Where's risk? EWRM knows!

A few years ago, everyone was searching for Waldo. Now everyone's looking for Risk. And Risk is a lot harder to find than Waldo ever was. Today's sleuth requires enterprise-wide risk management. In a two-part article complete in this issue, a consultant creates an EWRM framework. Then a practitioner s view-point is presented through a case study.

A Practical Approach in Establishing an Enterprise-Wide Risk Management Program

James Lam

The Chinese saying, "May you live in interesting times," (1) is an understatement for today's business world. Another saying, one that well serves the practice of risk management, is "Expect the unexpected."

Risk management is no longer strictly a credit administration or corporate insurance function. It is widely recognized, by bankers and regulators alike, as a core competency that deserves the highest level of management attention. An approach toward this core competency that is being adopted by both institutions and regulators is enterprise-wide risk management (EWRM).

EWRM is the integrated measurement and management of credit risk, market risk, and operational risk, involving all of the company's internal control and risk functions, such as credit, asset-and-liability management, audit, compliance, and insurance. EWRM focuses on enhancing shareholder value through better business strategies, relationship management, product pricing, capital management, and risk transfer.

Risks, by their nature, are highly interdependent. For example, the quality of a bank's loan documentation (operational risk) will likely be tested when there are loan defaults (credit risk). The bank will suffer greater loan losses if loan documentation is poor or collateral protection is not well established. Interdependent risks cannot be segregated and managed in isolation.

Oversight functions must work together to be effective. Most companies have control functions other than risk management, such as finance/treasury, audit, security and compliance. When each operates in a silo, a major risk can easily fall through the cracks. Just as the U.S. homeland security initiative is meant to integrate the information from, and coordinate the activities of, key U.S. intelligence agencies, an EWRM framework should do the same for a company's oversight functions.

Regulators are taking an EWRM approach. Basel II is prompting banking regulators worldwide to take an EWRM approach to both its minimum capital requirements (Pillar I) and examination processes (Pillar II). While the full implementation of Basel II is a few years away, companies must act now to integrate their risk functions and develop the necessary systems and data to meet the new standards and requirements. Leading companies that are early adopters of EWRM may even help shape the final implementation of the proposal. Lagging companies will be ill prepared and will likely face greater regulatory scrutiny and higher capital charges (or worse).

A practical five-step approach to EWRM includes the following:

1. Establish the business case.

2. Secure the best resources.

3. Develop a framework.

4. Use pilots and prototypes.

5. Stay the course.

Establish the Business Case

As a multiyear effort, EWRM requires dedicated resources, coordination between different internal control and risk management functions, and support from line managers. The business case for EWRM must be well established to obtain (and maintain) support from the board, senior management, and other key stakeholders. A business case should do the following:

Create a compelling vision. What does EWRM look like and why is it different and better? The business case should first establish a compelling vision of the target state of risk management. This vision is not just a "motherhood/apple pie" mission statement, but rather a clear articulation of how EWRM will be practiced--the reports, processes, systems, and management decisions and actions. To develop the target state of EWRM and identify existing gaps, the company should use benchmark information of best practices used by leading banks as well as best-in-class practices used by peer banks.

Sell the pain and the gain. As with any internal marketing effort, the business case should clearly lay out the expected benefits (the gain) of EWRM and the negative consequences (the pain) of inaction. Expected benefits include increased awareness of risk issues, better risk measurement and reporting, lower losses, more efficient capital allocation, and improved profitability and stock valuation. Negative consequences include events that may damage the bank's reputation or cause a significant financial loss. As mentioned, regulatory initiatives, including SR99-18 and Basel II, will mandate the integrated measurement and management of all bank risks. These benefits and consequences can be illustrated through the use of real-life case studies of such financial disasters as those at Barings and Allfirst, as well as best-practice examples.

Develop a plan. The plan should provide an overall road map of how the company will move from the current state to the target state, including specific milestones along the way. Individual roles and accountabilities (for example, steering committee, project manager) should be clearly defined to ensure follow-through on specific project initiatives. An overall risk budget should be established for the bank's risk program, with an allocation for the EWRM initiative. An ex-regulator argued that smaller banks should allocate a higher portion of funds for their risk budgets (for example, $2.5 million or 5 basis points of assets for a $5 billion bank, versus $20 million or 1 basis point of assets for a $20 billion bank). Another key component of the plan is a monitoring process, which includes tracking performance against established measures of success.

The business case provides the blueprint for EWRM. It can also be used to establish an "open kimono" policy by communicating what senior management plans to do and why. As with any corporate-wide initiative, there will be natural resistance from line units. A well-thought-out business case goes a long way in overcoming such resistance.

