How Sanwa plans for overall risk management

There is an old folk tale of a prince of India who, when quarreling court philosophers felt each alone had the right metaphysical argument, directed that his servants bring in one of the royal elephants. Then three men, blind from birth, were brought in and asked to describe the animal by touch.

"The elephant is a long, snake-like creature," insisted the first blind man, feeling the trunk.

"Surely you jest, thou whose mother had no children," said the second blind man, feeling one of the animal's great legs. "The elephant is a squat, round creature like a tree trunk."

"I am in the company of fools," insisted the third blind man, feeling the elephant's huge ear, "for surely any man of reason, even blind, can appreciate that the elephant is a winged creature, something like a huge bat."

The blind men began to argue, and were joined by the king's advisors, who began to poke and prod the beast, too, everyone trying to discover more about the beast, and finally, the king himself waded in to separate the combatants. Just then, the aged elephant, upset by the commotion, suffered a fatal heart attack, and collapsed to the floor, crushing all the men dead as it rolled.

Actually, this is not the way the folk tale really ends, but it's apropos of the debate that has gone on in banking in recent years when the subject is risk management.

The moral? Not considering that there may be many aspects to an issue may lead to crushing results.

Risk gets rediscovered
"Risk" is the banking world's hottest buzzword these days. To the casual observer, risk management in banking would seem to have exploded overnight from the stuff of security officers and insurance administrators into a veritable new banking discipline bordering on religion. It's hard not to come across a seminar, a consultant, or a regulator that isn't couching issues, no matter what subject is at hand, in risk-management terms.

The Federal Reserve Board and the Comptroller's Office have already implemented risk-based examination schemes for the banking companies they supervise and FDIC is field-testing its own setup.

It's not that bankers and examiners hadn't always recognized that banking entails some risk. But now there is an effort to rise above the level of specific activities, to assess the organization's risks across its range of activities.

Coming to an understanding
What the regulators have been saying about risk lately isn't all that new, says Roland K. Ojeda, senior vice-president in charge of the risk-management division at Sanwa Bank, Los Angeles, California. Yet it has been helpful, the 30-year veteran of California banking says, in that it has served to push the industry to come up with a common risk vocabulary. This has been particularly valuable for the $7.75 billion-assets Sanwa because now all players can clearly understand what types of challenges a new product, practice, or event pose to the organization.

Sanwa's risk-management effort was outlined in a recently adopted, board-level document that contains what could be described as the bank's "risk mission statement," which begins:

"RISK is not a 'four-letter word' at Sanwa Bank California. It is the way we make a profit. Risk can be defined as the predictability of loss for which the Bank has been appropriately compensated." Controlling risk puts the focus on checks and balances, the document also notes, while managing risk asks what those checks should be and monitors their effectiveness.

Sanwa's Ojeda says that the bank's effort to enunciate its risk program in a single document partly represented a response to the numerous challenges of the FDIC Improvement Act. Indeed, day to day, the required attestation and compliance processes under FDICIA serve as the bank's means of controlling risk at the line manager level.

But where is the payoff in improved risk-management architecture and practices, since banks have long been managers of risk?

"It is expected that there will be better regulatory credibility and improved credibility with insurance companies," says Ojeda, "but the ultimate use is to make our processes an integral part of our RAROC (risk-adjusted return on capital) mechanisms, so that there is adjusted pricing for each business line." The idea is to use a systematic approach to risk, rather than a gut-feel approach, so that the bank can be compensated for all the risks wrapped up in a particular product or service, and with particular customers. Ojeda says the bank has been working with the First Manhattan Consulting Group on this and still has more work to do before it can completely make pricing reflect complete risk.

Ultimately, according to Ojeda, better control of risk results in better control of pricing, which begets improved performance. That connection hasn't been completed yet at Sanwa, says Ojeda, but he is confident that the link will be forged over time.

Two coverages on banks' top priority list

With a rash of negative and much-publicized employee relations actions recently, banks are recognizing that two coverages, employment practice liability insurance (EPLI) and agents' errors and omissions insurance, could serve as an indispensable buffer if they were ever taken to court. Employee practices "Even if charges prove false, the cost to defend an employee incident can be $10,000 or higher," says Dirk DeJong, an insurance agent at Frank H. Furman, Inc., Pompano Beach, Fla. Recognizing the high risk of operating without this coverage coupled with the reduced cost of the coverage, has made EPLI more and more popular with banks. Before only a select few insurance companies, namely Lexington Insurance, Complete Equity Markets Inc., and Chubb Insurance provided this type of coverage, but recently it has opened up and the price has come down. "EPLI," says DeJong, "was unaffordable before--the minimum premium was $25,000. Now the premiums are being reduced to $3,000 to $5,000." The cost of coverage can be reduced by practices including, having a thorough

employee manual, stringent hiring practices, and an adept review board. EPLI coverage protects banks in three core areas--sexual harassment, wrongful termination, discrimination--and DeJong says some insurance companies are seriously considering including it in their general liability policy. Agents' E&O In March of this year the Supreme Court ruled that national banks can sell insurance from small-town branches to any customer at any location. As banks make insurance sales a part of their services, the need for coverage to protect them against any of their agents' mistakes is crucial. "It just something that you will want to have, like headlights on your car," says Basil Holder, a state financial planner based in Black River Falls, Wis. "I find more mistakes on insurance that was sold in banks than any other place. Banks are really new and naive and are being had by marketing organizations." Since banks are bound to make more mistakes than they care to think about, agents' errors and omissions is preferable to self-insuring. "The biggest exposures that banks have right now deals with insurance agents," says Ed Armstrong, managing director of Risk Management Services, Washington, D.C.

