3.e. Maintain Commercial Real Estate (CRE) Loans / Total RBC within acceptable level (%)
3.f. Maintain Residential 1-4 within limits to RBC (%)
3.g. Maintain C&I within limits to RBC (%)
4. Liquidity
4.a. Achieve satisfactory CAMELS ratings for Liquidity
4.b. Maintain satisfactory Net Non-Core Funding Dependence (%)
4.c. Maintain satisfactory Net Short-Term Liabilities / Assets (%)
4.d. Maintain satisfactory FHLB funding availability
4.e. Maintain acceptable liquidity ratios (%)
4.f. Maintain acceptable levels of pledged securities
5. Compliance / Regulatory
5.a. Achieve a satisfactory exam report
5.b. Number of internal audit reports less than satisfactory (%)
5.c. Number of external audit reports less than satisfactory
5.d. Number of customer complaints
5.e. Number of new or proposed regulations or legislation
5.f. Minimize Bank Secrecy Act / Anti-Money Laundering related losses ($000s)
6. Reputation/Strategic
6.a. Achieve satisfactory CAMELS ratings for Management
6.b. Number of active litigation matters
6.c. Community Reinvestment Act activities
6.d. Tone of news reports (positive/negative)
6.e. Succession planning in place for senior management / key personnel (%)
6.f. Achievement of strategic goals
7. Operational Risk
7.a. Number of material weaknesses
7.b. Maintain acceptable level of operational losses ($000s)
7.c. Maintain high level of critical system availability (%)
7.d. Maintain adequate insurance coverage (e.g. flood / hazard) (%)
7.e. Maintain optimal level of employee headcount (%)
7.f. Minimize confidential data breaches
Risk Appetite Level Definitions
Zero: Not willing to accept risks under any circumstances
Low: Not willing to accept risks in most circumstances
Moderate: Willing to accept risks in certain circumstances
High: Willing to accept risks in most circumstances
Aggregate Risk Score bands: 95-100; 90-94.9; 85-89.9; 80-84.9; Less than 80; n/a
Internal Documents Legend: BP = Budget Plan; CP = Capital Plan; ICP = Incentive Comp Plan; IP = Internal Bank Policies
Individual Risk Level: Acceptable; At Risk; Unacceptable
Risk Trend: Increasing Risk; Stable Risk; Decreasing Risk
Board Committees: AC = Audit Committee; CC = Credit Committee; ERC = Enterprise Risk Committee; FC = Finance Committee; GCC = Governance & Compensation Committee
Risk Appetite Statement/Report (Community Bank Template): Sample Metrics / Data
Risk Appetite Key Risk Indicators as of
[Gauge charts: one per indicator, showing Current Level and 12-month Avg against the Green / Yellow / Red thresholds]
1. Capital Adequacy
1.a. Achieve satisfactory CAMELS ratings for Capital Adequacy
1.b. Maintain Total Equity / Total Assets within acceptable limits (%)
1.c. Maintain capital ratios above regulatory capital requirements (%)
1.d. Maintain Leverage Ratio within acceptable levels (%)
2. Market Risk / Earnings
2.a. Achieve satisfactory CAMELS ratings for Sensitivity to Market Risk
2.b. Maintain Duration Gap between acceptable levels with up/down 100, 200, 300 bps rate shocks (years)
2.c. Maintain EVE above acceptable levels with up/down 100, 200, 300 bps rate shocks
2.d. Maintain Interest Expense / Avg. Assets within acceptable limits (%)
2.e. Rate-sensitive Assets/Assets (%)
2.f. Rate-sensitive Liabilities/Assets (%)
3. Credit Risk
3.a. Achieve satisfactory CAMELS ratings for Asset Quality
3.b. Maintain Non-Performing Assets / Assets within acceptable level (%)
3.c. Maintain Non-Performing Loans / Loans within acceptable level (%)
3.d. Maintain ALLL within acceptable level ($000s)
3.e. Maintain CRE Loans / Total RBC within acceptable level (%)
3.f. Maintain Residential 1-4 within limits to RBC (%)
3.g. Maintain C&I within limits to RBC (%)
4. Liquidity
4.a. Achieve satisfactory CAMELS ratings for Liquidity
4.b. Maintain satisfactory Net Non-Core Funding Dependence (%)
4.c. Maintain satisfactory Net Short-Term Liabilities / Assets (%)
4.d. Maintain satisfactory FHLB funding availability
