GEORGIA BANKERS Georgia Banking School ASSOCIATION Info/Banking School/2016/Courses/Second Year/213 -Hoyt...• Value and benefits of risk management • The risk management process

GEORGIA

BANKERS

ASSOCIATION

Georgia Banking School

2016 Georgia Banking School May 1-6, 2016

UGA Hotel & Conference Center Athens, Georgia

RISK MANAGEMENT FOR

BANKING INSTITUTIONS

Rob Hoyt

Rob Hoyt Moore Chair and Professor of

Risk Management and Insurance


Overview

• Attention on risk management

• Broadened view of risk management (ERM)

• Value and benefits of risk management

• The risk management process

• Key risks in your organization

• Important types of risk and insurance • Catastrophe risk

• Directors and officers liability

• Cyber risk

• Operational risk

3


A World of Extremes (Attention on Risk)

4


Attention on Risk Management

• Google Search

– Risk Management –

• 2006 & 2007: 3.2 million

• 2008 & 2009: 27.2 million

• 2011 & 2012: 81.4 million

• “Audit committee members rank risk management as top worry”

– KPMG Survey of Corporate Directors

5


Risk Management #1 Focus of

Public Company Boards

• What topics would they like to spend more time on? – 55% of board members at public

companies cite risk management more than any other area

– 61% believe their liability risk as a director has increased during the past few years

Source: BDO Board Survey

6


Boards and Risk Management

• Boards are increasingly aware that risk

management is a corporate governance issue

• Audit Committees continue to expand risk

management awareness at Board level

• Board member participation in different

companies spreads risk management awareness

• Boards more willing to replace senior

management (evidence of more active role)

7

DISCUSSION:

How Has Your Board’s

Interest In And Perspective

On Risk Management

Changed?

8


Traditional View of Risk Management

• Silo management of risk

• Focus on risk transfer

• Limited integration with processes

• Scope limited to financial & hazard risks

• Unclear link to corporate objectives

9


A Brief History of Risk Management

• First generation risk managers – Insurance buyers

• Second generation risk managers

– Use multiple methods to manage hazard and financial

risks

• Third generation risk managers – Evolving toward enterprise risk management

10


Three Ways to Manage Risk

• Modifying firm’s operations

• Employing targeted financial instruments

• Adjusting firm’s capital structure

11

DISCUSSION:

What Examples Can You

Provide From Your Bank Of

Using These Three Methods?

12

Broadened View of Risk

Management (ERM)


So What Is Enterprise Risk

Management?

• Committee of Sponsoring Organizations (COSO) of the Treadway Commission's (COSO) definition of ERM:

"a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

14


Can You Match These Enterprise

Risks?

• A. Hazard/Insurable Risks

• B. Financial Risks

• C. Operational Risks

• D. Strategic Risks

• 1. Supply chain, IT, key managers, product quality

• 2. Natural disasters, injuries, deaths, product liability

• 3. Market demand, R&D, competitive strategies, reputation, customer need

• 4. Tax and interest rate changes, credit default, FX 15


Risks Included in ERM • Hazard risks

– Damage to property, liability to others, injuries to employees, etc.

• Financial risks – Interest rate risk, credit risk, FX risk, commodity price,

etc.

• Operational risks – Supply chain, distribution system, how we do

business, etc.

• Strategic risks – What businesses we are in, where we do business,

political risk, reputation risk (brand), who we do business with, etc.

16


Impact of Risks on Firm Value

Strategic

Operational

Financial

Hazard

Source: Mercer Management Consulting

58%

31%

6%

0%

17


Reasons for Engaging in Risk

Management Activities

• Theory suggests that firms should engage in hedging activities because they: – reduce the costs associated with conflicts of interest between

owners and managers and between shareholders and bondholders

– reduce expected bankruptcy costs

– reduce the firm’s tax burden

– reduce the costs of regulatory scrutiny

– improve the firm’s ability to take advantage of attractive investment opportunities

– can provide value-added services

18


Why ERM Adds Value to a

Financial Firm

• Better understand the aggregate risk inherent in different business activities

• Avoid duplication of risk management expenditures by exploiting natural hedges

• Benefit from being able to select investments based on a more accurate risk-adjusted rate

• Enables firms to better inform outsiders of their risk profile (especially financially opaque firms) and also serves as a signal of their commitment to risk management

• Growing interest by rating agencies (S&P, etc.) 19


CONCEPT CHECK: An Example

• BP purchased liability insurance from insurers

for the first $10m layer, but self-insured all

losses above $10m.

