Assessing risk in the post-financial crisis era
If anyone doubts that the American culture has undergone a fundamental shift where information and fact-based decisions have become king and queen, they should watch the film “Moneyball.” The movie charts the evolution of baseball in the digital age while General Manager Billy Beane transforms the Oakland Athletics into a powerhouse team despite modest resources and the lack of big name players. His weapon of choice was a mastery of specialized baseball statistics — called Sabermetrics — instead of gut instinct that has traditionally fueled most of major league baseball decision making.
A similar evolution has taken place in the discipline of risk management for financial institutions, where subjective feelings typically place business risks into traditional categories of low, medium and high risk. Sophisticated computer programs have made the use of analytics to make fact-based decisions accessible and possible. And the risk management function is more likely to be integrated into the financial management of the organization.
The Great Recession, of course, forced a change in the way financial institutions view risk management since risk exposures in lending, for instance, were missed or simply ignored pre-2008 and led to much of the economic misery that followed and continues today.
Increased scrutiny by regulators
Increased scrutiny by regulators has become a reality of doing business for credit unions after the causes of the Great Recession began to emerge and sink in. The May 2010 NCUA’s Letter to Credit Unions 10-CU-03 on concentration risk served as a warning shot that outlined how regulators will evaluate this type of risk as well as direction on how a credit union should manage and mitigate risk for their organization.
The letter was also a clear signal that regulators are expecting credit unions to enter a new era that will be ruled by predictive analytics. Found on page four of the letter was a section on “Maintaining Comprehensive and Accurate Data.”
Each credit union should have a data processing system, the letter says, that is “capable of warehousing data on various lines of business commensurate with its size and complexity to properly identify and measure concentration risk.” And if the credit union doesn’t have the data processing capability, it should contract with a third party to provide data warehousing and reporting, according to NCUA.
“Analytics can help you make fact-based decisions,” says Mona Leung, CFO of Alliant Credit Union, Chicago, Ill. Leung has been with the $8-billion credit union for five years. Before this time, she served in positions with Fortune 500 companies. Interestingly, for-profit companies tend to be more transparent than non-profits due to the need to justify actions with numbers, she says.
Having as much real-time data as credit unions can get will help them
divert trouble before it hits.
– Tara Skinner, Principal solutions Architect, SAS
“The difference between for-profits and credit unions regarding analytics is that with the former, performance is transparent and tied to financial metrics,” she says. “Scrutiny is significant because the financial services industry is very competitive and pressure is constant to earn profits.”
If you react to regulations for risk management you will be remiss, according to Leung. “Regulations tend to be ex-post, after the effect, and not forward looking. So, if you aim to just meet the regulatory requirements, then your risk management efforts are already behind.”
ERM as holistic approach
Credit unions have traditionally suffered from the perception that they react instead of being in front of events. They tended to manage their organization in silos, treating different business lines, parts of the portfolio and product offerings as separate entities. Enterprise Risk Management (ERM) takes a holistic approach. Each business line of the organization is viewed as part of a whole. Credit unions can track how they interact with each other as they measure and evaluate risk.
ERM views risk for all of the business units and how it affects the organization as a whole with a uniform metric to measure and evaluate. A classic example of how this works is a financial institution that has a bundle of mortgage-backed securities and also has traditional mortgages on the books, says Aaron Steinberg, executive editor of The Safety & Soundness Report and The Bank Safety & Soundness Advisor.
“These business lines may not look damaging individually, but together there may be some cause for concern with concentration risk,” says Steinberg. “ERM obligates you to regard both investments together.”
ERM’s goal is “getting smarter about risk and what types of risk are inherent in your organization,” says Steinberg. “For financial institutions, it helps you make sure that you are being effective in your risk management.”
Credit unions should analyze the rich data they already have.
– DAVID Wallace, GLOBAL FINANCIAL SERVICES MARKETING MANAGER, SAS
Credit unions are reacting to the new fact-based environment in underlying risk management in two major ways, says Steinberg. They are seeing the value of risk management, how it drives strategy and makes the organization more professional as well as more profitable. And credit unions are being asked by regulators to use analytics and ERM-like methods.