4.e. Maintain acceptable liquidity ratios (%)
4.f. Maintain acceptable levels of pledged securities
Legend
Green: Risk is within acceptable threshold
Yellow: Increase in risk as threshold has been breached
Red: Increase in risk as threshold has been breached
Markers: Current Level; 12-month Avg
Risk Appetite Statement/Report (Community Bank Template): Sample Metrics / Data
Risk Appetite Key Risk Indicators as of
[Gauge charts: one per indicator, showing Current Level and 12 mo. Average against the Green / Yellow / Red thresholds]
5. Compliance / Regulatory
5.a. Achieve a satisfactory exam report
5.b. Number of internal audit reports less than satisfactory (%)
5.c. Number of external audit reports less than satisfactory
5.d. Number of significant customer complaints
5.e. Number of new or proposed regulations or legislation
5.f. Minimize Bank Secrecy Act / Anti-Money Laundering related losses ($000s)
6. Reputation / Strategic
6.a. Achieve satisfactory CAMELS ratings for Management
6.b. Number of active litigation matters
6.c. Community Reinvestment Act activities (scale: Outstanding or Satisfactory; Needs to Improve; Substantial Noncompliance)
6.d. Tone of news reports (positive/negative) - qualitative measure
6.e. Succession planning in place for senior management / key personnel (%)
6.f. Achievement of strategic goals
7. Operational Risk
7.a. Number of material weaknesses
7.b. Maintain acceptable level of operational losses ($000s)
7.c. Maintain high level of critical system availability (%)
7.d. Maintain adequate insurance coverage (e.g. flood / hazard) (%)
7.e. Maintain optimal level of employee headcount (%)
7.f. Minimize confidential data breaches
Legend
Green: Risk is within acceptable threshold
Yellow: Potential increase in risk as threshold has been breached
Red: Increase in risk as threshold has been breached
Markers: Current Level; 12 mo. Average; * Prior Rating
Risk Appetite Statement/Report (Community Bank Template): Sample Template
Risk Appetite Additional Information as of
Risk Appetite Preamble
The Bank's board of directors and management have established this risk appetite statement and risk metrics for controlling and escalating actions based on the seven continuing objectives that represent the foundation of the Bank's strategic and tactical planning:
Capital Adequacy: Maintain adequate levels of capital components that protect against the risks inherent on the Bank's balance sheet and provide sufficient resiliency to withstand potential stressed losses.
Market Risk / Earnings: Market risk exposure should be managed in such a way that a significant disruption in rates and spreads would not result in a loss that would threaten the Bank's capital plan.
Credit Risk (Concentration): Avoid credit losses by managing credit risk exposures within acceptable parameters. Achieve this objective through data-driven analysis (and when appropriate perform shareholder-specific analysis), monitoring and verification. Monitor through enhanced reporting any elevated risk concentrations, and when appropriate, manage and mitigate the increased risk.
Liquidity Risk: Maintain sufficient liquidity and funding sources to allow the Bank to meet expected and unexpected obligations.
Compliance / Regulatory: Comply with all applicable laws and regulations.
Reputation / Strategic: Recognize the importance of and advance positive awareness and perception of the Bank.
Operations: Manage the key risks associated with operational availability of critical systems, the integrity and security of the Bank's information, and the alignment of technology investment with key business objectives.
Current Key Issues
3.b. Maintain Non-Performing Assets / Assets within acceptable level (%) - Continue to monitor.
3.e. Maintain CRE Loans / Total RBC within acceptable level (%) - Continue to monitor.
Questions and Answers
Alp E. Can, Director of Enterprise Risk Management, FHLBank Atlanta
acan@fhlbatl.com
Tel: 404.888.5574