georgia bankers georgia banking school …resources.gabankers.com/event agenda pdfs/2017/georgia...

GEORGIA

BANKERS

ASSOCIATION

Georgia Banking School

2017 Georgia Banking School May 7-12, 2017

UGA Hotel & Conference Center Athens, Georgia

RISK MANAGEMENT FOR

BANKING INSTITUTIONS

John Houser Audit Committee Chairman

State Bank and Trust Company

ACKNOWLEDGEMENTS

Dr. Rob Hoyt, Chairman, Risk Management and

Insurance Program at the University of Georgia,

and

State Bank and Trust Company

4/18/2017 3


Overview

• What is Risk ?

• Increasing attention on Bank Risk Management Programs

• Brief History of Bank Risk Management

• How to Manage your Bank’s Risk

• The Risk Management process at State Bank

• Current research and trends

• Important types of risk and insurance • Directors and officers liability

• Property Risks

4


What is Risk ?

• Risk can be broadly defined as the likelihood of

a specified undesired event occurring within a

specified period or in specified circumstances.

4/18/2017 5


• Risk is essentially, the probability that an

outcome may be damaging or result in a

loss. With risk, the outcomes of an event are

subject to uncertainty.

4/18/2017 6


• Risk has been known to man ever since he first

faced adversity. The cave man’s/woman’s main

risk was an attack by a wild animal.

• This risk was mitigated (not eliminated) with the

discovery of fire. Risk can rarely, if ever, be

completely eliminated. Mitigation has now taken

the form hedging interest rate changes in the

future using forward contracts or options.

4/18/2017 7


What is Financial Risk

• Financial risk is the probability that the actual return on a business or investment will be less than the expected return. Financial risk can arise through loan and investment transactions. Financial risks can be categorized as systemic or unsystematic.

4/18/2017 8


• Systematic risk is the risk inherent to the

entire market or entire market segment.

Interest rates, recession and wars all

represent sources of systematic risk because

they affect the entire market and cannot be

avoided through diversification.

4/18/2017 9


• Unsystematic risk refers to company or

industry specific risk that is inherent in each

investment. For example, a sudden drop in

residential loan demand. Unsystematic risk can

be mitigated through appropriate

diversification.

4/18/2017 10


• Specific examples of financial risks applicable

to Banks include interest rate risk, credit risk,

liquidity risk, prepayment risk, inflation risk, etc.

4/18/2017 11


Can You Match These Enterprise

Risks?

• A. Hazard/Insurable Risks

• B. Financial Risks

• C. Operational Risks

• D. Strategic Risks

• 1. Supply chain, IT, key managers, product quality

• 2. Natural disasters, injuries, deaths, product liability

• 3. Market demand, R&D, competitive strategies, reputation, customer need

• 4. Tax and interest rate changes, credit default, FX 12


A World of Extremes (Attention on Risk)

13


Attention on Risk Management • Google Search

– Risk Management – • 2006 & 2007: 3.2 million

• 2008 & 2009: 27.2 million

• 2011 & 2012: 81.4 million

• 2016 & 2017: 226.0 million

• “Audit committee members rank risk management as top worry”

– KPMG Survey of Corporate Directors

14


Risk Management #1 Focus of

Public Company Boards

• What topics would they like to spend more time on? – 55% of board members at public

companies cite risk management more than any other area

– 61% believe their liability risk as a director has increased during the past few years

Source: BDO Board Survey

15


• Banks are increasingly exposed to non-traditional risks (cyber risks, regulatory risks and new forms of macro risks)

• Regulators are increasingly skeptical about banks´ internal—and often complex and opaque—risk modeling and measurement approaches

• 80% of participating banks believe they successfully integrate stress testing into strategic decision making

• Potential for improvement is especially significant in capital-allocation and talent-management processes

• Source: McKinsey

16


Impact of Risks on Firm Value

Strategic

Operational

Financial

Hazard

Source: Mercer Management Consulting

58%

31%

6%

0%

17


• Recent survey by RIMS (review of proxy statements of companies in the DJIA) – 20% had a CRO (89% in banking sample)

– 64% mentioned ERM

– 27% describe Board’s oversight of risk management, but expect 100% in 2013

• Recent Deloitte survey – 91% of executives “plan to reorganize and

reprioritize their approaches to risk management in some form in the coming three years.”

