Getting to Strong: What Banking Organizations Need to Know


As financial institutions emerge from the most severe economic rupture in generations, many are struggling to respond to the heightened expectations of multiple stakeholder groups. Among these expectations is the drive captured by the regulatory phrase "Getting to Strong" (GTS). While this term stems primarily from the U.S. Office of the Comptroller of the Currency's (OCC) method for evaluating large banks' risk management practices, the concept is broader and describes the urgent expectation of many stakeholders.

This white paper defines GTS initiatives and activities as enterprisewide risk management (ERM) concepts. An enterprisewide, coordinated approach is needed to enable an institution to emerge from this business cycle with the ability to balance the need to reward its people for seeking growth together with the institution's stated and accepted risk appetite. Beyond just defining and supporting the use of the concept, we suggest three key considerations and a business case for GTS. This includes providing the indicators that should be used by executive management, the board of directors (board) and regulators to evaluate achievements and define sustainable progress. In addition, we put forward the implications of the external environment on GTS and characteristics for when and how financial institutions might know if they have achieved Strong.

THE ORIGINATION OF GETTING TO STRONG

Escalating regulatory pressures are driving a structural shift in how financial institutions approach their ERM and assurance activities. The following include a sampling of regulatory guidance focused on defining and building a strong risk management culture.

The OCC has historically published a Large Bank Supervision handbook,[1] where it details the standards by which examiners should review a banking organization's risk assessment for six of the eight risks (credit, interest rate, liquidity, price, operational, and compliance). Specifically, the OCC guidance indicates that each of these risks should be evaluated by:

• Quantity of risk: the level or volume of risk that exists (High, Medium or Low)
• Quality of risk management: how well risks are identified, measured, controlled and monitored (Strong, Satisfactory or Weak)
• Direction of risk: assessment of the probable aggregate risk movement over the forward-looking 12 months (Decreasing, Stable or Increasing)

[1] Large Bank Supervision, Comptroller's Handbook, OCC, January 2010:

It is the second area, the quality of risk management, that is the primary focus of GTS efforts. Each of the six risk areas has a corresponding set of risk factors by which regulators evaluate each institution. These factors lead to a Strong, Satisfactory or Unsatisfactory definition for each risk area. The result of each assessment will then provide the overall quality of that area's risk management with either a Strong, Satisfactory or Weak determination.

In addition to evaluating the quality of risk management in each of the risk areas noted above, regulators also review the internal control and audit environments. Their evaluation of these environments is based on a set of factors that define internal controls rated as Strong, Satisfactory or Weak. Their evaluation of the internal control environment enhances the risk management picture for the institution and the extent to which the institution's internal controls function as intended.

The Federal Reserve takes a similar approach in its Bank Holding Company Supervision Manual.[2] The Manual requires examiners to review bank holding companies (BHCs) using a composite "C" rating, based on the BHC's managerial and financial condition and future risk outlook. The BHC risk system is a set of factors and is RFI/C (D), where "R" is risk management, "F" is financial condition, and "I" is potential impact of the parent company on the subsidiary institution. "I" focuses on the downside risk of a negative impact from the BHC on a subsidiary institution. The fourth component, "D", is for the subsidiary depository institution and typically mirrors the rating by its primary regulator.

There are subcomponents of each factor. However, since the focus here is on risk management, we will include the "R" subcomponents: board and executive management oversight; policies, procedures and limits; risk monitoring and management information systems (MIS); and internal controls. Each is utilized to assess the effectiveness of the banking organization's risk management and controls. Ratings for each area and their subcomponents are based on a weighted five-point scale:

• Rating 1 (Strong): Indicates management effectively identifies and controls all major types of risk posed by the BHC activities. Management is competent at managing new risks and the board is fully engaged in forward-looking risk management activities. There are appropriate policies, limits, risk appetite, reporting, and MIS infrastructure to provide management and the board with timely analysis and decision-making information. Internal controls and audit procedures are comprehensive and appropriate to the institution's size and complexity. Risk management processes are fully effective in identifying, monitoring and controlling risk.
• Rating 2 (Satisfactory): Indicates risk management is mostly effective but lacking in some areas. Management demonstrates the ability to be responsive and manage existing and foreseeable risks. However, the institution shows some areas of risk management weakness, which have been identified and are being remedied. The policies, limits, risk appetite, reporting, and MIS infrastructure are considered satisfactory to provide management and the board with the ability to ensure a safe and sound institution. Internal controls may display some weaknesses but are correctable in the normal course of business. Weaknesses are noted by the regulators.
• Rating 3 (Fair): Risk management practices are lacking in some important ways. One or more of the four elements of sound risk management (active board and executive management oversight; adequate policies, procedures and limits; adequate risk management monitoring and MIS; and comprehensive internal controls) are less than acceptable. Risk management practices need to be improved to ensure the ability to manage risks. Internal controls may be lacking and weaknesses could have adverse effects on the safety and soundness of the institution if corrective action is not taken.

