How Good Is Your Risk-Rating System?

Register now

How good is your business loan risk-rating system? If you're like a lot of CU and bank executives, you're not so sure.

Less than two-fifths (37%) of bankers and credit union executives think that their risk-rating system is objective and properly applied, according to a survey by Sageworks, a financial information company that provides loan portfolio and risk management services.

Risk-rating is a crucial element in assessing the inherent risk of a loan portfolio for financial institutions, but there's a lack of uniform standards, in part due to the fact that most systems include a mix of objective and subjective factors , such as the character and perceived competence of the borrower.

Based on responses from 180 individuals in a poll conducted in mid-December 2015, almost 60% of those surveyed responded that they don't apply their risk-rating system as properly as they could.

"Risk-rating is a huge part of risk management," said Sageworks' senior risk management consultant Robert Ashbaugh. "It is the basis of understanding the risk in your portfolio."

The risk rating applied to a borrower consists of a single number (typically from one to nine), which serves as a composite figure of the borrower's suitability as a loan recipient based on his or her risk profile.

But risk-rating data have come under fire for, among other reasons, using too many subjective factors and not updating themselves to match the realities of a modern, complex globalized economy.

In an interview with Credit Union Journal, Ashbaugh said despite the fact that only 37% of financial executives believe their risk-rating system is "objective and applied properly," that doesn't necessarily mean most credit unions and banks are handing out too many loans to risky borrowers. Rather, it likely means they think their risk-rating process "could be much better," he added.

Ashbaugh further noted that, in his opinion, the survey results suggest financial executives believe the risk-rating process is "too subjective" and does not "significantly rely" on cold, hard facts such as financial metrics.

The "subjective side" of risk ratings, he said, could include the lender's opinion of the borrower and his industry – i.e.,  the qualitative side of the risk-rating process.

Brian Robertson, president of PCMS Inc., a Missoula, Mont.-based company that provides consulting and advisor services to financial institutions,  commented that the aforementioned 37% figure likely arose because  financial institution officers surveyed believe their internal risk-rating system is not as valid as they may like.  "Some institutions use knowledgeable, experienced independent staff or independent third parties to evaluate and assess loan risk and risk rating/grading accuracy," he said. "Those institutions [which] do not have an independent risk verification system rely on loan officers, auditors or examiners to assign the risk grade.  For those institutions, knowledge and experience may be lacking."

Ashbaugh explained that risk rating is a crucial practice since it directly affects the allowance for loan and lease loss (ALLL), which is especially important now, given the imminent emergence of the Financial Accounting Standards Board (FASB's) proposed current expected credit loss (CECL) model.

Ashbaugh also told CU Journal that CECL is likely going to rely on [loan-level?] risk-rated loans. "It will be important that these loans be accurately rated for an accurate ALLL calculation," he specified. "The risk ratings for each loan will also need to be evaluated periodically, maybe annually or more often as the scenario requires."

In addition, he said, "what you can do today will give you a more accurate CECL calculation in a couple [of] years. Having a risk-rating process on hand and in place is going to mitigate or reduce the chance of a real capital impact on the bottom line."

Risk analysis drives the ALLL adequacy determination, Robertson explained. "As the accountants discovered during the last financial meltdown, their method of using only past history and present assumptions for ALLL adequacy determination fell painfully short of actual ALLL adequacy," he quipped.

As for CECL, Robertson characterized the proposals as reminiscent of "Back to the Future."  "[Formerly], financial institutions utilized ALLL analysis processes to not only provide for past and present losses but also future losses," he noted. "Then FASB put a stop to a very sound process and now wants to go back to that process."

This is the basic problem Robertson posited: everyone wants to believe there is a science that is easily applied and statistically valid.

"[But ] there are just too many moving parts, structures, industries and risk mitigation strategies to create potential loss algorithms that pass through a crystal ball," he warned. "Individual credit analysis, hard work, knowledge and experience are the keys to risk analysis and ALLL adequacy determination."