18


Boards and Risk Management

• Boards are FULLY aware that risk management is

a corporate governance issue

• Audit and Risk Committees continue to expand

risk management awareness at Board level

• Board member participation in different

companies spreads risk management awareness

• Boards more willing to replace senior

management (evidence of more active role)

19

DISCUSSION:

How has your Board’s

Interest In and Perspective

on Risk Management

Changed?

20

DISCUSSION:

Does your Bank have a

separate Risk Committee

Why a separate Risk

Committee makes sense.

21


A Brief History of Bank Risk

Management

• First generation – Insurance buyers

• Second generation

– Use multiple methods to manage hazard and financial risks

• Third generation – Continuous assessment of all areas of risk and

coordination with their Bank’s strategy

22


Traditional View of Risk Management

• Silo management of risk

• Focus on risk transfer

• Limited integration with processes and

Bank policies

• Scope limited to financial & hazard risks

• Unclear link to corporate objectives

23

DISCUSSION:

How has is Risk Management

Organized in your Bank?

24


How to Manage Your Bank’s Risk

• Create a Risk Conscious Culture

• Add Risk Items to Board’s Charter

• Modify banking operations

• Hire talent to manage risks

• Adjusting firm’s capital structure

• Continuously monitor Bank’s risk profile and

report to Board at least quarterly 25


Categories of Risk Promulgated by

Regulatory Authorities in Banking

• Credit risk

• Interest rate risk

• Market risk

• Liquidity risk

• Operational risk

• Compliance risk

• Reputation risk

• Strategic risk

26


• Business interruption and supply chain

• Market developments (volatility, competition)

• Cybercrime, IT failures, data breaches

• Natural catastrophes

• Changes in legislation and regulation

• Macroeconomic developments (commodity

price risk, inflation/deflation)

• Loss of reputation/brand loss

27


The Risk Management Process

• Identifying exposures to loss

• Measuring/evaluating exposures • frequency

• severity

• Selecting a risk handling or treatment approach • avoidance

• retention

• control

• transfer (e.g., insurance, hedging)

• Implementation and monitoring of the risk management program

• Risk appetite

• Risk charter

28


Risks Included in ERM • Hazard risks

– Damage to property, liability to others, injuries to employees, etc.

• Financial risks – Interest rate risk, credit risk, FX risk, commodity price,

etc.

• Operational risks – Supply chain, distribution system, how we do

business, etc.

• Strategic risks – What businesses we are in, where we do business,

political risk, reputation risk (brand), who we do business with, etc.

29


Treasury & Risk Management

• Strategic risks still viewed as the most difficult to

assess and manage

• Biggest challenges to fully implementing ERM

– conflicting priorities

– difficulty quantifying risks

– difficulty embedding risk in culture

30


Risk Characteristics as

Determinants of the Tool

Frequency Of Losses

Severity

Low High

Of Low Retention Retention

& Control

Losses High Transfer Avoidance

31


Why ERM Adds Value to a

Financial Firm

• Better understand the aggregate risk inherent in different business activities

• Avoid duplication of risk management expenditures by exploiting natural hedges

• Benefit from being able to select investments based on a more accurate risk-adjusted rate

• Enables firms to better inform outsiders of their risk profile (especially financially opaque firms) and also serves as a signal of their commitment to risk management

• Growing interest by rating agencies (S&P, etc.) 32

OVERVIEW - STATE BANK’S RISK

MANAGEMENT PROGRAM

• Created to monitor all bank policies for assessing and managing risks. Policies must be approved by Board at least annually.

