Managing the retail portfolio through integrated risk Management

Two risk managers joined forces at RMA's 2002 Retail Risk Management Conference to present their takes on enterprise-wide risk management. This article, culled from their presentations, provides credit risk structure examples and discusses data issues and challenges facing today's risk manager.

Risk managers don't belong on the sidelines of the game--in fact, they should be star players. Banking has become much more complex, with risk managed at origination, in servicing, and in portfolio optimization activity. The direction of the Basel Committee's work in capital requirements reform has brought operational risk and market risk into the spotlight. As unexpected earnings volatility has weakened companies' credibility with shareholders and has been harshly punished in the market, there's no question about the need for active management of reputation risk and execution risk.

Leading banks have moved well beyond their former focus on credit policy and credit risk management. They understand the interaction between their various lines of business and further seek to understand the behavior of their customers and to optimize the mix of their businesses. They realize that their risk management structure is a clear reflection of their institution s corporate values and corporate strategy. They do not manage risk in functional silos, but for the enterprise.

Given the complexity of the business and the options available for managing risk, line-of-business executives must take ownership of and be held accountable for managing all types of risk in their businesses. That means that the line executive is not on offense while the risk manager is on defense; rather, they own and manage risk together as partners. Consistency of earnings can be better achieved by focusing on the proper balance of risks. Such focus requires integrated information and enterprise-level analysis. Risk leaders must have accountability to each other for managing risk across the enterprise.

Risk must become a core element of the planning process and the capital allocation process. Further, risk goals must be in everyone's performance plan and have a clear impact on compensation. In addition to the traditional risk roles that partner with businesses, certain functions should be elevated and centralized to ensure a more broad-based viewpoint. Functional leaders can be assigned to manage major risk categories across lines at the enterprise level.

Holistic, Strategic, Disciplined

How often have we set credit risk parameters that would have worked except for poor execution or a change in the market environment? Responsibility for the success of the enterprise cannot stop at the doorstep of the business (that is, just set the policies and monitor performance). Rather, the approach must be holistic. This entails skill sets that may be entirely different, and many "old dogs" just won't get the "new tricks." Risk managers must think about business execution, operational risks, and the interplay of origination and portfolio optimization. Different tracking and more intense focus on achieving results must be evident. Additionally, those goals and measurements must coordinate with those of the other businesses. It all comes down to developing strategies for creating predictable profitability.

Risk-taking must be strategic in nature--not an afterthought. For example, the risk forecast should not be added to the business plan as an appendix. Banks are in a risk business, and so risk is central to everything that is planned, from entering new markets, to adding new products, to expanding market share, to implementing new platforms, and to consolidating sites. Everyone must identify the risks and ensure they are recognized and mitigated. Volatility normally comes from a lack of planning and a lack of peripheral vision. Strategic objectives should reduce the volatility of risk, make partners of associates, and make the institution's businesses more profitable by improving the risk/return relationship.

It takes discipline to drive change in this more holistic environment. For many institutions, this requires a cultural change in how we think about risk. Processes need to be enhanced to get the expected results. Each business must set goals and metrics--grouped around customers, associates, and shareholders--that are tied directly to those of the enterprise. All goals are to be jointly derived, both between line and risk and also between businesses that interact. This integrates all goals, the enterprise objectives gain priority for resources, and the institution does not end up with competing goals. Metrics are key to this process, and progress needs to be measured regularly at the bank. In addition, managers' goals are to be reflected in performance plans set for functions under them, so it all ties together both vertically and horizontally.

Tracking Key Risks

Focus should be limited to a set of top risk issues confronting the businesses. These might be credit risks, but also might be the way customers are sourced, operational risks, or execution risks. It's important to build measurements around each risk and set goals and timelines for resolution. Resources can be prioritized around the top risks because of this focused consistency, and it feels good to build momentum on what have often been long-running and difficult issues to address.

Operational Risk

Operational risk is still not very well defined. In fact, it's basically defined as those risks that aren't credit or market. So it's "everything else." However, poor processes, human error, and systems that don't protect against defects or fraud result in all sorts of risk. Some may show up as credit losses. But risk managers have not typically measured these things over the years. We've accepted these risks as "spoilage" or "breakage," rather than an opportunity to strengthen our institutions. Measurement is necessary, because, as we've all learned, you can't manage what you don't measure.

Bad processes and systems not only drive losses, they also damage productivity, ruin customer experience, impede turnaround times, and frustrate associates.

So these deficiencies are very advantageous to fix. How often can you improve customer, associate, and shareholder experience with one correction? Plus, grappling with these processes helps an institution achieve such goals as Six Sigma.

Operational risk can show up in many ways. Here are some examples:

* Forgetting to close the existing home equity line when it is refinanced, resulting in two lines that are secured by the same property Frequently, the whole package of debts creates a real loanto-value problem.

