georgia bankers georgia banking school …resources.gabankers.com/event agenda pdfs/2017/georgia...
TRANSCRIPT
GEORGIA
BANKERS
ASSOCIATION
Georgia Banking School
2017 Georgia Banking School May 7-12, 2017
UGA Hotel & Conference Center Athens, Georgia
RISK MANAGEMENT FOR
BANKING INSTITUTIONS
John Houser Audit Committee Chairman
State Bank and Trust Company
ACKNOWLEDGEMENTS
Dr. Rob Hoyt, Chairman, Risk Management and
Insurance Program at the University of Georgia,
and
State Bank and Trust Company
4/18/2017 3
Georgia Banking School
Overview
• What is Risk ?
• Increasing attention on Bank Risk Management Programs
• Brief History of Bank Risk Management
• How to Manage your Bank’s Risk
• The Risk Management process at State Bank
• Current research and trends
• Important types of risk and insurance • Directors and officers liability
• Property Risks
4
Georgia Banking School
What is Risk ?
• Risk can be broadly defined as the likelihood of
a specified undesired event occurring within a
specified period or in specified circumstances.
4/18/2017 5
Georgia Banking School
• Risk is essentially, the probability that an
outcome may be damaging or result in a
loss. With risk, the outcomes of an event are
subject to uncertainty.
4/18/2017 6
Georgia Banking School
• Risk has been known to man ever since he first
faced adversity. The cave man’s/woman’s main
risk was an attack by a wild animal.
• This risk was mitigated (not eliminated) with the
discovery of fire. Risk can rarely, if ever, be
completely eliminated. Mitigation has now taken
the form hedging interest rate changes in the
future using forward contracts or options.
4/18/2017 7
Georgia Banking School
What is Financial Risk
• Financial risk is the probability that the actual return on a business or investment will be less than the expected return. Financial risk can arise through loan and investment transactions. Financial risks can be categorized as systemic or unsystematic.
4/18/2017 8
Georgia Banking School
• Systematic risk is the risk inherent to the
entire market or entire market segment.
Interest rates, recession and wars all
represent sources of systematic risk because
they affect the entire market and cannot be
avoided through diversification.
4/18/2017 9
Georgia Banking School
• Unsystematic risk refers to company or
industry specific risk that is inherent in each
investment. For example, a sudden drop in
residential loan demand. Unsystematic risk can
be mitigated through appropriate
diversification.
4/18/2017 10
Georgia Banking School
• Specific examples of financial risks applicable
to Banks include interest rate risk, credit risk,
liquidity risk, prepayment risk, inflation risk, etc.
4/18/2017 11
Georgia Banking School
Can You Match These Enterprise
Risks?
• A. Hazard/Insurable Risks
• B. Financial Risks
• C. Operational Risks
• D. Strategic Risks
• 1. Supply chain, IT, key managers, product quality
• 2. Natural disasters, injuries, deaths, product liability
• 3. Market demand, R&D, competitive strategies, reputation, customer need
• 4. Tax and interest rate changes, credit default, FX 12
Georgia Banking School
Attention on Risk Management • Google Search
– Risk Management – • 2006 & 2007: 3.2 million
• 2008 & 2009: 27.2 million
• 2011 & 2012: 81.4 million
• 2016 & 2017: 226.0 million
• “Audit committee members rank risk management as top worry”
– KPMG Survey of Corporate Directors
14
Georgia Banking School
Risk Management #1 Focus of
Public Company Boards
• What topics would they like to spend more time on? – 55% of board members at public
companies cite risk management more than any other area
– 61% believe their liability risk as a director has increased during the past few years
Source: BDO Board Survey
15
Georgia Banking School
• Banks are increasingly exposed to non-traditional risks (cyber risks, regulatory risks and new forms of macro risks)
• Regulators are increasingly skeptical about banks´ internal—and often complex and opaque—risk modeling and measurement approaches
• 80% of participating banks believe they successfully integrate stress testing into strategic decision making
• Potential for improvement is especially significant in capital-allocation and talent-management processes
• Source: McKinsey
16
Georgia Banking School
Impact of Risks on Firm Value
Strategic
Operational
Financial
Hazard
Source: Mercer Management Consulting
58%
31%
6%
0%
17
Georgia Banking School
• Recent survey by RIMS (review of proxy statements of companies in the DJIA) – 20% had a CRO (89% in banking sample)
– 64% mentioned ERM
– 27% describe Board’s oversight of risk management, but expect 100% in 2013
• Recent Deloitte survey – 91% of executives “plan to reorganize and
reprioritize their approaches to risk management in some form in the coming three years.”
