Introduction

• Individual or group errors in specific transactions can result in significant financial losses for a firm, although it is rare for a single transaction to lead to bankruptcy. Bankruptcy typically arises from the accumulation of toxic transactions due to a poor risk management framework and corporate governance failure. Investigations into massive losses often reveal adherence to procedures, highlighting a collective failure without blaming individuals.
• The focus on organizing credit risk management in large organizations should prioritize processes leading to risk-taking, especially origination, credit risk assessment, and approval. While Portfolio Management and Mitigation and Transfer are important, avoiding bad transactions is the most effective way to prevent losses. Incentive systems in corporations often drive origination towards top-line growth, and the risk manager must emphasize quality control in this environment. Efficient portfolio management or mitigation strategies cannot compensate for deficient risk-taking, emphasizing the importance of preventing bad transactions from the outset.

Three Lines Of Defence

• Risk management responsibilities in an organization involve a multifaceted approach to identify, assess, and mitigate potential risks that may impact the achievement of business objectives. The three lines of defense framework, as outlined by the Institute of Internal Auditors, plays a crucial role in organizing and distributing these responsibilities within the organization:
• First Line: Business Owners
  • Responsibility: The business owners, who are the first line of defense, are responsible for owning and managing risks associated with day-to-day operations.
  • Tasks: They play a direct role in originating transactions, making decisions that involve risk- taking, and managing risks at the operational level.
  • Key Focus: Business owners focus on ensuring that risk management is an integral part of their activities and that they adhere to established guidelines.
• Second Line: Monitors and Overseers
  • Responsibility: The second line of defense consists of functions such as enterprise risk management, compliance, and legal teams.
  • Tasks: These teams monitor and oversee the risks identified by the first line, establish policies and procedures, and serve as a management oversight for the first line.
  • Key Focus: The second line ensures that risk management processes and controls are in place, effective, and aligned with organizational objectives.
• Third Line: Independent Assurance
  • Responsibility: The third line of defense provides independent assurance of the risk management and monitoring activities performed by the first and second lines.
  • Tasks: This includes internal audit, external auditors, and special audit committees, which assess the effectiveness of risk management processes and controls.
  • Key Focus: The third line ensures objectivity and independence, providing an unbiased evaluation of the risk management practices implemented by the first and second lines.

Processes That Lead To Risk Taking

• The management of credit risk within financial institutions is a complex and interconnected endeavor, spanning various critical processes. At its core are credit origination, credit risk assessment, and credit approval processes. Effectively navigating these processes demands a thorough understanding of their intricacies and the ability to identify, assess, mitigate, and monitor risks continuously.
• Credit Origination:
• Initiation of Credit Transactions: Credit origination is the initial step where credit transactions are originated or proposed. This process involves identifying potential borrowers, assessing their credit needs, and determining the feasibility of extending credit to them.
• Risk Assessment During Origination: It is crucial for risk managers to oversee the credit origination process to ensure that transactions adhere to established risk management standards. This involves evaluating the quality of borrowers, the purpose of the credit, and the overall risk-return profile of the transaction.
• Alignment with Risk Appetite: Financial institutions must ensure that credit origination practices align with their risk appetite and strategic objectives. This involves balancing the pursuit of business opportunities with the need to manage credit risk effectively.
• Assessment of Collateral: For secured loans, lenders assess the value and quality of the collateral offered by the borrower to mitigate the risk of default.
• Incentive Systems and Transaction Volume: Incentive systems within corporations can heavily influence the credit origination process. For instance, if incentives prioritize top-line growth over risk-adjusted returns, there might be a tendency to originate more transactions, potentially compromising on risk assessment standards.
• Credit Risk Assessment:
  • Evaluation of Counterparty Creditworthiness: Credit risk assessment involves evaluating the creditworthiness of counterparties, which includes analyzing their financial stability, repayment history, industry dynamics, and other relevant factors.
  • Transaction Risk Characteristics: Beyond assessing the counterparty, the risk assessment
  • process also entails evaluating the specific characteristics of the transaction itself. This includes factors such as the amount of credit exposure, the nature of collateral (if any), and the duration of the credit relationship.
  • Quantitative and Qualitative Analysis: Credit risk assessment combines quantitative analysis (such as financial ratios and credit scores) with qualitative judgments (such as industry outlook and management quality) to form a comprehensive risk profile for each transaction.
• Credit Approval Processes:
  • Structured Decision-Making: Credit approval processes involve structured decision-making frameworks to evaluate and approve credit transactions. This may include assessing the risk- return profile, ensuring compliance with regulatory requirements, and aligning with internal credit policies.
  • Authority Delegation: Authority for approving credit transactions is typically delegated based on predefined risk parameters. Higher-risk transactions require approval from higher levels of management or specialized credit committees. These credit committees or similar bodies may review and approve larger or more complex credit requests to ensure consistency and adherence to risk management policies.
  • Executive Board Approval: Complex or unique transactions that deviate from predefined guidelines might necessitate approval from executive boards at the highest level. This underscores the importance of rigorous scrutiny for non-standard transactions to mitigate potential risks effectively.
  • Regulatory Compliance: Lenders must ensure compliance with regulatory requirements related to credit approval, including consumer protection laws, anti-money laundering regulations, and fair lending practices.
  • Risk Mitigation Strategies: During the credit approval process, risk mitigation strategies are often considered and implemented to manage and reduce credit risk exposure. This may include requiring collateral, setting appropriate credit limits, or structuring the transaction with risk-mitigating features.
• By implementing robust risk management practices throughout credit origination, assessment, and approval processes, financial institutions can enhance their resilience to credit risk and safeguard their long-term viability.

