GEORGIA
BANKERS
ASSOCIATION
Georgia Banking School
2016 Georgia Banking School May 1-6, 2016
UGA Hotel & Conference Center Athens, Georgia
RISK MANAGEMENT FOR
BANKING INSTITUTIONS
Rob Hoyt
Moore Chair and Professor of Risk Management and Insurance
Overview
• Attention on risk management
• Broadened view of risk management (ERM)
• Value and benefits of risk management
• The risk management process
• Key risks in your organization
• Important types of risk and insurance
– Catastrophe risk
– Directors and officers liability
– Cyber risk
– Operational risk
Attention on Risk Management
• Google Search
– Risk Management –
• 2006 & 2007: 3.2 million
• 2008 & 2009: 27.2 million
• 2011 & 2012: 81.4 million
• “Audit committee members rank risk management as top worry”
– KPMG Survey of Corporate Directors
Risk Management #1 Focus of Public Company Boards
• What topics would they like to spend more time on?
– 55% of board members at public companies cite risk management more than any other area
– 61% believe their liability risk as a director has increased during the past few years
Source: BDO Board Survey
Boards and Risk Management
• Boards are increasingly aware that risk management is a corporate governance issue
• Audit Committees continue to expand risk management awareness at Board level
• Board member participation in different companies spreads risk management awareness
• Boards more willing to replace senior management (evidence of more active role)
Traditional View of Risk Management
• Silo management of risk
• Focus on risk transfer
• Limited integration with processes
• Scope limited to financial & hazard risks
• Unclear link to corporate objectives
A Brief History of Risk Management
• First generation risk managers
– Insurance buyers
• Second generation risk managers
– Use multiple methods to manage hazard and financial risks
• Third generation risk managers
– Evolving toward enterprise risk management
Three Ways to Manage Risk
• Modifying firm’s operations
• Employing targeted financial instruments
• Adjusting firm’s capital structure
So What Is Enterprise Risk Management?
• Committee of Sponsoring Organizations of the Treadway Commission's (COSO) definition of ERM:
“a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
Can You Match These Enterprise Risks?
• A. Hazard/Insurable Risks
• B. Financial Risks
• C. Operational Risks
• D. Strategic Risks
• 1. Supply chain, IT, key managers, product quality
• 2. Natural disasters, injuries, deaths, product liability
• 3. Market demand, R&D, competitive strategies, reputation, customer need
• 4. Tax and interest rate changes, credit default, FX
Risks Included in ERM
• Hazard risks
– Damage to property, liability to others, injuries to employees, etc.
• Financial risks
– Interest rate risk, credit risk, FX risk, commodity price, etc.
• Operational risks
– Supply chain, distribution system, how we do business, etc.
• Strategic risks
– What businesses we are in, where we do business, political risk, reputation risk (brand), who we do business with, etc.
Impact of Risks on Firm Value
• Strategic: 58%
• Operational: 31%
• Financial: 6%
• Hazard: 0%
Source: Mercer Management Consulting
Reasons for Engaging in Risk Management Activities
• Theory suggests that firms should engage in hedging activities because they:
– reduce the costs associated with conflicts of interest between owners and managers and between shareholders and bondholders
– reduce expected bankruptcy costs
– reduce the firm’s tax burden
– reduce the costs of regulatory scrutiny
– improve the firm’s ability to take advantage of attractive investment opportunities
– can provide value-added services
Why ERM Adds Value to a Financial Firm
• Better understand the aggregate risk inherent in different business activities
• Avoid duplication of risk management expenditures by exploiting natural hedges
• Benefit from being able to select investments based on a more accurate risk-adjusted rate
• Enables firms to better inform outsiders of their risk profile (especially financially opaque firms) and also serves as a signal of their commitment to risk management
• Growing interest by rating agencies (S&P, etc.)
CONCEPT CHECK: An Example
• BP purchased liability insurance from insurers for the first $10m layer, but self-insured all losses above $10m.
• What motivations can we give for BP’s choice of this program structure?
Deloitte – Financial Institutions
• Highest value
– improved understanding of risk
– improved perception by the regulator (in these highly regulated industries)
– ability to escalate critical issues to senior management
Ernst & Young – firms generally
• Top benefit: better identify and understand key risks
• Key risk categories: financial, strategic, compliance and operational
• Top areas for focus on risk management:
– Improving alignment of RM and business strategy
– Improving risk assessment to better anticipate risks
• Enhancing coordination
Treasury & Risk Management
• Strategic risks still viewed as the most difficult to assess and manage
• Biggest challenges to fully implementing ERM
– conflicting priorities
– difficulty quantifying risks
– difficulty embedding risk in culture
ERM Activity
• Recent survey by RIMS (review of proxy statements of companies in the DJIA)
– 20% had a CRO (89% in banking sample)
– 64% mentioned ERM
– 27% describe Board’s oversight of risk management, but expect 100% in 2013
• Recent Deloitte survey
– 91% of executives “plan to reorganize and reprioritize their approaches to risk management in some form in the coming three years.”
The Risk Management Process
• Identifying exposures to loss
• Measuring/evaluating exposures
– frequency
– severity
• Selecting a risk handling or treatment approach
– avoidance
– retention
– control
– transfer (e.g., insurance, hedging)
• Implementation and monitoring of the risk management program
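Risk Characteristics as Determinants of the Tool
• Low severity of losses, low frequency of losses: Retention
• Low severity of losses, high frequency of losses: Retention & Control
• High severity of losses, low frequency of losses: Transfer
• High severity of losses, high frequency of losses: Avoidance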
Risk Mapping
• Risk identification
• Risk measurement
• Risk mitigation (residual risk)
Categories of Risk Promulgated by Regulatory Authorities in Banking
• Credit risk
• Interest rate risk
• Market risk
• Liquidity risk
• Operational risk
• Compliance risk
• Reputation risk
• Strategic risk
Basel Principles
• Process
– Identifying, measuring, monitoring, capital planning and needs, control and mitigate, report to board
• 11 principles
– Process, engagement by board, strong control framework, BCP, disclosures on operational risk
Risk Mapping: A Final Note
• You are never really “done” creating your firm’s risk map
• Risk maps are dynamic, not static
• To be effective, the risk map must be updated regularly to reflect changing circumstances
Top Business Risks for 2016
• Business interruption and supply chain
• Market developments (volatility, competition)
• Cybercrime, IT failures, data breaches
• Natural catastrophes
• Changes in legislation and regulation
• Macroeconomic developments (commodity price risk, inflation/deflation)
• Loss of reputation/brand loss
Source: Allianz
ERM in Banks (McKinsey)
• Banks are increasingly exposed to non-traditional risks (cyber risks, regulatory risks and new forms of macro risks)
• Regulators are increasingly skeptical about banks’ internal—and often complex and opaque—risk modeling and measurement approaches
• 80% of participating banks believe they successfully integrate stress testing into strategic decision making
• Potential for improvement is especially significant in capital-allocation and talent-management processes
Risk Trends
• Reputation risks
– 80% chance of a company losing at least 20% of its value in any single month over a five-year period due to a reputation crisis (Aon)
• Cyber-Liability
– Need to think about these risks outside of the IT department
– Data loss, privacy, virus issues
– Need broad-based, disaster recovery plan (need to test it!)
• Health Care Issues
• Liability / Tort issues
– Climate, energy, professional
• Big data
– Predictive modeling
• Talent
– The graying of the workforce
– Recruiting and retaining it
BP
[Figure: Report Length, 2008-2012 Quarterly Report Pages, by quarter from 2008 Q1 to 2012 Q4]
• 100% increase in length
• No direct mention of oil spills or ocean drilling prior to 2012 Q2
• 4/20/2010 Deepwater Horizon explodes and sinks
Banks and Risk Reporting
• Number of times the term “risk management” was used in firm’s 10-K (2005 v. 2013)
Financial Institution | Times used in 2005 | Times used in 2013 | Percent increase
Bank of America | 85 | 171 | 101.2%
BB&T | 13 | 24 | 84.6%
JP Morgan | 92 | 167 | 81.5%
PNC | 83 | 133 | 60.2%
SunTrust | 51 | 74 | 45.1%
Wells Fargo | 34 | 137 | 302.9%
3 had CROs in 2005, all 6 had CROs in 2013
Important Types of Risk and Insurance
• Categories/Types of Risk and Insurance
• Physical property and business continuity risk
• Legal risk
• Management liability risk
• Human resources risk (including BOLI and COLI)
• Environmental risk
• Crime and Cyber risk
• Fleet risk
U.S. Insured Catastrophe Losses
[Figure: bar chart of U.S. insured catastrophe losses by year, 1989 to 2015, in $ billions; Sandy $18.8B]
Source: Property Claims Service/ISO; Insurance Information Institute
Most Costly Disasters in U.S. History (Insured Losses, 2012 Dollars, $ Billions)
[Figure: bar chart of the 16 most costly insured-loss events, from Irene (2011) to Katrina (2005)]
• Hurricane Sandy became the 5th costliest event in US insurance history
• Tornadoes/T-Storms (2011): one event includes the Tuscaloosa, AL, tornado; the other includes the Joplin, MO, tornado
• 12 of the 16 Most Expensive Events in US History Have Occurred Over the Past 15 Years
Sources: PCS; Insurance Information Institute inflation adjustments to 2012 dollars using the CPI.
Key Lessons and Issues from Recent Catastrophes
• Flood risk remains a big issue – NFIP
• Business interruption is one of the biggest issues facing businesses – and it is poorly assessed and addressed
• Increased concerns from inland risks (tornados, hail, winter storms)
• Data Centers, utilities, supply chains …
Directors and Officers Legal Liability
• Exposure to loss
– basic functional duties
– fiduciary duties
– types of suits
• D&O insurance
– coverages (Side A, Side B and Side C)
– common policy features
94% of the U.S. M&A deals in 2013 over $100 million were challenged in shareholder lawsuits
The FDIC’s Perspective on D&O Insurance
• Purchase of D&O insurance is a legitimate business activity
• Must be aware of exclusionary language
• The bank can’t buy coverage that reimburses D&Os for civil money penalties
• The FDIC urges each board member and executive officer to understand this coverage
Most Frequently Cited D&O Issues
• Wrongful Termination: 12.7%
• Inadequate / Inaccurate Disclosure: 10.9%
• Mergers and Acquisitions: 7.8%
Cyber Liability Insurance
• Coverage (may include):
– reimburse immediate clean up costs (forensics, notification, setting up call centers, paying for credit monitoring)
– legal fees
– cost of hiring crisis management firm
• Estimated cost in 2013 of a data breach was $188 per compromised record (only upfront clean up costs)
• Maximum capacity in the insurance market estimated at $300 million (Target had $100 million)
Privacy / Cyber Security Liability
Industry Developments
• Increased awareness of FI security/breach procedures following 2011 Citi breach
• Oct 2011 SEC guidance/disclosure obligations relating to “cyber security” risks and incidents
• Number of large FIs purchasing first-time privacy insurance increased substantially in the last 12 months
Coverage Overview
• Privacy related liability/litigation from disclosure of client information
• Regulatory action defense, fines and penalties, consumer redress fund
• Loss mitigation expense (including notification/call center, credit monitoring, cost to reissue credit/debit cards, client identity restoration, discovery/data forensics, crisis management/PR firm)
• No distinction as to cause of breach (e.g. laptop, hacked systems, malicious insider)
• Coverage also includes breaches of bank’s data from outsourced suppliers
FI Benchmark – Privacy Limits
• Morgan Stanley: $200MM
• Bank of America: $120MM
• PNC: $100MM
• Ally: $100MM
• SunTrust: $75MM
• Fifth Third: $60MM
• Goldman Sachs: $60MM
• US Bank: $50MM
• Keycorp: $50MM
• Bank of NY Mellon: $30MM
• Wells Fargo: $25MM
• Average FI Limit: $80MM
Key Operational Risk Areas of Focus
• Technology Risk
• Supplier Risk
• Regulatory/Litigation Risk
“Given the complexity of today’s banking markets and the sophistication of technology that underpins it, it is no surprise that the OCC deems operational risk to be high and increasing. Indeed, it is currently at the top of the list of safety and soundness issues for the institutions we supervise.”
- Thomas Curry, Comptroller of the Currency, Speech from May 16, 2012
Risk Management/Insurance Implications
• Technology Risk
– Cyber/Privacy Liability insurance here to stay
– Does insurance strategy contemplate new exposures?
– Potential business disruption/impact
– Critical business infrastructure supplier dependent
• Supplier Risk
– Increased external expectations (regulators, insurers)
– Managing risk through relationship lifecycle
– Focus management efforts on high risk suppliers
– “Supply Chain” insurance an evolving product
• Regulatory/Litigation Risk
– Expectations of Board’s role (oversight vs. mgmt)
– Rigorous underwriting process for D&O/E&O
– Stand-Alone Side A D&O now mainstream
– Buying more coverage, not less
– Outside coverage counsel critical to renewal process
Complacency is an Enemy of Risk Management
• “It’s never happened before.”
• “It can’t happen here.”
• “We can handle it.”
• “Ignore it and it will go away.”
DISCUSSION:
What Other Questions Or Comments Do You Have Regarding Risk Management For Your Bank?
Contact Information for the Risk Management and Insurance Program at the University of Georgia
• Department Head, Rob Hoyt
– Brooks Hall 206
• Our web site
– www.terry.uga.edu/insurance