18
Georgia Banking School
Boards and Risk Management
• Boards are FULLY aware that risk management is
a corporate governance issue
• Audit and Risk Committees continue to expand
risk management awareness at Board level
• Board member participation in different
companies spreads risk management awareness
• Boards more willing to replace senior
management (evidence of more active role)
19
DISCUSSION:
Does your Bank have a
separate Risk Committee
Why a separate Risk
Committee makes sense.
21
Georgia Banking School
A Brief History of Bank Risk
Management
• First generation – Insurance buyers
• Second generation
– Use multiple methods to manage hazard and financial risks
• Third generation – Continuous assessment of all areas of risk and
coordination with their Bank’s strategy
22
Georgia Banking School
Traditional View of Risk Management
• Silo management of risk
• Focus on risk transfer
• Limited integration with processes and
Bank policies
• Scope limited to financial & hazard risks
• Unclear link to corporate objectives
23
Georgia Banking School
How to Manage Your Bank’s Risk
• Create a Risk Conscious Culture
• Add Risk Items to Board’s Charter
• Modify banking operations
• Hire talent to manage risks
• Adjusting firm’s capital structure
• Continuously monitor Bank’s risk profile and
report to Board at least quarterly 25
Georgia Banking School
Categories of Risk Promulgated by
Regulatory Authorities in Banking
• Credit risk
• Interest rate risk
• Market risk
• Liquidity risk
• Operational risk
• Compliance risk
• Reputation risk
• Strategic risk
26
Georgia Banking School
• Business interruption and supply chain
• Market developments (volatility, competition)
• Cybercrime, IT failures, data breaches
• Natural catastrophes
• Changes in legislation and regulation
• Macroeconomic developments (commodity
price risk, inflation/deflation)
• Loss of reputation/brand loss
27
Georgia Banking School
The Risk Management Process
• Identifying exposures to loss
• Measuring/evaluating exposures • frequency
• severity
• Selecting a risk handling or treatment approach • avoidance
• retention
• control
• transfer (e.g., insurance, hedging)
• Implementation and monitoring of the risk management program
• Risk appetite
• Risk charter
28
Georgia Banking School
Risks Included in ERM • Hazard risks
– Damage to property, liability to others, injuries to employees, etc.
• Financial risks – Interest rate risk, credit risk, FX risk, commodity price,
etc.
• Operational risks – Supply chain, distribution system, how we do
business, etc.
• Strategic risks – What businesses we are in, where we do business,
political risk, reputation risk (brand), who we do business with, etc.
29
Georgia Banking School
Treasury & Risk Management
• Strategic risks still viewed as the most difficult to
assess and manage
• Biggest challenges to fully implementing ERM
– conflicting priorities
– difficulty quantifying risks
– difficulty embedding risk in culture
30
Georgia Banking School
Risk Characteristics as
Determinants of the Tool
Frequency Of Losses
Severity
Low High
Of Low Retention Retention
& Control
Losses High Transfer Avoidance
31
Georgia Banking School
Why ERM Adds Value to a
Financial Firm
• Better understand the aggregate risk inherent in different business activities
• Avoid duplication of risk management expenditures by exploiting natural hedges
• Benefit from being able to select investments based on a more accurate risk-adjusted rate
• Enables firms to better inform outsiders of their risk profile (especially financially opaque firms) and also serves as a signal of their commitment to risk management
• Growing interest by rating agencies (S&P, etc.) 32
OVERVIEW - STATE BANK’S RISK
MANAGEMENT PROGRAM
• Created to monitor all bank policies for assessing and managing risks. Policies must be approved by Board at least annually.
