Post-Crisis: Credit Risk Management: Lessons Learned and Best Practices from Canadian Banks
Lam, James, The RMA Journal
The global financial crisis represents the ultimate stress test in risk management. In its aftermath, banks and other companies should review the performance of their risk management programs to determine what worked and what needs improvement.
In a previous article, I discussed the main lessons and fundamental requirements for enterprise risk management. (1) However, credit risk management has been--and will continue to be--the core competency for banking institutions. This article discusses the key lessons and requirements for sound credit risk management. As shown in Figure 1, the fundamental requirements for ERM can be applied to any risk function, including credit risk management.
Many observers have recently highlighted the Canadian banking system as the best-practice model. And indeed, Canadian banks demonstrated how sound credit risk management practices can withstand even the most challenging financial crisis. In its annual Global Competiveness Report, the World Economic Forum ranked Canada's financial system the soundest in the world (with a rating of 6.8 out of 7). And on his first trip to Ottawa as U.S. president, Barack Obama said, "Canada has shown itself to be a pretty good manager of the financial system and the economy in ways that we haven't always been."
The numbers support the accolades. While U.S. taxpayers have provided hundreds of billions of dollars in bailout money to 450 financial institutions, not one penny of bailout money has been given to Canada's 21 banks. Between early 2007 and early 2009, U.S. bank stocks dropped 80%, compared to a 40% decline in Canadian bank stocks. Clearly, Canadian banks have outperformed global banks over the longer term. Since 1999, the market value of Canada's major chartered banks increased about 85%, while the aggregate market capitalization of the top 50 international banks declined 26%.
[FIGURE 1 OMITTED]
Key Lessons Learned
Based on its research and client experiences with U.S. and Canadian banks, James Lam & Associates (JLA) has identified four key lessons learned with respect to credit risk management practices at commercial banks:
1. Governance structure and policies. Banks must establish an effective governance structure, including credit risk policies with explicit risk-tolerance levels. The fundamental issues include:
* Who (among the board and management committees, corporate and business units, and individuals) is responsible for making credit risk management decisions?
* Who is responsible for providing independent risk oversight?
* What are the policies and limits that provide guidelines and constraints for those decision makers?
2. Credit Analyses. Banks must develop credit analyses from the bottom up--by borrower and transaction, by industry and geographic region, and by country and portfolio segment. In addition, banks should ensure that their liquidity positions, credit reserves, and capital base can withstand severe market conditions by conducting rigorous stress testing.
Key issues include:
* How transaction-level and portfolio-level credit decisions are made with respect to analytical input.
* How data integrity is maintained with respect to borrower financial statements, covenant requirements, and other key documents.
* How reserve and capital adequacy should be assessed over an economic cycle.
3. Credit Risk Management. Banks must integrate their credit analyses into business decisions. Moreover, they should consider change management requirements when planning for major risk management initiatives. Key issues include:
* Which specific business decisions (for example, credit granting, pricing, risk transfer) will optimize the risk/ return profile of the credit portfolio?
* Which change management requirements (for example, training, communication, incentives) must be addressed to ensure organizational alignment?
4. Reporting and Monitoring. Banks must establish effective reporting and monitoring processes to identify key credit risk exposures and trends. The fundamental issues include:
* How (ex post) will the performance of credit risk management decisions be evaluated?
* How can risk visibility be enhanced by technology and automation and by timely and effective reporting?
Governance Structure and Risk Policies
Who makes what decisions? And which guidelines or constraints should influence those decisions? Those are the key questions to be addressed by governance structure and risk policies. With respect to credit risk management, this includes board and management risk committee structures and charters, credit policies and limits, independent risk oversight, delegation of lending authority, and credit review and audit processes.
In the aftermath of the financial crisis, U.S. banks should address three specific issues: 1) improving the risk governance structure and processes at the board level, 2) establishing risk-tolerance levels for key credit risk exposures, and 3) enhancing the independence of the risk management function.
A risk committee of the board has been a common practice among Canadian banks for many years, and some U.S. banks are now debating whether they should follow suit. But establishing a board risk committee is not enough. U.S. banks must also ensure that an effective committee charter is established. More importantly, risk committee members must have sufficient experience in banking and risk to carry out their duties and challenge management on critical risk management issues.
