Strengthening Financial Risk Management at the FDIC – Executive Summary

INTRODUCTION

Since 1933, the FDIC’s mission has been to protect depositors and promote the "safety and soundness of insured depository institutions and the U.S. financial system by identifying, monitoring, and addressing risks to the deposit insurance funds."¹ While the specifics risks to the insurance funds have changed over time – overextension in the 1980s, consolidation in the 1990s, subprime lending today – the need for an effective risk management capability has not. The rapid pace of change in both the banking system and domestic and global capital markets presents special challenges to this mission and demands that the FDIC constantly and continually upgrade its risk management metrics, policies, systems, and organization to remain effective.

The economic climate in the United States has put mounting pressure on banks, their customers, and the FDIC. In 2002, more banks failed than in any year since 1994. The number of "problem institutions" on the FDIC’s reserve list, one of many indicators of financial strain in the banking system, rose significantly in each of the last 3 years, with aggregate assets at these institutions quadrupling since 1998 to $39 billion at year end 2002. The FDIC’s Bank Insurance Fund (BIF) reserve ratio, meanwhile, has dropped markedly over the last 4 years to a current level of 1.28 percent – slightly above the legal minimum.

At the same time, deposit insurance reform legislation now under consideration may present new challenges and opportunities for the FDIC. While the final form of any new regulatory scheme remains to be determined, the general outlines are becoming clearer. The FDIC is likely to obtain greater latitude to manage a combined deposit insurance fund² within a range of reserve ratios (e.g., 1.15 to 1.50) rather than to a specific target number (i.e., 1.25). Moreover, the FDIC is likely to have increased authority to charge risk-based premiums to financial institutions that it insures. In a post-reform era, a heightened understanding of risk – both financial risk to the FDIC as well as economic risk to the banking system – will be especially critical, not only for the effective and efficient management of the deposit insurance system but also for fair and accurate premium assessments on the banking industry.

Amid these developments, the FDIC has started to think more proactively about risk, initiating several major reforms over the last 18 months. In early 2003, it created the National Risk Committee (NRC), a cross-divisional body of senior managers established to identify and evaluate major business risks facing the banking industry and the insurance funds. The NRC provides coordinated policy guidance to the operating units, including on the development of appropriate strategies and operating policies. A network of similar committees in the FDIC regions delivers regular regional risk reports to the NRC. In addition, a state-of-theart Risk Analysis Center (RAC) was created earlier this year to monitor emerging macro and micro risks on a daily basis and to recommend responses to the NRC. The NRC and the RAC complement a third cross-divisional risk committee, the Financial Risk Committee (FRC), whose broad mission is to quantify risks to the deposit insurance system for financial reporting and fund management purposes. In particular, the FRC sets a contingent loss reserve (CLR) to satisfy GAO accounting rules and estimates the total assets of banks that may fail within the subsequent eight quarters (the "2-year Projection") for deposit insurance pricing and internal budgetary purposes.

Consistent with the growing importance of risk and risk management to the banking industry and the insurance funds, the FDIC has commissioned an independent evaluation of the processes and methodologies used to establish the CLR and the 2-year Projection. McKinsey & Company was selected to provide this assessment. Based on an in-depth analysis of financial models used by FRC, observations of the FRC decision-making process, and extensive internal and external interviews, we have developed recommendations to modify, supplement, and in some cases replace parts of the existing FRC processes. As part of our review, we have also had the opportunity to assess the risk management processes and procedures of the NRC and the RAC, and we similarly provide recommendations to strengthen these two risk management initiatives.

Our recommendations for improving the FDIC’s financial risk management practices span three overlapping time horizons. Beginning now and continuing over the next 3 to 6 months, a set of clear improvements to the existing financial risk reporting should be quickly and methodically implemented (Horizon 1) to address any industry uncertainty regarding the process’s accuracy, robustness, and transparency. Beginning now and continuing over the next 18 months, a new generation of financial risk management models under development should be finalized and a set of supporting organizational processes should be established (Horizon 2). Beginning after the new risk models are in place and other organizational improvements are well underway and continuing indefinitely, the FDIC should regularly and systematically review its emerging risk management needs to determine whether an investment in a more substantial risk infrastructure is warranted (Horizon 3).

Improving financial reporting – Horizon 1

To improve financial reporting and quickly strengthen the FRC estimates and processes, the FDIC should pursue three recommended sets of actions in Horizon 1: refine the CLR methodology; replace the 2-year Projection with a confidence interval around the CLR and a 2-year loss estimate; and adopt a set of new organizational practices for the FRC.