[2] Bank Holding Company Supervision Manual, Board of Governors of the Federal Reserve System, July 2012:

• Rating 4 (Marginal): Risk management practices are deficient and they fail to identify, monitor and control significant risk exposures in many material aspects. One or more of the sound risk management elements are not functioning and require immediate corrective action.
• Rating 5 (Unsatisfactory): Risk management practices are absent. One or more of the risk management elements are considered wholly deficient and management and the board have not demonstrated the capability to address these deficiencies. Deficiencies require immediate and close supervisory action.

The seeds of GTS are contained in the regulatory expectations contained in the OCC and Federal Reserve handbooks. Jointly, these expectations for risk management have similar risk management themes and principles. These expectations lay out the foundation for an institution to understand the requirements of GTS and should be considered by institutions of various sizes, and be applied commensurate with the complexity and size of the institution. Regulatory expectations will be one triangulation point for executive management in determining their path to GTS.

CURRENT ENVIRONMENT: HOW GETTING TO STRONG IS EVOLVING

While the foundation for GTS is rooted in U.S. regulatory guidance, there have also been domestic rulemaking (Dodd-Frank Wall Street Reform and Consumer Protection Act) and global organizations attempting to influence the role of risk management and institutions' control environments. These include the Basel Committee on Banking Supervision (Basel Committee), the Financial Stability Board (FSB), as well as others. The pronouncements, studies and/or regulations produced from these various entities must be reviewed and addressed with sufficient urgency, but the limited coordination of these initiatives can prove quite challenging for banking organizations. However, the main goal is the same: to ensure that financial institutions better manage their risk and prevent another systemic financial meltdown.

The U.S. regulatory environment is still seeing multiple levels of rulemaking as a result of the Dodd-Frank Act. One proposal affecting banks' risk management is the Enhanced Prudential Standards and Early Remediation Requirements for Covered Companies (Regulation YY).[3] This proposed rule covers a broad range of complex issues, including: risk-based capital and leverage limits; liquidity requirements; single-counterparty credit limits; risk management and risk committee requirements; stress testing; debt-to-equity limits; early remediation frameworks; transitional compliance arrangements; and Federal Reserve authorities. The language contained in the proposal around the risk management portion focuses on a strong risk management framework including the chief risk officer (CRO), risk appetite, risk committees, risk reporting and risk accountabilities.

Globally, the Group of 30 (G30) and Basel Committee have both released guidance focusing on corporate governance. In 2012, the G30 released a special report titled Toward Effective Governance of Financial Institutions,[4] which focuses on banking governance. The publication utilizes lessons from the financial crisis and focuses on the financial institution's board to strengthen governance. The report discusses the values that influence behavior of those with governance responsibilities, and considers that the key to reform is to promote changes in the ways in which these individuals think about their responsibilities and executive management's support.

[3] Enhanced Prudential Standards and Early Remediation Requirements for Covered Companies (Regulation YY), Federal Register, January 5, 2012: For more information, see the Protiviti white paper, The Financial Version of Competing in a Marathon? Comments on the Enhanced Prudential Standards Proposal, available at
[4] Toward Effective Governance of Financial Institutions, G30 Working Group, 2012:

The Basel Committee released Principles for Enhancing Corporate Governance,[5] which also focuses on lessons learned from the financial crisis. This document discusses enhancing governance through the board's roles, qualifications, depth of organizational and compensation system understanding and responsibilities; importance of an independent risk management function; the monitoring of risks on an ongoing firm-wide and individual entity basis; and requires banks to have an internal audit function with sufficient authority, stature, independence, resources and access to the board.

Additionally, the financial crisis has focused attention on the third line of an organization's defense: internal audit. While the Principles for Enhancing Corporate Governance[6] lays out certain expectations for internal audit, the Basel Committee's recent publication, The Internal Audit Function in Banks,[7] builds on the prior publication and details 20 guiding principles to re-emphasize the role of a strong internal audit function. The Federal Reserve in early 2013 issued a Supplemental Policy Statement on the Internal Audit Function and Its Outsourcing,[8] which builds upon 2003 interagency guidance[9] and addresses the characteristics, governance, and operational effectiveness of an institution's internal audit department.

The Federation of European Risk Management Associations (FERMA) released its European Risk Management Benchmarking Survey[10] in October 2012, which included 809 responses from risk and insurance managers in 20 European countries. The survey revealed a few interesting points, including the following:

• In the current financial and economic climate, top management wants more information on the risks and risk management of the business, according to 46 percent of respondents.
• In 53 percent of the companies with mature or advanced risk management ( percent), the function now reports to the board, a board committee or a top executive.
• The survey found that there is considerable work to be done before companies across Europe fully understand the implications of the European 8th Company Law Directive (a European version of the U.S. Sarbanes-Oxley Act legislation) and integrate them into their business.[11]

While GTS was initially founded by the OCC requirements, there is a pattern of more rigorous and definitive directives around key aspects of internal risk management infrastructures, which continue to be presented through proposed guidelines and regulations. Each of the entities or pieces of legislation above expands upon the initial requirements to focus on a broader ERM concept, where getting risk management systems to Strong can and should be applied across institutions of all sizes and with various complexity levels.

