GEORGIA BANKERS ASSOCIATION Georgia Banking School 2017 Georgia Banking School May 7-12, 2017 UGA Hotel & Conference Center Athens, Georgia
RISK MANAGEMENT FOR BANKING INSTITUTIONS John Houser Audit Committee Chairman State Bank and Trust Company
ACKNOWLEDGEMENTS Dr. Rob Hoyt, Chairman, Risk Management and Insurance Program at the University of Georgia, and State Bank and Trust Company 4/18/2017 3
Overview What is Risk? Increasing attention on Bank Risk Management Programs Brief History of Bank Risk Management How to Manage your Bank s Risk The Risk Management process at State Bank Current research and trends Important types of risk and insurance Directors and officers liability Property Risks 4
What is Risk? Risk can be broadly defined as the likelihood of a specified undesired event occurring within a specified period or in specified circumstances. 4/18/2017 5
Risk is essentially, the probability that an outcome may be damaging or result in a loss. With risk, the outcomes of an event are subject to uncertainty. 4/18/2017 6
Risk has been known to man ever since he first faced adversity. The cave man s/woman s main risk was an attack by a wild animal. This risk was mitigated (not eliminated) with the discovery of fire. Risk can rarely, if ever, be completely eliminated. Mitigation has now taken the form hedging interest rate changes in the future using forward contracts or options. 4/18/2017 7
What is Financial Risk Financial risk is the probability that the actual return on a business or investment will be less than the expected return. Financial risk can arise through loan and investment transactions. Financial risks can be categorized as systemic or unsystematic. 4/18/2017 8
Systematic risk is the risk inherent to the entire market or entire market segment. Interest rates, recession and wars all represent sources of systematic risk because they affect the entire market and cannot be avoided through diversification. 4/18/2017 9
Unsystematic risk refers to company or industry specific risk that is inherent in each investment. For example, a sudden drop in residential loan demand. Unsystematic risk can be mitigated through appropriate diversification. 4/18/2017 10
Specific examples of financial risks applicable to Banks include interest rate risk, credit risk, liquidity risk, prepayment risk, inflation risk, etc. 4/18/2017 11
Can You Match These Enterprise Risks? A. Hazard/Insurable Risks B. Financial Risks C. Operational Risks D. Strategic Risks 1. Supply chain, IT, key managers, product quality 2. Natural disasters, injuries, deaths, product liability 3. Market demand, R&D, competitive strategies, reputation, customer need 4. Tax and interest rate changes, credit default, FX 12
A World of Extremes (Attention on Risk) 13
Attention on Risk Management Google Search Risk Management 2006 & 2007: 3.2 million 2008 & 2009: 27.2 million 2011 & 2012: 81.4 million 2016 & 2017: 226.0 million Audit committee members rank risk management as top worry KPMG Survey of Corporate Directors 14
Risk Management #1 Focus of Public Company Boards What topics would they like to spend more time on? 55% of board members at public companies cite risk management more than any other area 61% believe their liability risk as a director has increased during the past few years Source: BDO Board Survey 15
Banks are increasingly exposed to non-traditional risks (cyber risks, regulatory risks and new forms of macro risks) Regulators are increasingly skeptical about banks internal and often complex and opaque risk modeling and measurement approaches 80% of participating banks believe they successfully integrate stress testing into strategic decision making Potential for improvement is especially significant in capital-allocation and talent-management processes Source: McKinsey 16
Impact of Risks on Firm Value 0% Hazard 6% Financial 31% Operational 58% Strategic Source: Mercer Management Consulting 17
Recent survey by RIMS (review of proxy statements of companies in the DJIA) 20% had a CRO (89% in banking sample) 64% mentioned ERM 27% describe Board s oversight of risk management, but expect 100% in 2013 Recent Deloitte survey 91% of executives plan to reorganize and reprioritize their approaches to risk management in some form in the coming three years. 18
Boards and Risk Management Boards are FULLY aware that risk management is a corporate governance issue Audit and Risk Committees continue to expand risk management awareness at Board level Board member participation in different companies spreads risk management awareness Boards more willing to replace senior management (evidence of more active role) 19
DISCUSSION: How has your Board s Interest In and Perspective on Risk Management Changed? 20
