December 2009–January 2010 The RMA Journal

Credit Risk

60

SwiSS

mack

y/Sh

utte

rSto

ck

Post-Crisis Credit Risk Management Lessons Learned and Best Practices

from Canadian Banks

The RMA Journal December 2009–January 2010 61

by James Lam

The global financial crisis represents the ultimate stress test in risk management. In its aftermath, banks and other companies should review the performance of their risk management programs to determine what worked and what needs improvement.

In a previous article, I discussed the main lessons and fundamental requirements for enterprise risk management.1 However, credit risk management has been—and will con-tinue to be—the core competency for banking institutions. This article discusses the key lessons and requirements for sound credit risk management. As shown in Figure 1, the fundamental requirements for ERM can be applied to any risk function, including credit risk management.

Many observers have recently highlighted the Canadian banking system as the best-practice model. And indeed, Canadian banks demonstrated how sound credit risk man-agement practices can withstand even the most challenging financial crisis. In its annual Global Competiveness Report, the World Economic Forum ranked Canada’s financial sys-tem the soundest in the world (with a rating of 6.8 out of 7). And on his first trip to Ottawa as U.S. president, Barack Obama said, “Canada has shown itself to be a pretty good manager of the financial system and the economy in ways that we haven’t always been.”

The numbers support the accolades. While U.S. taxpay-ers have provided hundreds of billions of dollars in bailout money to 450 financial institutions, not one penny of bailout money has been given to Canada’s 21 banks. Between early 2007 and early 2009, U.S. bank stocks dropped 80%, com-pared to a 40% decline in Canadian bank stocks. Clearly, Canadian banks have outperformed global banks over the longer term. Since 1999, the market value of Canada’s major chartered banks increased about 85%, while the aggregate market capitalization of the top 50 international banks declined 26%.

Key Lessons LearnedBased on its research and client experiences with U.S. and Canadian banks, James Lam & Associates (JLA) has iden-tified four key lessons learned with respect to credit risk management practices at commercial banks:1. Governance structure and policies. Banks must establish

an effective governance structure, including credit risk policies with explicit risk-tolerance levels. The funda-mental issues include:

• Who(amongtheboardandmanagementcommittees,corporate and business units, and individuals) is respon-sible for making credit risk management decisions?

• Who is responsible for providing independent riskoversight?

• Whatarethepoliciesandlimitsthatprovideguidelinesand constraints for those decision makers?

2. Credit Analyses. Banks must develop credit analyses from the bottom up—by borrower and transaction, by

Canadian banks demonstrated how sound credit risk management practices can withstand even the most challenging financial crisis.

ERM Framework

Source: James Lam & Associates, Inc.

Governance Structure and Policies

Dashboard Reporting and Monitoring Enterprise Risk Management Risk Assessment and Quantification

Risk Management

Figure 1

December 2009–January 2010 The RMA Journal62

industry and geographic region, and by country and portfolio segment. In addition, banks should ensure that

their liquidity positions, credit reserves, and cap-ital base can withstand severe market condi-tions by conducting rigorous stress testing. Key issues include:

• Howtransaction-levelandportfolio-levelcreditdecisionsare made with respect to analytical input.

• Howdataintegrityismaintainedwithrespecttoborrowerfinancial statements, covenant requirements, and other key documents.

• Howreserveandcapitaladequacyshouldbeassessedover an economic cycle.

3. Credit Risk Management. Banks must integrate their credit analyses into business decisions. Moreover, they should consider change management requirements when planning for major risk management initiatives. Key is-sues include:

• Whichspecificbusinessdecisions(forexample,creditgranting, pricing, risk transfer) will optimize the risk/return profile of the credit portfolio?

• Whichchangemanagementrequirements(forexample,training, communication, incentives) must be addressed to ensure organizational alignment?

4. Reporting and Monitoring. Banks must establish effec-tive reporting and monitoring processes to identify key credit risk exposures and trends. The fundamental issues include:

• How(expost)willtheperformanceofcreditriskmanage-ment decisions be evaluated?

• Howcanriskvisibilitybeenhancedbytechnologyandautomation and by timely and effective reporting?

Governance Structure and Risk Policies Who makes what decisions? And which guidelines or con-straints should influence those decisions? Those are the key questions to be addressed by governance structure and risk policies. With respect to credit risk management, this includes board and management risk committee structures and charters, credit policies and limits, independent risk oversight, delegation of lending authority, and credit review and audit processes.

In the aftermath of the financial crisis, U.S. banks should address three specific issues: 1) improving the risk governance structure and processes at the board level,

2) establishing risk-tolerance levels for key credit risk exposures, and 3) enhancing the independence of the risk management function.