[5] Principles for Enhancing Corporate Governance, Basel Committee, October 2010:
[6] Ibid.
[7] The Internal Audit Function in Banks, Basel Committee, June 2012: For additional information on this topic, see Protiviti's Financial Services Flash Report, August 9, 2012: Reports/Basel-Updates/Financial-Services-Flash-Report-Basel%20Committee-Effectiveness-Internal-Audit pdf.
[8] Supplemental Policy Statement on the Internal Audit Function and Its Outsourcing, Board of Governors of the Federal Reserve System, January 23, 2013: For additional information on this topic, see Protiviti's Financial Services Flash Report, January 29, 2013: General-Business/FSI-Flash-Report-Federal-Reserve-Issues-Supplemental-Policy-Statement-IA%20Function-and-Outsourcing- Protiviti.pdf.
[9] Interagency Policy Statement on the Internal Audit Function and Its Outsourcing, Board of Governors of the Federal Reserve System, March 17, 2003:
[10] FERMA European Risk Management Benchmarking Survey 2012, FERMA, 2012:
[11] The Internal Audit Function in Banks, Basel Committee, June 2012: For additional information on this topic, see Protiviti's Financial Services Flash Report, August 9, 2012: Reports/Basel-Updates/Financial-Services-Flash-Report-Basel%20Committee-Effectiveness-Internal-Audit pdf.

GTS: WHAT IT MEANS

The financial crisis exposed a wide range of deficiencies in many aspects of ERM, including the first, second and third lines of defense. Failings included weaknesses in corporate governance structures, which resulted in some institutions having an overall lack of credible challenge in the boardroom during critical times of the crisis. This lack of credible challenge was also witnessed at all levels of the organization and was particularly present in the second and third lines of defense at many institutions.

Where firms had established corporate risk appetite statements, often the objectives adopted at the line of business (LOB) level did not reflect the strategic objectives of executive management and the board. In addition, metrics used to track the level of risk at the LOB were often inconsistent and not well defined. This led to an inability to accumulate, aggregate and advance these risk metrics to the top of the house, which resulted in insufficient exception tracking and the absence of an effective escalation process.

The GTS mandate is rooted in core elements of effective ERM. Essentially, a strong risk management function is critical to having secure and reliable financial institutions, and ensures that an appropriate risk management function is in place and that risk-taking activities are proactively controlled within risk tolerance levels. The core elements revolve around accountability, effective challenge, stature within the organization, competence of staff and talent management:

Accountability/Effective Challenge
• Effective challenge depicts an environment in which LOB leaders must acknowledge issues and operate with an appropriate sense of urgency and focus in the timely clearing of findings and recommendations.
• Changes to controls and/or practices are facilitated by risk management.
• Risk management is highly effective in facilitating change by identifying the root cause and ensuring appropriate corrective action.

Stature Within the Organization
• Reporting structure of risk management is independent from the LOBs.
• Executive management supports the risk management function with appropriate frequency to ensure effective leadership is carried out.

Competence of Staff/Talent Management
• Continuous improvement to meet and exceed industry best practices.
• Sufficient depth of technical and managerial expertise within the risk management function to understand the business, risks, and controls, and how individual functions respond to material changes affecting the risk profile.

The roles of the board, executive management and the first, second and third lines of defense should all be considered in the institution's ERM efforts. Just as each level has a different role within the organization, the owners would have different risk management roles and responsibilities as well. This graphic depicts each level's risk roles and responsibilities:

GTS Risk Roles

• Owner: Board of Directors
  Risk focus: Oversight of Business Growth and Risk Strategy
• Owner: Executive Management (Supports All Three Lines of Defense as Board's On-Site Proxy)
  Risk focus: Risk Appetite-Setting, Execution & Capacity Building
• Owner: Client-facing Businesses (First Line of Defense: Growth)
  Risk focus: Upside Risk: What is the risk if we lose this deal?
• Owner: Risk Management (Second Line of Defense: Control)
  Risk focus: Risk Balancing: How do we grow profitably within our risk appetite and when are we willing to go outside it?
• Owner: Internal Audit & Loan Review (Third Line of Defense: Assurance)
  Risk focus: Downside Risk: What is the risk if this business process fails or if the level of risk is understated?