* Forgetting to close a home equity line that has been paid off. This might happen with a payoff that comes into a branch office. The payoff letter gets separated from the check. The check might then be posted, but the line is not closed and blocked, resulting in a large, unsecured line.

* Mishandling criteria for credit insurance coverage--for example, mortgage insurance. Frequently, insurers rely on the bank to follow policies very closely or even add some rules of its own. In a large origination process, exceptions might be made either consciously or by mistake. Either way, the bank abrogates the insurance. If the insurance is the primary reason for feeling comfortable with the product, rejected claims are unpleasant surprises.

* Mishandling flood coverage verification and then force-placing coverage unnecessarily.

* Entering an incorrect legal description on the mortgage, especially on home equity products on which an attorney or title agent does not close the loan.

* Incorrect payment filing, missing signatures, or just bad processing that leads to an unperfected auto lien.

Bank credibility diminishes when the lender forgets to close paid-off lines, especially when the bank then sends solicitations to the customer to use the line. (Of course, for some borrowers, those actions rank right up there with Christmas and birthdays.) Credibility also suffers when a bank adds forceplaced flood insurance to a mortgage after the customer has already provided proof of coverage, or when the bank can't produce an auto title when the customer sells the car. Customers don't want to deal with these things.

Closing duplicate accounts, negotiating rejected claims, and redrawing mortgages all create unnecessary work for the bank. Rework means bad productivity, higher cost of origination, lower profits, and miserable associate experiences in handling angry customers and fixing other associates' errors. Plus, some of these mistakes create losses. Some customers give in to the temptation to use those undercollateralized or noncollateralized lines. Some homes or automobiles cannot be repossessed in a default. Some insurance claims must be abandoned.

Operational errors can account for a significant percentage of total losses for some products. These losses can be tracked with the help of collections partners. It's hard enough to forecast losses without having to somehow incorporate "self-inflicted" losses. Completing the loop and identifying the reason for each loss is important. It's like composting, because the risk manager is using today's waste product to accomplish something good in the future.

Equally important to the integration of the business unit and risk partners are effective risk management leadership, a successful risk management evolutionary development plan, and robust data.

The development of a credit culture and true credit risk operating structure within Washington Mutual (WaMu) has occurred at a rocket-propelled pace within the past three years. (See Figure 1.) Conceptually, the risk management structure is broken into core line and corporate components. Each business unit has a chief credit officer reporting directly to the business unit head as well as on a dotted-line basis to the corporate chief credit officer. WaMu has attempted to remove some of the traditional barriers to collaboration between the traditional corporate-versus-line responsibilities.

In effect, corporate credit risk works both in a service-providing mode to the business units and in an oversight mode. Members from corporate credit risk serve on each business unit s senior management staff on a dotted-line basis in an effort to assist in the execution of business strategies. In this way, corporate credit risk management can provide value-added services while having a detailed understanding of the risk and opportunities that the business unit faces. Through the enhancement of these relationships, corporate credit risk team members are no longer viewed as the "Credit Police."

Risk Management Leadership

Success in risk management can be measured in several ways. The implementation of a new scoring model or a new decisioning system may constitute success in some risk managers' eyes. Other risk managers will point to the delinquency and losses of the late 1990s as proof of their successes, although those results more likely were part success and part luck. However, the true measure of success might be in creating the changes necessary to instill a credit culture within the organization.

Most senior retail risk managers are very intelligent and usually have advanced technical or quantitative degrees. However, this high level of technical and statistical proficiency can often come across as arrogance to line partners. Practicing a working discipline of knowledge transfer balanced with humility is required in order to develop and nurture these relationships. Another technique that can be effective is to try avoiding the use of technical and statistical lingo in an effort to demonstrate capabilities and intelligence. Line partners will appreciate this, and to do otherwise usually results in poor communication and understanding.

Nonetheless, in my observation, the most critical cause for delayed success in a risk manager's career is a lack of strategic discipline, and the results are painfully obvious--missed project deadlines, delayed policy changes, and a general absence of substantive progress on critical activities. Two characteristics symbolize the challenge of having effective strategic discipline:

1. Creativity can often be blind to practical considerations of implementation. A good example of this is overengineering a decisioning system to get that extra 1% of benefit, but missing the initial implementation target by six months. Often, a phased implementation of a critical technology is the best course of action. Identify those features that are most critical to your organization and ensure that they are implemented in a timely fashion. It is tempting to try and create the system that will do it all, but resist that temptation, as a continuous improvement process can yield results more quickly.

2. Lack of focus can be the kiss of death. Each business manager should concentrate on no more than three to five key strategic initiatives. Over committing to multiple projects can challenge not only you, but your precious resources that are susceptible to being acquired by the competition if you do not manage them well.