A risk committee of the board has been a common prac-tice among Canadian banks for many years, and some U.S. banks are now debating whether they should follow suit. But establishing a board risk committee is not enough. U.S. banks must also ensure that an effective committee charter is established. More importantly, risk committee members must have sufficient experience in banking and risk to carry out their duties and challenge management on critical risk management issues.

One key responsibility for the board risk committee is to provide independent oversight of the bank’s risk manage-ment policies. With respect to credit risk management, the risk committee should ensure that credit policies include explicit risk-tolerance levels, such as exposure limits by borrower, industry, and country. Beyond these basic limits, U.S. banks should also consider scenario-based risk limits, such as the financial impact of home prices declining 30% or oil prices increasing 50%. U.S. banks should also establish exposure limits with respect to liquidity risk and balance sheet leverage.2 Compliance with key risk limits must not be implicit, but explicit in terms of tracking by management and reporting to the board.

Independent risk oversight is a critical tenet of effec-tive risk management. As such, the reporting relationship between the board risk committee and the chief risk officer or chief credit officer should be clearly established. This reporting relationship should enable direct and unfiltered communication between the board and the risk function. Ultimately, the CRO or CCO should be able to raise risk management issues to the board without being concerned about job security or compensation.

Credit Analyses The old computer adage “garbage in, garbage out” highlights the importance of data quality. This same phrase can be applied to credit risk management in two important ways. First, the quality of individual credit decisions depends on the quality of the underlying credit information. Second, the application of advanced portfolio analytics must be sup-ported by granular loan-by-loan and borrower-by-borrower credit analysis. In other words, credit risk analysis must be built from the bottom up.

Based on its research and client experiences, JLA believes that Canadian banks are generally more diligent in gathering and maintaining critical credit information, as well as in deploying technologies and analytics to produce granular and portfolio-level credit analysis.

U.S. banks should adopt a back-to-the-basics approach

Independent risk oversight is a critical tenet of effective risk management.

The RMA Journal December 2009–January 2010 63

and examine how well they can assess and monitor the “Five Cs of Credit”: character, capacity, capital, conditions, and collateral. Banks not only must evaluate these key factors as part of the initial underwriting and credit-granting process, but also maintain and review this information on a frequent basis. Critical credit information includes borrower financial statements, credit ratings, background checks, ratio analy-sis, collateral values, and borrowing-base analysis.

Often, U.S. banks rely on manual processes and Excel® spreadsheets to collect and maintain this type of credit information. The information is generally updated and reviewed on an annual basis. In contrast, Canadian banks apply technologies to automate data collection and main-tenance, document tracking, financial and credit analysis, covenant monitoring, and compliance and reporting. More-over, Canadian banks update and review credit information much more frequently (often on a monthly basis).

Once the basic loan-by-loan, borrower-by-borrower analyses are developed and maintained, banks can build on this information and perform more advanced portfolio analytics. Some U.S. banks have invested millions in devel-oping advanced portfolio analytics without first addressing the underlying informational requirements.

Unfortunately, without good data, even the best analyti-cal models can produce inaccurate portfolio analysis and suboptimal credit decisions. But a bank can develop very useful portfolio analysis if it is supported by granular and updated credit information. For example, Toronto-based TD Financial Group performs stress testing as part of the bank’s industry review process. This includes determin-ing key industry risk factors, stress testing those factors under adverse scenarios, and asking the business unit to identify specific strategies for proactively mitigating the key risks.

The capability to analyze credit risk at the borrower and portfolio levels, including stress testing and scenario analy-sis, can help a bank maintain adequate reserves and capital. Transactional and portfolio-level credit analysis can support regulatory capital requirements and Basel II compliance, as well as bank management and board decisions on reserve and capital adequacy. Given that new bank regulations will likely lead to higher capital and liquidity requirements, U.S. banks should ensure they have the appropriate credit data and analytical infrastructure in place. Beyond supporting regulatory compliance, this will help them make better credit risk management decisions.

Credit Risk ManagementThe transactional and portfolio credit analyses discussed above would not be useful from an economic perspective unless they are integrated into the business decisions that

affect the bank’s risk/return profile. Some of the key business decisions include the following:• Credit granting. The most basic decision is whether or

not the bank wants to provide credit to the borrower. If the decision is affirmative, the bank needs to determine the terms and structure for the loan or credit facility, including loan covenant requirements.

• Credit pricing. In conjunction with the decision to grant credit, the bank needs to establish the appropriate risk-based pricing, including operational cost, funding cost, expected loss (provision), unexpected loss (capital), and liquidity cost.

• Borrower and portfolio limits. The bank should determine its risk appetite relative to individual borrowers as well as to portfolio segments that are impacted by similar economic factors. Explicit risk limits reflect the bank’s risk appetite.