Credit unions need to measure their concentrations and the risks within those concentrations, then use those measurements to make strategic decisions about their portfolios on a regular, perhaps even a daily basis, says Tara Skinner, principal solutions architect for SAS. Economic indicators lag the strategy process, so having as much real-time data as credit unions can get will help them divert trouble before it hits, she says.
One of the results of the risk management evolution is that credit unions are realizing that they need to do a better job in making lending decisions, says a colleague of Skinner’s, David Wallace, global financial services marketing manager for SAS.
“Credit unions have often made lending decisions using third party credit scores, which aren’t an accurate predictor of loan default,” he says. “Credit unions should analyze the rich data they already have, and then they can come up with a more accurate set of predictors for loans that will have problems.”
The third party credit scoring models will build a model for credit unions that only reflect external information and rarely use internal data,” says Wallace.
There are other criteria to consider when evaluating applicants for credit: liens, judgments, average share balance, change in service fees and migration up or down FICO scores. Credit unions may want to lend to members with FICO scores of 740 or more. But there may be opportunities with those less than a 700 FICO score.
“The real range of opportunity may be with those having scores of in the 640 to 700 range,” says Steve Miller, director of operations/senior analyst, Twenty Twenty Analytics, Coral Gables, Florida. “You need to determine what the average FICO score is for your area. Some credit unions are letting opportunities go by, not drilling down into the data.”
Forging a positive relationship with regulators
Many credit unions consider a visit from the regulator as akin to a root canal; something to be feared and fretted about for months before and after the exam. It doesn’t have to be that way, according to Skinner, who suggests the following four strategies to ensure a positive relationship with regulators during the exam process.
- First and most important is to view your regulator as a partner, not an adversary. They are in business because you are in business. They want to see you succeed. As such, they oftentimes view themselves as consultants and advisors. Take advantage of that. They can sometimes see things you fail to see.
- Second, avoid being a passive participant in the examination process; be assertive. Review, discuss, and negotiate findings. Avoid assuming that just because a regulator said it, it has to be true. In the converse of the first strategy, you see things they can’t. If something doesn’t look right, challenge it. If you’ve developed a good relationship with them, push back is not only OK, it’s appreciated.
- Third, know your business. Typically, regulators will assume the worst if they find something odd during an examination. Track the things you need to know about your credit union at all times and ensure there are no surprises. Regulators tend to give you the benefit of the doubt, rather than jump to conclusions if they are comfortable with your knowledge and decision-making capabilities.
- Fourth, be comfortable with your team. Always know who the “go-to” people are for any of the items regulators track. If you can find information readily, and if you have competent people with strong skills to convey that information in their face-to-face time with the regulators, you’ll find that examinations don’t have to be painful.
Analytics can help you make fact-based decisions.
– Mona Leung, CFO, Alliant Credit Union
Changing the culture to fact-based decisions
Changing an organization’s culture can be likened to the trials of Sisyphus in Greek mythology who was condemned for eternity to push a boulder up a mountain, only to see it roll down again and again. It may seem to be an impossible task, so it helps to understand how attitudes toward data can affect behavior.
There are two types of people in organizations, according to Mona Leung. Those that are data prone and have a relationship with numbers and those that are experienced based and form their own opinions without numbers. The first type will embrace analytics while the latter will need a collaborative approach.
“Most people will do what’s best for the organization,” says Leung. “You introduce analytics one step at a time. You go slowly; it’s like changing the course of a big ship.”
A bottoms-up approach is needed, she says. “Just because the CEO says X, doesn’t mean people will do X.” To gain acceptance of analytics, there are three levels to consider, according to Leung.
Level One: How effective is the current data infrastructure that is in place? Work with your IT lead to align where you want to be from a data infrastructure perspective, and specifically how your data warehouse structure can fit into their IT strategy.
Level Two: Assess the effectiveness
of your current performance and risk review processes. Understand what worked and didn’t, and enhance the processes to drive transparency.
