Aligning the Strategic Plan with Enterprise Risk Management Programs

Michael D. Cohn, CPA, CISA, CGEIT

2015 CEO & Board University

MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS

© 2015 Wolf & Company, P.C.

Session Description

Risk assessment is agreeably the foundation for an effective enterprise risk management program. Once you have it complete, how do you know what’s next? Your Risk DNA confirms the tenets of your strategic plan and guides managers how to deliver products and services. Key Risk Indicators, if properly aligned with your Risk DNA, should monitor all the key threats. Miss identifying key threats and/or KRIs and risk a negative impact to capital. Once alignment is complete, what else should you be talking about?


Can we take more risk and remain safe?


Are We Safe?


Are We Still Safe?


And Now?


What actions can we take to make enterprise risk management programs more strategic?


Current State of Affairs


We Are Here

• More People
• More Process
• More Technology
• More Policy
• More Procedures
• More Governance
• More Regulation

• Social Media Risk Assessment
• Vendor Risk Assessment
• Fair Lending Risk Assessment
• Operations Risk Assessment
• RDC Risk Assessment
• BSA/OFAC Risk Assessment
• ID Theft Red Flags Risk Assessment
• IT Entity Level Risk Assessment
• Customer Information Risk Assessment
• Market Risk Assessment
• New Product Risk Assessment
• MFA Risk Assessment
• Vendor Risk Assessment
• Business Continuity Risk Assessment
• Interest Rate Risk
• Liquidity Risk Management
• Credit Risk Management


Emerging Threat Landscape

OPERATIONS:

• Technology risk
• Cyber risk
• Multi-factor authentication risk
• Model risk
• Privacy risk
• Transaction risk
• ACH risk
• RDC risk
• Mobile Banking risk
• Regulatory Compliance risk
• BSA/OFAC risk
• Fair Lending risk
• UDAAP risk
• Social Media risk
• Profit risk
• Board of Director risk
• Key Employee risk
• Vendor risk
• Business Continuity risk
• Legal risk
• Compensation risk
• Financial Reporting risk

MARKET:

• Credit risk
• Interest Rate risk
• Liquidity risk
• Foreign Exchange risk
• Price risk

New Product risk

Strategic risk

Reputation risk

Today’s Threats

Emerging Threats Areas


Current ERM Maturity Model

• Compliance ERM
• Integrated ERM
• Top to Bottom ERM

Informs Risk Governance

• Compliance
• Tech & Ops
• Risk (Management)
• ALCO
• Risk (Board)
• Audit


Pulling the ERM Program Together

• Risk Indicators
• Enterprise Risk Assessments
• Risk Committees
• Strategic Plans

Risk Appetite Statement – Preamble Example

We will only sell products that we believe are suitable for customers whose business we understand and we can monitor. Every employee will understand the risks to the organization within their roles and responsibilities, and we will be accountable for behaving with high ethical standards.


Do We See the Risk?


Mapping Your Enterprise Risk DNA


“What Can Kill You vs. What Just Hurts”


Your Risk DNA Map

Row label: Products and Services

Column labels: Strategic; Reputation; Operations; Customer Information; Regulatory Compliance; Transaction; Information Technology; Vendor; Business Continuity; Market; Credit; Interest Rate; Price; Liquidity

RETAIL BANKING
Personal Checking L H H H H H H H L L L L
Business Checking H M L H H H L M L L L L
Savings Accounts L H H H H M H H L L L L
Retail CD L H L H H M M M L L L L
Internet Banking H H H H H H H H M M M M

LENDING
Residential Mortgages M H M H H M H H H H H M
Home Equity L M L H H M H H H H L M
Consumer L M L M M M M M H M M M
Commercial Real Estate H M M M L H L M H H H H
Asset Backed H M M M L M L M H H H M
C & I H M M M L H L M H H H M

INVESTMENTS
Trusts & IRA L M M L H L H H L L M L
Brokerage M M H H H H H H L L L M

BUSINESS SERVICES
Cash Management M M L H H M M M M M M M
Merchant Card Services M M M M M M M M M M M M

CORPORATE SERVICES
Treasury Management M H H M H M M M L M M H
IT Operations L M L H M H L L L L L L


“Risk assessment is not the end but the end of the beginning.”
- Mike Cohn, 2005


Risk Assessment – Are We Done?

