
Banking industry Hot Topics - Forum in New Orleans

Date post: 22-Nov-2014
Upload: grant-thornton

Highlights from the ABA Risk Management Forum in New Orleans: Enterprise risk management – Understanding risk in today’s complex banking environment

Banking industry hot topics

Grant Thornton LLP sponsored a panel discussion on enterprise risk management (ERM) at the annual conference of the American Bankers Association (ABA) — ABA Risk Management Forum — held in New Orleans in May 2012. The panelists included three of Grant Thornton’s ERM specialists:

• Steve Goldberg, Financial Services Advisory Principal
• Tariq Mirza, Bank Regulatory National Managing Director
• Erin Morrow, Financial Services Advisory Principal

Given the immense uncertainty in the market and growing demands from the enactment of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank) and from shareholders and customers, organizations face an environment of increased scrutiny on their ERM process and its role within their company. Despite this renewed awareness of ERM, many are still struggling to implement it successfully. Some organizations don’t fully understand the value of ERM, while others may have conducted a risk assessment but have not followed up on it, and still others simply don’t know where to begin. During this forum, our panelists discussed the value of ERM, the view of ERM from a regulatory perspective, and practical tips for understanding ERM and implementing it in your organization.

I. Value of enterprise risk management
Presented by Steve Goldberg

Steve Goldberg has more than 25 years of business experience, including 20 years in financial services as an industry executive and management consultant. He has a strong focus on business strategy and operations, including risk management and business performance improvement.

What is the value of ERM?

A recent survey of 3,000 banks, conducted by Grant Thornton LLP and Bank Director, found that 34 percent of respondents believed they would need to hire additional staff to meet the requirements of Dodd-Frank, and 21 percent believed their firms would need to hire an outside advisor, given that some of the provisions are one-time events. Nearly half of respondents think the overall financial reform will not be effective at all in detecting the broad risks to the financial system. Others believe that key elements of Dodd-Frank could be repealed, given the upcoming elections and resistance from Congress.

These responses raise the question: What is the value of ERM? Given that the Federal Reserve Board (the FRB) and the SEC are moving forward with Dodd-Frank and expect to finalize the rules and regulations by the summer or fall of 2012, there is distinct value in implementing an ERM program.

Historically, companies have viewed risks in “silos,” with each silo representing a specific risk. Companies would analyze and develop strategies for each risk. The goal of ERM is to take a holistic approach and develop an overall strategy for managing risk across the organization. ERM improves the likelihood of success in the strategic planning process. It also prevents or reduces high-impact risks for the organization and enables it to make timely and informed decisions, with the ability to understand individual risks and how they affect the organization. In the current environment, regulators are looking for a culture of compliance within financial organizations; ERM establishes a culture of transparency and accountability across the organization. Finally, ERM prioritizes the allocation of resources to the most significant risks. Performing a structured risk assessment allows the organization to identify the areas that require the most attention and investment.

What are the current drivers of ERM in the banking industry?

Banking regulators, board members and bank management are all driving the renewed emphasis on ERM. Banking regulators have increased their focus on broad risk management in their exams, including expectations of board and management oversight, and links to internal audit. Board members’ accountability has increased in the wake of the financial crisis; therefore, they are requesting risk updates and risk monitoring tools. Bank management teams are also looking for tools to make the process easier and give them much earlier warning of risk events, such as stress testing.

II. Regulatory perspective
Presented by Tariq Mirza

Prior to joining Grant Thornton, Tariq Mirza spent over 20 years with the Federal Deposit Insurance Corporation (FDIC) in various roles. Most recently, he served as senior advisor under former FDIC Chairman Sheila Bair, providing technical advice on a wide range of banking and regulatory issues. He spoke about ERM from the perspective of a former regulator.

With the implementation of Dodd-Frank, regulators are also holding themselves to the same standards to which they hold financial institutions. In fact, the FDIC recently appointed its own chief risk officer. Some regulators from other agencies are looking to do the same, indicating that regulators are also looking at ERM within their own organizations. According to Mirza, regulators are not only “talking the talk, but also walking the walk.”

Mirza laid out a basic framework for what the FRB expects from banks’ risk committees. The FRB’s proposal indicates that risk committees must approve a risk management framework that includes the following:

• Risk limitations for each business line
• Establishing systems for identifying and reporting risks, including emerging risks
• Monitoring compliance with the risks
• Ensuring effective and timely implementation of corrective actions
• Integrating risk objectives into management’s goals and compensation

Finally, Mirza discussed high-impact risk. From his perspective as a former regulator, high-impact risk stemming from a weak or nonexistent ERM program could be an enforcement action, such as a cease and desist order, consent order or civil money penalty. These regulatory actions are in the public domain and may result in substantial reputational risk for the institution. The ultimate high-impact risk of a weak ERM program is failure; since the beginning of the recent financial crisis, there have been more than 430 bank failures.