• Created a risk matrix for Board and management review

• Quarterly review of benchmarks and matrix for major risk exposures by XO’s and Board

• Review reports at all Board meetings on selected risk topics selected by Board.

4/18/2017

33

• Hired outside experts to review highest

risk areas of Bank operations to asses

risk levels, i.e. IT gap analysis.

• Insure all Bank policies and internal

audit reviews include a “risk

assessment” review and report.

4/18/2017

34

• Annual meeting of compensation committee with risk committee to review executive compensation to insure compliance with risk objectives.

• Developed and periodically review bank’s risk appetite statement

• Review Bank’s capital allocation and ALLL reports quarterly with risk committee

• Review concentration and credit risk profiles quarterly

4/18/2017

35

Current Research:

Changes in Risk Reporting


BP

0

10

20

30

40

50

60

20

08

Q1

20

08

Q2

20

08

Q3

20

08

Q4

20

09

Q1

20

09

Q2

20

09

Q3

20

09

Q4

20

10

Q1

20

10

Q2

20

10

Q3

20

10

Q4

20

11

Q1

20

11

Q2

20

11

Q3

20

11

Q4

20

12

Q1

20

12

Q2

20

12

Q3

20

12

Q4

2008-2012 Quarterly Report Pages

Report Length

100% increase in length

No direct mention of oil spills or ocean drilling prior to 2012 Q2

4/20/2010 Deepwater Horizon explodes and sinks

37


Banks and Risk Reporting • Number of times the term “risk management” was used

in firm’s 10-K (2005 v. 2013) Financial Institution Times used in 2005 Times used in 2013 Percent increase

Bank of America 85 171 101.2%

BB&T 13 24 84.6%

JP Morgan 92 167 81.5%

PNC 83 133 60.2%

SunTrust 51 74 45.1%

Wells Fargo 34 137 302.9%

3 had CROs in 2005, all 6 had CROs in 2013 38


Important Types of Risk and

Insurance

• Categories/Types of Risk and Insurance

• Physical property and business continuity risk

• Legal risk

• Management liability risk

• Human resources risk (including BOLI and COLI)

• Environmental risk

• Crime and Cyber risk

• Fleet risk

39


U.S. Insured Catastrophe Losses $

7.5

$2

.7

$4

.7

$2

2.9

$5

.5

$1

6.9

$8

.3

$7

.4

$2

.6

$1

0.1

$8

.3

$4

.6

$2

6.5

$5

.9 $1

2.9

$2

7.5

$6

.7

$2

7.1

$1

0.6

$1

3.8

$3

5.9

$3

5.0

$1

2.9

$1

5.3

$1

6.1

$6

1.9

$9

.2

$0

$10

$20

$30

$40

$50

$60

$70

89

90

91

92

93

94

95

96

97

98

99

00

01

02

03

04

05

06

07

08

09

10

11

12

13

14

15

Source: Property Claims Service/ISO; Insurance Information Institute

$ Billions

Sandy $18.8B

40

Most Costly Disasters in U.S. History

(Insured Losses, 2012 Dollars, $ Billions)

$7.8 $8.7 $9.2$11.1

$13.4

$18.8

$23.9 $24.6 $25.6

$48.7

$7.5$7.1$6.7$5.6$5.6$4.4

$0

$10

$20

$30

$40

$50

$60

Irene (2011) Jeanne

(2004)

Frances

(2004)

Rita

(2005)

Tornadoes/

T-Storms

(2011)

Tornadoes/

T-Storms

(2011)

Hugo

(1989)

Ivan

(2004)

Charley

(2004)

Wilma

(2005)

Ike

(2008)

Sandy*

(2012)

Northridge

(1994)

9/11 Attack

(2001)

Andrew

(1992)

Katrina

(2005)

Hurricane Sandy became the 5th costliest event

in US insurance history

Includes Tuscaloosa, AL,

tornado

Includes Joplin, MO, tornado

12 of the 16 Most Expensive Events in US History Have Occurred Over the Past

15 Years

Sources: PCS; Insurance Information Institute inflation adjustments to 2012 dollars using the CPI.