1. Control Testing
   Are our junior associates processing transactions safely?

2. Monitoring
   Are our business processes functioning safely? E.g., Vendor, Compliance.

3. Policies & Procedures
   Did management construct an environment to operate safely?

4. Key Risk Indicators
   Can we reasonably evaluate if we will perform safely tomorrow?


Key Risk Indicators


We Typically See Several Hundred Risk Indicators

INDICATOR NAME | INDICATOR NAME | INDICATOR NAME | INDICATOR NAME
Credit | Allowance to total nonaccrual loans | Products | Net change in core deposits
Monthly comparison of: | Allowance to total loans | Collateral Type | Net change in new accounts versus closed accounts
Commercial & Residential Loans by types | Non-performing assets to total assets | Geographic (by county) | Trend Analysis
a. Growth numbers quarterly | Total loans to total assets | Concentration limits by product type including security assets | ALCO
Percentage of loan types over total loans | OREO to total assets | Risk rating migration by loan type | Quarterly Ratio Reporting including Peer
Non-accrual and non-performing loans residential | Other assets to total assets | Loan balances by risk rating by loan type | Interest Income/Avg Earning Assets
Non-accrual and non-performing loans commercial | Net charge offs to total loans | Loans with policy exceptions | Interest Expense/Avg Earning Assets
OREO | a. By type - Consumer and Commercial/CRE | % with details by type of exception if significant | Net Int Income/Avg Earning Assets
ALLL | OREO to average assets | Capital | Net Non-Core Funding Dependency Ratio
30 day and over past due commercial & residential loan | Classified assets to capital | Tangible ratio | Excluding CDs over $100 thousand
a. Include aggregate past due and non-accrual loans | Total Past due & nonaccrual loans as % of each loan | Tier 1 Ratio | Excluding CDs over $250 thousand
Overdrawn tax escrow balances | Non-performing as % of each loan category | Total Risk Based Capital | ST Non-Core Funding Dependency to Total Assets
Charge-offs by type of asset/loan type | Number of delinquent notes by loan category | Tangible common equity | ST Non-Core Funding Dependency to Total LT Assets
Broker Monitoring | Charge-off ratios by loan/asset type as % | Annual market share | Core Deposits as % of Aver Assets
Repurchase Claims | Quarterly LTV and DTI and Credit scores by loan type | Stress test results | Brokered Deposits to Deposits
QC review statistics (monitoring oversight of 1st line) | % of risk rating downgrades made by loan review function, rather than by loan officer | Liquidity/Funding | Brokered Deposits Maturing less than 1 Year to Brokered Deposits
Loss Mitigation (Servicing) | Quarterly | Total Liquid Assets to Total Assets | Growth in categories of loans and deposits
CRE Concentration for 100% & 300% ratio | | Unencumbered Liquid Assets to Total Assets | On-hand liquidity ratio
Monthly/Quarterly ratios of: | Concentrations exceeding 25% of Risk Based Capital by: | 1, 3, 12 month base and stress inflows to total outflows | Outside bank rating - Moody's, S&P. IRA
Nonaccrual commercial loans to total commercial loans | Individual Borrower | BASEL III Ratios (LCR & Net Stable Funding Ratio) | NII at risk and EVE at risk sensitivity calculations
a. Peer ratios and regulatory classified/criticized ratios | Small Inter-related Groups | Borrowings maturing or putable | Gap measures
Nonaccrual loans to total loans | Individual Project | Single non FHLB provider | Loans/Assets
a. Peer ratios and regulatory classified/criticized ratios quarterly | Single Repayment Source | Deposits | Investments/Assets
Nonaccrual loans and OREO to total assets | Concentrations exceeding 100% of Risk Based Capital | DDA overdrafts over 60 days | Loans/Deposits
Allowance to non-accrual commercial loans | Industry | DDA overdrafts in excess of $5,000 | Efficiency Ratio

Can 30-50 Key risk indicators keep the institution safe?


Does Your Institution Look Like This?

Functional Risk Area | Number of Risk Indicators
Credit risk | 72
Interest Rate risk | 52
Liquidity risk | 38
Regulatory Compliance risk | 31
Transaction risk | 21
Information Technology risk | 21
Reputation risk | 14
Vendor risk | 12
Strategic risk | 6
Business Continuity risk | 3
Customer Information risk | 3
Price risk | 2
TOTAL | 275


Uncovering the Gaps Create Opportunities for Improvement

Row label: Products and Services

Column labels: Strategic; Reputation; Operations; Customer Information; Regulatory Compliance; Transaction; Information Technology; Vendor; Business Continuity; Market; Credit; Interest Rate; Price; Liquidity

RETAIL BANKING
Personal Checking 10 1 1 1 8 3 2 2 0 30 0 7
Business Checking 10 1 1 1 8 3 2 2 0 30 0 7
Savings Accounts 10 1 1 1 8 3 2 2 0 30 0 7
Retail CD 10 1 1 1 8 3 2 2 0 30 0 7
Internet Banking 0 1 1 1 8 3 2 2 0 0 0 0