Get the Best Resources

Establishing an EWRM program is not a part-time job. Numerous EWRM initiatives with good intentions have failed because the company did not allocate the right level and/or mix of resources. For example, a bank may appoint a full-time or part-time project manager and organize a task force or committee to meet every week or month. Issues are discussed, but soon everyone gets frustrated because nothing ever gets done and the issues remain unresolved. The lesson from these failed initiatives is to get the best resources in the first place.

Allocating the appropriate resources to the EWRM initiative begins with an assessment of the bank's current capabilities, highlighting areas where the bank lacks experience and resources. Most banks are comfortable with their financial risk management (credit risk and market risk) skills, given their development over many years. However, they may want to incorporate more advanced financial risk techniques, such as a robust risk-rating system, economic capital, active portfolio management, and use of securitization and hedging strategies. Many banks lack data, experience, and resources in operational risk--the risk of loss due to failures in people, processes, and systems, or from external events--and EWRM, the integration of all risks and their interrelationships.

Based on an assessment of the bank's capabilities and gaps, management should get the best resources with respect to internal staff and, if necessary, new hires and external consultants. In the early stages of an EWRM project, there are three key reasons to "over-hire" or bring together a more senior and higher level of resources than is needed on an ongoing basis.

1. A senior team will more likely gain the organizational buy-in, establish the right vision and plan, and get the initial momentum for the EWRM program.

2. It normally takes more resources to build than to maintain the infrastructure (policies, systems, reports) that supports EWRM.

3. A senior level of management cooperation is required, especially at the beginning, to link risk management and business processes such as strategic planning, capital management, and product and portfolio management.

To ensure success for their EWRM programs, companies have appointed senior line and staff executives (for example, divisional presidents, CFOs) as their first chief risk officers (CROs). Other companies have retained former CROs and consulting teams to advise them on their EWRM strategies. While the use of external consultants can provide useful benchmarks, best practices, and pitfalls to avoid, there should clearly be an exit plan in which critical knowledge is transferred and the internal team is fully prepared to implement the overall EWRM program. In short, the consultants should work themselves out of a job within a predetermined timeframe. Management should always have full ownership of the EWRM program.

Develop an EWRM Framework

The process of measuring and managing enterprise-wide risks is too complex to do without a systematic framework. There are a variety of EWRM frameworks developed by industry groups, regulatory agencies, and consulting firms. Management should either adopt one of these frameworks or develop a customized approach based on the risk profile of the bank. Regardless, an EWRM framework should address seven key components of internal control and risk management. Each of these components must be developed and linked to work as an integrated whole.

1. Corporate governance to ensure that the board of directors and management have established the appropriate organizational processes and corporate controls to measure and manage risk across the company.

2. Line management to integrate risk management into the revenue-generating activities of the company, including business development, product and relationship management, pricing, and so on.

3. Portfolio management to aggregate risk exposures, incorporate diversification effects, and monitor risk concentrations against established risk limits.

4. Risk transfer to mitigate risk exposures that are deemed too high or are more cost /effective to transfer out to a third party than to hold in the company's risk portfolio.

5. Risk analytics to provide the risk measurement, analysis, and reporting tools to quantify the company's risk exposures as well as track external variables.

6. Data and technology resources to provide the data management and processing capabilities.

7. Stakeholder management to communicate and report the company's risk information to its key stakeholders, such as investors, rating agencies, and regulators. (2)

Use Pilots and Prototypes

While the development of an EWRM framework, policies and limits, and enterprise-wide risk reporting is naturally a top-down process, it is important to get early feedback from the business units so that their input and business requirements are incorporated in the initial stages. The use of pilots and prototypes can be very important in this regard.

Pilot programs at business units should be used to test the specific components of the EWRM program. These pilots include review and feedback on risk management policies and limits, application of proposed risk management processes and methodologies, and implementation of risk measurement and reporting requirements. Pilot units can provide useful and practical feedback on appropriate adjustments to the EWRM strategies, as well as how to best roll out the overall program to the rest of the organization. Moreover, early successes and measurable benefits can be used to demonstrate the value-added aspects of EWRM.

Prototype reports and system interfaces should be used to drive the development effort for EWRM data, systems, and reporting initiatives. Too many risk system initiatives fail because they are too ambitious. Banks try to get all of the necessary data in one place, such as a central data warehouse, build all of the system functionality and develop full reporting capabilities. Critics relate these initiatives to "boiling the ocean" because they are never completed. Instead, a bank should use rapid prototyping to test and refine the efforts to collect the necessary data, build the appropriate systems, and develop the integrated risk reports. Remember the 80/20 rule when developing risk systems and reports. (3)

Stay the Course

Any bank embarking on an EWRM program needs to stay the course. Expect obstacles and setbacks along the way, including:

* Lack of buy-in from the board, senior executives, or line managers.

