December 01, 1998
In recent years a remarkable evolution has taken place in the financial services marketplace. Modern portfolio theory and financial engineering have transformed the way risk is viewed and managed in virtually every niche of the financial services sector. In commercial banking, risk management has been transformed from a rather narrow focus on asset/liability management, to a focus on the management of risk on an enterprise-wide basis.
This change in focus has had significant impacts on the role and responsibilities, and potential liabilities, of boards of directors and senior management. The management of risk has become a critical part of standards by which their stewardship is evaluated by shareholders and regulators.
The business of banking has always been primarily about intermediation, requiring the management of a variety of attendant risks. However, the kind of risks faced by banks today and how those risks are managed are being driven in new directions by a number of dynamic forces.
These include the development of new and increasingly complex products; the convergence of banking, securities and insurance; the expanding role and importance of technology; the globalization and volatility of markets; and the pressure of investor expectations. Each of these forces, as well as others, has brought the management of risk more to the forefront of the issues faced by both money center and community bankers.
The marketplace has been the driving force in risk management. From the money center banks actively dealing in derivatives products globally, all the way to the community bank on Main Street, the management of risk is taking on new meaning in the context of day-to-day business. Today, risk management involves sophisticated risk identification, analysis, monitoring, reporting and management techniques.
Since banking is one of the most regulated of businesses, it is natural that risk management would have an impact on the way federal and state authorities approach the regulation of banks. It continues to do so. Technology permits information and capital to travel quickly in today's markets, and the technology gap seems to be widening between regulators and the markets on almost a daily basis. In many significant ways, the marketplace has largely supplanted "command and control" approaches toward bank regulation.
Focusing on the nature of risk and risk management.
In banking, as in other business activities, the underlying business reality is that risk is a positive and measurable force that serves as the primary source of profitability, and it is the striking of a balance between risk and reward that leads to optimizing that profitability. The following diagram can represent the business dynamic:
Thus, the successful strategy for effectively managing risk involves the identification, monitoring and management of risk toward business and financial objectives.
In the context of banking, the term "risk" refers to the potential that events, expected or unexpected, may subject the firm to adverse capital or earnings impacts, to regulatory penalties or restrictions, or to customer criticism, attrition or claims.
The major categories of risk faced by banking institutions are as follows:
- Strategic Risk - integrity of the decision making process.
- Credit Risk - potential counter-party default.
- Liquidity Risk - ability to fund obligations.
- Interest Rate Risk - exposure from rate direction, basis and curve shape.
- Market Risk - portfolio price movements.
- Foreign Exchange Risk - currency rate movements.
- Transaction Risk - product delivery system capabilities.
- Compliance Risk - contract, laws and regulations.
- Reputation - customer and public image.
These risk categories track those identified by federal banking regulators in their respective pronouncements on the management of risk and their procedures for the evaluation in the course of the examination process of how an institution manages risks.
Applying risk management principles to business combinations.
As merger, acquisition and consolidation trends continue to unfold in the commercial banking industry, the management of risk should be an important consideration in how banks consider and consummate those transactions. The actions of boards and senior management drive such transactions, and their success is largely a function of how diligently those consolidations are planned, evaluated and executed.
For a number of reasons, friendly mergers, rather than hostile takeovers, are the norm in banking. A typical mergers and acquisitions transaction can be seen as a series of fairly standard components centered around the following:
- The identification of a partner or target.
- Commencement of initial discussions.
- Assuming a mutual attraction and interest, initial discussions between the parties get underway.
- Transaction structures and terms are explored by the parties and their advisors.
- Once a framework is agreed upon, a confidentiality agreement is executed, which provides a comfort zone that allows preliminary disclosures to be made by the parties.
- Based on knowledge gained from that disclosure, an indicative bid or exchange price is put on the table.
- In the case of a publicly traded institution, the directors may very well want to solicit or consider other potential suitors so as to assure that shareholder value will have been optimized.
- A Letter of Intent is executed with the prospective suitor/target, which allows full-blown due diligence to go forward.
