Bank of America's new look at risk: An interview with Amy Brinkley
Pamela Martin
Risk. It's not for wimps. Nor is it for the foolhardy. At Bank of America Corporation, end-to-end management of risk is front and center in a new comprehensive plan whose bottom line is SVA--adding shareholder value.
Bank of America's enterprise-wide approach to risk management begins with risk partnerships between business risk managers and the bank's four major business lines, then employs a group of five functional risk executives, and then moves to Central Risk Analysis and Review. Increasingly sophisticated analytics and the introduction of Six Sigma provide a double shot of ensuring better risk predictions for the future.
Having served as chairman, Credit Policy, Amy Woods Brinkley soon will assume the role of chief risk officer for Bank of America. The 24-year veteran also serves on the bank's new Risk and Capital Committee, which oversees allocation of capital to business lines.
RMAJ: During Bank of America's November 28 Investor Day presentations, Bill Vandiver (Corporate Risk Management Executive, who is retiring) noted that risk is now "fully embedded front end to back end." He stressed a structure that provides "an independent view of risk," and spoke of "functional risk executives" who will ensure an enterprise-wide view of risk. What can you tell us about the changes that have come to risk management at Bank of America?
AWB: Some rather sweeping changes in Bank of America's approach to risk management are one piece in carrying out what our chairman, Ken Lewis, is trying to do in the company. The changes affect the way we approach management of risk, use of capital, and creating shareholder value.
Bank of America's primary focus on shareholder value added (SVA) has led to the concept of integrated business planning--we look holistically at strategic planning, financial planning, and risk management planning throughout the institution. In essence, then, we're anticipating risk in advance, rather than doing our strategic planning, then doing financial planning around that, and planning for risk only at the end.
We are in the business of managing risk to achieve the best rewards for our shareholders. To do that, we need world-class risk management capabilities. We use a governance approach that allocates capital based on our strategic objectives and our appetite for taking risk. We manage the variability of earnings from credit, market, and operational risk. The Risk and Capital Committee is chaired by Ken Lewis and includes Risk Management, our CFO, and the four top executives running our key business lines: Global Corporate and Investment Banking, Consumer/Commercial Banking, Consumer Products, and Asset Management.
No single risk should be viewed in isolation. Effective credit policy is not just about managing credit at the approval process and ongoing credit administration; it's strategies and planning around client selection, product selection, and structure selection. The end point, of course, is evaluating our outcomes and using what we learn to improve the process on the front end once again.
So integrated planning represents a cultural shift in several ways:
* Looking holistically at risk.
* Looking at end-to-end risk, rather than looking at the underwriting process in isolation; we consider how the business strategy, sales practices, or business development processes are affecting what is coming in to be underwritten.
* Using the evaluation process not only to improve the front end but to identify new business opportunities as well.
* Managing risk is clearly everyone's job--not just that of a single unit. Our view is that the lines of business are our first line of defense and they are also ultimately responsible for our risk/reward results. The core risk management organization is considered the second line of defense. And the test functions (audit, compliance, and so forth) are our third line of defense.
The bank has initiated a three-pronged approach to Risk Management by creating business risk partnerships, five new positions called functional risk executives, and a Central Risk Analysis and Review function.
1. Risk management partnerships. Our risk management partnerships align with each of the four business areas mentioned earlier. Senior banking executives, who are independent of the business areas, participate day to day with the business executives in assessing, planning for, measuring, and managing all risk--credit, market, and operational.
Each partnership is responsible for understanding risk end to end, that is, understanding risk that takes place from the beginning to the end of any business process. We assess each step of the business process and identify the risks inherent in that process.
These are true partnerships, and we are literally "putting our money where our mouth is" through our compensation packages. Across the company, managing the volatility of earnings is a component of virtually all management compensation. It's not about compensating people purely on revenues or components of a P&L; it's looking at the comprehensive P&L, including the effectiveness of managing risk, and incenting actions that create SVA and disincenting those that do not.
2. Functional risk executives. Another innovation in our risk management processes is the creation of five functional risk executives. This part of the organization is more content-intensive than people-intensive. Whereas our business partnerships look at all risks within a line of business, the risk executives see how an individual risk affects us across the entire organization. They then determine what actions we might need to take and also look to see if there are best practices that can be shared across the enterprise.
The risk executives cover consumer credit, large corporate credit (including the upper end of middle market), centralized business credit (the lower end of middle market and small business), market risk, and operational risk.
3. Central Risk and Review. The final area, Central Risk and Review, uses more high-powered analytics and review functions to look at portfolios across the organization. Central Risk and Review determines which risk mitigation techniques might be employed and also uses analytics to improve our forecasting techniques.
RMAJ: Can you give some examples of how this change has influenced the bank's decisions about which businesses it will exit or enter?
AWB: As I mentioned earlier, we have performed comprehensive risk assessment of all our lines of business. If a plan aligns with our risk appetite, we then ensure that we have the appropriate processes and measures in place to evaluate and manage the risk/return.
Subprime lending was not a business that met our long-term strategic objectives when it came to risk and return. First, it's more dependent on indirect sources and, therefore, more difficult to execute on a relationship strategy. Second, it's difficult to remain competitive in this business within a banking environment. So we elected to exit that business.
At the same time, we have elected to allocate more capital to business lines that do meet these objectives, such as further strengthening our staffing in asset management and furthering our distribution of insurance products. We also are increasing the distribution channels for different types of consumer real estate products. Our credit card business does one of the better jobs of looking at risk and return together versus looking at risk in a vacuum, and it makes strategic sense to expand segments of that line of business.
If you look at the managed loan book [see chart, next page], our business is about 50% commercial and 50% consumer. If you look at revenues, our mix is more 33% commercial and 66% consumer.