* Ineffective and inconsistent risk measurement and reporting by different units.

* Redundancies and gaps across different risk and oversight functions.

* Insufficient human, systems, and data resources.

* Failure to clearly demonstrate "early wins" and sustainable benefits.

Strategies to overcome these obstacles are discussed in this article and the following case study.

Each bank must also tap into its own organizational levers to ensure overall success, such as performance measurement and incentive programs or winning the support of key board members and senior executives.

Numerous institutions have already reaped tangible benefits from EWRM, regardless of their size or business mix. EWRM is one way to ensure that "interesting times" remain more fully within our control. When we not only expect the unexpected but are prepared for it as well, we--and our shareholders--can sleep better at night.

(1.) An Internet investigation of this saying led to www.openface.ca/~dstephen/chprov.htm#107 and the following observation: Although the expression "May you Jive in interesting times" is often referred to as a "popular Chinese curse," do not recall having heard that, at least not in that form. There is a saying, "I'd rather be a dog in peaceful times, than live as a man (woman) in turbulent times." Interesting times may be a variant of turbulent times.

(2.) For a full discussion of these seven components, see "Enterprise-Wide Risk Management: Staying Ahead of the Convergence Curve," The Journal of Lending and Credit Risk Management, June 1999.

(3.) Vilfredo Pareto (1848-1923) was an Italian economist who, in 1906, observed that 20% of the Italian people owned 80% of their country's accumulated wealth. Over time, this analytic has come to be used in other ways, such as: 20% of an institution's products account for 80% sales or 80% of customer complaints arise from 20% of an institution's products or services.

RELATED ARTICLE: A Case Study in Establishing an Enterprise-Wide Risk Management Program

Michael J. Litwin

Things appeared to be good--very good. The key word is appeared. Heller Financial, Inc. had finished 1998 with write-offs and nonearning assets at the low ends of our forecasted ranges and with record profits for the year. The credit strategies we implemented in 1997 when I became Heller's Chief Credit Officer seemed to be working!

The near record credit-quality performance notwithstanding, there were charges that flowed through the write-off line that weren't directly related to credit defaults of our borrowers. For example:

* We marked-to-market our CMBS portfolio in the fourth quarter of 1998. The loss of value of those bonds flowed through our profit-and-loss statement as write-offs.

* We also took some write-offs that would not have occurred had we not committed some operational errors.

--We had failed to renew a UCC filing, which caused us to lose our secured status in a bankruptcy proceeding.

--We had failed to amend a UCC when a borrower moved, which caused us to lose our security interest in collateral in that location.

--Documentation that didn't adequately describe our security interests caused us to incur incremental legal fees in the bankruptcy proceedings.

--Miscalculated interest charges in connection with a payoff request were discovered subsequent to the loan payoff.

I was concerned. Just because the problems we discovered were small and inconsequential didn't mean that large problems couldn't surface in the future. I remember the exact moment of my "enterprise-wide epiphany" as the time when I concluded our problems were a result of our not having a comprehensive risk management program in place that identified, prioritized, and mitigated credit, market, and operational risks. I saw that we were spending too much time engaged in quality control (fixing the rejects) and virtually no time in preventive maintenance (making sure those rejects didn't occur in the first place).

The good news was that the write-offs were inconsequential. The bad news was that we rationalized each occurrence as a onetime event, and we spent a lot of time fixing the problems we discovered instead of addressing the cause of those problems. So those little, annoying problems continued to crop up everywhere.

That realization set the stage for a two-and-a-half-year initiative that changed Heller's culture, dramatically reduced the amount of operational errors occurring within the company, and improved Heller's risk and earnings profile.

Gaining Support for EWRM

I was concerned about how I would be able to garner the resources and management support to gain the competencies that would be required to change the way we viewed and managed risk within our company. Our credit costs were low. The economy was strong. We were earning record profits. And our people were, for the most part, managing the growth of our business as opposed to dealing with problems. I could hear reactions of "We're not broke, so don't try to fix us." I knew I had to make a strong case for support to implement an EWRM frame- work. Without that support, the effort surely would fail.

So my first challenge was to convince our chairman that this initiative would reduce credit costs, improve operational efficiency, and increase profitability. As a result, we also would enhance our standing with the regulators, rating agencies, equity analysts, and shareholders. I was gratified that he bought into EWRM hook, line, and sinker and pledged his enthusiastic support.

Next, I needed to gain the support of our business unit and staff managers. I would be asking them to change their practices and engage in a multiyear effort that would require financial and human resources. Able to establish a solid business case that supported my vision, I accomplished two things:

1. I proved there were opportunities for improvement everywhere. No one could claim they were exempt and would not benefit from these initiatives.

