View original document

The full text on this page is automatically extracted from the file linked above and may contain errors and inconsistencies.



	 NUMBER 328a

Chicag­ Fed Letter
Managing risk in the recovery
by Marshall Eckblad, senior supervision analyst, Supervision and Regulation, and Lamont Black, assistant professor, DePaul University

The Chicago Fed’s Supervision and Regulation Department, in conjunction with the Center
for Financial Services at DePaul University’s Driehaus College of Business, held the
seventh annual Financial Institution Risk Management Conference on April 8–9, 2014.
The conference brought together business professionals, academics, and regulatory agency
staff to discuss current risks and challenges facing a broad range of financial institutions.

This Chicago Fed Letter summarizes the

The agenda and some
materials presented at this
year’s conference, Managing
Risk in the Recovery, are
available at www.chicagofed.

two-day conference that explored riskmanagement issues and strategies for financial institutions. Many of the speeches
and conversations from this year’s conference built upon those from last year’s,1
with a focus on risks and opportunities
stemming from the current U.S. economic
environment that has begun showing
signs of a sustainable recovery. There was
an emphasis on interest rate risk2 throughout several panel discussions. Many riskrelated issues—including how to instill
strong risk management across all levels
of a firm’s staff and how to balance the
use of qualitative and quantitative risk
management—were explored through
the perspectives of bankers based in the
Seventh Federal Reserve District.3 Moreover, there were in-depth analyses of the
role of banks’ boards of directors in
overseeing their institutions’ risk management and of the relationship between
banks and regulatory supervisors. Lastly,
conference participants spoke about
cyberattacks on financial institutions and
other organizations, including those
perpetrated or abetted by employees.
“Strategic risk” in the recovery

Recently passing the five-year mark,
the ongoing recovery from the Great
Recession and financial crisis has characteristics with few historical precedents.
Some of this recovery’s prominent

features are a prolonged period of low
market interest rates, tepid loan demand,
and uneven improvements in the U.S.
economy. Benchmark interest rates for
loans and investments continue to track
well below historical norms as most financial industry customers—commercial
and consumer clients alike—are borrowing selectively and paying lower fees for
a variety of services. These trends have
put pressure on net interest margins4
at many financial institutions, creating
incentives for them to stretch to support their earnings, including a temptation to focus on isolated pockets of
loan demand and industries with faster
growth than the broader economy.
This challenging post-crisis environment
has required financial institutions and
regulatory supervisors to develop ways
to measure, calibrate, and mitigate the
risks embedded in these institutions’
operations and business strategies. “Strategic risk” is one term to describe these
sets of risks, which vary widely from firm
to firm. “Strategic risk is something we’re
talking about a lot these days because
banks are trying hard to find new ways
of making money,” said Cathy Lemieux,
executive vice president for Supervision
and Regulation, Federal Reserve Bank
of Chicago.
A panel of regulatory agency representatives held a rich discussion on the

effects of fierce competition among lenders due to weak loan demand. The capacity of lenders continues to outstrip
aggregate demand from creditworthy
borrowers, producing bidding contests
to attract and retain customers with high
credit quality. “Everyone’s looking for
good loans. Lenders are competing by
going long on terms and lowering rates,”
said Eric Robbins, regional manager,
Federal Deposit Insurance Corp. (FDIC).5
The need to support earnings has enticed many financial institutions to focus
their lending and business activities on

those risks to support earnings,” said
panelist Doug Gray, managing examiner,
Federal Reserve Bank of Kansas City.
Dennis Angner, president and CFO,
Isabella Bank Corp., said such decisions
reminded him of the 1980s, when a quick
rise in interest rates caused deep losses
and even failures at hundreds of financial
institutions. Panelists agreed the most
optimal scenario for financial institutions
would be a gradual rise in interest rates
over the course of two or three years.
“Quick changes in interest rates leave
little time for maneuvering,” said Gray.

“Banking is a risk-taking business. But that business is not
sustainable if risks aren’t well managed.” — Kathy Dick,
managing director, Promontory Financial Group
industries growing faster than the broader economy. Examples include health
care, energy production, transportation,
warehouse and distribution, and software technology. The regulatory panelists
agreed that a narrow focus on promising
sectors can lead to lender distress if underlying fundamentals in those industries erode. Concentration thresholds
are a common safety measure. “One of
the biggest lessons we learned from the
crisis was the danger of concentrations,”
said John Vivian, assistant deputy comptroller, Office of the Comptroller of
the Currency (OCC).
Interest rate risk

The interest rate risk panelists focused
most of their discussion on risks associated with the current low interest rate
environment. One form of interest rate
risk is repricing risk, which involves
pairing long-term fixed-rate assets with
funding sources that may reprice over
shorter durations. In today’s environment, many institutions have recently
been willing to compete for customers
by issuing fixed-rate loans at low rates,
in some cases with long-dated terms—
a strategy that can boost earnings today
but can also exacerbate repricing risk.
“What’s the worst risk? Lending against
commercial real estate over 20 years or
having a fixed-rate asset for 20 years?
Some banks are currently combining