One key responsibility for the board risk committee is to provide independent oversight of the bank's risk management policies. With respect to credit risk management, the risk committee should ensure that credit policies include explicit risk-tolerance levels, such as exposure limits by borrower, industry, and country. Beyond these basic limits, U.S. banks should also consider scenario-based risk limits, such as the financial impact of home prices declining 30% or oil prices increasing 50%. U.S. banks should also establish exposure limits with respect to liquidity risk and balance sheet leverage. (2) Compliance with key risk limits must not be implicit, but explicit in terms of tracking by management and reporting to the board.
Independent risk oversight is a critical tenet of effective risk management. As such, the reporting relationship between the board risk committee and the chief risk officer or chief credit officer should be clearly established. This reporting relationship should enable direct and unfiltered communication between the board and the risk function. Ultimately, the CRO or CCO should be able to raise risk management issues to the board without being concerned about job security or compensation.
The old computer adage "garbage in, garbage out" highlights the importance of data quality. This same phrase can be applied to credit risk management in two important ways. First, the quality of individual credit decisions depends on the quality of the underlying credit information. Second, the application of advanced portfolio analytics must be supported by granular loan-by-loan and borrower-by-borrower credit analysis. In other words, credit risk analysis must be built from the bottom up.
Based on its research and client experiences, JLA believes that Canadian banks are generally more diligent in gathering and maintaining critical credit information, as well as in deploying technologies and analytics to produce granular and portfolio-level credit analysis.
U.S. banks should adopt a back-to-the-basics approach and examine how well they can assess and monitor the "Five Cs of Credit": character, capacity, capital, conditions, and collateral. Banks not only must evaluate these key factors as part of the initial underwriting and credit-granting process, but also maintain and review this information on a frequent basis. Critical credit information includes borrower financial statements, credit ratings, background checks, ratio analysis, collateral values, and borrowing-base analysis.
Often, U.S. banks rely on manual processes and Excel[R] spreadsheets to collect and maintain this type of credit information. The information is generally updated and reviewed on an annual basis. In contrast, Canadian banks apply technologies to automate data collection and maintenance, document tracking, financial and credit analysis, covenant monitoring, and compliance and reporting. Moreover, Canadian banks update and review credit information much more frequently (often on a monthly basis).
Once the basic loan-by-loan, borrower-by-borrower analyses are developed and maintained, banks can build on this information and perform more advanced portfolio analytics. Some U.S. banks have invested millions in developing advanced portfolio analytics without first addressing the underlying informational requirements.
Unfortunately, without good data, even the best analytical models can produce inaccurate portfolio analysis and suboptimal credit decisions. But a bank can develop very useful portfolio analysis if it is supported by granular and updated credit information. For example, Toronto-based TD Financial Group performs stress testing as part of the bank's industry review process. This includes determining key industry risk factors, stress testing those factors under adverse scenarios, and asking the business unit to identify specific strategies for proactively mitigating the key risks.
The capability to analyze credit risk at the borrower and portfolio levels, including stress testing and scenario analysis, can help a bank maintain adequate reserves and capital. Transactional and portfolio-level credit analysis can support regulatory capital requirements and Basel II compliance, as well as bank management and board decisions on reserve and capital adequacy. Given that new bank regulations will likely lead to higher capital and liquidity requirements, U.S. banks should ensure they have the appropriate credit data and analytical infrastructure in place. Beyond supporting regulatory compliance, this will help them make better credit risk management decisions.
Credit Risk Management
The transactional and portfolio credit analyses discussed above would not be useful from an economic perspective unless they are integrated into the business decisions that affect the bank's risk/return profile. Some of the key business decisions include the following:
* Credit granting. The most basic decision is whether or not the bank wants to provide credit to the borrower. If the decision is affirmative, the bank needs to determine the terms and structure for the loan or credit facility, including loan covenant requirements.
* Credit pricing. In conjunction with the decision to grant credit, the bank needs to establish the appropriate risk-based pricing, including operational cost, funding cost, expected loss (provision), unexpected loss (capital), and liquidity cost.
* Borrower and portfolio limits. The bank should determine its risk appetite relative to individual borrowers as well as to portfolio segments that are impacted by similar economic factors. Explicit risk limits reflect the bank's risk appetite.
* Loan reserves and capital. Based on the underlying risks, the bank needs to set aside the appropriate levels of loan loss allowance and economic capital. These decisions should be linked to the bank's capital and dividend policies.
* Risk transfer. If credit risk exposures are determined (or projected) to be excessive, then the bank may decide to change its underwriting standards, sell down its positions, or use credit derivatives to hedge against potential loss.