Key Principles Of Best Practices For Governance

• Optimal governance practices are centered on four fundamental principles crucial for ensuring the quality of originated transactions:
  • Guidelines: Establishing clear directives for approving credit-risk-generating transactions.
  • Competency: Delegating authority to committees and individuals possessing suitable skills.
  • Boundaries: Implementing defined limits.
  • Supervision: Employing qualified personnel with sufficient independence and resources.

Guidelines

• Guidelines serve as comprehensive documents detailing the specific rules and criteria that must be followed before a transaction is finalized within a financial institution. Often referred to as “credit policies” or “risk management standards”, these guidelines provide a framework for decision-making and risk assessment throughout the credit origination, assessment, and approval processes. They are designed to ensure consistency, transparency, and compliance with regulatory requirements while also aligning with the institution’s risk appetite and strategic objectives.
• Efficient guidelines should be:
  • Understandable: Written in clear, simple language to ensure comprehension, particularly in global organizations with non-native speakers.
  • Concise: Reasonably sized to respect the reader’s time and deliver information quickly and efficiently.
  • Precise: Detailed enough to address real-life situations without being overly general, thus ensuring effectiveness.
  • Accessible: Easily locatable by all professionals who need them, perhaps through a summarized version posted on the company’s intranet with reference to the complete set.
• Creation and Approval Process:
  • Guidelines serve as crucial safeguards for a firm’s capital and viability. Executive management bears accountability if transactions, either authorized or overlooked due to guidelines, lead to adverse outcomes. Therefore, senior executives like the CRO or CFO typically sponsor guidelines, with approval from the Board of Directors. Financial institutions often have a dedicated risk committee within the Board of Directors responsible for reviewing and approving guidelines.
  • Regular updates and reviews of guidelines are essential to ensure their alignment with evolving business needs and risk landscapes. Additionally, even minor financial losses prompt reviews to make sure that guidelines are relevant.
  • Similarly, unforeseen events, even if they do not directly impact the company, could have significant repercussions. For example, in April 2020, the price of oil briefly turned negative due to technical reasons, resulting in sellers of oil futures contracts having to pay buyers $37 per barrel. This unexpected scenario underscores the importance of having guidelines in place to protect capital.
• Promulgating and Maintaining Guidelines: The CRO’s office is responsible for creating, approving, disseminating, and maintaining guidelines. In large organizations, this role typically requires a full-time professional with extensive knowledge of the business and sufficient seniority. This is essential for several reasons:
  • Knowledge: Guidelines must accurately reflect the business environment and evolve with market dynamics. Junior staff may lack the necessary understanding to craft effective guidelines or educate others on their purpose.
  • Politics/Diplomacy: Crafting guidelines can lead to conflicts between line managers and risk managers. Senior professionals are better equipped to navigate these delicate situations and resist pressure.
  • Approval Process: Guidelines are approved at a senior level, requiring credible and experienced staff to sponsor and present them.
• New guidelines or significant modifications may be necessary when entering new business areas, experiencing market changes, or undergoing operational shifts like mergers and acquisitions. Additionally, periodic updates are vital as operations evolve over time. Following the 2007 financial crisis, financial institutions bolstered their risk management functions, spurred by increased regulatory scrutiny. This ongoing oversight serves as a strong incentive to maintain effective guidelines.
• Content of Guidelines: Guidelines should cover the following –
  • Purpose of the guidelines – Clearly state the objectives and scope of the guidelines, focusing on managing credit risk and compliance with regulations.
  • Methodology for defining transaction parameters – Define a systematic approach for assessing transaction parameters, including risk quantification methods and criteria for evaluating counterparties.
  • Transaction approval and delegation of authority – Detail the process for approving transactions, including the delegation of authority based on risk levels and sizes.
  • Procedure for handling new products and markets – Include protocols for handling transactions outside predefined parameters.
  • Process for reviewing and updating guidelines – Outline procedures for evaluating and monitoring new financial products or services, emphasizing pilot testing and ongoing risk assessment.
  • Consequences of guideline non‐compliance – Specify disciplinary actions or termination for failing to adhere to the guidelines, emphasizing the importance of compliance.
• Breach of Guidelines: Breaches of guidelines should be rare in well-managed companies, as they are serious and often result in immediate termination. Compliance with guidelines ensures that risks taken are within the accepted limits.
  • Carve‐Outs: Guidelines may include exceptions, such as for foreign exchange volatility, where limits may be expressed on a local currency basis.
  • Centralized Database: A centralized database captures transaction exposure and key credit parameters, enabling enforcement of guidelines and streamlining deal flow.
  • Instantaneous Feedback: Originators can quickly verify if proposed transactions comply with guidelines, eliminating the need for manual verification. The system rejects unauthorized transactions and provides documentation if attempted.