While the risk roles and responsibilities vary at each level within the organization, every level has a responsibility to the organization to understand the Corporate Risk Appetite Statement and how that view of risk has been pushed down and adopted at each LOB. Every LOB executive must be able to review, measure, assess and conclude on its business risk profile and be able to roll their risk profile metrics up to the top of the house to ensure that the tolerances established at the corporate level are not breached. Additionally, LOB conclusions on risk should be reported throughout the organization to allow for the firm to continually re-evaluate its risk position.

It is critical for the organization to evaluate continually its risk position in terms of established tolerances, metrics and limits, but just as importantly, also to be able to identify and respond to emerging risks in its operating environment. Emerging risks are newer to the organization or the result of macro/industry-level changes. This is distinguished from the concept of evolving risks, which are changes in the risk level for already identified risks in the institution's risk inventory. For example, a change in interest rates is generally an evolving risk versus the impact of social media and mobility, which would typically be viewed as emerging risks. For both evolving and emerging risks, a strong risk management function will have well-established transparent escalation procedures to ensure that management at the highest levels in the organization is well aware of any breach or pending breach of established risk tolerances.

For an organization to navigate a GTS program for ERM successfully, it must be a well-organized effort that is directed and owned by the CEO and the board. The three lines of defense must act in a collaborative fashion with a well-laid-out plan detailing specific objectives, milestones, lines of accountability, and detailed timelines. This must be a coordinated effort by the entire organization, led by the CEO and directed by the CRO.

Achieving GTS is the ability to demonstrate at any point in time that the entire organization's corporate strategy, its risk appetite and its performance measurement systems are intentionally well-aligned, and the business is being managed accordingly. Additionally, GTS will require evidence that all parts of the organization have and are executing on a common understanding of risk and reward to instill effective ERM.

GTS: WHY GO THERE

So, why should a financial institution choose to work toward GTS? The value proposition for working toward and achieving GTS includes the following outcomes:

• Ability to anticipate successfully and respond consistently to a rapidly changing risk environment where management is informed of and understands the risks they are undertaking or, just as importantly, the risks they are not taking
• Increased transparency and accuracy in reporting and ability for executive management to make timely business and risk management decisions
• Consistent, long-term financial profitability and capital adequacy
• Fully understood and executed ERM roles and responsibilities by the lines of defense
• Transparency for and confidence of key stakeholders, including regulators, counterparties, funds providers, rating agencies, and shareholders
• Achieving regulatory compliance and helping to frame the view that regulators have of the institution

These resulting benefits of this initiative will not be easily achieved. While the regulators will expect the organization to achieve certain milestones, they are well aware that to do this right, it will take an enormous amount of effort, time and money in most organizations. In the short term, they will be looking to ensure that the organization is achieving directional consistency in its approach and reflects a broader vision.

The true payoff of working toward GTS will come in the repeatable ability to demonstrate disciplined growth while shifting through an evolving risk landscape and high stakeholder expectations. Sometimes this will lead to tightening constraints to limit risk, while other times more risk may be prudently taken through better information and analysis.

Let's consider the repercussions of not working toward GTS:

• Inability to maneuver new financial crisis situations and changes in risk environments
• Decreased confidence in reporting and inefficient ability for executive management to make timely business and risk management decisions
• Impaired long-term financial profitability
• Misaligned lines of defense, which are unsure of their ERM roles and responsibilities
• Vague, confusing and/or contradictory information
• Decreased confidence among key stakeholders including regulators, debt holders, rating agencies, shareholders, depositors and their communities
• Struggles with regulatory compliance

The long-term benefits will outweigh the long-term costs of GTS and are critical to an institution's ongoing survival. Therefore, institutions need to define and begin a path to GTS, before the path is defined for them.

KEY CONSIDERATIONS

Regardless of where an institution is positioned today, every organization has the ability to determine and shape its future in this new regulatory environment. As such, as an organization begins to develop a GTS initiative, we believe it should keep a small number of key considerations in mind. These include defending an existing Satisfactory rating; having a strong risk culture and uniform collaboration within the organization; and investing in an environment of continuous improvement.

1. Defending Satisfactory

Given the fact that the regulators witnessed a fairly significant breakdown in many financial institutions' corporate governance and risk management systems during the last crisis, no institution should presume it is able to maintain a Satisfactory rating by remaining at the status quo. Two significant events occurred as a result of the regulators witnessing the breakdown during the financial crisis. First, the OCC mandated that its largest and most complex banks must achieve a Strong rating around their ERM processes. Second, the expectations required to obtain Satisfactory ratings have now also been raised.

Financial institutions will need to consider new investment in risk management infrastructure, processes and people just to maintain a Satisfactory rating. A clear and broad objective assessment of the institution's capabilities and infrastructure is the first imperative to enable the institution to defend its Satisfactory rating. The bar will continue to be raised as examiners review institutions and find newer, better practices and graft those into subsequent examinations of other institutions.