III. Understanding ERM, embedded risk management, risk intelligence and ERM implementation
Presented by Erin Morrow

Erin Morrow is a principal in Grant Thornton’s Financial Services Advisory practice, and serves as the firm’s Governance, Risk and Compliance Solution leader for the Northeast Region. Morrow is the outsourced internal audit leader for two regional banks. She also works in an advisory capacity on topics in internal audit and risk management with other banking and financial services organizations ranging from local banks to global institutions.

Despite the advent of Dodd-Frank and increased public and regulatory scrutiny, ERM still appears to be very immature and loosely adopted. In 2010, North Carolina State University surveyed 460 senior management executives across different industries about the current state of enterprisewide risk oversight. Findings suggest that there is room for improvement in ERM processes across most organizations, with over 50 percent of respondents describing risk oversight as casual or unstructured. One-third of respondents said they were not at all satisfied or minimally satisfied with their ERM programs.

Why are organizations having trouble maturing their ERM programs?

There are several issues that appear to be presenting significant challenges in implementing ERM. One of the leading issues seems to be that ERM never got embedded in the culture or business process of the organization. The reasons for this might include failure to get executive sponsorship, or absence of governance or accountability, or perhaps there was simply no awareness of or training for ERM in the organization. Another challenge is the lack of focus. Perhaps ERM was not properly defined or focused and became too big. Some organizations may have suffered paralysis through analysis or addressed only risk symptoms rather than root causes. Finally, there is still a general lack of information and intelligence about ERM. In some cases, ERM programs were not forward looking enough, and management did not receive useful or timely information to respond to emerging risks.


Understanding ERM

One of the keys to understanding ERM is learning the terminology. There is a common “language of risk management” that many professionals practicing ERM have come to adopt. Morrow defined a list of key ERM terms, which included these:

• Risk – The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has described risk as “the possibility that an event will occur and adversely affect the achievement of objectives.”
• Enterprise risk management – A report from COSO describes ERM as an ongoing process, implemented by an entity’s board of directors, management and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity.[1]
• Inherent risk – This refers to the “natural” level of risk associated with doing business. Inherent risk is not necessarily a bad thing, given that most activities banks engage in to make money are inherently risky. Inherent risk is not static; it can rise because of external factors.
• Residual risk – This refers to the remaining risk after management’s controls are taken into account.
• Key risk indicator (KRI) – This is a measure used in management to indicate the level of risk currently in place. It gives a quantifiable view of the risk the bank is adopting.
• Risk appetite – According to COSO, risk appetite is “the amount of risk, on a broad level, an entity is willing to accept in pursuit of value.” Bank management may say they have no appetite for risk, but in order to grow and make money, banks need to take on some risk.
• Risk response – Once a key risk is identified, management will evaluate the risk and formulate a response. Risk responses are grouped into four categories.

What are the types of risk responses?

The purpose of risk response is to bring the risk to the acceptable level of risk appetite. The four categories are acceptance, transfer, avoidance and mitigation. Acceptance simply means to tolerate the risk; management may realize something is a risk but perhaps nothing can be done at a reasonable cost to mitigate it, or the likelihood and impact of the risk occurring is at an acceptable level. Transfer is a form of risk reduction whereby the risk is transferred to a third party. The most common example of risk transfer is insurance. A premium is paid, and the insurance company takes on the risk. Avoidance means just that: avoiding or exiting activities that give rise to risk, such as a risky market, product or line of business. Mitigation involves the process of developing options and actions to reduce the risks by putting controls and monitoring in place to detect and prevent and/or control risk. This is the most common risk response.

Embedded risk management

ERM is not just a project: it needs to be part of the day-to-day operations of the company and its decision-making processes. Merely putting ERM components in place is also not enough to create value or to avoid corporate failure; the key to making ERM valuable is to embed it in the organization where it must be accepted and understood. So how can management achieve this? Embedding risk management entails performing a risk assessment, installing a monitoring system, and developing a process for responding to changing risk levels quickly. Furthermore, risk management ownership and participation is an enterprisewide endeavor. Everyone in the organization, ranging from tellers to loan officers to the president and board of directors, owns some portion of risk.

Risk management should also be relevant to your organization. There is no single way to do risk management. However, under Dodd-Frank, if an organization has over $10 billion in assets, it must have a board risk committee. The board committee must be independent of other committees and also have an independent director with experience in risk management. The board risk committee has oversight of risk strategy and tolerance, and overall risk effectiveness.


[1] Source: The Committee of Sponsoring Organizations of the Treadway Commission. Enterprise Risk Management – Integrated Framework, September 2004.


Another important element in the ERM process is installing a management risk committee. The management risk committee is chaired by the chief risk officer, and its members usually comprise the CFO, and legal and compliance personnel. Its role is to review risk policies, implement risk strategies and make recommendations to the CEO.