Skills

• Not all transactions can be approved by senior committees, so authority granted by the Board of Directors must be delegated further. This delegation process, a key aspect of guidelines, often sparks tension between risk management and origination units. While origination units prioritize profit, risk managers focus on avoiding losses, leading to differing perspectives on authority. Originators seek autonomy to close transactions quickly to meet business objectives, while risk managers weigh potential risks beyond immediate profitability.
• Risk management units lack approval authority and serve in advisory roles, offering input on transactions without direct decision-making power. However, for certain transactions meeting specific criteria, risk management input or recommendations may be mandated, though veto rights are rare. In such cases, risk managers provide written memos attached to documentation presented to credit committees and may present their opinions in person during committee meetings.
• The delegation of authority follows a two-step process:
  • assigning fundamental parameters for each transaction from a risk management perspective, and then
  • delegating approval authority based on these parameters.
• Additionally, an approval process is defined for complex or unique transactions not covered by guidelines, often involving escalation to high-level authorities like transaction committees for further review and recommendation.
• Defining Risk Parameters:
• The typical parameters of a credit-sensitive transaction include:
  • Exposure Amount: Estimate of the maximum potential loss, calculated based on transaction nature.
  • Credit Quality: Development of a scale summarizing counterparty creditworthiness.
  • Tenor: Period of credit exposure, indicating the duration until the counterparty’s final financial obligation is due, such as in a loan agreement.
• Delegation of Authority:
  Approval levels increase with transaction risk. High-risk transactions require senior- management attention and committee approval, while low-risk transactions involving high-quality counterparties may be approved at lower levels. Simple transactions may be approved by a single individual. When a transaction enters the firm’s pipeline, the first step is assigning fundamental parameters. These parameters are then compared to guideline thresholds to determine the appropriate approval authority. The approval process is often illustrated in a risk/approval flow, outlining the delegation escalation. An example of this process is detailed in the table provided.
• For example, for a three-year transaction with a counterparty rated R5, generating a $110 million exposure, approval is necessary from the transaction committee authorized for R5 counterparties for exposures starting from $90 million up to $120 million. Additionally, a recommendation from credit risk management is required for transactions exceeding $60 million in this rating category.

The authority delegation hierarchy typically starts with the individual originator, progressing to the business unit head, and then to a transaction committee comprising unit heads and relevant advisors. For transactions exceeding specific thresholds in size, credit quality, and tenor, approval is delegated to an executive board or credit committee, including senior management like the CFO, chief counsel, and CEO. This delegation is cumulative, requiring approval from each level. The approval process for overall limits on counterparties mirrors this procedure.

• Credit Committee:
• The highest level of approval, known as the credit committee, comprises the firm’s most senior executives and handles transactions with significant stakes. Here are key principles governing its operations:
  • Committee Composition: It should include diverse expertise from departments like business units, risk management, legal, tax, compliance, and accounting.
  • Charter Inclusion: The credit committee’s role and membership must be outlined in the credit guidelines or related documents.
  • Preparation: Originators must provide a comprehensive approval package well in advance, allowing committee members time for review and inquiry.
  • Effective Chairperson: A respected chairperson facilitates discussions impartially, ensuring all opinions are heard.
  • Decision‐making: The committee has the authority to decline transactions, fostering efficiency and sound risk management.
  • Consensus and Voting: Decisions are typically reached through consensus, with voting as a fallback.
  • Documentation: Discussions and decisions are accurately recorded in meeting minutes, crucial for transparency and audit purposes in case of adverse outcomes.

