Tally Ferguson, SVP, Director, Market Risk Management, Bank of Oklahoma, will be participating at CFP’s upcoming 4th Annual Enterprise Risk Management 2015 Congress. Ahead of the Congress, Tally has kindly provided the following key insights into leveraging regulatory requirements at a mid-sized bank, and the main challenges on the horizon in the context of enterprise risk management.
Tally, can you tell us a little bit about yourself and your professional background?
I am a career financial industry professional. From my second summer job in high school through today, I have worked for a bank, bank consultant or bank regulator. My family has been “in banking” for three generations, albeit in the community bank space. Ranchers first, they sought more flexible borrowing terms than the industry allowed in the early 20th century, and they founded their own banks. Apparently they weren’t too flexible. Their banks survived the Great Depression. One still exists today.
I went to high school and college in the 80s. That period saw the rise of the Monetarists, the Monetary Control Act, the birth of swaps, and the great savings and loan crisis. How could I not be lured into banking? I started as an international examiner with the Federal Reserve Bank of New York. After about a decade in the regulator orchestra seats watching and evaluating new capital standards like Basel I and new profitability measures like RAROC, I transitioned to the private sector. I took the consulting route at EY, then called Ernst and Young. One of my clients, the Bank of Oklahoma, found me cheaper to hire full time than as a consultant, and I have been there ever since. All 19 years of my time there have been in risk management, mainly capital markets and price risk oriented.
At CFP’s 4th Annual Enterprise Risk Management, you will be discussing leveraging regulatory requirements at a mid-sized bank. What would you say are the main challenges faced by mid-sized institutions?
Mid-sized banks face the Scylla of heightened regulatory standards and the Charybdis of being small enough to fail. We lack the clout of money center banks and the strong local support of ‘hometown’ community banks.
We face three main challenges over the next five years. First, we have the highest capital and expense infrastructure requirements since Nixon relaxed the gold standard. Second, we face higher risk quantification standards than any time in the past. Third, payment systems and channel innovation expose us to broader and more frequent attacks and theft.
US regulators’ adoption of Basel III mandates generally higher risk based and leverage capital for all financial institutions. In contrast to Basel II, the current regime gives less flexibility to risk weight assets. Banks with better mouse-traps for identifying and managing credit risk no longer get regulatory capital breaks. Admittedly, relative to Basel I, which governed most US banks prior to January, 2015, Basel III reduces risk capital for some assets. Enhanced prudential standards insist on expanded compliance and risk management functions at both the board and employee level. These standards reduce the chance of unexpected losses, but they do so at large fixed costs with no offsetting revenue. Managing growth in these functions and directing their efforts in value added pursuits will prove competitive advantages for some banks.
CCAR and DFAST illustrate the challenge of higher quantification standards. Beyond these, regulators demand better quantification discipline from fair lending to suspicious activity monitoring. Not only do the mathematical approaches for these applications need to be more sophisticated, but also the support, documentation and validation of these demand higher quality. We need to find people or vendors to build these. Cross-functional business lines need to adopt them, and second line departments have to understand and critically challenge them. It seems that quants who were building trading strategies and rocket ships need to be diverted to predicting pre-tax pre-provision income, capital and the race of an unidentified consumer borrower.
Regarding financial innovation, the last decade revolutionized both our payment systems and our delivery channels. Checks are archaic, and mobile banking is expected. Exchanging currency is rare. Paper, in general, grows rarer. We store records, make payments and deposit funds digitally. Our customers’ data is worth almost as much as our customers’ funds. Willie Sutton has been replaced by Russian, Chinese and terrorist hackers. Criminals innovate faster than the good guys, particularly when the good guys have to spend money on higher quantitative standards.
We have incentive individually and as a sector to address these challenges. Mid-size banks have an essential role in the financial industry. We intermediate liquidity, interest rate and credit risk between the very large and the very small. Community banks are our customers and we are big banks’ customers. The US financial sector needs mid-size banks.
How would you say mid-sized institutions can better develop models to ensure regulatory compliance?
Start by recognizing that model risk exists whether or not regulators prioritize it. At its root, model risk reflects making decisions based on model output that systemically lead to outcomes worse than we expected. The following chart illustrates this. Mid-sized banks should implement model governance standards that put them in the green zone more often with model use than without model use.
We have four years of regulatory prescription about model standards. We know the regulatory elements. These are model development, implementation and use, model validation, and model governance. We know regulatory areas of focus: effective challenge, conceptual soundness, ongoing monitoring, testing, outcomes analysis, data quality, and documentation. Sadly, with these areas, we do not know what standards regulators hold us to. In a nod to Justice Potter Stewart, it seems that regulators know the appropriate standards when they see them. Is effective challenge met by quoting a research paper supporting a model’s conceptual soundness? Or must a team of NASA scientists rebuild the model from grass, twigs and acorns?