- Assuming no insurmountable obstacles surface in the course of the due diligence inquiry, a final price is agreed upon.
- The transaction is consummated with the necessary regulatory approval.
A properly structured and executed due diligence process that integrates up to date risk management principles serves to answer a number of critical questions, including the following:
- Does the deal make sense for the participating institutions given their strategic plans and positioning in the marketplace?
- How do the risks of the participating institutions compare with one another?
- How do the participants measure, monitor, manage, and control risk?
- What are the corporate structures and cultures of the participants?
- What integration issues does the proposed transaction pose for the combined institution?
- How should those issues be addressed and who should have related responsibilities and accountability?
- What should the acquiring institution ultimately pay based on the knowledge obtained from the due diligence process?
The integration of a risk management focus modifies the due diligence process in a number of important ways in that:
- Its objective is to gain insight, not merely information.
- It undertakes to analyze, not merely distill.
- It takes a strategic approach, as contrasted with a transactional approach.
- It is proactive and offensive, rather than defensive.
- It is concerned with risk prioritization, not just issue identification.
- It takes a contextual approach toward tasks, rather than just a documentation approach.
- It undertakes to evaluate and test information, not just verify.
- It looks toward the integration of the entities, not just their combination.
In the bank mergers and acquisitions context a risk-based due diligence process should be organized along the major areas to be reviewed. The review should analyze each area in light of industry best practices applicable to each. An objective should be to gain insight as to how the practices of the institution being reviewed compare to those best practices. Where there are discrepancies or gaps, the underlying reasons should be explored, as well as any actions that may be warranted to bridge those gaps.
Risk based due diligence starts with the bigger picture.
An initial question that must be asked in reviewing a mergers and acquisitions transaction from a risk management point of view is whether the constituent institutions have formal risk management systems and frameworks in place. A formalized risk assessment and analysis process should be in place. The process should be a continual one for identifying, understanding, prioritizing, measuring, monitoring and reporting on risk.
A good place to begin the risk evaluation of a prospective consolidation partner is at the board and senior management level. In reviewing a risk management system it will be important to understand how the bank approaches risk in terms of:
- The level of management commitment and oversight to risk management.
- The extent of buy-in to the risk management process at the board of directors' level.
- The adequacy of policies, procedures and limits and the extent to which they are documented, detailed and actually implemented.
- The delineation of risk responsibilities and accountability and whether risk management is built-in at business unit and enterprise levels.
- The adequacy of the monitoring and reporting processes and the attendant integration of information systems.
- The existence of business interruption plans and back-ups.
- The level of compliance and internal controls.
- The extent to which practices and procedures are audited against actual practices.
Drilling down for the details.
Once the institution's overall risk management framework and system is evaluated, the due diligence process should focus on each of the major areas of risk that characterize the operations of the institution. These risk areas are somewhat standard to all institutions and can be devolved into specific differences dependent on factors affecting that bank.
Strategic risks should be looked at in terms of whether a planning process is in place, and whether there is follow-up on implementation, tracking of performance against goals and objectives, and continuity and sustainability of the planning process over time.
A review of business areas should cover the integration of strategic and operational plans; products and the product development and implementation process; physical and intellectual properties important to the business; existing and potential markets; relationships with suppliers and customers; and sales, cash flows, profit and competitive trends.
The financial and accounting review should encompass all financial statements, projections and forecasts, operating budgets, and audit papers. Capitalization must be considered in terms of adequacy of the capital base and the availability of alternate sources.
Credit risk analysis begins with the existence and adherence of policies and procedures, the adequacy of reserves, the quality of testing, monitoring and reporting that is done. Credit review due diligence should include analysis of: credit files, related policies and procedures, the adequacy of reserves, the results of internal and regulatory examinations, and the effectiveness of credit monitoring and reporting processes.
Market risk analysis looks at exposure on both the asset and liability side in terms of interest and exchange rates and price sensitivity. Positions and portfolios are modeled in terms of exposure to volatility levels and methodologies are used to quantify those exposures in terms of measurements such as "value at risk".