Instilling firm-wide risk management

A panel of chief risk officers from the
Chicagoland region discussed ways in
which strong risk management can be
instilled across all levels of a financial
institution’s staff, including leaders providing detailed descriptions of the firm’s
risk appetite. “We think it’s crucial to be
clear about which risks we’re taking, and
how much of those risks we’re taking,”
said Steven Cunningham, chief risk
officer, Discover Financial Services.
In an address, Kathy Dick, managing
director, Promontory Financial Group,
said the financial crisis underscored the
importance for financial institutions to
understand and manage their risks.
“Banking is a risk-taking business,” she
said. “But that business is not sustainable
if risks aren’t well managed.” John Thain,
chairman and CEO, CIT Group, stated,
“It’s very important a firm’s CEO is involved in the risk-taking as well as the
risk-management process. This is not
something CEOs can delegate from
40,000 feet up.” Thain also observed,
“The risk-management people have to
be just as talented as the business side.
Otherwise, you have business people
overwhelming the risk department.”
A Chicago financial institution’s

Edward Wehmer, president and CEO,
Wintrust Financial Corp., continued

the Chicago Fed/DePaul risk conference’s tradition of thought-provoking
keynote addresses from industry executives. Wehmer described Wintrust’s firmwide approach to risk management,
which includes a culture of encouraging
executives to identify and mitigate risks
when they surface.
Wehmer explained that the firm’s proactive risk management began before the
financial crisis as the company realized
the market was taking excessive risks. As
the housing bubble expanded, Wintrust’s
models showed that prevailing rates on
new loans made new real estate credits
too risky. “So I made our folks sit on the
sidelines,” Wehmer said. “They wanted
to keep lending, but I said no.” Wehmer
noted that Wintrust made similar decisions
with regard to commercial real estate lending, where the company maintained its
conservative credit criteria—unlike some
lenders that were willing to relax their
loan terms and underwriting standards.
Wehmer also described the frequent
temptation for financial institutions to
shortchange their compliance with the
rules and regulations that were developed in response to the financial crisis.
He advised his peers: “Spend the money
and commit the resources necessary
not just to comply, but to overcomply.”
Throughout his address, Wehmer frequently returned to the message that discipline is the central feature in avoiding
risks that can imperil financial institutions.
“Our credit policy and our profitability
policies do not change,” he said. “If the
risk numbers show that we can’t do the
business, then we won’t do the business.”
Balancing qualitative and quantitative
risk management

Throughout the conference, panelists
and speakers discussed the emerging need
for regulatory supervisors and financial
institutions to balance the use of qualitative and quantitative risk management.
There is a long and deep history of financial services firms using qualitative
risk management—which can be summarized as a combination of management
expertise, experience, and subjective
judgments that rely on nonquantifiable
information to assess risks. By contrast,

the history of quantitative risk-management tools—including data-driven stress
test analyses6 and mathematical models
for measuring and forecasting risks
associated with markets, borrowers, and
counterparties—is relatively much shorter;
the use of these tools grew dramatically
following the financial crisis of 2007–08.
There was broad agreement that financial
services firms should scrutinize assumptions used in quantitative analysis. Gray,
of the Kansas City Fed, said, “Modeling
is not fortunetelling or being clairvoyant.
It’s just having a good approach to thinking about what might happen.” Expressing concern about how data points can
be misinterpreted, Kevin Moffitt, executive vice president and chief risk officer,
First Midwest Bank, said, “The narrative
at the top of a report is just as important as the data that’s underneath it.”
Cunningham noted his organization,
Discover Financial Services, has been
intentional in fostering a culture that
constructively questions the inputs used
by its quantitative analysts. “The notion
of challenging assumptions is something
we take to heart,” Cunningham said.
A growing role for boards of directors

For the first time in its seven-year history,
the Chicago Fed/DePaul risk conference convened a panel of professionals
currently serving on boards of directors
that govern banks and bank holding
companies. Among the notable features
of the post-crisis operating climate is a
steadily rising expectation—among
supervisors, investors, and institutions
alike—that boards of directors become
more involved in overseeing financial
institutions’ risk management. Some of
these growing expectations have become
formalized—e.g., through explicit regulatory requirements for larger institutions to form board-level risk committees.7
“Expectations for board involvement
are at an all-time high,” said Emily
Greenwald, vice president for Supervision
and Regulation, Federal Reserve Bank
of Chicago.
The directors explained ways their institutions have developed directorate
roles, including scrutiny of individual
business units. Susan Gordy, director,
Johnson Bank and Johnson Financial