• What motivations can we give for BP’s choice

of this program structure?

20

Benefits of Enterprise

Risk Management (ERM)


Deloitte – Financial Institutions

• Highest value

– improved understanding of risk

– improved perception by the regulator (in these

highly regulated industries)

– ability to escalate critical issues to senior

management

22


Ernst & Young – firms generally

• Top benefit: better identify and understand key

risks

• Key risk categories: financial, strategic,

compliance and operational

• Top areas for focus on risk management:

– Improving alignment of RM and business strategy

– Improving risk assessment to better anticipate risks

• Enhancing coordination

23


Treasury & Risk Management

• Strategic risks still viewed as the most difficult to

assess and manage

• Biggest challenges to fully implementing ERM

– conflicting priorities

– difficulty quantifying risks

– difficulty embedding risk in culture

24


ERM Activity

• Recent survey by RIMS (review of proxy statements of companies in the DJIA) – 20% had a CRO (89% in banking sample)

– 64% mentioned ERM

– 27% describe Board’s oversight of risk management, but expect 100% in 2013

• Recent Deloitte survey – 91% of executives “plan to reorganize and

reprioritize their approaches to risk management in some form in the coming three years.”

25

DISCUSSION:

How Is Risk Management

Organized In Your

Organization?

26

Risk Management

Process


The Risk Management Process

• Identifying exposures to loss

• Measuring/evaluating exposures • frequency

• severity

• Selecting a risk handling or treatment approach • avoidance

• retention

• control

• transfer (e.g., insurance, hedging)

• Implementation and monitoring of the risk management program 28


Risk Characteristics as

Determinants of the Tool

Frequency Of Losses

Severity

Low High

Of Low Retention Retention

& Control

Losses High Transfer Avoidance

29


Risk Mapping

• Risk identification

• Risk measurement

• Risk mitigation (residual risk)

30


Categories of Risk Promulgated by

Regulatory Authorities in Banking

• Credit risk

• Interest rate risk

• Market risk

• Liquidity risk

• Operational risk

• Compliance risk

• Reputation risk

• Strategic risk

31


Basel Principles

• Process

– Identifying, measuring, monitoring, capital

planning and needs, control and mitigate,

report to board

• 11 principles

– Process, engagement by board, strong

control framework, BCP, disclosures on

operational risk

32


Risk Mapping: A Final Note

• You are never really “done” creating your

firm’s risk map

• Risk maps are dynamic, not static

• To be effective, the risk map must be updated

regularly to reflect changing circumstances

33

DISCUSSION:

What Do You Believe Are The

Key Risks Facing Your

Organization?

34


Top Business Risks for 2016

• Business interruption and supply chain

• Market developments (volatility, competition)

• Cybercrime, IT failures, data breaches

• Natural catastrophes

• Changes in legislation and regulation

• Macroeconomic developments (commodity price risk, inflation/deflation)

• Loss of reputation/brand loss

Source: Allianz

35

FS-1

FS-2

FS-3


ERM in Banks (McKinsey)

• Banks are increasingly exposed to non-traditional risks (cyber risks, regulatory risks and new forms of macro risks)

• Regulators are increasingly skeptical about banks´ internal—and often complex and opaque—risk modeling and measurement approaches

• 80% of participating banks believe they successfully integrate stress testing into strategic decision making

• Potential for improvement is especially significant in capital-allocation and talent-management processes

36


Risk Trends • Reputation risks

– 80% chance of a company losing at least 20% of its value in any single month over a five-year period due to a reputation crisis (Aon)

• Cyber-Liability – Need to think about these risks outside of the IT department – Data loss, privacy, virus issues – Need broad-based, disaster recovery plan (need to test it!)