Uniform Standards?
Because risk ratings are typically used only for business loans and not all credit unions offer business lending, there's been a lack of uniform standards, Ashbaugh said.

"Until recently, credit unions primarily handled consumer loans which have not always been risk rated," he specified. "Without that history of risk ratings, methodologies at credit unions developed independently from each other."

But he added that there has been some "commonality," such as the risk-rating scale ranging from one to nine and loan segmentation, but the variables and process being used varies across credit unions.

Rick Odenthal, chief executive officer of Central Minnesota Credit Union, a $919-million institution based in Melrose, Minn., said risk rating and loan classifications cannot be uniform and standardized across the credit union landscape because "you have a lot of variations in economies throughout the country."

In addition, there are variations among credit unions themselves with respect to the make-up of their membership, among other things.  "Then you have each credit union's own culture and portfolio concentrations and risk tolerance," he noted. "I think in the case of member business lending you would be very hard-pressed to standardize things because business varies so much and no two [loans] are alike to make such comparisons."

Robertson indicated that the lack of uniformity in risk-rating models is "by design." He clarified that some state-chartered credit unions have risk-rating methodologies mirroring those of state-chartered banks. "Generally, they follow the Office of the Comptroller of the Currency (OCC) Credit Risk Rating model," he said. "Believing the OCC, regulator of national banks for 150 years and now thrift institutions, had the knowledge and experience necessary for risk analysis, the FFIEC [Federal Financial Institutions Examination Council] basically adopted the OCC risk rating model."

But NCUA specifically opted not to use the FFIEC standard risk-rating definitions and supported each credit union's ability to design its own unique risk rating system for business lending.

And a one-size-fits-all approach may not make a lot of sense, suggested Robertson, noting, "the spectrum is so wide and diverse; attempting to apply broad risk standards is difficult."

Commercial lenders have structural components and different varieties of risk- mitigation strategies unique to each business loan, Robertson added. Thus, attempting to pool commercial loans and attach common characteristics for risk-rating and potential loss exposure does not work. "Even if two business loans appear identical, far too many factors enter into risk and potential loss analysis," he offered.

Interestingly, Robertson pointed out, When analyzing commercial/business loans, financial institution asset size is of no consequence. "Certainly the amount of capital/net worth plus ALLL buffers solvency -- the question is to what degree," he said.  "If the degree is unknown so is the question of solvency."

Outsourcing vs. In House
Many credit unions use outside vendors to develop their risk models, but certainly not all of them, Ashbaugh said.

For instance, Odenthal pointed out that his credit union has developed its own risk-rating model after "many years of trial and error."

"We have had input from a variety of examiners, auditors and various models that we have had access to," he said.

Central Minnesota's risk rating criteria is based on a variety of things, Odenthal indicated.  "We use a great deal of analytics, historical data, and we make assumptions based on current markets and economic forecasting," he said. "These assumptions are based on both local national trends and statistics."

Robertson believes that for credit unions new to business lending, the use of third parties for many business loan support functions is imperative. "They have not developed the depth of knowledge and experience necessary to address a variety of concerns," he said.

Michael Fuchs, director of commercial lending at  Wolters Kluwer Financial Services, strongly advocates that credit unions adopt a "more targeted, data-oriented approach" to  credit risk-rating systems in order to make smarter lending decisions.

Fuchs warned that even if credit unions boast very low delinquency and default rates on loans (which imply strong underwriting practices), it never hurts to fine tune and incrementally upgrade risk-rating modules using both qualitative and quantitative factors in a systematic manner.

"Risk rating should be intimately tied to loan pricing, and that's a very important thing to consider," he said. "Credit unions, like banks, need to be compensated for assuming higher levels of risk."

Similarly, Robertson concluded that without a timely and accurate risk identification process, financial institutions may be misstating the quality of their commercial/business loan portfolio. "Early detection leads to early resolution of potential problems," he said. "If increasing risk goes undetected, solvency of the financial institution may be in jeopardy."

For reprint and licensing requests for this article, click here.