Comptroller of the Currency Eugene Ludwig announced last month that his agency will soon be modifying the way it supervises national banks, by adopting a new examination procedure called "supervision by risk."
The emphasis will be on the quantity of risk in various bank activities and the quality of risk management in the bank. The comptroller said that the new approach would "pose no new requirements on banks."
While that may be literally true, in practice the new system will mean significant changes in the approach banks take to managing both risk and compliance. The emphasis on risk assessment of all banking activities is a dramatic and fundamental change in philosophy.
Bankers will have to rethink their approach to business risk management and to regulatory compliance as well. The compliance functions at most banks will become, over time, a risk management function, which will pose interesting, time-consuming, and difficult challenges for many institutions.
The rewards, however, are likely to be worth the investment.
While the important announcement was made only by the Comptroller's office, over time the other federal banking agencies will move in the same direction.
The changes in the traditional examination framework to the soon-to-be- implemented supervision by risk are an indication of a revolution in the way regulators think of banking institutions - as a collection of business activities each with its own risk characteristics that need to be managed across business and in the aggregate.
To be prepared for this change, now is the time for domestic banks to evaluate how they think about risk management and how they comply with laws and regulations.
Different Approach
Bankers should begin to think about "supervision by risk" as the identification and measurement of risk elements associated with each of the bank's business activities. The basic risks institutions should evaluate include credit risk, market risk, liquidity risk, operations risk, compliance risk, and reputation risk.
The Comptroller's office identifies nine primary risks, since it chooses to segregate market risk and operations risk into more precise risk elements. Specifically, market risk is separated into price risk, interest rate risk, and foreign exchange risk; and operations risk is separated into transaction risk and strategic risk.
With a new focus on the quantity of risk and its management, examinations will be very different.
The existing system assessing the well-being of a banking institution by application of the Camel rating system is backward-looking in its approach. That rating system basically asks: What is the amount and quality of capital? What is the quality of assets? How good has management been doing its job? What have earnings been and how good are they? Is liquidity satisfactory?
By contrast, "supervision by risk" will be proactive and forward- looking, critiquing a process rather than a static condition. The new system will ask:
*What level of risks are inherent in each of the business activities undertaken by the institution?
*How will each of those risks affect each activity and the institution overall under different economic, business, and perhaps political scenarios?
*How good is the risk management system the institution uses for monitoring and controlling those risks?
*What impact will external factors have on the bank's risk profile?
In many ways, the new compliance assessments will be business assessments, judged against not only legal and regulatory requirements, but also against best business practices as the Comptroller's office and other agencies gather information about approaches to risk management.
The system will evolve and change incrementally over a period of time. Bankers and examiners will jointly come to understand that if an institution's level of risk is "high" and/or the quality of risk management is "low," risk must be brought down and/or risk management improved, and ultimately capital needed to support the level of risk inherent in the institution.
Risk Management
Risk management systems are now in place or being developed in a growing number of banking institutions. While they all have the same objectives - namely, to measure, monitor, and control risks - they also can be quite different in approach and emphasis.
Presumably even those risk management systems now in place will need to be "re-examined" and modified as more information becomes available from the Comptroller's office about its new risk assessment approach.
Traditionally, risk management has involved four distinct functions: risk identification, risk measurement, risk monitoring, and risk control.
The Comptroller's office has now helped establish a common view toward risk identification with its lexicon of risk categories. However, definitions alone are only a first step. Identification must also include recognition of risks and an understanding of them. The more difficult functions to establish across banking business activities will, of course, be risk measurement, risk monitoring, and risk control.
Although these functions are available for credit and market risks, far less time and attention has been paid to systematic approaches to reputation risk, compliance risks, strategic risks, and transaction risks.
In every risk area there are common elements of a good risk management approach that start with policies, procedures, training of personnel, and controls.
Institutions should have board-approved policies and procedures that control the major risk components across all activities of the institution. All personnel should understand the policies and procedures affecting their particular function and should be periodically trained or retained in them. Control structures should ensure that adequate systems are in place to monitor compliance with policies and procedures to control all of the identified risks.
Though most institutions of size consider most of these items on at least a cursory basis now, an examination spotlight on measurement, monitoring, and control of specific risk types will provide new challenges for risk management at most institutions.
Other unanswered questions
The comptroller and his staff should be praised for coming forward with this new approach to supervision. However, it is now incumbent upon them to supply national banks with as much information and detail as possible. The devil, is after all, always in the details.
One of the more interesting effects of the new "supervision by risk" program is that the process of supervision, for large banks and small, is likely to be significantly different. The risks that small banks assume reflect the well understood, traditional types of banking activities - such as deposit taking, small business and consumer lending, and the provision of payments services.
Risks that large banking institutions assume would reflect those same traditional activities plus more diverse, complex, and sophisticated financial products and services now offered in competition with nonbank financial services companies - trading, underwriting, guarantees, and the use of complex derivatives in hedging programs.
Certainly, one could question whether implementation of supervision by risk for the smallest institutions would be approached in the same manner and time frame.
The new approach will require examiners and management to evaluate the risk profile of every business activity in the bank. That is, each activity will have some or all of the types of risks represented by the nine risk categories defined by the Comptroller's office. It may also be necessary to aggregate the risk measurements across activities to arrive at a meaningful overall rating.
This has not generally been done before, and will no doubt involve a combination of quantitative and qualitative processes. Thus, one might expect some type of aggregate individual ratings for each of the nine risk categories established by the agency.
For example, credit risk will be inherent in commercial, consumer, and mortgage lending, as well as, in investments, leases, and trading activities and is susceptible to qualification. Reputation and compliance risks will have to be judged on a much less precise scale.
The role of banking supervision and regulation is not to stop risk taking, but rather to ensure that risks are taken within the scope of law and regulation, in a safe and sound manner.
The challenge for institutions is to make sure they are ready for supervision by risk assessment. As risk management continues to evolve over the next several years, institutions should expect the examination process, using a risk assessment approach, also to become much more dynamic than the traditional examination framework.
Properly understanding and managing the risk exposures of an institution allows management to confidently maximize its earnings potential and value, while at the same time protecting the safety and soundness of the institution. Mr. Roberts is partner in charge of the financial services regulatory advisery practice of KPMG Peat Marwick. Mr. Young is a manager with the practice.