LENDING
Residential Mortgages 9 1 1 1 8 3 2 3 17 1 0 0
Home Equity 9 1 1 1 8 3 2 3 17 1 0 0
Consumer 6 1 1 1 8 3 2 3 15 1 0 0
Commercial Real Estate 18 1 1 1 8 3 2 3 30 30 0 3
Asset Backed 11 1 1 1 8 3 2 3 25 30 0 3
C & I 11 1 1 1 8 3 2 3 25 30 0 3

INVESTMENTS
Trusts & IRA 2 1 1 1 8 3 2 4 2 0 0 0
Brokerage 0 1 3 1 8 3 2 4 1 0 0 0

BUSINESS SERVICES
Cash Management 0 1 1 1 8 3 2 2 0 0 0 0
Merchant Card Services 0 1 1 1 0 3 2 3 0 0 0 0

CORPORATE SERVICES
Treasury Management 6 0 2 1 8 3 0 2 0 13 3 26
IT Operations 0 0 0 12 10 3 2 2 0 0 0 0


Risk Appetite Key Risk Indicators Example

1. Capital Adequacy
1.a. Achieve satisfactory CAMELS ratings for Capital Adequacy
1.b. Maintain Total Equity/Total Assets within acceptable limits (%)
1.c. Maintain capital ratios above regulatory capital requirements (%)
1.d. Maintain Leverage Ratio within acceptable levels (%)

2. Market Risk/Earnings
2.a. Achieve satisfactory CAMELS ratings for Sensitivity to Market Risk
2.b. Maintain Duration gap between acceptable levels with up/down 100, 200,…
2.c. Maintain EVE above acceptable levels with up/down 100, 200, 300 bps rate shocks
2.d. Maintain Interest Expense/Avg. Assets within acceptable limits (%)
2.e. Rate-sensitive Assets/Assets (%)
2.f. Rate-sensitive Liabilities/Assets (%)

3. Credit Risk
3.a. Achieve satisfactory CAMELS ratings for Asset Quality
3.b. Maintain Non-Performing Assets/Assets within acceptable level (%)
3.c. Maintain Non-Performing Loans/Loans within acceptable level (%)
3.d. Maintain ALLL within acceptable level (3000s)
3.e. Maintain CRE Loans/Total RBC within acceptable level (%)
3.f. Maintain Residential 1-4 within limits to RBC (%)
3.g. Maintain C&I within limits to RBC (%)

4. Liquidity
4.a. Achieve satisfactory CAMELS ratings for Liquidity
4.b. Maintain Satisfactory Net Non-Core Funding Dependence (%)
4.c. Maintain satisfactory Net Short-Term Liabilities/Assets (%)
4.d. Maintain satisfactory FHLB funding availability
4.e. Maintain acceptable liquidity ratios (%)
4.f. Maintain Acceptable Levels of pledged securities

Legend
Green: Risk is within acceptable threshold
Yellow: Increase in risk as threshold has been breached
Red: Increase in risk as threshold has been breached
Plotted series: Current Level; 12 month Avg


Cost of Risk Management


“Not until you measure it can you make it cost less!”
- Mike Cohn, 2012


No Consolidated Risk Management Budget

Expense Item | Expense Item | Expense Item | Expense Item
Account disclosures | Consulting for Auditing | Internal Audit | Penetration tests
Adverse action notices | Correspondent bank loans | Internal Audit Oversight | Periodic statement. disclosures
Adverse action notices (incl. FCRA) | Cost of sterile reserves | IRP Plan Mgmt and Testing | Privacy notices: annual mailout
Advertising | Cost of sterile reserves | IRR | Privacy notices: opt-out maintenance
Alarm Monitoring | CRA Committee - meeting prep | ISO and staff effort | Providing cr. scores to mort. applicants
ALCO Modeling (in-house time) | CRA performance context | IT Audit Services | Providing disclosures to customers
ALCO Modeling Software | CTR reporting | IT Audit Services Oversight | Proximity cards
Anti-virus | Customer notification of negative info. | Legal review of contracts | R&D in regards to Compliance with new laws
APR disclosure | Data management | Loan limit monitoring | Regulatory Exam
Avg. of annual reporting per month | Determinates of hold notices | Locks | Reputation monitoring
Avoiding use of medical information | DVR recording devices | Mailing provisional credit letters | Risk assessment performance and management
Background checks | Error resolution | Maintaining CRA public file | Risk assessment software
Assistance with customer FEMA, LOMA and LOMR requirements | Filing documentation | Management of all of the above items within Software/hardware | Robbery training
BCP Plan Mgmt and Testing | Financials on critical vendors | Monitoring "related interests" | SAR reporting
BCP Software | FinCen requests | Monitoring 3-day rescission rule | Schedule notices (initial, ATM, teller windows)
Board prior approval | Firewall | Monitoring WDs to MMDA's | Security awareness training
Cameras | FM200 Gas System | Monitoring services | Servicing disclosure
Change in term/CD renewal discl. | Fraud alerts | Monitoring to avoid discrimination | Single Signon software
Completion of calculation worksheet | Handling disputes and blocking info. | Network based IDS/IPS | Social engineering tests
Compliance Monitoring | HMDA software | OFAC list and monitoring | Training (AIB, seminars, workshops, schools)
Compliance Monitoring Oversight | Home Owners Equity Protection Act (HOEPA) | Outside consultants, attorneys and auditors | Training materials (guide, books, subscription)
Consultants for Monitoring | Host based IDS/IPS | Paperwork on each loan (LAR report) | US Patriot Act: Customer
Consultants or auditors | Independent Loan Review | Patch management | US Patriot Act: monitoring high-risk customers