Liquidity risk analysis considers current and future funding needs and availability and depth of funding sources.
Operational risk considerations focus on the structure and organization of the management team and the credibility of controls. Information systems risk looks at the adequacy and credibility of the platforms and applications supporting the institution's data and communications needs. The review should include the process by which information is captured, the flow of data, and special issues such as those surrounding Y2K.
Legal and compliance risk is framed in contract, regulatory and consumer lending terms. The legal and compliance due diligence should consist of a review of significant records, manuals, agreements, financial instruments utilized, insurance contracts in force, the status of litigation, regulatory relationship and exposure, and tax position.
Reputation risk should focus on the management of customer and public relationships and images, and the extent to which management has strategies and plans in place to respond to events that could pose significant additional reputational exposure for the institution.
Taking one area as an example.
It would be useful to take this area of information systems and to run through the specific areas of inquiry that would be looked at in assessing systems risk.
Assessment would ask the following types of questions in each subcategory of systems:
Business Risk: Are the current business needs well understood? What will change in the future? Does the proposed solution "fit" the current and future needs?
Technology Risk: Do/will the technologies work ... and work together? Can capacity be expanded to meet future growth needs? Will key technology products be supported in five years ... will vendor be in business? Is the team familiar with the selected technologies?
Management Process Risk: Are the talent and disciplines in place to keep on time and on budget? Are estimates, deadlines and resources defined up-front, realistic, and maintainable? Are issues pro-actively identified and resolved to minimize negative impact? Is there adequate participation from the business and technical communities? Has there been adequate testing?
Control Risk: Do/will the system have controls adequate to maintain system integrity?
Implementation Risk: Does an adequate data clean up and conversion process exist? What training is required for business and technical staff? Is a process in place to address integration issues? What change in management or communication plans will facilitate success?
In reviewing these risks in the context of information systems the methodology employed should strive to:
- Understand business objectives and current management concerns.
- Document business process, workflows, and associated systems.
- Identify key risks and existing mitigating controls.
- Assure system and business controls implementation.
- Perform gap analysis to identify control issues.
- Test the security, reliability and accuracy of the data processing environment.
- Supplement business process controls - manual and automated.
- Identify business efficiency opportunities.
- Make recommendations to implement new business processes where appropriate.
Prioritization is an important part of the risk based due diligence process.
If it is to be useful and effective, a risk management based due diligence process must prioritize the various risks that are identified. For each risk identified, one needs to ask "What is the likelihood of occurrence and what is the potential impact on the institution?" One needs to pay closest attention to those risks that are identified in the upper-right box - high impact/high likelihood - of the following diagram. These have the highest likelihood of occurrence and would have the highest impact. The next priority should be on risk in the upper-left box - high impact/low likelihood.
These two boxes identify those types of risk that have to be effectively controlled, or else mitigated by changing the environment.
The risks identified in the lower-left box in the diagram present potential opportunities for cost savings in instances where they are over-controlled. An example of this is 100% review of expense reports - exception reporting could flag just those instances warranting further investigation.
Another way of viewing the risk matrix is in terms of a "Risk Priority Zone", represented by the following diagram. The various risks are shown as points on the matrix. Priority attention should be paid to those risks that fall within the outlined Risk Priority Zone.
Scarce and costly resources can be most effectively utilized by focusing on those risks that have the highest potential impact and probability of occurring.
Due diligence is an integral aspect of a merger and acquisition transaction. Integrating principles and techniques used in the management of risk can significantly enhance the effectiveness of due diligence by changing the focus from merely verifying facts to understanding the risk profile of the constituent institutions and the issues that can arise from efforts to integrate their businesses. A deeper understanding of those issues and the means for their resolution can lead to better and more efficient planning and execution of the integration process.
*Frederick Medero is the Director of the Financial Institutions Services and Capital Markets Group at Deloitte & Touche, LLP, San Francisco, California. The above remarks were delivered in San Francisco at The Bank Directors Symposium, titled "Leading Your Bank Into the Twenty First Century," sponsored by the American Association of Bank Directors.