Group, told the audience, “We want the
business lines to own the risks they take.”
Board oversight can be particularly valuable during periods of rising competition,
when business-line managers can feel
pressure to take on additional risk in
order to keep pace with competitors and
prop up near-term results. John Rau,
director and chairman of the risk oversight committee, BMO Financial, emphasized, “‘Everyone else is doing it’ is not
a rationale. It’s a red flag.”
Ronald Peterson, director, Quad City
Bank and Trust and QCR Holdings Inc.,
said a board’s risk committee should be
a hub of risk-management discussion.
“At our firm, the risk committee is a
vibrant committee, and a very high
priority at the company,” Peterson said.
“All the board members are invited, and
almost everyone attends.” The other
panelists also agreed that risk committee
chairs need expertise in their institutions’ business lines.
There was also consensus among the panelists that recruiting qualified directors
is a challenge for many financial institutions, especially in light of rising demands for expertise and participation.
Gordy observed, “The board’s role is to
ask probing questions and challenge
management. To do that, you have to
have a base of education. That can make
it challenging to find directors.”
Other panels from the conference also
highlighted the importance of engaging
a bank’s board of directors. During the
aforementioned panel on interest rate
risk, Angner said he is always looking
for ways to help directors better understand the strategies and risks of his firm,
Isabella Bank. “For most board members,
interest rate risk is an abstract concept,”
he said. “They understand credit risk,
but interest rate risk is more difficult.”
Angner described how his board’s discussions improved after management
translated interest rate scenarios from
percentage changes in balance-sheet
performance to dollars gained or lost.
Regulatory perspectives

The agendas of regulators often reflect
emerging trends at financial institutions, and the regulatory update panel
discussed a handful of current issues.

Anthony Gibbs, Midwest regional director, Consumer Financial Protection
Bureau (CFPB), said his agency’s focus
includes scrutinizing the following areas:
reporting errors among consumer credit
reports, mortgage servicing practices,
and payday lending activities (including
transactions cleared through banks).
Among mortgage servicers, Gibbs noted,
the CFPB found substantial evidence
of loan servicers’ failure to accurately
record receipt of mortgage payments
and, in other cases, follow protocols
for when to stop charging borrowers
private mortgage insurance. Robbins,
from the FDIC, said he’s become aware
that third-party payment processors are
contacting banks to entice them with
lucrative transaction-clearing arrangements that may present a variety of risks.
Moreover, Robbins noted that the FDIC
recently published an article reiterating
that “deposit relationships with payment
processors can expose financial institutions to risks not present in typical commercial customer relationships, including
greater strategic, credit, compliance,
transaction, legal, and reputation risk.”8
The discussion among the regulatory panelists demonstrated that oversight of thirdparty vendors has become a top priority.9
Charles L. Evans, President  Daniel G. Sullivan,
Executive Vice President and Director of Research;
Spencer Krane, Senior Vice President and Economic
Advisor ; David Marshall, Senior Vice President, financial
markets group  Daniel Aaronson, Vice President,
microeconomic policy research; Jonas D. M. Fisher,
Vice President, macroeconomic policy research; Richard
Heckinger,Vice President, markets team; Anna L.
Paulson, Vice President, finance team; William A. Testa,
Vice President, regional programs, and Economics Editor ;
Helen O’D. Koshy and Han Y. Choi, Editors  ;
Rita Molloy and Julia Baker, Production Editors 
Sheila A. Mangler, Editorial Assistant.
Chicago Fed Letter is published by the Economic
Research Department of the Federal Reserve Bank
of Chicago. The views expressed are the authors’
and do not necessarily reflect the views of the
Federal Reserve Bank of Chicago or the Federal
Reserve System.
© 2014 Federal Reserve Bank of Chicago
Chicago Fed Letter articles may be reproduced in
whole or in part, provided the articles are not
reproduced or distributed for commercial gain
and provided the source is appropriately credited.
Prior written permission must be obtained for
any other reproduction, distribution, republication, or creation of derivative works of Chicago Fed
Letter articles. To request permission, please contact
Helen Koshy, senior editor, at 312-322-5830 or
email Chicago Fed
Letter and other Bank publications are available
ISSN 0895-0164

The panelists reminded the audience that
each financial institution is responsible for
its own entire operations, including vetting
and monitoring outsourced functions.
A number of panels discussed the ways
that financial institutions and regulatory
agencies can improve their relationships. New rules following the financial
crisis—in particular, those stemming from
the Dodd–Frank Wall Street Reform
and Consumer Protection Act—have
increased the interaction between financial organizations and the agencies that
supervise them.

that regulatory agencies need to be constantly evaluating how they supervise and
communicate with financial institutions.
Dick, of the consultancy Promontory,
observed: “The crisis has made bankers
much more concerned about going to
regulators and asking, ‘Do you think I
have this right?’ There are a lot of questions that come into my firm where I
think it’s unfortunate they don’t feel comfortable posing them to their regulators.”

