Top 10 hurdles to developing effective risk management and Basel compliance

Standard & Poor''s discusses the hurdles banks face and how to overcome them.

There is considerable pressure on banks today to improve their risk management. Some of this comes from the increasingly competitive local business environment, some of it from the local regulator, and some of it from the globalisation of markets bringing with it new competitors and regulators. Hovering in the background is the Basel II, which can be viewed as adding to the pressure for change, or alternatively as aiding banks in the change process through a codification to some degree of good credit risk management practices.

From our experience in working with banks in emerging markets to enhance their credit risk management, reinforced by insights from the Risk Management Benchmarking study undertaken by Standard & Poor's Risk Solutions, some of the key hurdles to developing an effective credit risk management system have been identified.

1. Ensuring a Significant Degree of Senior Management Commitment / Involvement

"I approved a substantial budget, set a demanding deadline, and get monthly reports; what more do I need to do?"

Nothing major happens without senior management approval, but the most effective change programs benefit from active senior management commitment and involvement. This impacts a number of aspects.

At a simplistic level, there is nothing so focusing as presenting and debating issues with the CEO/Governor and Deputy CEO/Governor at fortnightly steering committee meetings, nor a more powerful incentive for business and service units to comply with project requirements than when they are active parties' to the request.

Similarly, resources are important but it is not just a case of money and bodies, it is important that people with appropriate experience are assigned to the project. Too often the only people that the Credit Risk Management project team does not include are experienced lending bankers; and their knowledge is critical to an effective and efficient process.

Finally, and perhaps most importantly, the ultimate success of any project to improve credit risk management will depend on senior management acceptance. Credit quality, portfolio management and risk capital allocation are senior management issues; but their willingness and ability to act in these areas will depend on their comfort and confidence in the new processes.

2. Ensuring Significant Business Unit "Buy-in", with Risk Seen as a Business Issue

"I don't care how they set up this new internal rating system; I do not have any people to spare, and it had better not impact my business"

It is hard to know whether it is more important that the credit risk management and assessment function is independent of the line business origination function, or that it is not irrelevant to the line business units. Effective credit risk management requires active involvement of the line business. They must ensure that the project team has capable people who understand the origination side of the business, the issues involved in managing clients, and transactional credit. A process designed without practitioners is unlikely to be practical. The business unit managers should be actively involved on the steering committee, to ensure that their needs and concerns are met.

Effective credit risk management is to a bank, what an effective research and development function is to a pharmaceutical company, an effective purchasing function is to a retailer, and an effective engineering function to a contract manufacturer. It is the essence of the business.

The days of business units being measured on loan volume alone are fading. The trend is towards risk based performance measures and risk based pricing. The foundation stones for these concepts are provided by the same concepts essential to Basel and effective credit risk management; an Internal Rating System, probability of default, loss given default, risk capital, etc. So line businesses better make sure the system is sensible and practical, because it will determine their ability to not only manage their business but compete in the market place. Contribute your best and brightest, not your leftovers.

3. Moving from a Focus on Compliance (Having) to one on Business (Using)

"We'd better introduce an internal rating system to satisfy the new regulations, but let's just do the minimum required to satisfy it"

While this is partly related to the previous hurdle, it is more about the objectives than the approach. If the focus is on the minimum regulatory requirement then there is probably a good chance that it will not be an effective process and that the money associated will not have been well spent. With all due respect to the regulators, regulations are often as much constrained by the lowest common denominator as inspired by the desire to raise it. If credit risk management is the essence of banking, can we afford to aspire to the lowest common denominator? The best managers are positioning their organisations for the prospective environment some years ahead, not the environment today.

That said it is entirely sensible to target minimum regulatory requirements as a first step, provided work is undertaken in the context of the longer term goal.

Focusing on compliance also makes the design phase more difficult because regulations are typically not prescriptive as to how you do it. Anyone who has waded through the Basel II documents will see that this is not likely to change. Its tough enough with business applications as a guide, but without them the project is likely to be like a ship without a rudder.