2. GTS Risk Culture and Uniform Collaboration

The GTS initiative must originate from executive management and the board. It must be supported and directed by executive management and must resonate with all levels throughout the organization. The well-constructed plan must be clearly articulated and understood throughout the organization; and be reinforced by multiple means including new-hire training, refresh courses, corporate communications (external and internal), incentive plan constructs, assurance function emphasis and other means. There must be a strong risk culture with uniform collaboration among all business units, risk and assurance functions. Once an institution has fully committed to a GTS directive, it must ensure that it remains directionally consistent in its approach and continually assesses its progress against established milestones and timelines.

There are two co-dependent aspects of GTS. Alone, neither is sufficient to achieve GTS, and neither is institutionalized without major investments in time, effort and capital. They are:

• The tangible aspects of risk and business infrastructure (e.g., the policies, strategy, risk appetite, capital and liquidity positions, product offerings, metrics and reporting of governance)
• The intangible aspects of risk and business culture (e.g., the behaviors of accountability, discipline, language, focused execution, effective challenge and comfort with internal creative tension)

The alignment of tangible and intangible aspects is critical to ensuring success. The inability of an organization to execute required cultural changes can disintegrate management's efforts in an initiative such as this. Culture will trump strategy and derail the project in every situation. It is the intangible aspect of culture that can elevate the well designed and executed ERM program to GTS. That is why it is critical that the changes to the tangible and intangible aspects of this program be driven from the top of the house.

An emerging GTS risk culture is built upon a strong risk management framework. The graphic[12] below illustrates the key linkage between risk culture and the entire risk management effort. Each element is linked and influences the other elements, requiring that the whole be examined for effectiveness in the GTS effort.

[Figure: Risk Culture Framework. Corporate Strategy and Risk Culture, with eight linked elements: 1. Senior Management & Board Oversight; 2. Policies & Practices; 3. Organizational Structure; 4. Risk Identification & Assessment; 5. Risk Measurement & Data; 6. Risk Reporting, Monitoring & Management; 7. Effective Challenge; 8. Resources]

To help decipher an adequate support structure, below are behavioral questions, which are just a few of the indicators of an emerging GTS risk culture. The answers to these questions may demonstrate where the financial institution is on the path to GTS:

• Does executive management openly support each line of defense in open discussions and not just in front of large in-house meetings?
• Can the LOBs identify and understand their risks and risk appetites? Can they define their risks and risk appetites, and discuss, measure, assess and report them, and either support or challenge their limits? Do they self-identify and report issues to management in a timely manner, before they are identified by the second or third lines of defense?
• Where is the CRO positioned within the institution? What is the organizational structure of risk management? How is risk management perceived within the organization?
• What policies, tools and processes are in place to support and challenge limits?
• What infrastructure supports risk identification and assessment; risk measurement; risk analysis, monitoring, reporting and management? How is this information disseminated and utilized within the organization?

[12] Sources: Office of the Superintendent of Financial Institutions (OSFI) Supervisory Framework; Basel Committee's Principles for Enhancing Corporate Governance; OCC Large Bank Supervision handbook; Federal Reserve Board's Supervisor's Manual; Senior Supervisor's Group; and Protiviti's analysis and experience.

• Does executive management have direct and consistent contact with all lines of defense to ensure an understanding of their functionality and challenges?
• Is there an element of effective challenge and a degree of comfort with creative tension across the different lines of defense while maintaining professionalism and a shared goal of quality growth?
• Does the third line of defense receive adequate resources and house appropriate, competent skill sets to be credible with LOB and risk personnel?

3. Invest in an Environment of Continuous Improvement

GTS is not simply a compliance exercise. The GTS directive is a holistic, concerted effort to improve all areas of risk management and ultimately facilitate the productivity and profitability of the bank. Establishing a culture of continuous improvement is one important aspect of the initiative. Activities include continuous monitoring and constant evaluation of the evolution of external expectations and moving market forces. The repetition of these activities will serve to continuously strengthen the institution's risk management capabilities.

For example, changing market conditions can quickly degrade the original thesis of an investment program or the design principles of a business process. This is the point where robust oversight and effective challenge must intersect for the good of the whole institution. This principle is vital to GTS, as it bolsters both the tangible and intangible aspects of GTS. Further examples:

• Once in place, are the risk appetite performance metrics, limits, and tolerances periodically backtested to ensure they remain supportive of achieving the corporate strategy? This is particularly important, as major lines of business may be closed, opened or evolved as major new product introductions are launched.
• Is continuous improvement evident by clearance of issues regarding control weaknesses, be they self-identified or cited by audit or credit review? Over time, has the weakness or issue been tied to leaders' performance plans and reward systems?
• Are findings in one area of the organization assessed and reviewed for applicability to other areas? Are lessons learned shared and assessed for impact on an enterprisewide basis?
• Are silos within risk management functions and other internal control areas breaking down? Are risk managers proactively engaging other risk areas, internal audit, legal, or compliance to explore the potential impact of issues across the organization?