41


Key Lessons and Issues

from Recent Catastrophes

• Flood risk remains a big issue – NFIP

• Business interruption is one of the biggest issues facing businesses – and it is poorly assessed and addressed

• Increased concerns from inland risks (tornados, hail, winter storms)

• Data Centers, utilities, supply chains …

42


Directors and Officers Legal Liability

• Exposure to loss

– basic functional duties

– fiduciary duties

– types of suits

• D&O insurance

– coverages

(Side A, Side B and Side C)

– common policy features

94% of the U.S. M&A deals in 2013 over $100 million were challenged in shareholder lawsuits

43


The FDIC’s Perspective on

D&O Insurance

• Purchase of D&O insurance is a legitimate

business activity

• Must be aware of exclusionary language

• The bank can’t buy coverage that

reimburses D&Os for civil money penalties

• The FDIC urges each board member and

executive officer to understand this

coverage

44

Most Frequently Cited D&O Issues

12.7%10.9%

7.8%

0.0%

2.0%

4.0%

6.0%

8.0%

10.0%

12.0%

14.0%

Wrongful

Termination

Inadequate /

Inaccurate

Disclosure

Mergers and

Acquisitions

45

Who Sues Officers and Directors? (2001-2010)

46


Cyber Liability Insurance

• Coverage (may include):

• reimburse immediate clean up costs (forensics, notification,

setting up call centers, paying for credit monitoring)

• legal fees

• cost of hiring crisis management firm

• Estimated cost in 2013 of a data breach was $188

per compromised record (only upfront clean up costs)

• Maximum capacity in the insurance market estimated

at $300 million (Target had $100 million)

47


Industry Developments Increased awareness of FI security/breach procedures following 2011

Citi breach

Oct 2011 SEC guidance/disclosure obligations relating to “cyber security” risks and incidents

Number of large FI’s purchasing first-time privacy insurance increased substantially in the last 12 months

Coverage Overview Privacy related liability/litigation from disclosure of client information

Regulatory action defense, fines and penalties, consumer redress fund

Loss mitigation expense (including notification/call center, credit monitoring, cost to reissue credit/debit cards, client identity restoration, discovery/data forensics, crisis management/PR firm)

No distinction as to cause of breach (e.g. laptop, hacked systems, malicious insider)

Coverage also includes breaches of bank’s data from outsourced suppliers

Morgan Stanley $200MM

Bank of America $120MM

PNC $100MM

Ally $100MM

SunTrust $75MM

Fifth Third $60MM

Goldman Sachs $60MM

US Bank $50MM

Keycorp $50MM

Bank of NY Mellon $30MM

Wells Fargo $25MM

Average FI Limit $80MM

FI Benchmark – Privacy Limits

Privacy / Cyber Security Liability

48


Key Operational Risk Areas of Focus

Technology Risk

Supplier Risk

Regulatory/ Litigation

Risk

“Given the complexity of today’s banking markets and the sophistication of technology that underpins it, it is no surprise that the OCC deems operational risk to be high and increasing. Indeed, it is currently at the top of the list of safety and soundness issues for the institutions we supervise.”

- Thomas Curry, Comptroller of the Currency, Speech from May 16, 2012

49


Complacency is an Enemy of Risk

Management

• “It’s never happened before.”

• “It can’t happen here.”

• “We can handle it.”

• “Ignore it and it will go away.”

50

DISCUSSION:

What Other Questions Or

Comments Do You Have

Regarding Risk Management

For Your Bank?

51

georgia bankers georgia banking school …resources.gabankers.com/event agenda pdfs/2017/georgia...

Documents