2. More importantly, I was able to present this effort as a value-creation exercise as opposed to a defensive initiative. I was able to prove that a successful EWRM effort would increase earnings, improve returns, and increase market capitalization. I reasoned that if we could reduce operational write-offs, we could take on more credit risk. The decreased write-offs and incremental growth would fuel more earnings. The confidence we gained from the regulators, rating agencies, and shareholders would surely result in improved credit ratings and higher PIE multiples. In turn, that would result in increased share prices and add value to everyone's stock options! That got everyone's attention.

The logic was compelling: We could accomplish all of this by establishing an EWRM approach. Once our people bought into it, the initiative gained momentum.

With senior management firmly on my side, the next step was to get buy-in from the rest of the company and begin to develop an EWRM framework.

Developing a Framework

We asked James Lam to help us develop EWRM at Heller. We asked him to review all of our risk management practices and rate them against best practices. He called this a "gap" analysis, which proved to be very helpful:

* It confirmed many areas where we felt we were already operating at best-practices level. This was important because we wanted our people to know that, for the most part, we were in good shape.

* While identifying the areas where we were not at best-practices level, we were also able to spell out what needed to be done to get us there.

One of the key accomplishments of the project was the implementation of an operational risk management framework. We discovered that nearly a third of our credit losses were in fact operational risk losses. Based on this insight, we designed operational risk measurement and reporting processes and developed new risk-mitigation strategies. Moreover, we appointed a head of operational risk management: a senior executive who had the confidence and respect of all of our senior management and reported directly to our Audit Committee.

Having a road map enabled us to achieve consensus on what we needed to do and create strategies on how to accomplish those objectives. We called it our "EWRM Cookbook." We identified 65 initiatives that spanned credit, market, and operational risk. We prioritized all initiatives, assigned responsibilities, set realistic timelines, and created strategies to ultimately achieve best practice in each of those areas.

As we began to address these areas, we started to feel the culture changing. We were evolving from an environment that was transaction oriented to one that was focusing on process improvement and quality. Our goal initially was to take little steps, pick the low-hanging fruit, and get some early successes. There's nothing like success to maintain momentum in a long-term initiative. We decided that only after the project attained some positive momentum would we tackle some of the more complex areas.

Piloting

A project like this had the potential to overwhelm the organization if we tried to accomplish too much too fast or stretch our people too thin. We had identified several areas that would require significant time and resources to get us to best practices. Some required systems investment, some needed statistical evaluation, and others required training.

We created pilot projects for each area to use our resources most efficiently, learn as we progressed, and develop best practices to be used on future projects. Also, our efforts could be better focused, and our successes along the way could be communicated.

Feedback

Whenever possible, we tried to quantify the improvements. We found that half of our gains were in decreased write-offs and half were in reduced expenses. Reduced expenses were in some instances the result of improved productivity; in others, they were the result of increased efficiencies, because fewer resources were devoted to addressing operational problems. This is what ultimately gave die EWRM initiative credibility. We were able to prove our progress and see tangible results.

EWRM Generates Excitement

In my 30-year career at Heller, the last three were the most exciting and rewarding as we conceptualized and implemented an EWRM framework. I became Heller Financial's EWRM evangelist. I articulated our vision and communicated our progress to our employees, management, board, and external stakeholders. I celebrated our successes. I was the one who made certain we remained committed to this effort. I was the one who pointed out the improvement in our earnings and credit quality as a result of those efforts.

Our values started to change. Our vocabulary changed. Our operational risk management initiatives were beginning to be recognized as leading practices among our peer-group competitors. In addition, it was very exciting to confirm that our earnings, returns, and market capitalization were, in fact, being positively impacted by our EWRM efforts. My excitement was shared throughout the organization.

Many institutions will need to adopt an EWRM framework for compliance purposes; others will choose to do so more for competitive purposes. The end result is the same: a smarter, safer, better operating organization positioned to excel. It was the right decision at the right time for Heller. My hope is that this article can be helpful for other institutions now considering the move to an EWRM framework.

Contact Litwin by e-mail at mlitwin@exchange.ml.com

Lam may be reached by e-mail at jameslam@attbi.com

[c] 2002 by RMA. Lam is president of James Lam & Associates, an independent risk advisory firm based in Wellesley, Massachusetts. Litwin is managing director and chief credit and risk officer of Merrill Lynch Capital, a division of Merrill Lynch Business Financial Services, Inc. Litwin retained Lam's services on an enterprise-wide risk management project, with a focus on operational risk management, when Litwin held a similar position at Heller Financial.

COPYRIGHT 2002 The Risk Management Association
COPYRIGHT 2005 Gale Group