• Health Care Issues • Liability / Tort issues

– Climate, energy, professional

• Big data – Predictive modeling

• Talent – The graying of the workforce – Recruiting and retaining it

37

Current Research:

Changes in Risk Reporting


BP

0

10

20

30

40

50

60

20

08

Q1

20

08

Q2

20

08

Q3

20

08

Q4

20

09

Q1

20

09

Q2

20

09

Q3

20

09

Q4

20

10

Q1

20

10

Q2

20

10

Q3

20

10

Q4

20

11

Q1

20

11

Q2

20

11

Q3

20

11

Q4

20

12

Q1

20

12

Q2

20

12

Q3

20

12

Q4

2008-2012 Quarterly Report Pages

Report Length

100% increase in length

No direct mention of oil spills or ocean drilling prior to 2012 Q2

4/20/2010 Deepwater Horizon explodes and sinks

39


Banks and Risk Reporting • Number of times the term “risk management” was used

in firm’s 10-K (2005 v. 2013) Financial Institution Times used in 2005 Times used in 2013 Percent increase

Bank of America 85 171 101.2%

BB&T 13 24 84.6%

JP Morgan 92 167 81.5%

PNC 83 133 60.2%

SunTrust 51 74 45.1%

Wells Fargo 34 137 302.9%

3 had CROs in 2005, all 6 had CROs in 2013 40


Important Types of Risk and

Insurance

• Categories/Types of Risk and Insurance

• Physical property and business continuity risk

• Legal risk

• Management liability risk

• Human resources risk (including BOLI and COLI)

• Environmental risk

• Crime and Cyber risk

• Fleet risk

41

Catastrophe Risk


U.S. Insured Catastrophe Losses $

7.5

$2

.7

$4

.7

$2

2.9

$5

.5

$1

6.9

$8

.3

$7

.4

$2

.6

$1

0.1

$8

.3

$4

.6

$2

6.5

$5

.9 $1

2.9

$2

7.5

$6

.7

$2

7.1

$1

0.6

$1

3.8

$3

5.9

$3

5.0

$1

2.9

$1

5.3

$1

6.1

$6

1.9

$9

.2

$0

$10

$20

$30

$40

$50

$60

$70

89

90

91

92

93

94

95

96

97

98

99

00

01

02

03

04

05

06

07

08

09

10

11

12

13

14

15

Source: Property Claims Service/ISO; Insurance Information Institute

$ Billions

Sandy $18.8B

43

Most Costly Disasters in U.S. History

(Insured Losses, 2012 Dollars, $ Billions)

$7.8 $8.7 $9.2$11.1

$13.4

$18.8

$23.9 $24.6 $25.6

$48.7

$7.5$7.1$6.7$5.6$5.6$4.4

$0

$10

$20

$30

$40

$50

$60

Irene (2011) Jeanne

(2004)

Frances

(2004)

Rita

(2005)

Tornadoes/

T-Storms

(2011)

Tornadoes/

T-Storms

(2011)

Hugo

(1989)

Ivan

(2004)

Charley

(2004)

Wilma

(2005)

Ike

(2008)

Sandy*

(2012)

Northridge

(1994)

9/11 Attack

(2001)

Andrew

(1992)

Katrina

(2005)

Hurricane Sandy became the 5th costliest event

in US insurance history

Includes Tuscaloosa, AL,

tornado

Includes Joplin, MO, tornado

12 of the 16 Most Expensive Events in US History Have Occurred Over the Past

15 Years

Sources: PCS; Insurance Information Institute inflation adjustments to 2012 dollars using the CPI.