Allocate the Costs of Risk Management

Row label: Products and Services

Column labels: Strategic; Reputation; Operations; Customer Information; Regulatory Compliance; Transaction; Information Technology; Vendor; Business Continuity; Market; Credit; Interest Rate; Price; Liquidity; TOTAL

RETAIL BANKING
Personal Checking 12,000 10,000 5,364 30,000 57,364
Business Checking 1,000 5,000 15,000 21,000
Savings Accounts 15,000 15,000
Retail CD 1,500 1,500
Internet Banking 6,000 6,000

LENDING
Residential Mortgages 12,000 5,000 5,000 40,000 8,000 5,400 75,400
Home Equity 6,000 20,000 26,000
Consumer 4,000 30,000 34,000
Commercial Real Estate 5,000 8,000 7,500 20,500
Asset Backed 5,000 4,000 9,000
C & I 4,440 7,500 11,940

INVESTMENTS
Trusts & IRA 10,000 5,000 3,000 18,000
Brokerage 6,000 6,000

BUSINESS SERVICES
Cash Management 3,500 5,000 3,000 11,500
Merchant Card Services 3,000 3,000

CORPORATE SERVICES
Treasury Management 5,000 5,000
IT Operations 13,000 13,000

TOTAL 75,000 33,000 23,364 150,000 20,440 24,400 3,000 5,000 334,204


Uncovering the Gaps Create Opportunities for Efficiency


Final Take Aways

1. Measure your Enterprise Risk DNA
   Strategic Plan → Risk Appetite → Enterprise Risk Assessment

2. Align KRI with High Risk Threats
   Management KRIs → Executive KRIs → Board KRIs

3. Reduce the Cost of Risk Management

Bottom Line: Seize the Opportunity to make ERM a strategic asset, not a check-the-box process.


Final Thought

“Amateurs built the ark, professionals built the Titanic.”
- unknown


Mike Cohn, CPA, CISA, CGEIT

Director, WolfPAC Solutions Group

Member of the Firm

Voice: (617) 428-5488

Email: [email protected]

LinkedIn: mikecohn1

Twitter: @MikeDCohn

Blog: wolfpacsolutions.com/blog/author/101

www.wolfandco.com

www.wolfpacsolutions.com

Thank You


Appendix: Two Client Case Studies

• Focusing the Measurement of Key Risk Indicators with the institution’s Risk DNA
• Provisioning the Cost of Risk Management with the institution’s Risk DNA


KRI Case Study

• Key Profile Elements
  – $800mm
  – 5 Adjacent Counties
  – 3 Commercial Loan Products
  – No Residential Lending; Minimal Consumer Lending
  – CDs being replaced by Core Commercial Deposit Accounts
• Well Capitalized
• Desire to enhance ERM beyond ALM elements
• CEO steering a significant profile change

Call to Action: Develop Risk Metrics Critical for the Board to monitor


275 Baseline Risk Indicators


Case Study KRI Inventory

Functional Risk Area | Number of Risk Indicators
Credit risk | 72
Interest Rate risk | 52
Liquidity risk | 38
Regulatory Compliance risk | 31
Transaction risk | 21
Information Technology risk | 21
Reputation risk | 14
Vendor risk | 12
Strategic risk | 6
Business Continuity risk | 3
Customer Information risk | 3
Price risk | 2
TOTAL | 275

• Potentially Too Many Indicators
• Ensure Key Threats Covered
• Enhance Risk Assessment to Identify Key Threats


Align the Enterprise Risk Assessment and Key Risk Indicators


What Will Management Do Next?