Limits

• Limits, also known as credit lines, signify the maximum permissible risk exposure or potential loss a company is willing to accept, typically in monetary terms. They can be assigned to various entities such as counterparties, industries, or countries. However, setting limits can be challenging, especially for transactions like long-term supply contracts or derivatives, where potential losses upon bankruptcy depend on market conditions at that time. To address uncertainty in such exposures, institutions often combinations of limits, including overall exposure limits and specific sub-limits for different transactions or products, to manage risk effectively. For example, a company might specify a maximum risk of $100 million for Company X, with the condition that derivative products account for maximum 40 percent of the total exposure.
• Determining credit limits involves a blend of quantitative models like value at risk (VaR) and qualitative judgment, which incorporates management’s intuition and practical experience. It combines assessing risk exposures with a sense of what regulators, rating agencies, or shareholders find acceptable.
• Ideally, originators are aware of counterparties’ aggregate credit lines, preventing conflicts over shared limits. However, tensions can arise between front offices and risk management regarding preapproved limits, as originators prefer certainty when engaging prospective clients to avoid unsupported business ventures later.
• Limits must be regularly adjusted to remain relevant to the current situation. Also, continuous monitoring of exposures against set limits is vital. Organizations must have a clear and well- defined process for addressing breaches when limits are exceeded, typically including immediate review and potential corrective actions. They should deploy systems that enable real-time tracking and immediate response to such breaches.

Oversight

Effective oversight involves supervising and evaluating processes and decisions related to credit risk. The role of oversight in credit risk management is crucial for maintaining financial stability and safeguarding against potential losses. Oversight ensures that risk management practices are not only in place but also actively functioning as intended. Successful oversight relies on four key components: (1) independence, (2) qualifications, (3) proximity to the business unit, and (4) open mind.

1. Independence:
   • The independence of the risk management unit is paramount and should not be compromised. Two fundamental rules ensure this independence:
     • it should not operate within a profit-centered business unit, and
     • a risk manager’s compensation should not be tied to business profitability.
   • All risk management staff should report ultimately to the chief risk officer (CRO), avoiding conflicts of interest.
   • In many large companies, the CRO reports directly to the CEO, holding a position of equal seniority to top business heads. This reporting structure allows the CRO to informally influence the CEO and encourages compliance with guidelines. Additionally, the CRO typically has privileged access to the risk and audit committees of the Board of Directors, ensuring independence, especially in environments like the United States under Sarbanes-Oxley regulations.
2. Qualifications:
   • Effective oversight hinges on the qualifications and capabilities of risk managers. They must possess technical expertise in risk assessment and a deep understanding of the business environment and market dynamics to offer valuable insights and informed recommendations.
   • Risk managers aim to earn the respect of their business partners, despite inevitable conflicts. Mutual respect hinges on a shared understanding of the business language. Business professionals cannot spare time to educate risk managers on fundamental transaction elements, which could undermine the latter’s credibility and influence.
   • While originators are confident in their abilities, they welcome constructive criticism, which can spur innovation and enhance propositions. However, if a risk manager lacks proficiency, originators may delay involving them until necessary for obtaining required recommendations.
3. Proximity to the Business Unit:
   • Risk managers must strike a balance between independence and proximity to operations. While organizational and physical proximity to business operations is necessary for a thorough understanding of underlying processes and motivations, risk managers must maintain their independence from frontline activities to fulfill their role effectively.
   • While it is uncommon for risk managers to join client discussions, a trusted credit risk manager can provide value by articulating the firm’s position, especially in resolving deadlocks due to terms, conditions, pricing, or limits. However, two cautions should be considered before accepting such invitations:
     • Risk managers may lack extensive negotiation experience.
     • Furthermore, getting too involved in front office activities can be detrimental. The primary role of a risk manager is to offer a distinct perspective and safeguard the company’s financial health.
4. Open Mind:
   • Effective oversight requires an open-minded approach to risk management. Instead of outright refusal, risk managers should focus on providing constructive alternatives. This collaborative approach is valued by both business and risk management teams. Business professionals are motivated to finalize deals, and constant rejection from risk managers can be discouraging. Effective risk managers acknowledge this and strive to help achieve mutual success. Engaging in roles within risk management becomes more fulfilling when it includes collaborating with originators, analyzing deal specifics, and assisting in structuring transactions.