3. Statistics is an exercise in prediction, with known error probabilities. Given this, why do we strive for 100% perfection in all of our projects? This is not to say that Six Sigma and quality are not important, but we must always consider the benefits of concentrating on three to five key activities that can generate 80% or more of the benefits that we expect to see in a year. What is the additional benefit of having an off-the-shelf system that provides 95% of the benefits in place six months or more before the "perfect" customized system, which ends up having some significant flaws of its own?

The Risk Management Competency Index

One way to strategically build team competency is to use transitional phases of competence that are important to you. An example would be the risk management competency index. In its purest form, this index is nothing more than a three-level scale of risk management competencies--basic, mature, and advanced.

1. For the basic level, think of using proprietary custom decisioning models in a dual-score matrix mode with a generic tool, such as FICO. At this level, we concentrate on probabilities of default, and we have basic competencies in scoring, forecasting, decisioning, portfolio analysis, and account-based decision strategies. Typically, the dimensions scale to the business unit level with only moderate business line partnership interactions.

2. The mature level introduces targeting and acquisition channel segmentation to the equation. Essentially, we begin the introduction of collaboration between risk, marketing, and the line of business.

3. At the advanced level, a requirement of Basel, we add customer, capital, regulatory compliance, and profitability dimensions. The advanced level moves beyond forecasting simple probabilities of default to forecasts of expected loss to derive economic capital requirements to drive a RAROC process.

No Easy Row to Hoe

The advanced level of risk management competency is difficult to obtain. Customer-level data are elusive, economic capital modeling is in its infancy, sophistication at some business-unit levels does not translate across the enterprise, silos get in the way, and resources are not always allocated in the best manner possible. Expectations for key business metrics drive our monthly forecast process at WaMu. These metrics include balances, active accounts, attrition, line utilization, delinquency, etc. We reforecast and recalibrate our strategies monthly, with risks and opportunities identified and managed by the lines of business and the corporation. We also perform financial sensitivities to determine return-on-equity and profitability impacts.

Data issues, resource constraints, and internal politics pose the greatest challenges in moving to the advanced level. One way to overcome these challenges is to invest in developing an internal culture focused on an integrated business planning framework (Figure 2). The concept itself is relatively straightforward. Essentially, key business metrics drive a forecasting process in which all stakeholders and service providers participate. The business unit objectives, measured by key metrics, are reached jointly Monthly visibility of these key metrics allows us to update our forecasts and shift strategy or course as needed. The end result is a series of forecasts that everyone owns. Moreover, the framework is dynamic, allowing for

rapid recalibration to capitalize on changing market conditions or opportunities.

Data Management

Data issues are perhaps the most challenging obstacle to overcome in reaching the advanced level. For data management, the current state of the financial services industry shows a lack of data standards, varying reporting keys, large numbers of disparate loan systems, operational challenges, and poor balance and control processes.

Financial services is one of the most merger-intensive industries in the U.S. Clearly, all of these mergers create data challenges from poor integration and the lack of industry standards for data or systems. Managers wishing to make an "impact" often revert to the systems that they know, without evaluating the capabilities of the systems that they are inheriting. Furthermore, a lack of operational controls and systems edits creates pockets of absent or invalid data. Meanwhile, we often see challenges in siloed, product-based divisions, each choosing and operating its own information system. The results, of course, are poor customer-based integration and data integrity issues.

Other challenges in data management include:

* The use of month-end (versus transactional) data and loan-level (versus customer) data.

* Disparate data sources.

* Lack of user-friendly tools.

* Inflexible OLAP (online analytical processing) systems.

* Flat-file data structures.

* Purging or lack of data capture (REQ [real-estate owned] expenses, charge-offs, and so forth).

Databases should be designed as they are used. Far too often, systems capture daily extracts of information when they should be building linked files with critical arrays for balance, credit limit, delinquency status, or risk rating.

Conclusion

As senior risk managers, we must advance as models of success for those following in our footsteps, and we must also create the capabilities to evolve our organizations to the levels that allow our respective corporate enterprises to compete in an ever-changing environment. This can only be accomplished through effective organizational structures, capable management, and accurate and robust data. Goals must be tied to corporate objectives and oriented toward the customer, associate, and shareholder. And there must be at least a quarterly review process to make course corrections in a timely manner.

[FIGURE 1 OMITTED]

[FIGURE 2 OMITTED]

Contact Lavoie at [email protected]; contact Hillis at [email protected]

[c] 2002 by RMA. Lavoie recently retired from Bank of America, where he was SVP and risk management executive for Consumer Real Estate, Consumer Banking Center, and Premier Banking. Hillis is SVP, Corporate Credit Risk Management, at Washington Mutual Bank, where he is responsible for technical and analytical oversight of all consumer, mortgage, and commercial product lines.

COPYRIGHT 2002 The Risk Management Association
COPYRIGHT 2005 Gale Group