TraceRisk

Risk Rating Impact

Example: Impact Rating System

Rating 1 – Fully Controlled: Factors such as cost, time, delivery, quality and security are virtually not affected. Little or no exposure to dollar losses, compliance issues, customer complaints, capital decay, insufficient liquidity or reputational damage. Value-at-Risk (VaR) is slight and well within the bank’s stated risk appetite. Risk events will not negatively affect the bank’s financial, operational, compliance or reporting objectives. The annual rate of loss expectancy is very low.

Rating 2 – Largely Controlled: Losses concerning cost, time, delivery, quality and security are inconsequential and can be absorbed when adverse events or conditions occur (think: “the cost of doing business”) and routine remediation is appropriate. There is very modest exposure to dollar losses, compliance issues, isolated customer defection and reputational damage. Value-at-Risk is acceptable and remains within the bank’s stated risk appetite. Risk events could have a negligible effect on the bank’s financial, operational, compliance or reporting objectives, as applicable. Loss expectancy remains well within acceptable limits.

Rating 3 – Adequately Controlled: Losses concerning cost, time, delivery, quality and security can be managed when adverse events or conditions occur but preventative and corrective remediation is required. There is measurable exposure to one or more of dollar losses, compliance issues, capital decay, insufficient liquidity, possible customer defection and reputational damage. Value-at-Risk remains acceptable but is at the limit of risk appetite and the bank will likely be criticized by regulatory supervisors. Risk events could have a negative effect on the bank’s financial, operational, compliance or reporting objectives, as applicable. Loss expectancy is at the bank’s tolerable limit.

Rating 4 – Inadequately Controlled: Losses concerning cost, time, delivery, quality and security are almost a certainty when adverse events or conditions occur and prompt preventative and corrective remediation is warranted. There is meaningful exposure to one or more of dollar losses, regulatory criticism and lawsuits stemming from non-compliance with laws and regulations, and an increasing likelihood of capital decay, insufficient liquidity, customer defection and reputational damage. Value-at-Risk exceeds the bank’s stated risk appetite and risk tolerance levels are stressed. The bank will be criticized by regulatory supervisors and shareholders. Risk events will have a negative effect on the bank’s financial, operational, compliance or reporting objectives, as applicable. Loss expectancy exceeds the bank’s tolerable limit.

Rating 5 – Uncontrolled: Losses concerning cost, time, delivery, quality and security are profound when adverse events or conditions occur and immediate preventative and corrective remediation is warranted. There is significant exposure to dollar losses, regulatory censure and civil money penalties stemming from non-compliance with laws and regulations. There is a strong likelihood of one or more of customer defection, capital decay, insufficient liquidity and reputational damage. Value-at-Risk critically exceeds risk tolerance levels and could prove fatal. Risk events will have a severe and unpredictable negative effect on the bank’s financial, operational, compliance or reporting objectives, as applicable. Loss expectancy far exceeds the bank’s tolerable limit.


Risk Rating Probability

Example: Probability Rating System

Rating 1 – Optimal: Threats and vulnerabilities have been identified and control processes are aligned with strategic plans, cost-benefit analyses and corporate governance objectives. Fully leveraged technologies, personnel and processes minimize the probability of an adverse event or condition and operational, compliance, financial and reporting objectives are always met. The likelihood of an unforeseen adverse event or condition is slight. Historical performance has been strong with the annual rate of problematic occurrences being very low.

Rating 2 – Managed: Threats and vulnerabilities are measured quantitatively and technologies, personnel and processes are routinely effective causing operational, compliance, financial and reporting objectives to be typically achieved. Current risk management and internal control practices anticipate and address potentially problematic conditions. The likelihood of an unforeseen adverse event or condition is relatively low and when such occurs, it is manageable. Historical performance has been very good with the annual rate of problematic occurrences being sufficiently below the bank’s acceptable limit.

Rating 3 – Defined: Most threats and vulnerabilities are identified and remedied but adverse events or conditions can arise suddenly and with unpredictable consequences. Technologies, personnel and processes are sometimes ineffective and operational, compliance, financial and reporting objectives are not always met. There is an increasing likelihood that an unforeseen adverse event or condition will happen due to occasional lapses in applying sound risk management techniques or internal controls and, if such occurs, the situation must be carefully managed. Historical performance has been good but there is room for improvement and the annual rate of problematic occurrences has reached the bank’s acceptable limit.

Rating 4 – Intuitive: Threats and vulnerabilities are not always identified and/or remedied and adverse events or conditions are largely unpredictable. Technologies, personnel and processes are often ineffective and operational, compliance, financial and reporting objectives are infrequently met. Adverse events or conditions will very likely occur because controls are largely people-reliant and risk management techniques are often weak or absent. Historical performance indicates that the annual rate of unforeseen problematic incidents exceeds the bank’s acceptable limit.

Rating 5 – Hazardous: Threats and vulnerabilities are not identified or even recognized and problematic situations and loss exposure will almost surely result. Technologies, personnel and processes are ineffective and operational, compliance, financial and reporting objectives are almost never met. Adverse events or conditions will very likely occur because controls are largely people-reliant and risk management techniques are weak or absent. The historical annual rate of unforeseen problematic incidents well exceeds the bank’s acceptable limit and it reflects poor corporate governance by the Board and management.


Audit Scope and Frequency

Typically, the audit schedule is cyclical. In reviewing the annual plan, the auditor should determine the appropriateness of the institution’s audit cycle. Audit planning and scheduling is also based upon the outcomes of risk assessments performed at least once annually on the listed Subjects. Generally, when residual risk is equal to or exceeds the institution’s stated risk appetite for a given Subject, best practices suggest that the Subject be audited no less than once annually and more often as deemed necessary. Subjects rated Low Risk should be audited at least once every 18 months; Subjects rated Moderate Risk should be audited at least once annually; and Subjects rated High Risk should be audited once every 6 months until the residual risk rating is less than 5 for at least six months. As a general rule, any Subject assigned a Risk Appetite of Moderate or High should be audited at least once annually regardless of its residual risk rating. The scope, timing and frequency of audits may also be influenced by the existence of a regulatory order, i.e., an MRA, MOU or Consent Order.
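The cadence rules above can be encoded so that a GRC tool applies them the same way to every Subject. The Python below is an added example, not TraceRisk code; it assumes a Subject record carrying a risk band, a risk appetite band and a dated assessment history, treats a residual rating of 5 or above as keeping a Subject on the six-month cadence, and leaves out the "residual at or above appetite" clause because the page gives no common scale for comparing the two.

```python
import calendar
from dataclasses import dataclass
from datetime import date, timedelta

# Base cadence from the page: Low every 18 months, Moderate 12, High 6.
BASE_INTERVAL_MONTHS = {"Low": 18, "Moderate": 12, "High": 6}
HIGH_EXIT_RESIDUAL = 5                   # "until the residual risk rating is less than 5"
HIGH_EXIT_WINDOW = timedelta(days=182)   # "for at least six months" (assumed ~182 days)

@dataclass(frozen=True)
class Assessment:
    assessed_on: date
    risk_band: str        # "Low" | "Moderate" | "High"
    residual_rating: int  # numeric residual rating; its scale is assumed, not on the page

@dataclass
class Subject:
    name: str
    risk_appetite: str              # "Low" | "Moderate" | "High"
    assessments: list               # Assessment objects, oldest first
    last_audit: date
    regulatory_order: bool = False  # MRA, MOU or Consent Order in force

def on_high_cadence(subject, as_of):
    """Six-month cadence applies while the Subject is rated High, and until its
    residual rating has then stayed below 5 for six months (assumed reading)."""
    was_high, below_since = False, None
    for a in subject.assessments:
        if a.risk_band == "High" or a.residual_rating >= HIGH_EXIT_RESIDUAL:
            was_high, below_since = True, None      # (re)enter High cadence
        elif was_high and below_since is None:
            below_since = a.assessed_on             # first assessment back below 5
    if not was_high:
        return False
    if below_since is None:
        return True                                 # latest assessment is still High
    return as_of - below_since < HIGH_EXIT_WINDOW

def audit_interval_months(subject, as_of):
    """Months between audits, plus the rules that produced the figure."""
    band = subject.assessments[-1].risk_band
    months = BASE_INTERVAL_MONTHS[band]
    reasons = [f"rated {band}: every {months} months"]
    if months > 6 and on_high_cadence(subject, as_of):
        months = 6
        reasons.append("residual not below 5 for six months: stays on 6-month cadence")
    if months > 12 and subject.risk_appetite in ("Moderate", "High"):
        months = 12
        reasons.append(f"risk appetite {subject.risk_appetite}: audit at least annually")
    if subject.regulatory_order:
        reasons.append("regulatory order in force: confirm scope and timing with supervisors")
    return months, reasons

def add_months(d, months):
    m = d.month - 1 + months
    y, m = d.year + m // 12, m % 12 + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))

def next_audit_due(subject, as_of):
    return add_months(subject.last_audit, audit_interval_months(subject, as_of)[0])

# Constructed sample Subjects (not from the page).
WIRE_TRANSFERS = Subject("Wire Transfers", "Low", [
    Assessment(date(2023, 12, 1), "High", 6),
    Assessment(date(2024, 3, 1), "Moderate", 4)], last_audit=date(2024, 1, 15))
RECORDS_RETENTION = Subject("Records Retention", "Moderate", [
    Assessment(date(2024, 3, 1), "Low", 2)], last_audit=date(2024, 1, 15))

if __name__ == "__main__":
    print(audit_interval_months(WIRE_TRANSFERS, date(2024, 6, 30)), next_audit_due(WIRE_TRANSFERS, date(2024, 6, 30)))
```

Wire Transfers stays on the 6-month cadence at mid-2024 even though its latest assessment is Moderate, because it has only been below 5 since March; by the end of September it steps down to annual.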


Risk Narratives

Risk Narratives are expected by regulators and examiners. They are the “show me” vs. “tell me” aspect of how your FI came to reach its understanding of risk in a particular area. It is critical to ensure that this narrative is socialized from the Board to baseline staff. In essence: how did we reach this conclusion, and can our entire staff tell the same story of risk about it?


Items to consider in a risk narrative:

  • Inherent Risk:
  • Residual Risk:
  • How we mitigate risk (brief description of controls):
  • Exceptions noted in last audit/exam (indicate date):
  • Gaps (differences between where we are and where we should be):
  • Corrective action taken:
  • Other factors regarding mitigation/controls:
      • Training:
      • Supervision:
      • Procedures:
      • Staffing:
      • Technology:

Risk Management System

Risk Management Systems[1] should accomplish the following:


  • Identify Risk – To properly identify risks, the Board and management must recognize and understand existing risks or risks that may arise from new business initiatives. Risk identification should be a continuing process, and risks should be understood at the transaction (or individual) level and the portfolio (or aggregate) level.
  • Measure Risk – Accurate and timely measurement of risk is essential to an effective risk management system. The bank should periodically test its measurement tools to make sure they are accurate. Sound risk measurement tools assess the risks at the transaction and portfolio levels.
  • Monitor Risk – Banks should monitor risk levels to ensure timely review of risk positions and exceptions. Monitoring reports should be timely, accurate and informative and should be distributed to appropriate individuals to ensure action, when needed.
  • Control Risk – Banks should establish and communicate risk limits through policies, standards, and procedures that define responsibility and authority. These limits should serve as a means to control exposures to the various risks associated with the bank’s activities. The limits should be tools that management can adjust when conditions or risk tolerances change. Banks should also have a process to authorize and document exceptions or changes to risk limits when warranted. To control risk, the bank should employ the following:
      • Policies are statements of actions adopted by a bank to pursue certain objectives. Policies often set standards (on risk tolerances, for example) and should be consistent with the bank’s underlying mission, values and principles. A policy review should always be triggered when the bank’s objectives or standards change.
      • Processes are the procedures, programs and practices that impose order on a bank’s pursuit of its objectives. Processes define how daily activities are carried out. Effective processes are consistent with the underlying policies and are governed by appropriate checks and balances (such as internal controls).
      • Personnel are the bank staff and managers who execute or oversee processes. Personnel should be qualified and competent and should perform appropriately. They should understand the bank’s mission, values, principles, policies and processes. Banks should design compensation programs to attract, develop and retain qualified personnel. In addition, compensation programs should be structured in a manner that encourages strong risk management practices.
      • Control Systems are the functions (such as internal and external audits, risk review and quality assurance) and information systems that bank managers use to measure performance, make decisions about risk and assess the effectiveness of processes. Control functions should have clear reporting lines, adequate resources and appropriate authority. Management information systems should provide timely, accurate and relevant feedback.

[1] Ref: OCC Community Bank Supervision


Silos of Risk

Compliance (Legal) Risk. Compliance risk is the current and prospective risk to earnings or capital arising from violations of, or nonconformance with, laws, rules, regulations, prescribed practices, internal policies and procedures or ethical standards. Compliance risk also arises in situations where the laws or rules governing certain bank products or activities of the bank’s clients may be ambiguous or untested. This risk exposes the institution to fines, civil money penalties, payment of damages and the voiding of contracts. Compliance risk can lead to diminished reputation, reduced franchise value, limited business opportunities, reduced expansion potential and lack of contract enforceability.

Credit Risk. Credit risk is the current and prospective risk to earnings or capital arising from an obligor’s failure to meet the terms of any contract with the bank or otherwise perform as agreed. Credit risk is found in all activities where success depends on counterparty, issuer or borrower performance. It arises any time bank funds are extended, committed, invested or otherwise exposed through actual or implied contractual agreements, whether reflected on or off the balance sheet.

Foreign Exchange Risk. Foreign exchange risk is the current and prospective risk to capital or earnings arising from the conversion of a bank’s financial statements from one currency to another. It refers to the variability in accounting values for a bank’s equity accounts that results from variations in exchange rates which are used in translating carrying values and income streams in foreign currencies to U.S. dollars.

Liquidity Risk. Liquidity risk is the current and prospective risk to earnings or capital arising from a bank’s inability to meet its obligations when they come due without incurring unacceptable losses. Liquidity risk includes the inability to manage unplanned decreases or changes in funding sources. Liquidity risk also arises from the failure to recognize or address changes in market conditions that affect the ability to liquidate assets quickly and with minimal loss in value.

Market (Price) Risk. Market risk is the current and prospective risk to earnings and capital arising from adverse movements in market rates or prices such as interest rates, foreign exchange rates or equity prices. Repricing risk, basis risk, yield curve risk and options are the types of risk to be considered. Interest rate risk considerations should include the effect of a change in interest rates on both the bank’s accrual earnings and the market value of portfolio equity.

Operational Risk. Operational risk is the current and prospective risk to earnings and capital arising from poor customer service, errors and the inability to efficiently deliver products or services due to weaknesses in systems, processes or people. Additionally, policies and procedures and forms that are absent, out-of-date, poorly drafted, overlooked or not used can lead to operational exposure.

Reputation Risk. Reputation risk is the current and prospective impact on earnings and capital arising from negative public opinion. This affects the institution’s ability to establish new relationships or services or continue servicing existing relationships. This risk may expose the institution to litigation, financial loss or a decline in its customer base. Reputation risk exposure is present throughout the organization and includes the responsibility to exercise an abundance of caution in dealing with customers and the community.

Strategic Risk. Strategic risk is the current and prospective impact on earnings or capital arising from adverse business decisions, improper implementation of decisions, weak corporate governance or lack of responsiveness to industry changes. This risk is a function of the compatibility of an institution’s strategic goals, the business strategies developed to achieve those goals, the resources deployed against these goals and the quality of implementation. The resources needed to carry out business strategies are both tangible and intangible. They include communication channels, operating systems, delivery networks and managerial capacities and capabilities and a strong “Tone at the Top” attitude.

Transactional Risk. Transactional risk is the current and prospective risk to earnings and capital arising from fraud, error, and the inability to deliver products or services, maintain a competitive position, and manage information. Risk is inherent in efforts to gain strategic advantage, and in the failure to keep pace with changes in the financial services marketplace. Transaction risk is evident in each product and service offered. Transaction risk encompasses product development and delivery, transaction processing, systems development, computing systems, complexity of products and services, and the internal control environment.

Technology Risk. Technology risk is the current and prospective risk to earnings and capital arising from the failure to identify, measure, control and monitor technological activities. The institution should: 1) plan for use of technology; 2) assess the risk associated with technology; 3) decide how to implement the technology; and, 4) establish a process to measure and monitor the risk that is taken on. The risk identification and management process for technology-related risks is not complete without consideration of the overall IT environment in which the technology resides. Management may need to consider risks associated with IT environments from two different perspectives: 1) if the IT function is decentralized, and business units manage the risk, then management should coordinate risk management efforts through common organization-wide expectations; and, 2) if the IT department is a centralized function that supports business lines across shared infrastructure, management should centralize their IT risk management efforts.

Vendor Risk. Vendor risk is the current and prospective risk to earnings and capital arising from the bank’s use of third parties to achieve its strategic goals when that party performs functions on the bank’s behalf; when it provides products and services that the bank does not originate; and, when it “franchises” the bank’s attributes by lending its name or regulated entity status to products and services originated by others or activities predominantly conducted by others. Third-party relationships should be subject to the same risk management, security, privacy and other consumer protection policies that would be expected if the bank were conducting the activities directly.


Common Risk Terms

Risk Universe: The full range of risks which could impact, either positively or negatively, the bank’s capabilities.

Risk Capacity: The amount and type of risk the bank is able to support in pursuit of its business objectives.

Risk Target: The optimal level of risk the bank wants to take in pursuit of a specific business goal.

Risk Limit: Thresholds to monitor that actual risk exposure does not deviate too much from the risk target and stays within the bank’s risk tolerance/risk appetite. Exceeding risk limits will typically trigger management action.

Risk Management Culture: This addresses the extent to which the board (and its relevant committees), management, staff and regulators understand and embrace the risk management systems and processes of the bank.

Risk Management Processes: This refers to the extent to which there are processes for identifying, assessing, responding to and reporting on risks and risk responses within the bank.

Risk Capacity: The resources, including financial, intangible and human, which a bank is able to deploy in managing risk.

Risk Management Maturity: The level of skills, knowledge and attitudes displayed by people in the bank, combined with the level of sophistication of risk management processes and systems in managing risk within the bank.

Risk Capability: A function of the risk capacity and risk management maturity which, when taken together, enable a bank to manage risk in the pursuit of its long-term objectives.

Propensity to Take Risk: The extent to which people in the bank are predisposed to undertaking activities the impact, timing and likelihood of which are unknown, and which is influenced by financial, cultural, performance and ethical considerations.

Propensity to Exercise Control: The extent to which people in the bank are predisposed to take steps to change the likelihood, timing or impact of risks, influenced by financial, cultural, performance and ethical considerations.


Risk Tolerance

Risk Tolerance: Risk Tolerance is the maximum acceptable level of variation that management and the Board are willing to allow for any particular risk in pursuit of objectives. Generally, this is the amount of risk that cannot be exceeded because the Value at Risk is simply too great (VaR is exposure to dollar losses, customer defection, capital decay, insufficient liquidity or reputational damage).


Risk Management

Regulatory examiners assess risk using the following approach:

  • Quantity of Risk is the level or volume of risk that the bank faces and is characterized as low, moderate or high.
  • Quality of Risk Management is how well risks are identified, measured, controlled and monitored and may be characterized as strong, satisfactory or weak.
  • Aggregate Risk is a summary judgment about the level of supervisory concern. It incorporates judgments about the quantity of risk and the quality of risk management. Examiners weigh the relative importance of each and characterize aggregate risk as low, moderate or high.
  • Direction of Risk is a prospective assessment of the probable movement in aggregate risk over the next 12 months and is characterized as decreasing, stable or increasing. The direction of risk often influences the supervisory strategy, including how much validation is needed. If risk is decreasing, the examiner expects, based on current information, aggregate risk to decline over the next 12 months. If risk is stable, the examiner expects aggregate risk to remain unchanged. If risk is increasing, the examiner expects aggregate risk to be higher in 12 months.

Risk Assessment

Risk Assessment: This refers to the bank’s identification of inherent risk, the probability of adverse events or conditions, the impact of such events or conditions, the resultant residual risk, an explanation of how risk conclusions were reached and what actions are planned or taken relative to the level of residual risk.