• Created a risk matrix for Board and management review
• Quarterly review of benchmarks and matrix for major risk exposures by XO’s and Board
• Review reports at all Board meetings on selected risk topics selected by Board.
4/18/2017
33
• Hired outside experts to review highest
risk areas of Bank operations to asses
risk levels, i.e. IT gap analysis.
• Insure all Bank policies and internal
audit reviews include a “risk
assessment” review and report.
4/18/2017
34
• Annual meeting of compensation committee with risk committee to review executive compensation to insure compliance with risk objectives.
• Developed and periodically review bank’s risk appetite statement
• Review Bank’s capital allocation and ALLL reports quarterly with risk committee
• Review concentration and credit risk profiles quarterly
4/18/2017
35
Georgia Banking School
BP
0
10
20
30
40
50
60
20
08
Q1
20
08
Q2
20
08
Q3
20
08
Q4
20
09
Q1
20
09
Q2
20
09
Q3
20
09
Q4
20
10
Q1
20
10
Q2
20
10
Q3
20
10
Q4
20
11
Q1
20
11
Q2
20
11
Q3
20
11
Q4
20
12
Q1
20
12
Q2
20
12
Q3
20
12
Q4
2008-2012 Quarterly Report Pages
Report Length
100% increase in length
No direct mention of oil spills or ocean drilling prior to 2012 Q2
4/20/2010 Deepwater Horizon explodes and sinks
37
Georgia Banking School
Banks and Risk Reporting • Number of times the term “risk management” was used
in firm’s 10-K (2005 v. 2013) Financial Institution Times used in 2005 Times used in 2013 Percent increase
Bank of America 85 171 101.2%
BB&T 13 24 84.6%
JP Morgan 92 167 81.5%
PNC 83 133 60.2%
SunTrust 51 74 45.1%
Wells Fargo 34 137 302.9%
3 had CROs in 2005, all 6 had CROs in 2013 38
Georgia Banking School
Important Types of Risk and
Insurance
• Categories/Types of Risk and Insurance
• Physical property and business continuity risk
• Legal risk
• Management liability risk
• Human resources risk (including BOLI and COLI)
• Environmental risk
• Crime and Cyber risk
• Fleet risk
39
Georgia Banking School
U.S. Insured Catastrophe Losses $
7.5
$2
.7
$4
.7
$2
2.9
$5
.5
$1
6.9
$8
.3
$7
.4
$2
.6
$1
0.1
$8
.3
$4
.6
$2
6.5
$5
.9 $1
2.9
$2
7.5
$6
.7
$2
7.1
$1
0.6
$1
3.8
$3
5.9
$3
5.0
$1
2.9
$1
5.3
$1
6.1
$6
1.9
$9
.2
$0
$10
$20
$30
$40
$50
$60
$70
89
90
91
92
93
94
95
96
97
98
99
00
01
02
03
04
05
06
07
08
09
10
11
12
13
14
15
Source: Property Claims Service/ISO; Insurance Information Institute
$ Billions
Sandy $18.8B
40
Most Costly Disasters in U.S. History
(Insured Losses, 2012 Dollars, $ Billions)
$7.8 $8.7 $9.2$11.1
$13.4
$18.8
$23.9 $24.6 $25.6
$48.7
$7.5$7.1$6.7$5.6$5.6$4.4
$0
$10
$20
$30
$40
$50
$60
Irene (2011) Jeanne
(2004)
Frances
(2004)
Rita
(2005)
Tornadoes/
T-Storms
(2011)
Tornadoes/
T-Storms
(2011)
Hugo
(1989)
Ivan
(2004)
Charley
(2004)
Wilma
(2005)
Ike
(2008)
Sandy*
(2012)
Northridge
(1994)
9/11 Attack
(2001)
Andrew
(1992)
Katrina
(2005)
Hurricane Sandy became the 5th costliest event
in US insurance history
Includes Tuscaloosa, AL,
tornado
Includes Joplin, MO, tornado
12 of the 16 Most Expensive Events in US History Have Occurred Over the Past
15 Years
Sources: PCS; Insurance Information Institute inflation adjustments to 2012 dollars using the CPI.