There was ample conversation about the
need for financial institutions to be proactive in engaging regulators, particularly
when it comes to stressful matters and
changes in strategies or risk profiles. In
turn, panelists agreed, supervisors need
to be more receptive, most notably to
informal deliberations. Vivian, on the
regulatory panel, said the OCC is eager
to participate in such discussions. “Before
you roll out a significant new product or
push into a sector or business line, get
us at the table, so we can talk through
it and help make sure it matches your
strategic plan,” Vivian said. “We need
to always be asking ourselves, What can
we do to make sure these relationships
are a two-way street?” Greenwald, of
the Chicago Fed, said.

While risks related to the economic climate dominated the conference, the rapidly increasing threats from cyberattacks
were also a focus.10 Cyberthreats have
required institutions to invest in staff and
infrastructure to protect systems, databases, websites, mobile banking platforms,
and customer data. In a presentation that
illustrated the shifting landscape, Joseph
Nocera, partner, PricewaterhouseCoopers,
shared research showing cyberattacks
on commercial organizations rose 170%
from 2012 to 2013. That might be a
conservative estimate, he said, because
nearly one in five firms surveyed still do
not know how many attacks they have
suffered. “The use of technology has
created types of risk we never imagined
before,” said Elijah Brewer III, professor
and chairman of the Department of
Finance, DePaul University.

Speakers and panelists outside the supervisory panel were also in broad agreement

Presenters said the highest priority for
information technology among financial

	 A summary of the 2013 Chicago Fed/
DePaul risk conference is available at

the middle of 2012. Separately, in March
2013, the Board of Governors of the Federal
Reserve System, the Office of the Comptroller
of the Currency, and the FDIC jointly issued
supervisory guidance (available at www.
sr1303.htm) in response to declines in
underwriting standards for leveraged
commercial loans, most notably “syndicated
loans,” or those held by multiple lenders.


	 Interest rate risk is the risk of changes to
a financial institution’s balance sheet due
to a change in the yield curve’s shape or
in any other interest rate relationship.


	 The Seventh District, which is served by the
Chicago Fed, comprises all of Iowa and most
of Illinois, Indiana, Michigan, and Wisconsin.


	 Net interest margin is the income generated
by a bank minus the interest paid on its
borrowed funds, divided by the average value
of the assets on which it earned income.


	 Data from the Federal Reserve’s Senior Loan
Officer Opinion Survey on Bank Lending Practices
(available at
boarddocs/snloansurvey/) demonstrate a
steady decrease in underwriting standards
for commercial and industrial (C&I) and
commercial real estate (CRE) credit since


	 The Dodd–Frank Wall Street Reform and
Consumer Protection Act requires some
form of annual stress-testing exercises at
all institutions with at least $10 billion in
consolidated assets. Institutions with at
least $50 billion in consolidated assets are
subject to higher stress-testing requirements,
including separate tests performed by the
institution and the regulatory agencies.


	 Supervisory guidance published by the Fed
in December 2012 describes boards of
directors’ responsibilities at institutions with
more than $10 billion in consolidated assets.


institutions should be the identification
and protection of their most critical data,
including customer information and
trade secrets. An effective defense against
cyberthreats must include the management of insider threats—whether intentional or unwitting—in addition to
customary protection from outsider dangers. John Fleshood, chief risk officer,
Wintrust Financial Corp., shared a story
to illustrate information security risk: “A
chief risk officer at another firm told me
how he got a call from someone who had
bought a flash drive at a garage sale. They
had found all sorts of banking data on
it.” Panelists also discussed the importance of having methods to monitor employee activity, most notably the copy
or transfer of sensitive information.

The conference’s speeches, presentations,
and discussions underscored how the
current operating environment has made
it imperative for financial institutions to
manage risk in dynamic and proactive
ways. Moreover, conference participants repeatedly returned to a lesson that
has emerged since the financial crisis:
Financial institutions that embrace
enterprise-wide risk management are
better positioned than those that neglect
to do so. Sound risk management is not
merely a supervisory checklist or expense
line item to be managed, but rather a
distinguishing feature of stable and
successful financial institutions.
These include, but are not limited to,
requirements to “establish and maintain
the firm’s culture, incentives, structure,
and processes that promote its compliance
with laws, regulations, and supervisory
guidance.” See


	 In December 2013, the Board of Governors
of the Federal Reserve System provided
guidance on managing risks associated
with outsourcing (available at www.
sr1319.htm); it applies to all financial
institutions supervised by the Federal


	Several types of cyberthreats are discussed


Federal Reserve Bank of St. Louis, One Federal Reserve Bank Plaza, St. Louis, MO 63102