Achieving ‘JUST RIGHT’ Risk with ERM

First United Bank CEO Greg Massey and chief credit and risk officer Stephen Phillips discuss the benefits of their recently implemented enterprise risk management (ERM) program. They don’t want their risk to be over-controlled or under-controlled. Like Goldilocks, they want their bank’s risk to be “just right.” Stacy Germano, RMA’s associate director of enterprise risk management, and Kathleen M. Beans, editor of The RMA Journal, talked with both.

ENTERPRISE RISK

June 2012 The RMA Journal


RMAJ: What led you to consider the use of ERM for First United Bank?

Massey: We recently went through a three-and-a-half-year period when our assets grew from $1 billion to $2 billion. I knew that we needed a systematic approach that would allow us to know that our risk and control processes were staying in place throughout the organization. We started looking at best practices to align the risk management of the bank within First United Bank’s culture and our stakeholder model.

As our chief risk and credit officer, Stephen [Phillips] has been very involved in putting this in place for First United Bank.

Phillips: We’ve spent a lot of time developing and articulating our stakeholder model throughout the company. It’s Greg’s vision and work, and it’s crucial to the alignment of ERM.

Massey: We’re truly a purpose-driven company that strives to help our stakeholders, which are our customers, employees, shareholders, vendors and suppliers, and our communities, find their paths to success. It’s not about making a loan, but it’s truly doing what’s right for that customer time and time again. Enterprise risk management is a very appropriate method to serve our matrix of stakeholders.

Phillips: It’s unique for any bank, particularly one of our size, to have gone through the thoughtful and purposeful exercise of articulating and defining what we do, and then to balance how we serve the needs of all five stakeholder groups. Although it’s not easy to accomplish, we truly believe that when we do it successfully, we fulfill the purpose of the organization. ERM is a key component of that effort, helping us stay aligned to our purpose and aligned with our stakeholders.


First United Bank
Durant, Oklahoma
Founded in 1900
Serves 19 communities in Oklahoma and North Texas
Asset size: $2 billion
Employees: 700


RMAJ: Was it challenging to gain buy-in from your board for the ERM program?

Massey: The board loved it. From day one, they recognized the need. They understood what we were doing and why. It was a lot harder sell to the executive team because, from time to time, ERM highlights changes that need to take place. ERM’s systematic way of reviewing processes throughout the organization meant that the board and, of course, I, as CEO, became aware of these needs. Managers would rather be the ones telling me about the areas of weakness versus having a systematic process highlight them.

With our ERM system, the board and I get quarterly reports of every risk area in the organization. Risk professionals monitor and control risks, reporting on those risks and controls on a quarterly basis. We get a more thorough look at the whole organization four times a year.

RMAJ: How did you gain the management team’s acceptance of ERM?

Phillips: ERM is like most things; it’s a value proposition. The key to getting management to understand, accept, and adopt it, and essentially change the culture of the bank, was to show them the value that it adds.

In an integrated ERM platform, risk and controls are rated with a uniform system. Tolerance ranges are determined in conjunction with the executive sponsor and the process and sub-process owners. Then we overlay the independent assessment work that’s done by audit, compliance, and loan review. The result is a powerful system that ultimately provides the information to drive positive change in the company, increasing value to our stakeholders.

When we were able to show value to the stakeholders, we started getting the buy-in from the management team. In the beginning, they viewed it as a project, and that, of course, is the antithesis of how I view ERM. It’s a way to manage your business.

RMAJ: What are the reporting lines for ERM? Who reports to the board?

Massey: We have a director of enterprise risk management who reports to Stephen, and Stephen reports to me. I report to the board. Our board has an audit subcommittee to which our audit function and loan review functions report directly. They assure the board that we have these processes in place.

Phillips: The board’s audit subcommittee is where we report all of the ERM information, including the audit work, loan review, and compliance. The board sets the risk governance structure for the bank. They devised our framework for risk governance, and it includes an enterprise risk management committee, an internal committee that’s charged with executing the board’s risk governance structure. We report the activities across the whole ERM platform to the board each month.