1. Construct the KRI universe
2. Educate to build consensus on KRI reporting
3. Develop the reporting process, reaffirm the goals, and present to the Board


Cost of Risk Management Case Study

• Key Profile Elements
  – $500mm Community Bank
  – Solid franchise focused on retail lending and deposit products
  – ERM program functioning for 5 years; CRO in place
• Well Capitalized
• Tenured and stable management team

Call to Action: Measure the Cost of risk management to identify inefficiencies and gaps

Client Case Study: 150 Types of Expenses

Expense Item | Expense Item | Expense Item | Expense Item
Account disclosures | Consulting for Auditing | Internal Audit | Penetration tests
Adverse action notices | Correspondent bank loans | Internal Audit Oversight | Periodic statement. disclosures
Adverse action notices (incl. FCRA) | Cost of sterile reserves | IRP Plan Mgmt and Testing | Privacy notices: annual mailout
Advertising | Cost of sterile reserves | IRR | Privacy notices: opt-out maintenance
Alarm Monitoring | CRA Committee - meeting prep | ISO and staff effort | Providing cr. scores to mort. applicants
ALCO Modeling (in-house time) | CRA performance context | IT Audit Services | Providing disclosures to customers
ALCO Modeling Software | CTR reporting | IT Audit Services Oversight | Proximity cards
Anti-virus | Customer notification of negative info. | Legal review of contracts | R&D in regards to Compliance with new laws
APR disclosure | Data management | Loan limit monitoring | Regulatory Exam
Avg. of annual reporting per month | Determinates of hold notices | Locks | Reputation monitoring
Avoiding use of medical information | DVR recording devices | Mailing provisional credit letters | Risk assessment performance and management
Background checks | Error resolution | Maintaining CRA public file | Risk assessment software
Assistance with customer FEMA, LOMA and LOMR requirements | Filing documentation | Management of all of the above items within Software/hardware | Robbery training
BCP Plan Mgmt and Testing | Financials on critical vendors | Monitoring "related interests" | SAR reporting
BCP Software | FinCen requests | Monitoring 3-day rescission rule | Schedule notices (initial, ATM, teller windows)
Board prior approval | Firewall | Monitoring WDs to MMDA's | Security awareness training
Cameras | FM200 Gas System | Monitoring services | Servicing disclosure
Change in term/CD renewal discl. | Fraud alerts | Monitoring to avoid discrimination | Single Signon software
Completion of calculation worksheet | Handling disputes and blocking info. | Network based IDS/IPS | Social engineering tests
Compliance Monitoring | HMDA software | OFAC list and monitoring | Training (AIB, seminars, workshops, schools)
Compliance Monitoring Oversight | Home Owners Equity Protection Act (HOEPA) | Outside consultants, attorneys and auditors | Training materials (guide, books, subscription)
Consultants for Monitoring | Host based IDS/IPS | Paperwork on each loan (LAR report) | US Patriot Act: Customer
Consultants or auditors | Independent Loan Review | Patch management | US Patriot Act: monitoring high-risk customers

Cost of Each Element

Item | Estimated Cost
Consulting - IRR | $24,400
Consulting - Liquidity | 3,000
Consulting - Liquidity | 2,000
Consulting - FAS 107 | 3,000
Internal Audit | 75,000
OTTI Analysis | 20,440
Compliance | 42,500
Impairment Analysis | 5,000
Compliance on the Web | 1,995
Trade Membership | 3,520
IT Vulnerability/Intrusion Testing | 13,000
Compliance Academy | 1,948
BSA/AML Compliance Seminar | 395
Compliance online training | 4,068
Core System - SAS70 report | 800
Disaster Recovery Site fee | 23,664
estimated staff cost - (BSA) | 5,000
estimated staff cost - (BSA) | 15,000
estimated staff cost - IT | 20,000
estimated staff costs - lending | 11,320
Online disclosures | 2,250
CRA/HMDA reporting software | 1,907
Loan Documents/disclosures | 4,365
Loan Documents | 6,254
Annual Privacy/Reg E notice + postage | 6,309
Records Retention/Destruction | 12,300
IT audit logging software | 8,994
IT email virus scans | 2,695
IT intrusion monitoring software | 4,445
IT software blocks malicious websites | 8,635
Total | $334,204

Allocate the Costs of Risk Management

Align the Cost of Risk Management


What Will Management Do Next?

1. Reallocate resources to high-risk areas

2. Evaluate the total resource provision

3. Budget and provision based on changes to the business and regulatory environment