DISCUSSION: Does your Bank have a separate Risk Committee Why a separate Risk Committee makes sense. 21
A Brief History of Bank Risk First generation Insurance buyers Second generation Management Use multiple methods to manage hazard and financial risks Third generation Continuous assessment of all areas of risk and coordination with their Bank s strategy 22
Traditional View of Risk Management Silo management of risk Focus on risk transfer Limited integration with processes and Bank policies Scope limited to financial & hazard risks Unclear link to corporate objectives 23
DISCUSSION: How has is Risk Management Organized in your Bank? 24
How to Manage Your Bank s Risk Create a Risk Conscious Culture Add Risk Items to Board s Charter Modify banking operations Hire talent to manage risks Adjusting firm s capital structure Continuously monitor Bank s risk profile and report to Board at least quarterly 25
Categories of Risk Promulgated by Regulatory Authorities in Banking Credit risk Interest rate risk Market risk Liquidity risk Operational risk Compliance risk Reputation risk Strategic risk 26
Business interruption and supply chain Market developments (volatility, competition) Cybercrime, IT failures, data breaches Natural catastrophes Changes in legislation and regulation Macroeconomic developments (commodity price risk, inflation/deflation) Loss of reputation/brand loss 27
The Risk Management Process Identifying exposures to loss Measuring/evaluating exposures frequency severity Selecting a risk handling or treatment approach avoidance retention control transfer (e.g., insurance, hedging) Implementation and monitoring of the risk management program Risk appetite Risk charter 28
Risks Included in ERM Hazard risks Damage to property, liability to others, injuries to employees, etc. Financial risks Interest rate risk, credit risk, FX risk, commodity price, etc. Operational risks Supply chain, distribution system, how we do business, etc. Strategic risks What businesses we are in, where we do business, political risk, reputation risk (brand), who we do business with, etc. 29
Treasury & Risk Management Strategic risks still viewed as the most difficult to assess and manage Biggest challenges to fully implementing ERM conflicting priorities difficulty quantifying risks difficulty embedding risk in culture 30
Risk Characteristics as Determinants of the Tool Frequency Of Losses Severity Of Low High Low Retention Retention & Control Losses High Transfer Avoidance 31
Why ERM Adds Value to a Financial Firm Better understand the aggregate risk inherent in different business activities Avoid duplication of risk management expenditures by exploiting natural hedges Benefit from being able to select investments based on a more accurate risk-adjusted rate Enables firms to better inform outsiders of their risk profile (especially financially opaque firms) and also serves as a signal of their commitment to risk management Growing interest by rating agencies (S&P, etc.) 32
OVERVIEW - STATE BANK S RISK MANAGEMENT PROGRAM Created to monitor all bank policies for assessing and managing risks. Policies must be approved by Board at least annually. Created a risk matrix for Board and management review Quarterly review of benchmarks and matrix for major risk exposures by XO s and Board Review reports at all Board meetings on selected risk topics selected by Board. 33
Hired outside experts to review highest risk areas of Bank operations to asses risk levels, i.e. IT gap analysis. Insure all Bank policies and internal audit reviews include a risk assessment review and report. 34
Annual meeting of compensation committee with risk committee to review executive compensation to insure compliance with risk objectives. Developed and periodically review bank s risk appetite statement Review Bank s capital allocation and ALLL reports quarterly with risk committee Review concentration and credit risk profiles quarterly 35
Current Research: Changes in Risk Reporting
2008 Q1 2008 Q2 2008 Q3 2008 Q4 2009 Q1 2009 Q2 2009 Q3 2009 Q4 2010 Q1 2010 Q2 2010 Q3 2010 Q4 2011 Q1 2011 Q2 2011 Q3 2011 Q4 2012 Q1 2012 Q2 2012 Q3 2012 Q4 Georgia Banking School 60 50 40 BP 2008-2012 Quarterly Report Pages 100% increase in length No direct mention of oil spills or ocean drilling prior to 2012 Q2 30 Report Length 20 10 4/20/2010 Deepwater Horizon explodes and sinks 0 37
Banks and Risk Reporting Number of times the term risk management was used in firm s 10-K (2005 v. 2013) Financial Institution Times used in 2005 Times used in 2013 Percent increase Bank of America 85 171 101.2% BB&T 13 24 84.6% JP Morgan 92 167 81.5% PNC 83 133 60.2% SunTrust 51 74 45.1% Wells Fargo 34 137 302.9% 3 had CROs in 2005, all 6 had CROs in 2013 38