RMAJ: How do you train the board and the executive management team with respect to ERM?

Phillips: We spent a lot of time communicating and training both the board and the bank around ERM. We worked with an outside consultant, John Drew of ERMSCO, to develop the methodology for introducing new processes throughout the bank.

We became good and purposeful about initiating projects. We started with a detailed project plan that aligned to the bank’s overall strategic objectives. In the training and education project plan, we defined who is responsible for training and education, who the audiences for it were, and how we were going to accomplish it. Some staff were trained one-on-one, while others were trained electronically. Some were trained using our video teleconferencing center. The training took place once a month or once a quarter, depending on the audience and the needs of the individual or groups.

We spent a tremendous amount of time making sure that our board and our process owners and our executive sponsors understood ERM and what it meant to First United before rolling out our ERM platform.

RMAJ: What was the timeline to fully implement ERM? Did managers view it as a burden? How did you get buy-in from the staff?

Massey: It took about a year to go all the way through the process. It took another year to get the buy-in from the executive team and senior management, but the nonexecutive staff embraced it quickly because everyone, from the executive team to the process owners to the sub-process owners, was able to understand our bank’s goals and how our processes are now aligned to meet them. ERM created beautiful communication systems throughout the organization. Previously, communication from top to bottom sometimes left staff unsure if what they were doing was appropriate. The levels below the executive group appreciated the comfort of knowing that what they were doing was correct.

Phillips: In the beginning, folks viewed it as, “Oh my goodness, this is one more thing we have to do,” as opposed to a process for better managing the business unit. Once the value-added proposition was recognized, the response was more like, “My goodness, this is creating a tremendous amount of value and, absolutely, I’m on board with it and let’s help ensure the process.”

RMAJ: How did ERM improve your risk management practices, in terms of both the quality and the delivery of products and services?

Massey: It helped the visibility of risk management throughout the organization and it helped to have a common way for all of us to gauge risk. ERM has helped us to better think through the process when considering new products and services.

Phillips: The folks who aren’t so versed in ERM think that the risk guy wants to take all the risk out of the bank, and it’s really just the opposite. We’ve spent a lot of time understanding what Greg calls the “just right” mentality. From my risk/reward perspective, we’re all about doing what’s just right, and we carry that through everything—products, services, anything that’s going on in the bank.

From a product delivery standpoint, we realized some huge benefits from ERM in the credit risk area. We developed several tools internally that give us a competitive advantage. These tools include a new two-dimensional risk-rating system for our loan portfolio. We also tweaked the way that we model our ALLL, and both the ALLL modeling and 2-D loan-grading system have gone a long way to strengthen our regulatory partnerships. We also became more robust on our loan portfolio reporting so that we better understand where risk resides in the loan portfolio. That knowledge allows us to align our risk with our strategic initiatives. Where do we want to grow the bank? What types of loans are we comfortable with? How do those loans line up with our existing basket of credit risk? The ability to answer those questions helps us deliver better products and be more competitive in our marketplaces.

RMAJ: So First United Bank took a top-down approach with ERM, having the management team define the strategy, objectives, and risk framework, including its risk appetite.

Phillips: Yes, that’s exactly right. The board was responsible for the overall governance. We like the “just right” terminology for our risk appetite. If you were to go through our entire risk and control inventory, you will see that not only do we have a uniform rating system of the inherent and the residual risk and the associated controls, but we also have tolerance ranges. We are as focused on over-controlled risk as we are on under-controlled risk. As we all know, allocation of resources—people, process, and systems—is extremely important in today’s world. So if we are over-controlled, we have resources that we could free up to help us in places where we’re under-controlled. We are all about that “just right” thinking. Our goal is to define our appropriate tolerance range and stay within it.

RMAJ: What are your next steps in the ERM journey?