• Loan reserves and capital. Based on the underlying risks, the bank needs to set aside the appropriate levels of loan loss allowance and economic capital. These deci-sions should be linked to the bank’s capital and dividend policies.

• Risk transfer. If credit risk exposures are determined (or projected) to be excessive, then the bank may decide to change its underwriting standards, sell down its posi-tions, or use credit derivatives to hedge against potential loss.Each of the above decisions would directly impact the

bank’s risk/return profile. However, these decisions are usually influenced by multiple functions or committees. For example, the establishment of credit risk limits usually involves the business unit, the risk management function, corporate management, and the board. As such, organiza-tional alignment behind a major change in policy, strategy, or technology is critical to success.

As a general observation, JLA has noted that Canadian banks, when introducing major risk management initia-tives, pay significantly more attention to change manage-ment requirements than do their U.S. counterparts. These requirements include conflict identification and resolution, con-sensus building, cor-porate communication, board and management training, and incentives redesign. While change management initiatives take time and resources, JLA believes that they have con-tributed to the long-term success of major risk management initiatives at Canadian banks.

Organizational alignment behind a major change in policy, strategy, or technology is critical to success.

December 2009–January 2010 The RMA Journal64

Reporting and MonitoringHow should credit risk management performance be de-fined, quantified, and reported? In other words, what are the key performance indicators (KPIs) for credit risk man-agement? Each bank should define a set of credit KPIs based on its business model and credit risk management strategy.

Examples may include loan loss ratios, risk-adjusted profitability measures, unexpected charge-offs or earnings volatility due to credit exposures, exceptions to credit policies and limits, and so on.

Regardless of the set of KPIs used, each bank should define objective measurements and ensure there is a dy-namic feedback loop in terms of credit risk management performance. These credit KPIs (as well as key credit risk exposures and trends) and forward-looking risk analysis (such as stress testing and scenario analysis) should be organized into “risk dashboards” and provided to man-

agement and the board. The structure and content of these risk dashboards should be custom designed based on the informational and decision-support needs of the recipients.

In addition to management and board reporting, U.S. banks should leverage technology to enhance the visibility of day-to-day credit risk management. Manual processes are inefficient and prone to error. Excel spreadsheets can lead to data-integrity issues and difficulties in aggregating credit information across the bank. Moreover, these op-erational issues, combined with infrequent updating and monitoring of credit information, can lead to unexpected changes in borrower condition, higher credit losses, and operational inefficiencies. U.S. banks should consider end-to-end process automation, which can significantly improve the performance of both credit risk and operational risk management.3

As an example, Montreal-based Laurentian Bank au-tomated its commercial-loan monitoring process and integrated it into its suite of online financial services for commercial banking clients. This initiative provided sig-nificant benefits to the bank in improved loan monitor-

U.S. banks should leverage technology to enhance the visibility of day-to-day credit risk management.

The RMA Journal December 2009–January 2010 65

ing and operational efficiencies. The bank reported that it reduced the average loan review time by 85%, from 89 minutes to 13 minutes. Moreover, the bank indicated that it improved its service to customers by automating the information-exchange process between the borrowers and loan officers.

SummaryAs Paul Volcker, the widely respected former chairman of the Federal Reserve and close advisor to President Obama, said not long ago, “It’s interesting that what I’m arguing for looks more like the Canadian system than the American system.” For good reason. Canadian banks are the envy of the banking world. U.S. banks should take note and reex-amine their credit risk management processes with respect to governance, credit analysis, credit risk management, and reporting and monitoring. v

••James Lam is president of James Lam & Associates and author of Enterprise Risk Management: From Incentives to Controls. He is also a member of the board of directors of Covarity, Inc. Contact him at james@jameslam.com.

Notes1. See “Key Requirements for Enterprise-wide Risk Management: Lessons Learned from the Global Financial Crisis,” The RMA Journal, May 2009.

2. A key factor behind Canadian banks’ success in weathering the crisis is their conservative leverage. OSFI, Canada’s bank regulator, limits banks to a 23 leverage multiple (total assets divided by capi-tal), and Canadian banks generally keep this multiple at under 20. By comparison, U.S. and European banks leveraged their capital base 25-50 times prior to the crisis.

3. JLA research has shown that up to one-quarter to one-third of credit losses at some U.S. banks are caused by operational risk issues (for example, poor loan documentation, human error, credit data problems, and technology issues).

ReferencesBlakely, Kevin. “Why Are Canadian Banks the Envy of the World?” The RMA Journal, May 2009.

Lam, James. “Key Requirements for Enterprise-wide Risk Manage-ment: Lessons Learned from the Global Financial Crisis.” The RMA Journal, May 2009.

Porter, Michael E., and Klaus Schwab. “The Global Competitiveness Report, 2008-2009.” World Economic Forum.