Sanwa's definition of risk
The dizzying array of risk-management theories, programs, and options now being peddled hasn't fazed Sanwa's Ojeda. "Everything being talked about is of some use," he explains. Putting together Sanwa's program, staff considered and adapted pieces from many sources and consultants, the latter including Arthur Andersen's Business Risk Model. (Andersen is the bank's outside accounting firm and bases its annual audit procedures in part on its own matrix of the risks faced by individual banking clients.)

Models out there run from the spare to the excruciatingly specific. "Some banks are developing risk glossaries the size of the Manhattan phone book," scoffs Ojeda. "You have to strike a balance between complexity and usefulness."

Sanwa's own nine-point categorization of risks is a hybrid of all that it evaluated, with its own thinking mixed in. Summarized, it runs as follows:

1. Strategic risk--resulting from bad decisions.
2. Reputation risk--resulting from negative public opinion.
3. Credit risk--resulting, on or off the balance sheet, from the failure of any obligor--counterparty, issuer, or borrower--to perform as promised.
4. Market risk--resulting from changes in value of instruments in the course of market-making, dealing, and position-taking in interest rate, foreign exchange, equity, and commodity markets.
5. Interest-rate risk--resulting from movement in interest rates. This may take four forms: the difference between the timing of rate changes and the timing of cash flows; the differences between changes in rate relationships among various yield curves affecting bank operations; changing rate relationships across maturities; and the impact of interest-related options embedded in bank products.
6. Liquidity risk--resulting from any inability to meet obligations as they come due without incurring unacceptable costs or losses.
7. Fiduciary risk--resulting from failure to properly administer trust and agency accounts.
8. Transaction risk--resulting from the breakdown of internal controls, information systems, employee integrity, and operational processes so that service or product delivery is impaired.
9. Regulatory/compliance risk--resulting from litigation or violations of or nonconformance with the law, regulations, ethical standards, or accepted practices.

Avoidance, transfer, and acceptance
In Sanwa's risk management strategy, there are three ways to address a risk once it has been identified as such:

1. Avoidance of risk--When it comes to new products, the bank makes a point of exploring potential risks before going live. The department originating the idea must draft a white paper detailing the idea and the risks it perceives to be involved. Then all departments with a possible stake in the matter are asked to review the document and have their say.

"There have been products where the idea sounds good and where, when you put it on paper, it doesn't and so it gets killed," says Ojeda. However, more often, when risk lights start going off, the bank determines ways to limit its risk.

Once that stage is past, it can determine how much risk it is willing to bear for how much return. As an example, Ojeda points to the bank's decision to expand into home equity loans with higher loan-to-value ratios. Part of the product design called for the higher-ratio loans to be sold to an investor, rather than kept in the bank's portfolio.

2. Transfer of risk--Management and the board may decide the risk represents an opportunity, but at a price the bank needn't fully absorb.

There are ways to lay off the risk on other parties, albeit at an expense. These include insurance; pricing that recognizes relative risks; sharing of risk through syndication or securitization; establishment and maintenance of reserves; and adoption of hedging.

3. Acceptance of risk--There are some risks that can be addressed by intelligently approaching the matter. Proper organization and staffing is one remedy. Another is use of appropriate policies and procedures. Monitoring of risks also is a critical factor. One of the structural devices that Sanwa already had in place is its Risk Management Division. While many large banks have such divisions, they are frequently the home of insurance and related functions. At Sanwa, "risk" is defined broadly and nearly any function of the bank that touches on some aspect of risk finds its home there.

"Sanwa put all of the audit and control functions under one umbrella," says Ojeda. "That helps us get greater synergy out of these groups." The bank has maintained a broad-based risk management division since 1992.

As head of the division, Ojeda oversees a diverse crew of experts, each with their own specialists inside and sometimes outside of the bank for overseeing some facet of risk. Here are the main ones:

• Compliance and CRA coordination
• Insurance and contingency planning
• Appraisal department, which also includes oversight of environmental inspection services.
• Asset-based finance Audit
• Security department
• Credit review department
• Internal audit department

The latter two groups report to the Sanwa board's audit committee, though they are administrated through Ojeda's division.

Diverse as they may be in terms of focus, the one thing that unites all seven of the areas that Ojeda supervises is this, in his words: "These are all groups requiring independence for monitoring and evaluation." In many banks it is still typical, for instance, to find the appraisal function directly attached to the real-estate function.

Risk Council created
One of Sanwa's newest efforts in risk management is its Risk Council. This consists of three key players, the head of the bank's quality management division (the chief credit officer); the head of financial management and control (the chief financial officer); and the head of risk management (Ojeda).

The council must meet quarterly, which coincides with dates of FDICIA-related duties. At the group's regular meetings an overall view of the bank's risk picture is obtained by filling in a worksheet. The worksheet's columns consist of the bank's nine risk categories and its rows consist of slices of the bank's business.

That's the routine. "But anytime one of us sees a change in the bank's risk profile, we can convene," says Ojeda.

In either event, the council's task is not only to identify clearly that there has been a change in the bank's risk profile, but to determine why there has been a change.

Risk management and the board
The relative duties of the four key groups involved in risk management (directors, executive management, line managers, and the risk council) are summarized in the diagram on the first page of this article.

As in so many areas, the regulators' renewed and revised focus on risk places a significant reliance on the attention of a bank's board of directors on risk factors. Sanwa is addressing this issue.

One new step is a pending revision of the way ongoing performance issues are presented to the board at its regular meetings. In the past, this had been done in fairly traditional ways, focusing on matters function by function.

In 1997, says Ojeda, the bank plans to reorganize its board presentations along the lines of its risk factors list.

Of course, its oversight responsibility gives the board a significant role in risk management. "Nothing really new goes out without the board approving of the general concept," says Ojeda.