41
Georgia Banking School
Key Lessons and Issues
from Recent Catastrophes
• Flood risk remains a big issue – NFIP
• Business interruption is one of the biggest issues facing businesses – and it is poorly assessed and addressed
• Increased concerns from inland risks (tornados, hail, winter storms)
• Data Centers, utilities, supply chains …
42
Georgia Banking School
Directors and Officers Legal Liability
• Exposure to loss
– basic functional duties
– fiduciary duties
– types of suits
• D&O insurance
– coverages
(Side A, Side B and Side C)
– common policy features
94% of the U.S. M&A deals in 2013 over $100 million were challenged in shareholder lawsuits
43
Georgia Banking School
The FDIC’s Perspective on
D&O Insurance
• Purchase of D&O insurance is a legitimate
business activity
• Must be aware of exclusionary language
• The bank can’t buy coverage that
reimburses D&Os for civil money penalties
• The FDIC urges each board member and
executive officer to understand this
coverage
44
Most Frequently Cited D&O Issues
12.7%10.9%
7.8%
0.0%
2.0%
4.0%
6.0%
8.0%
10.0%
12.0%
14.0%
Wrongful
Termination
Inadequate /
Inaccurate
Disclosure
Mergers and
Acquisitions
45
Georgia Banking School
Cyber Liability Insurance
• Coverage (may include):
• reimburse immediate clean up costs (forensics, notification,
setting up call centers, paying for credit monitoring)
• legal fees
• cost of hiring crisis management firm
• Estimated cost in 2013 of a data breach was $188
per compromised record (only upfront clean up costs)
• Maximum capacity in the insurance market estimated
at $300 million (Target had $100 million)
47
Georgia Banking School
Industry Developments Increased awareness of FI security/breach procedures following 2011
Citi breach
Oct 2011 SEC guidance/disclosure obligations relating to “cyber security” risks and incidents
Number of large FI’s purchasing first-time privacy insurance increased substantially in the last 12 months
Coverage Overview Privacy related liability/litigation from disclosure of client information
Regulatory action defense, fines and penalties, consumer redress fund
Loss mitigation expense (including notification/call center, credit monitoring, cost to reissue credit/debit cards, client identity restoration, discovery/data forensics, crisis management/PR firm)
No distinction as to cause of breach (e.g. laptop, hacked systems, malicious insider)
Coverage also includes breaches of bank’s data from outsourced suppliers
Morgan Stanley $200MM
Bank of America $120MM
PNC $100MM
Ally $100MM
SunTrust $75MM
Fifth Third $60MM
Goldman Sachs $60MM
US Bank $50MM
Keycorp $50MM
Bank of NY Mellon $30MM
Wells Fargo $25MM
Average FI Limit $80MM
FI Benchmark – Privacy Limits
Privacy / Cyber Security Liability
48
Georgia Banking School
Key Operational Risk Areas of Focus
Technology Risk
Supplier Risk
Regulatory/ Litigation
Risk
“Given the complexity of today’s banking markets and the sophistication of technology that underpins it, it is no surprise that the OCC deems operational risk to be high and increasing. Indeed, it is currently at the top of the list of safety and soundness issues for the institutions we supervise.”
- Thomas Curry, Comptroller of the Currency, Speech from May 16, 2012
49
Georgia Banking School
Complacency is an Enemy of Risk
Management
• “It’s never happened before.”
• “It can’t happen here.”
• “We can handle it.”
• “Ignore it and it will go away.”
50