Important Types of Risk and Insurance Categories/Types of Risk and Insurance Physical property and business continuity risk Legal risk Management liability risk Human resources risk (including BOLI and COLI) Environmental risk Crime and Cyber risk Fleet risk 39
89 90 91 92 93 94 95 96 97 98 99 00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 $7.5 $2.7 $4.7 $5.5 $22.9 $16.9 $8.3 $7.4 $2.6 $10.1 $8.3 $4.6 $26.5 $5.9 $12.9 $27.5 $9.2 $6.7 $10.6 $13.8 $12.9 $15.3 $16.1 $27.1 $35.9 $35.0 $61.9 Georgia Banking School U.S. Insured Catastrophe Losses $ Billions $70 Sandy $18.8B $60 $50 $40 $30 $20 $10 $0 Source: Property Claims Service/ISO; Insurance Information Institute 40
Most Costly Disasters in U.S. History (Insured Losses, 2012 Dollars, $ Billions) $60 $50 Hurricane Sandy became the 5 th costliest event in US insurance history $48.7 $40 $30 $20 $10 $4.4 Includes Tuscaloosa, AL, tornado $5.6 $5.6 $6.7 $7.1 Includes Joplin, MO, tornado $7.5 $7.8 $8.7 $9.2 $18.8 $13.4 $11.1 $23.9 $24.6 $25.6 $0 Irene (2011) Jeanne (2004) Frances (2004) Rita (2005) Tornadoes/ Tornadoes/ T-Storms T-Storms (2011) (2011) Hugo (1989) Ivan (2004) Charley (2004) Wilma (2005) Ike (2008) Sandy* (2012) Sources: PCS; Insurance Information Institute inflation adjustments to 2012 dollars using the CPI. Northridge 9/11 Attack (1994) (2001) Andrew (1992) Katrina (2005) 12 of the 16 Most Expensive Events in US History Have Occurred Over the Past 15 Years 41
Key Lessons and Issues from Recent Catastrophes Flood risk remains a big issue NFIP Business interruption is one of the biggest issues facing businesses and it is poorly assessed and addressed Increased concerns from inland risks (tornados, hail, winter storms) Data Centers, utilities, supply chains 42
Directors and Officers Legal Liability Exposure to loss basic functional duties fiduciary duties types of suits 94% of the U.S. M&A deals in 2013 over $100 million were challenged in shareholder lawsuits D&O insurance coverages (Side A, Side B and Side C) common policy features 43
The FDIC s Perspective on D&O Insurance Purchase of D&O insurance is a legitimate business activity Must be aware of exclusionary language The bank can t buy coverage that reimburses D&Os for civil money penalties The FDIC urges each board member and executive officer to understand this coverage 44
Most Frequently Cited D&O Issues 14.0% 12.0% 10.0% 8.0% 6.0% 4.0% 12.7% 10.9% 7.8% 2.0% 0.0% Wrongful Termination Inadequate / Inaccurate Disclosure Mergers and Acquisitions 45
Who Sues Officers and Directors? (2001-2010) 46
Cyber Liability Insurance Coverage (may include): reimburse immediate clean up costs (forensics, notification, setting up call centers, paying for credit monitoring) legal fees cost of hiring crisis management firm Estimated cost in 2013 of a data breach was $188 per compromised record (only upfront clean up costs) Maximum capacity in the insurance market estimated at $300 million (Target had $100 million) 47
Privacy / Cyber Security Liability Industry Developments Increased awareness of FI security/breach procedures following 2011 Citi breach Oct 2011 SEC guidance/disclosure obligations relating to cyber security risks and incidents Number of large FI s purchasing first-time privacy insurance increased substantially in the last 12 months FI Benchmark Privacy Limits Morgan Stanley $200MM Bank of America $120MM PNC $100MM Ally $100MM SunTrust $75MM Coverage Overview Privacy related liability/litigation from disclosure of client information Regulatory action defense, fines and penalties, consumer redress fund Loss mitigation expense (including notification/call center, credit monitoring, cost to reissue credit/debit cards, client identity restoration, discovery/data forensics, crisis management/pr firm) No distinction as to cause of breach (e.g. laptop, hacked systems, malicious insider) Coverage also includes breaches of bank s data from outsourced suppliers Fifth Third Goldman Sachs US Bank Keycorp Bank of NY Mellon Wells Fargo Average FI Limit $60MM $60MM $50MM $50MM $30MM $25MM $80MM 48
Key Operational Risk Areas of Focus Technology Risk Supplier Risk Regulatory/ Litigation Risk Given the complexity of today s banking markets and the sophistication of technology that underpins it, it is no surprise that the OCC deems operational risk to be high and increasing. Indeed, it is currently at the top of the list of safety and soundness issues for the institutions we supervise. - Thomas Curry, Comptroller of the Currency, Speech from May 16, 2012 49
Complacency is an Enemy of Risk Management It s never happened before. It can t happen here. We can handle it. Ignore it and it will go away. 50
DISCUSSION: What Other Questions Or Comments Do You Have Regarding Risk Management For Your Bank? 51