Friday, April 10, 2020

Risk Appetite Statements

QUESTION
We are a lender in all states and we have a large servicing platform. We are owned by a large regional bank. We are often confronted with risk challenges in many lines of business and certainly in our portfolio and servicing end. To ensure that we are considering all risks, I wonder if you would provide some feedback on the implications of risks. My question is, what are some typical risks a company like ours faces? And, what are the typical features of these risks?

ANSWER
A financial institution such as yours should be conducting a risk appetite review. Contact me to discuss risk appetite audits, as it seems to me you need one. We are experts in risk appetite statements. If you want to discuss risk appetite, click HERE and we’ll contact you.

It is a mission-critical feature of management to develop a risk identification process to aggregate risks for evaluation and consideration relative to the Board’s risk appetite. To effectively carry out an ongoing risk aggregation process, institutions need to develop a method for defining and categorizing risks throughout the institution. Educated risk based on sound principles of evaluation is, or should be, the most responsible approach for management to make decisions.

I am providing a brief overview that, hopefully, will provide feedback on how different types of risk are generally defined and categorized. Based on the brief description of your company, and because we have not conducted a risk appetite evaluation of your institution, my response is generalized. I will set forth these risks in a categorical outline.

Market Risk
Market risk arises from changes in the value of portfolios of financial instruments due to adverse movement in market rates or prices. Factors that should be considered include interest/exchange rate-sensitive activities, accounting treatment, market conditions, and potential losses, such as:
  • Portfolio (i.e., investment concentrations, durations, correlations)
  • Trading account or inventory risk
  • Hedge effectiveness (improper or lack of hedging)
  • Interest rate-sensitive activities (i.e., mortgage servicing rights, value-based fees)
  • Modeling errors (i.e., assumptions, values)
  • Foreign exchange rates (i.e., foreign letters of credit, forward contracts)

Operational Risk
Operational risk is especially related to loss associated with inadequate or failed internal processes, people, systems, or external events. This risk includes:
  • Internal processes (i.e., financial reporting misstatements, inadequate reconcilements, errors and omissions, missing/incomplete documentation, improper safeguarding of assets, inadequate or insufficient internal controls, failed processor settlement, improper markups)
  • People (i.e., embezzlement and asset misappropriation, authorization/approval limits, keying/input error, management override, unethical acts (real or perceived))
  • Systems (i.e., IT systems failure, inappropriate information security access)
  • External events (i.e., external fraud (real or perceived), legal liability, outsourcing, check kiting, counterfeit transactions, natural disasters)

Reputation Risk
Reputation risk can be unbelievably devastating to a company. It arises due to negative publicity or public opinion (either real or perceived) that may adversely affect the institution’s brand image. Reputation risk can impact clients, employees, communities, or shareholders and is often a secondary result of one of the other general risk categories:
  • Corporate scandals (i.e., accounting irregularities, governance)
  • Industry-related risk (i.e., insurance, mutual funds)
  • Inherent nature of business (i.e., payday lending)
  • Third-party relationships (i.e., clients, service providers)
  • Employee morale (i.e., layoffs, corporate change)
  • Employee activities (i.e., emails, rogue social media)
  • Regulations (i.e., fines, violations, untested regulations)
  • Litigation
  • Client service (i.e., system availability, processing errors)

Strategic Risk
Strategic risk is a core risk because it arises where an institution’s business strategy and objectives do not allow the institution to achieve its vision, mission, and purpose. The responsibility for managing this risk rests with the Board and senior management. Any inability to execute the corporate plan generally is a result of one of the other general risk categories and may focus on such areas as:
  • Financial goals
  • Business, product, delivery channel, or geographic directions
  • IT plans (i.e., outsourcing, hardware, and software solutions)
  • Organizational structure
  • Succession plans
  • Relationship management
  • Customer service

While the foregoing risks are vital to risk evaluation, they are the types of risks that apply to many business enterprises. There are also risks that apply specifically to financial institutions. I will give you a few examples of these types of risks.

Credit Risk
Credit risk arises from a borrower’s or counterparty’s inability or unwillingness to repay its financial obligations as agreed. Components of credit risk can include collateral, market conditions, concentration, cash flow, credit ratings, portfolio, and product issues. Credit risk extends beyond traditional lending and includes both on- and off-balance-sheet commitments. Examples of credit risk include:
  • Investment securities
  • Loan default (failure to meet the terms of the obligation)
  • Loan losses and non-performing assets
  • Subprime lending
  • Off balance-sheet exposures (i.e., derivatives and letters of credit)
  • Electronic payments (ACH, wire transfers, and online banking)
  • Controlled disbursement accounts
  • Overdrafts and return items
  • Official checks (issued for customers)

Legal and Compliance Risk
Legal and compliance risk is the risk that arises from violations or nonconformance with laws, rules, and regulations (federal, state, or local), or prescribed practices that govern the institution’s business activities. This type of risk encompasses all laws as well as prudent governance and ethical standards and contractual obligations. It includes exposure to litigation from all types of financial services activities, both banking and non-banking. Legal and compliance risk also arises in situations where the laws, regulations, or rules governing certain products or services offered or customer activities may be ambiguous or untested. These risks could expose the institution to fines, damages, civil penalties, or prosecution.

Regulatory agencies that have a direct bearing on the institution’s legal and compliance risks include:
  • Federal Reserve Bank, Federal Deposit Insurance Corporation
  • State banking departments and government agencies
  • Securities and Exchange Commission, Consumer Financial Protection Bureau, New York Stock Exchange, and National Association of Securities Dealers regulations and rules

Significant federal and state banking laws include:
Bank Secrecy Act, Fair Credit Reporting Act, the range of Acts, rules, regulations, and practices relating to mortgage loan origination and servicing (i.e., RESPA, TILA, et alia), Privacy Act, Financial Institutions Reform, Recovery, and Enforcement Act, Federal Deposit Insurance Corporation Improvement Act, Gramm-Leach-Bliley Act, USA PATRIOT Act, Sarbanes-Oxley Act, state and local banking and consumer financial protection laws and regulations

Types of legal and compliance risk include:
  • Contract negotiations and disputes
  • Regulatory examinations and enforcement
  • Litigation and administrative proceedings
  • Fiduciary responsibilities
  • Generally Accepted Accounting Principles (GAAP)

Liquidity Risk
A business that lacks liquidity faces significant risk to its survival. Liquidity risk is the risk that a given security or asset cannot be traded quickly enough in the market to prevent a loss (or make the required profit). It arises from issues with meeting commitments when they come due because of the inability to liquidate assets or obtain adequate funding, or the inability to offset specific exposures due to inadequate market depth or market disruptions, without incurring unacceptable consequences.

Factors that contribute to liquidity risk involve regulatory requirements, accounting treatment, market conditions, and potential losses, including:
  • Significant or unplanned loan growth
  • Funding limitations (investment portfolio, commercial paper)
  • Incorrect matching of assets and liabilities
  • Overreliance on brokered deposits or run on deposits
  • Concentration ratios (i.e., public funds, customers, and so forth)
  • Overdrafts and similar facilities
  • Inability to make a settlement payment 

I have only scratched the surface of risk evaluation. Try to look at risks in the context of an identification process that focuses on establishing a common set of risk definitions. That’s part of the risk appetite approach we suggest, and risk management is exactly what we do!

Common risk definitions are fundamental to evaluating risk because without such a procedure, “risk” may end up being nothing more than an opinion rather than a dependable categorical description. Some companies are totally averse to risk, while others have a higher tolerance, and each often claims to manage risk. Yet each will take a different approach based on its particular perspective.

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director
Lenders Compliance Group