A risk practitioner’s guide to Making Good Credit Risk Management Happen.

Mary Phibbs, ACA, a Chartered Accountant, has held Group Chief Credit Officer and other senior credit and risk management positions at ANZ Standard Chartered Bank, KPMG, PWC, National Australia Bank and Commonwealth Bank of Australia and is now Non-Executive Director of Northern Rock (Credit Risk). Mary is passionate about credit and risk management. She is adept at explaining and sharing practical understanding, project management and change management solutions when charged with rolling out a credit risk programme within a bank. Mary contributes this as the first in a series of articles for risk practitioners whose role is to embed sound credit risk governance and practice in their organizations.

You are the Head of Risk or Chief Credit Officer for a medium to large sized Financial Institution and so far you have done a great job. You have put risk and good risk governance high up on the agenda for your organization. From the board down they are aware of the lessons and implications of the credit crisis, of increased regulator intervention and of many new rules. Everyone agrees that sound risk management and governance has to be embedded deep into the organisation’s culture processes and procedures and you are the person for the job.

The Challenge

Congratulations and now you have a challenge: what does all this mean in practice for your organization?

For instance,

• How will you put in place controls around something you haven’t defined?
• How will you record risks when you can’t afford to upgrade the system?
• How will you get people to adopt what they don’t understand?
• How will you explain it to the Board?
• How will you know when you have been successful?

You know that good risk or credit risk management does not happen in isolation of the business. Unfortunately in some organizations, the necessary establishment of risk as an independent function has meant that there is not always the recognition that management of risk occurs across all business activities and is not just the purview of the risk function.

The quality of business being written and the level of losses are not just the responsibility of the credit department.

Conversely the credit risk function has a role to play in each stage of the business cycle from planning and product design through to collecting the profits not just in sanctioning transactions. Additionally, from the outset good risk management will not become embedded in the organization unless you bring people along with you and they will not be open to change (If change is needed) unless they have a compelling set of reasons to do so.

For example, the finer points of the Turner Review may not present such a compelling reason for change to your branch loan officers as it does to the Chairman of the Board. So early on it’s a good idea to get a message across that everyone can start relating to.

A suggestion would be to communicate how good risk management will benefit everyone in the organization by enabling business sustainability and growth through:

• Efficient and effective decision making balancing risk and reward within the context of a well defined business strategy and risk appetite
• Containment of costs and losses as well as increased revenue from exploitation of new business opportunities
• Ensuring that business decisions are made and the business operates in line with a defined framework of values and principles and appropriate standards of risk management and governance are met.

You will have to put this into your own words, of course, as you will know what best suits your organization and culture. A hint: you really do have to connect with as many people as possible when you get it out there as they won’t hear your message until they know you care, so think big. Having started to paint a picture of where you are headed in broad terms the next step is to work out where you are at present. A great way to do this apart from looking at what documentation, reports internal and external etc you have is to actually ask a good cross- section of your key stakeholders. This will also have the benefit of engaging a wide variety of people into what you are trying to achieve early on. It may include the board and the regulator but don’t forget the more junior members of your team and the sales people and/or relationship managers and loan officers who have direct contact with the customers. These people usually have a really good idea of what is going on your organization and it’s just that so far maybe no one has thought to ask them. Try and think laterally about the type of data that will be helpful, e.g. if staff engagement data is available a low score will give you a fair indication that the risk culture will be wanting. The same goes for customer satisfaction surveys. Further, high turnover in credit risk roles could also indicate issues.

Getting Organised

To more easily pull it together at the end it is best to have some kind of checklist and structure to the questions and areas where you are going to take a closer look. The areas to be considered usually fall under four broad headings:

1. Strategic
2. Structure and framework
3. Process and portfolio
4. People and capabilities

The actual questions and their weight again will depend on your organisation’s circumstances, including your regulatory environment. Be clear which elements are mandatory, i.e. prescribed by law and regulation or regulator endorsed reports such as the Walker review in the UK, which questions are more about best practice and which are internal and in line with strategy or the brand value (e.g. a customer charter). Be aware also that although there may not be rules on, say, the appropriateness of data, a regulator may have difficulty in seeing how a firm can have effective risk management as required under its rules without the appropriate data being available.

The answers to the questions will also help you identify potential problem areas early on so you can take action quickly. Also it is a good idea to keep the questions broadly focussed initially rather than limiting them to those you believe solely relevant to credit risk. Risk types and business processes are closely linked. You may discover for instance that in order to improve the credit quality of the book the collections process or the documentation process may need to be addressed and neither process may be the direct responsibility of the credit risk function.

The author invites comments via email to JK@riskrewardlimited.com