Key Risk Perspectives for 2016

 Credit risk, once the primary risk watched by industry groups, was off the radar for both bank managements and regulators during the brief period after losses peaked and before loan growth rebooted.  However, the past two years have generated renewed attention to the myriad of risks associated with credit extension.  Concerns heightened when oil broke $40 a barrel.  At the same time, other risks continue to evolve and expand.

What should prudent managements and Chief Risk Officers pay attention to beyond the basics?  A few risk themes are presented below.

  1. STRATEGIC RISK.

    The past few years presented significant challenges to bank executives.  Once credit woes abated, profitability growth could be achieved through lower provisions and lower credit costs.  However, those had a finite life for most, and the yield curve, coupled with skyrocketing compliance costs, yielded a challenging environment.

    Pressures mounted as investors shifted their attention from balance sheet strength to revenue growth.  Anxiety for income has been growing, and, with it, stretch for yield.  Rising concerns about the viability of traditional business models added to the pressure.  It takes much managerial courage to rebuff these pressures as one revalidates and refines the underlying business model of the bank

    Regulators and industry observers alike noticed how banks are slowly modifying their risk appetite to facilitate loan and profit growth.  In addition, M&A activity is heating up, adding execution risk as well as potential credit issues in un-vetted portfolios.  Plus, banks are looking for yield enhancement in new products, all-too-often without adequate expertise, due diligence or appropriate risk controls and infrastructure.

    In sum, while bank strategies might not change much, strategic risk may and has been in many institutions.  There are ways to mitigate it, but CCOs and executives need to identify and manage that risk upfront.
     
  2. OPERATIONAL RISK

    Cybersecurity continues to be a prime risk for banks.  It is virtually impossible for systems to keep pace with changes and threats, especially given the thousands of excellent brains being used in the hacker community.  The regulators are working hard to raise awareness among their constituents and provide assessment tools.

    One important development in this area has been the shift from a moat approach (build a wall around our systems and hardware no one can mount) to a distributed risk approach (they will find a way in; now what do we do?)  The word “resilience” is now being used in that context, with regulatory expectations to incorporate resiliency considerations into governance processes to reduce overall organizational vulnerability.

    This approach is particularly relevant as banks launch new products and further leverage technology in response to customer demand and efficiency opportunities.  Bank executives are torn between the need to innovate and modernize, and the unknown risks associated with such actions.

    An example of such conflict was the introduction of ApplePay last year.  All banks but a handful were asked to make a decision whether to join the program within a very short timeframe and with no due diligence or contract negotiation capabilities.  Many delayed the decision as a result, but did not get additional information to make the decision better-informed.  What’s a prudent management team to do?  And which risk is greater:  the risk of being left behind and not meeting your customers’ needs or the risk of being compromised in new ways?

    As banks focus on cubersecurity risks, I believe they can find technological solutions that can reduce that risk.  Biometrics solutions are now available for a variety of biometrics including finger, face and, importantly, voice.  Authentication using reliable biometric information can help combat new cybersecurity risks and stay ahead of the bad guys.

    Regardless to the solution you choose, keeping this risk top-of-mind is essential.
     
  3. COMPLIANCE RISK

    Compliance risks continue to mount – in number, intensity, demands and zero tolerance.  I do not anticipate these will abate in any way in 2016.  “Old faithfuls” such as BSA/AML, Fair Lending and CRA are still high on the list, and new requirements are added often.

    The risk isn’t limited to compliance with specific regulatory requirements and guidelines.  Heightened expectations regarding “tone from the top,” “compliance culture” and other elements that are more difficult to nail down present significant risks as well.  Failure to evolve your compliance program, even if it received glowing reviews in your last examination, can be detrimental to executing the bank’s strategy effectively.  This is especially true when new products and customer groups are introduced.

    Compliance expertise is in such high demand that meeting regulatory expectations with proper staffing is challenging at best.  Yet non-compliance presents catastrophic risks to any organization.
     
  4. INTEREST RATE RISK

    This is another relatively dormant risk that is increasing in importance as the specter of rising rates is slowly converting into reality.  Concerns about vulnerability to rapidly rising rates are growing.  

    The industry has enjoyed abnormal deposit growth over the last few years, as rates were so low that moving money outside the bank did not offer sufficient value.  There is perceived risk to non-maturity deposits becoming more volatile and rate-sensitive than in past rate cycles, which requires additional analysis and stress testing to support underlying assumptions.

    Such analysis is especially tricky since we have no history to draw upon to project deposit behavior, given the unprecedented rate environment we’ve been in for at least 7 years.  

    Most banks have been wise enough not to extend maturities in search for yield, but some have, and those that have could face significant earnings pressure and capital erosion.

    These concerns spill into the wealth management space, where some asset managers have increased client portfolio yields by maturity extensions.  Their business risks are even greater.

The regulators are keenly aware of the risks above, and have set their examination priorities accordingly.  High priority items include:

  1. Governance
    • Strategic plans
    • Capital plans
    • Succession plans
    • Risk appetite
    • Review of new business opportunities in terms of future risks (e.g. M&A)
       
  2. Credit
    • Underwriting practices, with special emphasis on loosening standards
    • Slippage in structure and terms across portfolios and relative to industry benchmarks
       
  3. Operational risk
    • On-going assessment of this evolving risk
    • Robust cybersecurity vulnerability assessments
    • Focus on incident response programs
    • Contingency and disaster planning
    • Disruption handling
       
  4. Compliance
    • BSA/AML
    • Compliance program strength throughout the organization
    • New products and markets handling
       
  5. Interest rate risk
    • Robust assessment of IRR practices
    • Rigorous analysis of deposit and investment behaviors under different rate scenarios

Sounds ominous?  Our business is risk intermediation.  It is what we do best.  The definition of the risks and their consequences have changed dramatically in recent years, but considering that risk management is in our DNA I have faith that we will continue to find ways to mitigate these risks while turning a solid profit.