In this embryonic environment, it behooves us to set standards based on how we benefit. Start with a governance framework to which all models are subject. The framework should define a model and clarify roles for owners, developers and validators. It should lay out documentation requirements, and it should impose an ongoing review process. Consider the following framework outline.
| Framework Stage | Allowable Flexibility Extremes | |
| --- | --- | --- |
| Model Development and Use Standards (1st Line of Defense) | Models whose output will never lead to decisions that could impact earnings by $500,000 or more | Models whose output is instrumental in making multi-million dollar income decisions |
| 1. Data | Identify source | Test and validate source, import and any transfer and load process. Examine data integrity |
| 2. Theory & Conceptual Soundness | Cite a 2nd grade arithmetic text book | Research public sources for alternative approaches. Explore several. |
| 3. Implementation & Testing | 2nd pair of eyes | Extensive user acceptance testing, in-sample or out-of-sample back testing, scenario analysis, and sensitivity analysis |
| 4. Model Reporting Standards | These have limited audiences. | Acceptable error range, periodic reporting requirements. |
| Model Risk Management Standards and Procedures (2nd Line of Defense) | | |
| 1. Model Review and Risk Grading | Base on discussion with model owner and developer | Start with model owner and developer discussions and iterate with validation findings. |
| 2. Model Validation Approach | Reasonableness check and review of model documentation | Complete and independent check of all above framework portions |
| Governance | Does not vary by model | |
| 1. Inventory | | |
| 2. Risk Score | | |
| 3. Annual Review | | |
| 4. Executive Management and Board reporting | | |
| 5. Model Maintenance and Governance Standards | | |
Note that the above table allows flexibility according to the impact of the model. This is important, particularly when resources are stretched. Proactively defining and defending the range of standards lets regulators make informed decisions about whether standards meet their expectations. Absent that, regulators have little downside holding us to higher standards than are needed.
Can you give some examples of model risk management successes, without giving too much away?
One of our best, most influential successes has been the build-up of our model validation team. We brought on a five-year veteran from our Capital Markets division to create a Modelling Analytics team responsible for corporate model governance and independent validation. He took a recently minted combined math and finance master’s degree student, and the two of them spent a year evangelizing and establishing model governance standards. They also validated critical models. They studied industry standards, reviewed regulatory pronouncements, and attended conferences with industry practitioners. From this they compiled a model inventory, scored each model and implemented validation standards. Their work was lauded by regulators, and valued by management.
We doubled the team and our standards in our second year. We validate all models internally, although we judiciously secure consulting support. The commendations we received from regulators and third party consultants on models ranging from DFAST to fair lending to Bank Secrecy all stem from our model risk governance infrastructure.
What in your opinion is the most effective model risk governance process for mid-sized institutions?
From question 4, you can tell that I am a big fan of a centralized independent model validation unit that champions model governance. This group is separate from model owners and developers. These latter reside in business lines. My response to question 3 also gives insight to what I consider effective model governance.
Within the context of ERM, what do you consider to be the main changes/challenges over the next couple of years?
I will discuss two ERM challenges I see. The Tower of Babel problem comes to mind first. Banks have managed the classical risks for seven hundred years. These risks comprise credit, interest rate and liquidity. I concede the Medicis didn’t have interest rate and credit default swaps to manage or exacerbate risks, but the general concepts permeate history. Newly identified risks include operational, price and model risks. Vocabulary for these has a much shorter history. I’m not sure there is a Latin term for “electronic payments networks.” Today, price risk begets credit risk, and credit risk leads operational risk. Indeed, with technology and financial innovation, risks are more interrelated today than in banking history. Yet “spread risk” means something completely different to a pipeline hedger than to a credit specialist. We need to establish and evangelize a common set of definitions.
I refer to a second main ERM challenge as actionable communication. Core elements of today’s ERM are Risk Appetites, Risk Profiles, and governance structure. Done well, these foster communication across business lines and support groups. With regulatory nudging, I expect all mid-size banks are at this stage. The next step is to aggregate risks where appropriate. For example, price risk likely emanates from several business lines. Each needs flexibility to take and hold positions for optimal efficiency. Added together, however, the sum of each business line’s price risk tolerance may exceed the board’s aggregate risk tolerance. What is the best actionable communication to take as these business lines near their tolerance? One approach is to set an aggregate limit and force price risk liquidation at one or all of the desks, even if they are within their own tolerances. Another approach is to invoke a mandatory executive discussion, triggered by a group dedicated to monitoring aggregate price risk. We need to develop a best practice to determine when and how to act as aggregate positions across desks approach ERM thresholds.