Many existing internal rating systems have been targeted largely at meeting regulatory non-performing loan reporting requirements. As a result, the typical single dimensional rating scale we find today is an amalgam of likelihood of default at the upper end of the scale, and likelihood of loss at the lower end; thus the scale does not fully represent either concept.

4. Broadening from a purely transactional perspective to a portfolio perspective

"A good credit officer can just look at a set of financial statements and assess the risk"

Over the years, many banks have developed over the years the ability to effectively assess individual borrowers / credits, whether based on effective assessment processes (desirably) or reliant on key individuals with a wealth of experience (okay today, but risky tomorrow when they may be gone). Even these banks cannot be said to have an effective credit risk management system by today's standards, because the addition of a portfolio perspective is now essential. In the future effective capital management will require a portfolio perspective, but even today credit risk management can benefit from such a perspective.

This can be a challenging change for those of us brought up on a transactional focus. Saying no to a good credit because it still adds to the portfolio risk can be hard to accept, as is accepting a lesser quality credit from a different industry or segment because it reduces the portfolio risk.

The Basel II concepts of probability of default, loss given default and risk capital are once again the foundation stones for such a portfolio approach. Scorecards and modelling are also arguably a portfolio related concept, drawing on factors identified across a range of borrowers to develop an objective assessment process, to which expert judgement should subsequently be applied.

It is important to stress that modern credit risk management, with its increasing focus on the portfolio level and statistical processes, does not replace the importance of expert judgement, but rather merely supplements it.

5. Developing a Common and Effective Credit Culture

"We couldn't let our loan officers make a judgment like that"

Many banks have controlled credit risk by concentrating credit approval power in a single entity, be it a senior individual or a credit committee. Loan officers can become restricted to interfacing with the client and "pencilling"; not really included in the credit process, nor trained or trusted to identify and monitor critical qualitative credit information. Unfortunately, despite the existence of a high level of credit risk management skills from an organisational perspective, the decision rules are typically seldom sufficiently clear or codified to enable other officers to understand and learn. Credit skills and experience can become concentrated in a very small number of people, making the organisation vulnerable.

The contrast is an organisation where everyone is tasked with responsibility for risk management, and developed to be both risk aware and share a common understanding of the bank's risk tolerance. Qualitative credit risk factors are critical to credit early warning systems, let alone the assessment of SME credit. The source of most such information is the loan officer during the course of ongoing contact with the borrower. Excluding this source can only seriously limit the credit risk management process.

A further benefit of an enterprise wide, pro-active, credit risk culture is the scope it provides for a bank to safely devolve credit decision-making power closer to the customer; of course with appropriate checks and balances. This enables banks to respond to two increasing pressures: the desire of larger customers for "fast response", and the need to reduce the "cost to serve" for smaller customers.

6. Ensuring an Independent Risk Function

"We need this deal to make our volume targets so place the emphasis on the company's strengths rather than its weakness"

Despite having argued earlier for the close involvement of the line businesses and an enterprise wide risk culture, there is still a need for the credit risk function to be independent of the origination function. That is not to say that the line of business should not have a say in the final credit decision, but rather that there should be a source of independent, objective assessment as an input to that decision.

Similarly, there needs to be someone responsible for establishing and monitoring the application of the credit processes. The existence of an independent credit risk function makes this responsibility clear.

Increasingly banks are introducing the role of the Chief Risk Officer to oversee risk management enterprise wide, to drive the change, and to take a strategic approach to risk.

7. Building an Effective Internal Rating System

"Its hard enough deciding whether to lend or not, without trying to choose between 10 different levels of risk. It can't be done"

An effective internal rating system provides an invaluable mechanism for understanding and communicating, not only the credit quality of individual exposures but of the overall portfolio.

Numerical estimates of likelihood of default, and likely loss, are increasingly required for capital purposes, but an effective internal credit risk rating system plays essential enabling and encapsulating role in the credit risk management process. Ratings provide a bridge between expert judgment and statistically based numerical assessments of risk, a "shorthand" for summarising the assessed credit risk associated with a given exposure; and a mechanism to streamline credit risk management processes.