Level Three: Train your team, and prepare your talent pool to help you execute your vision. This is a long term change and not a six-month project.
Risk management committees
Another change in the wind is the establishment of risk management or enterprise risk management committees to review and evaluate emerging exposures. Texas Dow Employees Credit Union, Lake Jackson, Texas, has an ERM committee that is composed of five directors and seven management staff.
The $1.6 billion credit union’s ERM committee typically meets quarterly and advises management and makes decisions.
“The committee’s goal is to create risk awareness throughout the organization,” says Michael Hubbell, risk manager. “We review credit, interest rate and concentration risk. We have expanded the scope of the committee to include liquidity, compliance and operations risk. The committee helps us to view risk as a whole.”
The credit union also has a regulatory watch committee that allows the organization to be more proactive concerning new regulations. “We are able to discuss what is coming down in terms of regulations,” says Hubbell. “We also respond to regulations that are being written and we make sure the credit union is in compliance with existing regulations.”
As one of their duties, risk management and ERM committees will evaluate technology purchases for risk management purposes. To obtain the best value for limited resources, David Wallace suggests that technology should ensure that the:
- Data is of high quality and is current.
- Data system is flexible, as one credit union’s needs are different from another’s.
- Users know that data is accessible, usable and reliable.
- Delivery of data is easily accessible by multiple levels of the organization and provides information that each level needs; boards and some management may just need summaries while others may need to drill down and need more detail.
- Implementation of the risk management application is flexible to accommodate specific needs of credit union.
- Method of how you pull the data is pre-defined.
Improved risk assessments
Given the evolving regulatory and economic environment, it would not be far-fetched to consider new and improved risk assessment practices. Regulators are requiring that credit unions, regardless of size, have an effective risk management framework for identifying, assessing, monitoring and mitigating risks as part of their approach to risk management, says Tara Skinner.
“Regulators are also evaluating the credit union’s risk management policies, procedures, and practices ensuring that there are appropriate mechanisms in place which allow them to keep apprised of any new risk management developments at the credit union,” she says.
A risk management policy should define and state the credit union’s philosophy concerning risk, says Brad Stewart, enterprise risk manager, IBM Southeast EFCU, Boca Raton, Fla., $855 million assets.
“The responsible parties need to be outlined,” he says. “Concerning concentration risk, you would also need to outline what your limits are for concentration, credit and interest rate risk. The limits and guidelines are in place for management use as well as to make the specific risks more transparent to the board and NCUA.”
One aspect of IBM Southeast EFCU’s risk management practice is to do a loan portfolio review by a third party. “They review all loans, look at the FICO score migration of the borrower, collateral values and other areas to help define where your credit risk resides,” says Stewart. “With more than 30,000 loans, it would be difficult to do this manually. The third party also assigned risk values to loans and allowed us to target high-risk loans to actively manage our risk.”
Projecting the future with analytics
The Fed plans to keep interest rates low for the next two years. After that time, when the yield curve changes credit union balance sheets and income statements will need to be reset.
Alliant Credit Union is an organization that will be well prepared for these changes because of its use of predictive analytics. They use systems that produce six economic scenarios: each scenario has 200 econometrics. The credit union models its balance sheet and income statement for three to five years out into the future, according to Mona Leung. After completing projections and modeling, they determine what reserves are needed.
You need to outline what your limits are for concentration,
credit and interest rate risk.
– Brad Stewart, Enterprise Risk Manager, IBM Southeast EFCU
With these exercises firmly in place Alliant writes a plan based on its business model, which is recast and reforecast each quarter. The credit union will be ready for the environment that it faces for the next three years and will be more adept and able to manage and mitigate those risks that are presented.
By using analytics to make fact-based decisions, more credit unions are heeding Alliant Credit Union’s example by taking a proactive approach to assessing, evaluating and mitigating risks, which helps their organization to be both more professional and more profitable. And by assuming a holistic approach to risk management, a visit from the regulator is no longer something to be dreaded but welcomed with open arms.
Jim Jerving is a freelance business writer who has written extensively about credit unions and banking.