Organizations will need to evaluate their views and ingrained cultures on continuous improvement and determine if changes are needed to ensure all areas of the organization support and can show evidence of an active continuous improvement culture. Institutions will not want to wait for industry standards to evolve or regulatory prescriptions to be handed out to make necessary changes.

GTS: THE HOW

Key steps to beginning the path to GTS start with a true evaluation of the institution's current risks, risk appetite, risk management processes and capabilities, in relation to existing regulatory expectations and industry best practices. Each organization will choose to create its optimal program within its own infrastructure and should tailor the program to ensure consistent long-term sustainability. The following six elements of risk management infrastructure highlight certain aspects of risk management where an organization would want to focus its baseline evaluation. An evaluation assessing these elements against regulatory guidance, industry best practices and its future state position would help an organization to determine its baseline and gaps in each area.

Six Elements of Infrastructure

Strategies and Policies: Corporate strategy; Business plans; Product profiles; Risk management policies; Limit structures; Risk appetite and tolerance; Overall risk strategy
Business Processes: Risk assessment processes; Issue tracking; Risk sourcing; Risk aggregation; P&L attribution
Organization and People: Central vs. business line responsibilities; Risk ownership; Reporting lines; Authorization levels; Executive team and board responsibilities
Management Reports: Management and board reports; Business line reporting; Risk maps; Risk category reporting
Methodologies: Economic capital and capital allocation methodologies; VaR and EaR models; Risk measurement and scaling models; Emerging risk identification and evaluation; Scenario analysis; Exposure measurement
Systems and Data: Risk assessment systems/tools; Risk analysis systems; GRC platform; Issue-tracking database/system; Historical, real-time and forecasted data

The identified gaps between an institution's baseline evaluation today and where executive management and the board want the institution to be in the future begin to lay the foundation for the GTS directive and roadmap. For all institutions, the path to GTS will require more capital and resources; strong executive management and board support; a willingness to evaluate milestones and determine if and when changes to the GTS directive are needed; and the ability to show productive and meaningful effort toward the GTS goals. The table that follows depicts each area of an institution (board, executive management, and the first, second and third lines of defense) and selected examples of risk management capabilities within each area and how their roles could translate into a Satisfactory versus Strong rating.

What Is Satisfactory Versus Strong?

In assessing the strength of a bank's risk management support and capabilities, we will compare the bank's risk management presence at each level as it would compare to a Satisfactory versus Strong capability.

Indicators of Satisfactory Versus Strong

Organizational Owner: Board of Directors
Satisfactory: Board reports recap findings from recent cycle. Board focuses solely on the CRO.
Strong: Board reports call out large risks and emerging issues. Board's risk committee focuses on the CRO and the succession planning of direct reports.

Organizational Owner: Executive Management
Satisfactory: Risk management culture is not exemplified by executive management. CEO and team waver in support of the CRO, risk management and internal audit. Technology and MIS systems present fragmented, elongated and trailing risk reviews.
Strong: Risk management culture is embraced and fully demonstrated by all executive management. CEO and team visibly support the CRO, risk management and internal audit. Ensure technology and MIS systems can produce timely assessments.

Organizational Owner: Client-Facing Businesses (First Line of Defense)
Satisfactory: LOB depends on risk management or audit for identification of emerging risks and issues. Communicate only findings and conclusions. Limited if any discussion occurring with risk management. LOB responses to issues lag, diminishing importance of risk management findings. Only reactive to issues and events.
Strong: LOB owns their risks and is held accountable for self-identification of issues. Active communication with risk management on findings and thought process. Resolution of risk management issues in a timely manner to ensure fewer repeat findings. Proactive in highlighting and addressing trends.

Organizational Owner: Risk Management (Second Line of Defense)
Satisfactory: CRO is an intelligent person, but lacks either bearing or business acumen as well as the willingness or ability to challenge. CRO and team routinely function by ensuring only compliance. Risk management is only informed of strategic plans and compensation decisions.
Strong: CRO is a strong individual with clear, earned stature within the organization. Demonstrated ability and confidence to challenge the LOB management. CRO and team play a critical role in establishing a strong risk management culture. Participates in strategic decision-making and compensation decisions.

Organizational Owner: Internal Audit and Loan Review (Third Line of Defense)
Satisfactory: Internal audit and loan review only review the institution's risk profile annually as they develop their plans and rarely make interim changes to their plans. Occasionally effective at eliciting the strengthening of controls and risk management practices. Identification of issues and risks does not always occur in a timely fashion.
Strong: Internal audit and loan review are proactive in evaluating emerging institutional risks and their potential impact, and make changes to their plans to support the institution's risk profile changes. Effective at strengthening controls and risk management practices through timely identification of controls weaknesses and risk exposures.