Risk intelligence

Risk intelligence means being effective and efficient at managing risks to both existing assets and future growth. Banks should use risk intelligence to monitor and respond to risks on a constant basis. Monitoring involves determining KRI for each risk in the watch list, determining a process for reporting KRIs, and developing a process for communicating risk events.

The development of effective KRIs can be a challenge for most companies. Financial institutions usually have a large amount of credit risk and market risk indicators, and most of them have a sound system for addressing them. But there are additional “soft” indicators that go beyond the basics of credit risk and interest rate risk that many people overlook. These include the following:

• Financial market turmoil/Unemployment — An increase in unemployment can be an indicator of increased fraud risk.
• Client dissatisfaction — Low client satisfaction scores can forecast an erosion of revenue.
• Staff turnover — High levels of staff turnover can predict reduced customer service and/or quality.
• Open compliance cases — An increase in open compliance cases might indicate a change in the risk profile of clients or staffing not keeping pace with growth.
• Loan growth — Significant loan growth can indicate a need for additional hiring to keep pace.

Responding to the KRIs involves determining strategic responses the business would take if risk tolerance is exceeded. Often this comprises a set of responses for progressively more severe tolerance thresholds. In addition, the organization needs to decide when the risk threshold has been met, and then it needs to implement the appropriate strategic response.

Banks should leverage risk intelligence to continuously update and improve the ERM program. When there are changes, events and indicators that affect the organization, management should internally or externally review the current risk assessment (to determine if there are new emerging risks to address), the ERM strategy, communications protocols and risk responses.

ERM implementation – Key steps

The process of implementing an ERM solution can seem overwhelming; however, we have found it less daunting for some clients to break down the process into “bite-sized” steps:

1. Define the organization’s risk universe, and rank each risk by impact and likelihood.

2. Select a framework that fits the organization’s culture. Consider how the bank works and people communicate, and structure something that will be successful for that group.

3. Establish board or related board committee responsibilities for risk oversight so they understand their responsibilities. Although there is no one document that defines how to manage risk, having a procedure manual that talks about the whole risk program can be very useful.

4. Appoint a chief risk officer and/or an internal management risk committee and related charter with roles and responsibilities.


5. Develop a manageable risk and risk event universe focusing on key internal and external financial, legal, compliance, operational and strategic risks. The risk universe can range from 20 items to over 800 in some extreme cases. There is no “right” number; it depends on the organization and the level of detail the risk committee is willing to determine.

6. Rate each risk event according to impact and likelihood, and identify current controls. The definition of “likelihood” is not static and can change over time. Banks look at the definition of “impact” in terms of value and reputation. Most banks focus on the value and how much direct loss it is exposed to by each risk. Although receiving less attention, the reputational impact is also important. Banks should consider the regulatory impact of specific risks and the public’s reaction.

7. Create an initial residual risk profile and then review to determine risk responses, such as transferring the risk, avoiding the risk by exiting a specific business or activity and/or installing more mitigating controls. In most instances, mitigation is the solution.

8. Identify necessary risk responses to address risks and prepare an updated residual risk profile to present to management.

9. Enhance key monitoring reports, scorecards and processes in place. Establish a periodic review process to review residual risk ratings, share detailed analysis with internal audit, and request an independent assessment that controls that have been considered in residual risk rating are in place and operating effectively.

Amid extraordinary uncertainty and instability, when bank failures and financial losses seem to be front page news on a daily basis, risk has never been a hotter topic than it is today. However, it’s not a secret that in order to make money, financial institutions have to accept some level of risk. Therefore, the goal of ERM is not to eliminate risk, but rather to ultimately help preserve and enhance value. ERM can help achieve this by providing institutions with better information to manage risks, which leads to better decision-making. Implementing an integrated ERM program at your institution can give it the ability to better deal with adversity while pursuing opportunities to create value, and hopefully staying out of the papers.


Contact information

For more information about the topics covered at this event, contact:

Nichole Jordan
National Banking and Securities Industry Leader
Grant Thornton LLP
T 212.624.5310
E [email protected]

Visit www.GrantThornton.com/financialservices.

© Grant Thornton LLP
All rights reserved
U.S. member firm of Grant Thornton International Ltd

Acknowledgements
Molly Curl, Steve Goldberg, Tariq Mirza, Erin Morrow, Dominika Chartier

Content in this publication is not intended to answer specific questions or suggest suitability of action in a particular case. For additional information on the issues discussed, consult a Grant Thornton client service partner.

The people in the independent firms of Grant Thornton International Ltd provide personalized attention and the highest quality service to public and private clients in more than 100 countries. Grant Thornton LLP is the U.S. member firm of Grant Thornton International Ltd, one of the six global audit, tax and advisory organizations. Grant Thornton International Ltd and its member firms are not a worldwide partnership, as each member firm is a separate and distinct legal entity. In the U.S., visit Grant Thornton LLP at www.GrantThornton.com.

Jack Katz
National Managing Partner
Financial Services Industry
Grant Thornton LLP
T 212.542.9660
E [email protected]