Ratings can be used to provide a summary level of information, for

  • approval processes - discretion & analysis
  • portfolio reporting
  • credit management - early warning / lending inspection targeting
  • pricing matrices
  • marketing - targeting specific quality, risk/return segments

Alternatively they can provide the basis for numerical estimates of the likelihood of default & likely loss using historically observed ratings performance, where direct, statistically based, estimates are not able to be made for individual exposures with any degree of reliability

However, having an internal rating system is not a panacea for credit risk, particularly if it exists largely for compliance. To be effective it must drive a wide range of risk and non-risk processes, to the degree that it is imbedded in the culture and infrastructure of the bank.

8. Establishing Effective Measurement, Monitoring and Reporting Processes

"Let's just over-ride the scorecard result; no-one tracks what actually happens"

Establishing an internal ratings system and associated assessment processes is not sufficient. Banks must also establish the mechanism to measure the performance of these systems, comparing estimates of probability of default to actual realised default rates, monitoring the ratings transition experience, monitoring the pattern and performance of over-rides, monitoring the recovery experience on defaulted loans. Scorecard and modelling systems tend to focus the need for such monitoring and validation processes more clearly but they are not the only reason for them.

Such information is not just for the use of the risk management function but should be essential input to line business managers, senior management and any supervisory body equivalent to a Board. Validation of the effectiveness of the processes is critical to effective credit risk management at the senior management level.

A key challenge for risk management is to ensure acceptance of the importance of maintaining an objective view of credit quality. Even progressive organisations can be reluctant to allow full acknowledgement of true loan portfolio quality. This problem has a double penalty. Not only does it impair effective management today, but it distorts the information/performance base on which tomorrow's effective management will depend.

9. Data, Data, Data

"Course we've got data, look at all these credit files .."

Effective credit risk management, and Basel II compliance, is totally dependent on data. Data on borrower credit risk factors and default experience, data on loss experience, data on exposure and limits. While all banks typically have data, the key is the extent to which it is accurate, complete, retrievable, appropriately organised, and easily able to be analysed and manipulated.

A bank's core banking system is typically awash with information on facility types, exposures and limits, though not always readily accessible. Data on borrowers, particularly financials has often been the next most common data, although not always reliable or accessible. Relatively few banks have a structured approach to qualitative credit factors. Data on default experience has not always been retained in a structured manner, while data on loss experience is sporadic at best, and typically accounting orientated.

The "customer credit file" often does contain a wealth of information, but they are rarely in the condition that management believe, and equally rarely in the location management thought; particularly historical files.

The key to solving the data problem is process and structure. The critical task is moving quickly to define the information needs, both immediate and long term. Having defined the data requirements, efforts should be made to collect the data using whatever medium is available; paper, spreadsheets, etc. It need not await the development of "the ultimate" IT system, as often happens.

The sooner started. the sooner useful.

10. Taking the First Step

"Where do I start, I don't have the people, information or systems."

Developing effective credit risk management can seem a daunting task at the outset. The key is to begin. Avoid delaying everything until the master project is specified and established. View effective credit risk management as a never ending journey, rather than a destination. One for which the Basel II Accord provides a useful road map, codifying good credit risk management practices, but it is not the end point, nor a prescriptive process. Don't aim for perfection, just improvement, but accept the need for continuous improvement. It is an evolutionary process, so don't be afraid to take small steps.

While data is a seemingly logical place to start, it can often become bogged down by IT system's projects. Establishing processes, which can begin to build the desired credit risk culture, even if based on approximations will be invaluable. While eventual compliance with local regulatory requirements or Basel II may require more rigorous data based validation, changing the credit culture is often the most difficult and slowest part of the process.

Consultants can help, but do not abrogate the responsibility for determining the direction and pace. Any risk management system must be tailored to the needs and culture of the bank; otherwise it will fail. The best internal rating system and models technically will be useless if no one believes or uses them.

So limber up, do some stretches, aim for some of the lower hurdles first. And jump them.