Each level listed above has an important risk role. The ability to move each role from Satisfactory to Strong cannot happen without movement by all owners. The interconnectedness of the risk roles could prevent another area from moving from Satisfactory to Strong. The graphic above shows how the key considerations are central to the GTS directive. If an institution does not initially defend and strengthen its Satisfactory status, then it cannot continue the move ahead to Strong; and if an institution does not move all organizational owners together in concert, then those owners cannot help to get the overall institution to Strong. And if the institution chooses to do nothing, it likely will not even be able to maintain its Satisfactory rating, much less get to Strong.

GTS: WHEN AND HOW WILL AN INSTITUTION KNOW IT HAS REACHED STRONG

Critical to investing in any major change initiative is the ability to measure success along the way. This is no different with GTS. The initial design of the GTS directive and roadmap includes specific timelines, milestones and goals. These are the tools the institution should use to gain insight into its progress. Measures of success include and go beyond successful completion of milestones on the original timeline created. Measures of success can also be found in:
The decision and ability to walk away from an initial plan that becomes out-of-date or unachievable
Better risk limit evaluation, assessment, monitoring and reporting
Experiencing positive cultural changes and a sense of teamwork across risk owners within the institution
The trend in creation and clearance of issues found by control groups (e.g., internal audit, credit review and regulators) reflects that they are headed in the right direction
Proactive application of issues found in one area across the institution
Continuing self-identification of issues, including those of the highest severity ratings
Increased use of common risk language
Talent development and rotation among major functions of the organization

All these indicators are made possible by executive management's commitment and willingness to hold themselves and others accountable for GTS. Throughout the entire process, executive management should have open and consistent dialogue with regulatory bodies on their path to GTS.

THE EFFECTS OF THE EXTERNAL ENVIRONMENT ON GTS

In addition to achieving internal successful steps along the path to GTS, institutions must consider the external implications of taking a path to GTS. The business and economic environment in which institutions operate today has vastly changed over the past 10 years. There are new technologies developed almost daily, business and economic environments are changing faster, and the long-term sustainability of businesses is consistently questioned. These developments are changing how many organizations conduct business and manage risks.

The concept of how the technology element can affect a path to GTS is crucial. The introduction of the Internet, Wi-Fi, social media, smartphones, tablets and other expansive technology is changing the swiftness with which information is reported and disseminated every day. News, both positive and negative, goes viral instantly, until the next big news story. Meanwhile, audiences do not wait for explanations from companies, individuals, or court systems to pass judgment on an issue; they decide how it affects them and how they want to respond and move forward. Judgment is swift and often based on incomplete information. This speed to judgment adds further urgency to an institution having strong risk management capabilities versus merely getting by with satisfactory.

Secondly, over the past few decades the economic and business environments have been evolving faster in part due to new technologies, but also because of the vast array of economic turbulence and increased competition. Businesses will need to continuously and consistently evaluate their business and economic environments for emerging risks. They will need to ensure they can deal with the risks and challenges of today, while still looking toward the future.

Thirdly, institutions will need to evaluate emerging risks in the context of their long-term sustainability. They will need to remain vigilant on the environmental changes and adapt their business plans, corporate strategy and risk management capabilities to support an environment of continuous improvement in a dynamic business and economic landscape.

CONCLUSION

Let's fast-forward a business cycle and look at an institution that has not only defended its Satisfactory rating, but also achieved a Strong rating. The institution exhibits many of those strong qualities listed above; the risk owners are being held accountable for their environment, address issues in a timely manner, and work in a concerted effort with other risk owners to ensure the best outcome for the institution; and there is an expectation of continuous improvement at all levels. Then, the risk environment shifts, and the institution finds that it is breaching previously set limits that were consistently stable in the prior risk environment. Those limit breaches are reported up to executive management and the board, and both risk management and the LOBs make their business cases for lowering portfolio asset levels according to limit breaches or raising breached limits, respectively, if an opportunity is viewed within the chaos of the moment.

What do executive management and the board do? What is their expected outcome? What is the process for decision-making at this level? Who gets to make the final decision? The CRO? The CEO? A board committee or the board itself? There is no easy answer: at minimum, at least one party will be disappointed and potentially lose stature within the institution. A well-designed and functioning GTS program should have a previously established process to answer these questions well before the institution is in the heat of the decision-making moment. The institution should consider the outcomes of these types of decisions, both financially and culturally. Just as institutions must decide where they desire to be on the risk management continuum, they must also decide how decisions will be made and how outcomes will be addressed.

There is no one-size-fits-all holistic GTS program; each institution must figure out what GTS means to its organization, and tailor its program accordingly. The benefits are significant, enabling not only future survival, but also aiding the ability to flourish in times of uncertainty. Looking ahead, stakeholders also will want their institutions to go forward striving toward strong, not crumbling as weak.

ABOUT PROTIVITI

Protiviti is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit. Through our network of more than 70 offices in over 20 countries, we have served more than 35 percent of FORTUNE 1000 and FORTUNE Global 500 companies. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.