44


Key Lessons and Issues

from Recent Catastrophes

• Flood risk remains a big issue – NFIP

• Business interruption is one of the biggest issues facing businesses – and it is poorly assessed and addressed

• Increased concerns from inland risks (tornados, hail, winter storms)

• Data Centers, utilities, supply chains …

45

Directors and Officers

Liability


Directors and Officers Legal Liability

• Exposure to loss

– basic functional duties

– fiduciary duties

– types of suits

• D&O insurance

– coverages

(Side A, Side B and Side C)

– common policy features

94% of the U.S. M&A deals in 2013 over $100 million were challenged in shareholder lawsuits

47


The FDIC’s Perspective on

D&O Insurance

• Purchase of D&O insurance is a legitimate

business activity

• Must be aware of exclusionary language

• The bank can’t buy coverage that

reimburses D&Os for civil money penalties

• The FDIC urges each board member and

executive officer to understand this

coverage

48

Most Frequently Cited D&O Issues

12.7%10.9%

7.8%

0.0%

2.0%

4.0%

6.0%

8.0%

10.0%

12.0%

14.0%

Wrongful

Termination

Inadequate /

Inaccurate

Disclosure

Mergers and

Acquisitions

49

Who Sues Officers and Directors? (2001-2010)

50

Cyber Risk


Cyber Liability Insurance

• Coverage (may include):

• reimburse immediate clean up costs (forensics, notification,

setting up call centers, paying for credit monitoring)

• legal fees

• cost of hiring crisis management firm

• Estimated cost in 2013 of a data breach was $188

per compromised record (only upfront clean up costs)

• Maximum capacity in the insurance market estimated

at $300 million (Target had $100 million)

52


Industry Developments Increased awareness of FI security/breach procedures following 2011

Citi breach

Oct 2011 SEC guidance/disclosure obligations relating to “cyber security” risks and incidents

Number of large FI’s purchasing first-time privacy insurance increased substantially in the last 12 months

Coverage Overview Privacy related liability/litigation from disclosure of client information

Regulatory action defense, fines and penalties, consumer redress fund

Loss mitigation expense (including notification/call center, credit monitoring, cost to reissue credit/debit cards, client identity restoration, discovery/data forensics, crisis management/PR firm)

No distinction as to cause of breach (e.g. laptop, hacked systems, malicious insider)

Coverage also includes breaches of bank’s data from outsourced suppliers

Morgan Stanley $200MM

Bank of America $120MM

PNC $100MM

Ally $100MM

SunTrust $75MM

Fifth Third $60MM

Goldman Sachs $60MM

US Bank $50MM

Keycorp $50MM

Bank of NY Mellon $30MM

Wells Fargo $25MM

Average FI Limit $80MM

FI Benchmark – Privacy Limits

Privacy / Cyber Security Liability

53

Operational Risk


Key Operational Risk Areas of Focus

Technology Risk

Supplier Risk

Regulatory/ Litigation

Risk

“Given the complexity of today’s banking markets and the sophistication of technology that underpins it, it is no surprise that the OCC deems operational risk to be high and increasing. Indeed, it is currently at the top of the list of safety and soundness issues for the institutions we supervise.”

- Thomas Curry, Comptroller of the Currency, Speech from May 16, 2012

55


Risk Management/Insurance Implications

Technology Risk

Supplier Risk

Regulatory/ Litigation

Risk

Cyber/Privacy Liability insurance here to stay Does insurance strategy contemplate new exposures? Potential business disruption/impact Critical business infrastructure supplier dependent

Increased external expectations (regulators, insurers) Managing risk through relationship lifecycle Focus management efforts on high risk suppliers “Supply Chain” insurance an evolving product

Expectations of Board’s role (oversight vs. mgmt) Rigorous underwriting process for D&O/E&O Stand-Alone Side A D&O now mainstream Buying more coverage, not less Outside coverage counsel critical to renewal process

56


Complacency is an Enemy of Risk

Management

• “It’s never happened before.”

• “It can’t happen here.”

• “We can handle it.”

• “Ignore it and it will go away.”

57

DISCUSSION:

What Other Questions Or

Comments Do You Have

Regarding Risk Management

For Your Bank?

58


Contact Information for the Risk Management and Insurance Program

at the University of Georgia

• Department Head, Rob Hoyt – Brooks Hall 206

– [email protected]

• Our web site – www.terry.uga.edu/insurance

Documents

GEORGIA BANKERS Georgia Banking School ASSOCIATION Info/Banking School/2016/Courses/Second Year/213 -Hoyt...• Value and benefits of risk management • The risk management process