Unfortunately, the economic downturn in 2008 revealed the weaknesses of many programs. Failures in risk management policies, procedures and techniques were evident throughout the sector. Key risks were not identified, analyzed or properly managed.
As a result, financial regulators -- including the Federal Housing Finance Agency (FHFA), the regulator of Fannie Mae, Freddie Mac and the nation's 12 Federal Home Loan Banks -- have emphasized the need for executives and boards of directors to improve their view of the risks facing their organization. Regulators want to ensure management and boards establish formal risk management programs, adhere to regulatory requirements and align their institutions with an established risk appetite.
So, against the backdrop of a difficult economic environment and in response to the rising expectations of the FHFA, the management and board of the Federal Home Loan Bank of Topeka (FHLBank) initiated a project to significantly strengthen its ERM program.
To begin this process, the bank's board appointed a chief risk officer (CRO), who was a long-tenured executive with the company, had extensive knowledge of its operations and was already fulfilling many of the responsibilities commonly designated for a CRO (i.e., overseeing its market, credit and ERM departments).
The board also redesignated its finance committee as the risk oversight committee (ROC) and significantly revised its roles and responsibilities. In addition, two new risk management committees were established within the bank: the strategic risk management committee (SRMC) and the operations risk committee.
The ROC, working with the CRO and his staff, worked to determine why ERM had failed at so many financial firms and what could be learned from those failures. In revising the bank's approach, they were intent on avoiding the following potential pitfalls.
- An excessive reliance on models without challenging the assumptions used within them and without considering "fat tail" risk scenarios.
- ERM processes that are too bureaucratic (i.e., they became focused on completing forms rather than really thinking about and managing risk).
- A rationalization of a risk position by management that went unchallenged by the board of directors.
- The failure of executive management and the board to truly understand the risks that they were taking.
- Marginalizing of the ERM team, role or function.
- Conducting risk management on a "silo" basis rather than a holistic, enterprisewide basis.
- A governance structure at the executive and board levels that inundated members with risk data but did not allow them to focus on the key risks.
- Failing to consider new risks, emerging risks or "black swan" events (i.e., risks with extreme implications that may have quickly appeared where they were not traditionally expected).
The ROC also recognized that managing risk at the enterprise level had never been more important for financial institutions. Not only is it now required by most regulators -- it is necessary to help ensure a firm's survival.
Those institutions today that recognize this and take appropriate measures to manage enterprise risk can benefit in several ways. For example, they will likely maintain a healthy bottom line, enjoy a strong reputation with their customers and position themselves for long-term success.
As a next step, the ROC recommended that the FHLBank select an outside third party to complete a comprehensive assessment of the bank's ERM activities, benchmarking them to established standards and comparing them to other large, complex financial institutions. This would provide a baseline and identify potential enhancement opportunities that had not already been identified by the CRO or ROC. Ultimately Deloitte Touche Tohmatsu Limited was selected to perform this review.
Deloitte identified 81 recommendations to strengthen the FHLBank's ERM program. In response, management drafted an action plan including 30 items expected to improve the bank's overall risk management program. They also developed a risk management framework that acknowledges the risk-taking side of the business and the key role that it plays in the overall risk management of the bank.
At the same time Deloitte's work was being completed, the ROC and FHLBank management (in particular, the SRMC) began a process to better define the bank's risk philosophy and risk appetite. This was easier said than done. It is very difficult for most firms to truly establish a risk appetite since significant risks are even present in activities that are flourishing, and participants involved in these activities often do not recognize the risks involved. A realization of this phenomenon resulted in many management and board discussions in an effort to clearly define the bank's risk philosophy and appetite.
The philosophy adopted by the board helped shape the FHLBank's business strategy and includes a set of shared beliefs and attitudes to consider risk in everything it does. The bank's risk management philosophy focuses not solely on risk avoidance, but also on prudent risk-taking as a means of creating value for its stakeholders.
Mindful of the bank's risk philosophy, the board established specific guidelines to assist management in defining the bank's risk appetite:
- We must never jeopardize the FHLBank's ability to provide competitively priced and readily accessible liquidity to our members.
- We must protect the $100 par value of members' capital stock in the FHLBank.
- We must always be able to repurchase or redeem members' capital stock and/or pay an acceptable dividend.
- We must integrate risk management into the FHLBank's strategic planning process and take a "holistic" or enterprisewide view of risk. This approach is an effort to eliminate any tendency to manage risks in silos without consideration of how they fit together or whether the overall risk profile was consistent with the FHLBank's true risk appetite.
The ROC gave the CRO the responsibility to ensure the that the bank stayed focused on these objectives and did not accept risk beyond the defined appetite. The CRO's responsibilities also included developing an ERM framework to allow management and the board to report on risk and evaluate the FHLBank's actual risk profile.
Some key concepts the ROC and executive management adopted include the following:
In some cases, organizations may be practicing effective risk management on an exposure-by-exposure basis, but they may not be paying close enough attention to the aggregate exposures across the entire organization. An organization must understand how its various business components -- which can be quite sophisticated and complex -- interact. A successful ERM program should be able to identify specific exposures, which, in the aggregate, could cause an unacceptable level of risk.
Organizations need to analyze how any potential risk could impact achievement of their key strategic objectives. ERM must be directly connected to the corporate strategy.
An organization must avoid developing a bureaucratic approach to ERM. Simply completing forms and processes rather than seeking a true analysis of the key risks must be avoided. The ROC believes many ERM programs fail because they become too bureaucratic -- meaning, something management feels it needs to complete just to satisfy the board or regulators. Our process is intended to be a truly dynamic process that is focused on identifying, analyzing and managing key risks.
A mind-set of continuous improvement is very important. ERM is a journey, not a destination. We need to be continuously improving our organization's risk management processes and approaches.
The board needs the following information provided in a succinct way: the key risks the FHLBank is facing, management's plan to manage those risks and the level of residual risk that remains. This is to ensure that there is transparency and that both management and the board are on the same page relative to how risks are being managed.
There is no one-size-fits-all approach to risk management. At the same time, there are commonalities that every successful ERM program should include. For example, we must continually monitor the environment and be an early adoptee of new practices and techniques. ERM, at its best, is a dynamic, ever-changing process.
It is important that organizations not ignore or accidentally overlook lower-profile activities that may bear substantial risks. Such activities can include financial statement reporting, information security, legal compliance and back-office systems. And more broadly, operational risk can create disruptions for the organization that could reduce its overall value.
Often, the solutions to these problems are relatively basic, such as providing additional training, establishing policies and procedures, developing internal controls, and establishing awareness and the appropriate risk culture across the organization. Therefore, organizations should look at ERM and its discipline as a means to ensure that they effectively deal with uncertainty and examine its associated risk and opportunity.
In addition to promptly and effectively addressing major risk exposures, the goal of the FHLBank's ERM function is to find opportunities to take advantage of risks that when analyzed are determined to be a "good risk" for the bank. The FHLBank views effective ERM as a "business enabler" designed to help it achieve -- and even exceed -- its corporate objectives.
The FHLBank's ERM framework and the changes to its organizational structure, combined with implementation of the bank's action plan, are expected to strengthen its overall risk governance, monitoring and control functions. These practices will help ensure that senior management and the board of directors are provided with a holistic, enterprisewide perspective of the bank's corporate risk profile.
For the FHLBank, as it should be with any organization, the objective is to be able to use ERM as more than just a process for risk mitigation. Ultimately, ERM's true benefits are realized when risk information is integrated with business decisions so that management can protect and enhance organizational value in the face of risks and uncertainties. With this goal in mind, ERM can become an essential ingredient for continued organizational growth and success.