About Our Financial Services Industry Team

We assist financial services companies in identifying, measuring and managing the myriad risks they face. With our commitment to service, people, resources and values, we are the service provider of choice for financial institutions of all types and sizes. Our consultants are experienced professionals. Many have decades of experience working in the financial services industry. Located in offices across the globe, they include former industry executives, former regulators and a broad range of subject-matter experts who have firsthand knowledge of the issues on which they provide advice. Our internal commitment to training ensures that our consultants remain current on important industry issues. Armed with tested tools and methodologies, our consultants provide pragmatic, cost-effective and value-added solutions to your company. At Protiviti, we understand the challenges faced by financial services companies. Our solutions are designed to help your company turn these challenges into competitive advantages.

Contacts

Carol Beaumier, Managing Director, carol.beaumier@protiviti.com
Thomas Andreesen, Managing Director, thomas.andreesen@protiviti.com
Cory Gunderson, Managing Director, cory.gunderson@protiviti.com
Timothy Long, Managing Director, timothy.long@protiviti.com
Michael Schuchardt, Managing Director, michael.schuchardt@protiviti.com

THE AMERICAS
UNITED STATES: Alexandria, Atlanta, Baltimore, Boston, Charlotte, Chicago, Cincinnati, Cleveland, Dallas, Denver, Fort Lauderdale, Houston, Kansas City, Los Angeles, Milwaukee, Minneapolis, New York, Orlando, Philadelphia, Phoenix, Pittsburgh, Portland, Richmond, Sacramento, Salt Lake City, San Francisco, San Jose, Seattle, Stamford, St. Louis, Tampa, Washington, D.C., Winchester, Woodbridge
ARGENTINA: Buenos Aires*
BRAZIL: Rio de Janeiro*, São Paulo*
CANADA: Kitchener-Waterloo, Toronto
CHILE: Santiago*
MEXICO: Mexico City*, Monterrey*
PERU: Lima*
VENEZUELA: Caracas*

EUROPE
FRANCE: Paris
GERMANY: Frankfurt, Munich
ITALY: Milan, Rome, Turin
THE NETHERLANDS: Amsterdam
UNITED KINGDOM: London

MIDDLE EAST
BAHRAIN: Manama*
KUWAIT: Kuwait City*
OMAN: Muscat*
QATAR: Doha*
UNITED ARAB EMIRATES: Abu Dhabi*, Dubai*

ASIA-PACIFIC
AUSTRALIA: Brisbane, Canberra, Melbourne, Perth, Sydney
CHINA: Beijing, Hong Kong, Shanghai, Shenzhen
INDIA: Bangalore, Mumbai, New Delhi
INDONESIA: Jakarta**
JAPAN: Osaka, Tokyo
SINGAPORE: Singapore
SOUTH KOREA: Seoul

* Protiviti Member Firm
** Protiviti Alliance Member

2013 Protiviti Inc. An Equal Opportunity Employer. PRO-PKIC Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.


More information

Risk appetite in the financial services industry A requisite for risk management today

Risk appetite in the financial services industry A requisite for risk management today Risk appetite in the financial services industry A requisite for risk management today While the concept of risk appetite existed before the global financial downturn, the benign economic conditions that

More information

Beyond risk identification Evolving provider ERM programs

Beyond risk identification Evolving provider ERM programs Beyond risk identification Evolving provider ERM programs March 2016 At a glance PwC conducted research to assess the state of enterprise risk management (ERM) within healthcare providers and found many

More information

OSFI Updates Guidance on Regulatory Compliance Management. By Carol Lyons and Jared Grossman

OSFI Updates Guidance on Regulatory Compliance Management. By Carol Lyons and Jared Grossman Introduction OSFI Updates Guidance on Regulatory Compliance Management By Carol Lyons and Jared Grossman More than 10 years have passed since OSFI 1 first issued Guideline E-13 entitled Legislative Compliance

More information

Linking Risk Management to Business Strategy, Processes, Operations and Reporting

Linking Risk Management to Business Strategy, Processes, Operations and Reporting Linking Risk Management to Business Strategy, Processes, Operations and Reporting Financial Management Institute of Canada February 17 th, 2010 KPMG LLP Agenda 1. Leading Practice Risk Management Principles

More information

Risk governance: OCC codifies risk standards, paving the way for increased enforcement actions

Risk governance: OCC codifies risk standards, paving the way for increased enforcement actions Regulatory February 2014 brief A publication of PwC s financial services regulatory practice Risk governance: OCC codifies risk standards, paving the way for increased enforcement actions The Office of

More information

The Data Center of the Future: Creating New Jobs in Europe

The Data Center of the Future: Creating New Jobs in Europe The Data Center of the Future: Creating New Jobs in Europe New data centers will create hundreds of thousands of new jobs for Europe by 2020. But there is work to be done to capture this opportunity fully.

More information