RMAJ: Has your enterprise-wide view uncovered any risk surprises?
AWB: Not surprises, really, but we have definitely gained a much better grip on how risks can be magnified across an organization. As an example, we undertake similar types of credit risk in multiple businesses. So it becomes important not only to take the line-of-business perspective on risk but the enterprise perspective as well. That enables us to do a better job of concentration management across many different dimensions--by industry, by product, by borrower, by geography, and so forth. Once we moved to an enterprise-wide view, the awareness and understanding of the level of risks across the organization were substantial.
Part of our risk assessment planning process has been to look at the amount of change going on throughout the company and the interdependencies among different parts of the company that must be addressed to successfully implement change. This approach is dramatically increasing our understanding of the importance of doing so. For example, we may count on revenue growth in a business but there is increased risk associated with that if people in several parts of the company are not trained and brought along in preparation for that growth. So we are not just looking at risk from a loss perspective but from a revenue perspective as well. Ours is a dynamic and evolving business, so understanding all the different types of changes going on is important to managing the volatility of earnings. We must ensure that revenues not only grow but also can be sustained.
RMAJ: What types of tools is Bank of America employing to help in its enterprise-wide approach to risk?
AWB: Our analytics are in various stages of development. Obviously, we're using more tools, both external and internal. KMV's Portfolio Manager™ is an example of an external tool; a more granular and statistically driven internal risk-rating system is an example of an internal tool. We also are developing new forecasting models and performing more portfolio stress-testing. We are using and/or looking at more capital markets solutions, from standard CLOs, to derivative products, to more complex insurance tools.
RMAJ: Bank of America allocates capital to each line of business. Tell us how this works?
AWB: Businesses essentially apply for capital when they present their strategic plans and supporting financial and risk plans. The Risk and Capital Committee then determines which businesses represent the best use of our capital to return value to our shareholders. In many financial institutions, including ours, capital had been more of a residual calculation. We use SVA as a primary metric. Ensuring that we appropriately allocate capital to specific activities is an ongoing process. John Walters (SVP, Risk Capital and Portfolio Analysis), who has worked on RMA's response to proposed changes in the Basel Accord, is very involved in creating the analytics to help us in the deliberation process.
The Committee meets monthly or as needed. Most recently, our efforts have been most focused on the new integrated planning process, which went very smoothly. Our focus will continue to be on SVA creation and how we're doing against our goals and looking at where we may need to make strategic adjustments. The group looks at any new strategic opportunities and innovations, such as a new product, a new strategic partnership, or a new outsourcing opportunity. And, of course, we are continuing to follow the Basel Reform process.
RMAJ: You talked a little about operational risk when you were talking about interdependencies throughout the organization. Operational risk is an increasingly important facet of risk management. Near the end of 2001, the bank named a new executive to Operational Risk. What changes are being contemplated or implemented specific to Operational Risk?
AWB: We begin the management of risk by listing the risks associated with managing the volatility of earnings. Operational Risk then encompasses all those things that don't fit within the definitions of credit and market risk. The objective is to bring more definition to those things that, in most instances, we already are doing every day, and determining which elements we must manage more actively.
As we've gone through our first pass of the integrated planning process, which includes a comprehensive risk assessment for each business, we have identified the major risks we are taking in every business. The risks that are not market or credit begin to fall into certain categories that we consider most relevant to our enterprise:
* People risk.
* Business process risk.
* Systems and technology risk.
* Legal and regulatory risk.
* Reputation risk.
* External events risk.
Now we are developing metrics for those different risks and having those measured as part of our business planning. Some of the risks lend themselves more readily to metrics that can be expressed in financial terms--for example, fraud losses. Others will evolve over time as we find the right correlations of these metrics to other financial metrics--for example, we can correlate associate attrition with revenues.
RMAJ: By the time this interview appears, it will have been about a year since the onset of the recession. What advice would you give banks large and small at this stage?
AWB: The biggest challenge currently is the uncertainty of the economic environment. There's no particular category of risk that concerns us more than another. The best course of action is vigilance and very proactive management of risk on all fronts. We're fortunate that the banking industry is in a solid position to handle these challenges. It's important to keep in touch with customers and clients to understand what is going on with them. And it's important to identify leading indicators of risk and get a handle on each risk as it arises. It all boils down to good people and good processes.
Martin is director of Regulatory Relations and Communications at RMA; Foster is editor of The RMA Journal.
Diverse Portfolio
Consumer: 50%
* Residential Real Estate Secured 31%
* Bankcard 7%
* Other Consumer 12%
Commercial: 50%
* Real Estate 7%
* Transportation 3%
* Business Services 2%
* Media 2%
* Equipment and General Manufacturing 2%
* Agribusiness 2%
* Health Care & Pharmaceuticals 2%
* Telecom 2%
* Autos 2%
* Other Commercial (nothing > 1.5%) 26%
RELATED ARTICLE: Discipline New Credit Risk Strategies
* From originate-to-hold to originate-to-distribute.
* Centralized underwriting and monitoring of commercial loans.
* Improved commercial risk-rating system.
* Portfolio analysis.
* Use of credit capital and SVA.
* Six Sigma tools.
Fast Facts (from 2000 Annual Report)
* Compensation aligned to SVA.
* No. 1 debit card issuer in the U.S. (nearly 16 million cards).
* Serves one out of every six small businesses (up to $10 million in annual revenues) within the 21-state franchise.
* Named "Best Supplier of Banking Services to Small Business" by Small Business Computing magazine.
* Lead arranger of $1.05 billion loan to finance construction of new airport in Hong Kong.
COPYRIGHT 2002 The Risk Management Association
COPYRIGHT 2005 Gale Group