Each of the above decisions would directly impact the bank's risk/return profile. However, these decisions are usually influenced by multiple functions or committees. For example, the establishment of credit risk limits usually involves the business unit, the risk management function, corporate management, and the board. As such, organizational alignment behind a major change in policy, strategy, or technology is critical to success.
As a general observation, JLA has noted that Canadian banks, when introducing major risk management initiatives, pay significantly more attention to change management requirements than do their U.S. counterparts. These requirements include conflict identification and resolution, consensus building, corporate communication, board and management training, and incentives redesign. While change management initiatives take time and resources, JLA believes that they have contributed to the long-term success of major risk management initiatives at Canadian banks.
Reporting and Monitoring
How should credit risk management performance be defined, quantified, and reported? In other words, what are the key performance indicators (KPIs) for credit risk management? Each bank should define a set of credit KPIs based on its business model and credit risk management strategy. Examples may include loan loss ratios, risk-adjusted profitability measures, unexpected charge-offs or earnings volatility due to credit exposures, exceptions to credit policies and limits, and so on.
Regardless of the set of KPIs used, each bank should define objective measurements and ensure there is a dynamic feedback loop in terms of credit risk management performance. These credit KPIs (as well as key credit risk exposures and trends) and forward-looking risk analysis (such as stress testing and scenario analysis) should be organized into "risk dashboards" and provided to management and the board. The structure and content of these risk dashboards should be custom designed based on the informational and decision-support needs of the recipients.
In addition to management and board reporting, U.S. banks should leverage technology to enhance the visibility of day-to-day credit risk management. Manual processes are inefficient and prone to error. Excel spreadsheets can lead to data-integrity issues and difficulties in aggregating credit information across the bank. Moreover, these operational issues, combined with infrequent updating and monitoring of credit information, can lead to unexpected changes in borrower condition, higher credit losses, and operational inefficiencies. U.S. banks should consider end-to-end process automation, which can significantly improve the performance of both credit risk and operational risk management. (3)
As an example, Montreal-based Laurentian Bank automated its commercial-loan monitoring process and integrated it into its suite of online financial services for commercial banking clients. This initiative provided significant benefits to the bank in improved loan monitoring and operational efficiencies. The bank reported that it reduced the average loan review time by 85%, from 89 minutes to 13 minutes. Moreover, the bank indicated that it improved its service to customers by automating the information-exchange process between the borrowers and loan officers.
As Paul Volcker, the widely respected former chairman of the Federal Reserve and close advisor to President Obama, said not long ago, "It's interesting that what I'm arguing for looks more like the Canadian system than the American system." For good reason. Canadian banks are the envy of the banking world. U.S. banks should take note and reexamine their credit risk management processes with respect to governance, credit analysis, credit risk management, and reporting and monitoring.
Blakely, Kevin. "Why Are Canadian Banks the Envy of the World?" The RMA Journal, May 2009.
Lam, James. "Key Requirements for Enterprise-wide Risk Management: Lessons Learned from the Global Financial Crisis." The RMA Journal, May 2009.
Porter, Michael E., and Klaus Schwab. "The Global Competitiveness Report, 2008-2009." World Economic Forum.
(1.) See "Key Requirements for Enterprise-wide Risk Management: Lessons Learned from the Global Financial Crisis," The RMA Journal, May 2009.
(2.) A key factor behind Canadian banks' success in weathering the crisis is their conservative leverage. OSFI, Canada's bank regulator, limits banks to a 23 leverage multiple (total assets divided by capital), and Canadian banks generally keep this multiple at under 20. By comparison, U.S. and European banks leveraged their capital base 25-50 times prior to the crisis.
(3.) JLA research has shown that up to one-quarter to one-third of credit losses at some U.S. banks are caused by operational risk issues (for example, poor loan documentation, human error, credit data problems, and technology issues).
James Lam is president of James Lam & Associates and author of Enterprise Risk Management: From Incentives to Controls. He is also a member of the board of directors of Covarity, Inc. Contact him at firstname.lastname@example.org.…
Questia, a part of Gale, Cengage Learning. www.questia.com
Publication information: Article title: Post-Crisis: Credit Risk Management: Lessons Learned and Best Practices from Canadian Banks. Contributors: Lam, James - Author. Magazine title: The RMA Journal. Volume: 92. Issue: 4 Publication date: December 2009. Page number: 60+. © 2007 The Risk Management Association. COPYRIGHT 2009 Gale Group.
This material is protected by copyright and, with the exception of fair use, may not be further copied, distributed or transmitted in any form or by any means.