Massey: We need to continue to connect ERM throughout the organization, especially with our service model and our project management office. We’re trying to determine how to truly integrate the service model, which is all about efficiency and helping our customers. We also want to be able to rely on our process owners to understand the whole strategy of the organization so that it can be absorbed completely within the culture of the bank.

RMAJ: How do you measure your success and report it to the board?

Massey: We have a committee that meets monthly to review how every risk area within the organization is doing and how every process owner is doing. The committee also reviews how each executive is managing their areas of responsibility. The committee creates high-level summary data, showing heat maps of risk and our risk-rating threshold. The data is reviewed internally and also presented to the subcommittee of the board. Over time, the success of the program will be determined by how the bank continues to improve its efficiency.

RMAJ: Your bank is a relatively new member of RMA. Has RMA been helpful as you’ve developed your program and rolled it out?

Massey: Absolutely. Stephen and our enterprise risk management director have been on the board of two RMA chapters—Oklahoma and North Texas. The chapters are a great way for us to network, to understand what’s going on in other banks in our areas. RMA training courses are valuable because they help our staff do a better job.

Phillips: I really love RMA’s mission of promoting ERM. The goal to drive a healthier banking industry closely aligns with our own values, which are all about knowing, living, and sharing what’s right. RMA is the leader in doing what’s right around risk management, and it aligns very well with what we’re trying to do in our own culture.

RMAJ: Did you encounter any surprises as you rolled out your ERM program?

Massey: The biggest surprise was how differently people throughout the organization viewed risk. Once we rolled out the program and everybody was speaking a common language around risk, we discovered that parts of the bank were over-controlled while other parts of the organization were under-controlled. Getting everybody on the same page has been very important to me.

Phillips: I was surprised at how quickly the adoption occurred. One of the big benefits is that we’re all speaking the same language when we discuss risk and controls, inventories and ratings. We have a system to capture information and we have defined objectives from the board and our internal committee. It’s a credit to Greg, and to the partners we worked with, to give us a framework and a platform to drive ERM throughout the whole company.

RMAJ: And it took two years, total?

Phillips: Yes, we spent a good year just building the foundation. We identified approximately 1,000 risks and 3,000 associated controls across our various business units and departments. We then introduced a uniform rating system and overlaid it with tolerance ranges, all the while educating the board, executive management, and our process owners. We also purchased a software solution to house the data, integrate the activities of internal audit and compliance, and report information to the board and executive team.

In the last year, we completely revamped our internal audit group. We went from a transactional-based auditing group to a process-based auditing platform, which was a brand new idea for our auditors. We also pushed ownership of compliance to our process owners. Our compliance group became our oversight for compliance around the bank, but they do not own any specific compliance related to a business unit.

It takes time for all those initiatives to mature, and we still have the opportunity to continue that maturing process. Overall, we’re pleased with the pace and the progress.

RMAJ: Would you have done anything differently in hindsight?

Phillips: No, but we didn’t start the process until growth had occurred. In hindsight, we should have put a lot of these processes in place three or four years ago.

RMAJ: Why should community banks adopt ERM regardless of how well they think they manage risk?

Massey: That’s an interesting question. I became president of this organization in 1993, when our asset size was about $180 million. Today, we are a $2-billion bank. At some point, it becomes very important to have ERM in place. The question is, at what point?

At a smaller bank, you can see and understand everything going on around you. But as your bank grows to a larger, scalable organization, you need data to confirm what you believe is going on in each area of the organization. You also need to develop a monitoring process to ensure that your risk management controls stay in place if someone decides one day that they’re not going to follow procedures. That’s where mistakes get made in a growing organization. So many times, an organization will put controls in place and then a sub-process owner decides it’s not appropriate to follow it anymore. Then suddenly, something happens and causes a loss for the organization.

It’s tough to determine at what asset size to implement an ERM program. Every bank and its board need to make that decision for themselves based on the size and complexity of the organization. Regardless, they need to have a methodology that is the right size and the right fit to properly address their risk.