Recommendation 1.1: Refine the CLR methodology. The FRC can enhance the accuracy, robustness, and transparency of the CLR process by:

• Developing explicit guidelines about when to deviate from historical failure rates



• Constraining subjective deviations in failure rates to a 90-percent confidence interval of the 2-year historical average



• Incorporating liability and asset structure into loss-rate estimates (e.g., commercial loans, consumer loans, real estate, cash versus securities)



• Updating the Research Model with more recent data, and expanding it to incorporate institution size and dispositions other than liquidation.

These proposed changes would have improved the accuracy of the CLR over the most recent 5-year period for which data is available by more than 20 percent, and they are likely to yield similar results going forward.³ Other potential enhancements to the CLR, such as reserving for institutions with CAMELS ratings 1-3, do not offer material benefits in accuracy and are not recommended.

Recommendation 1.2: Replace the 2-year Projection with a confidence interval around the CLR and a 2-year loss estimate. To better meet the FDIC’s riskreporting needs, the 2-year Projection should be replaced with a confidence interval around the CLR and a new 2-year loss estimate:

• The FDIC should no longer calculate the 2-year Projection. The three supporting models should be either maintained for estimating the CLR(Pro Forma) or migrated to other uses (SAM). Models that do not have a specific, well-defined role in this new environment should be abandoned (e.g., possibly Proportional Hazards).



• In place of the 2-year Projection, the Division of Insurance and Research (DIR) should calculate a confidence interval around the CLR, and the Division of Finance (DOF) should use the upper end of this confidence interval as an estimate of "reasonably possible" losses in its annual financial statements (Note 6 to the FDIC’s 2002 Annual Report).



• DIR should create a 2-year loss estimate using methodology similar to that of the CLR and investigate the sensitivity of this method to changes in the reserve list.

Recommendation 1.3: Adopt a set of new FRC organizational practices. To create a more effective and efficient process for financial reporting, the FRC should adopt and implement:

• A clear mission statement to better guide the committee, its participants, and other stakeholders



• A FRC dashboard of needed risk metrics to standardize its view of critical risk factors and simplify risk monitoring



• Formal voting, attendance, and meeting procedures to enhance decisionmaking and accountability



• Formal and systematic feedback loops to strengthen analysis, transparency, and effectiveness on a continuous basis.

The FRC should pursue these recommendations aggressively over the next 90 days, to enhance the FDIC’s financial risk reporting as soon as possible. Collectively, the adoption of these recommendations will give the FDIC and its external stakeholders a significantly improved understanding of the risks it faces, while building important organizational momentum to move toward the modeling and organizational improvements envisioned for Horizon 2.

Building best-practice financial risk management – Horizon 2

While efforts are underway to improve financial reporting in Horizon 1, the FDIC should expand and enhance two current initiatives to move toward best-practice financial risk management at Horizon 2. First, it should accelerate ongoing efforts to improve and integrate its risk models; and second, it should continue the integration of its risk management groups into a high-performing risk organization.

Recommendation 2.1: Accelerate development of the new integrated model for financial risk management. With respect to risk models, the FDIC should move aggressively to develop an integrated model for financial risk management in the near- to mid-term. By combining and synthesizing models of bank failures, investment income, deposit growth, and premium income, such an integrated model will enable the FDIC to monitor and manage its overall financial risks (e.g., likelihood of exhausting the BIF over a given time horizon, likelihood of falling below the reserve ratio over a given time horizon). The outputs of this integrated model should be captured in user-friendly “dashboard” formats with appropriate detail for the NRC, RAC, and FRC to help focus the organization on a timely basis on risk metrics that are significant, relevant, and actionable within its current risk management environment. The benefits of an integrated model can be realized in as little as 12 to 18 months with adequate project planning.

• Specifically, by the end of 2003, DIR should build a working prototype of a new bank failure model (the “credit risk model”) based on an initial set of assumptions about failure rates, loss rates, and correlation structures, while employing basic simulation software. Work now underway with Robert Jarrow, an outside consultant, will play an important role in shaping the prototype’s architecture.



• Subsequently, the results should be back-tested and any discrepancies resolved to develop an intermediate version of the credit risk model suitable for use in operations. Component inputs should be updated and refined in this version (e.g., failure rates and correlation structures). The intermediate model should be used for 6 months to shadow the current CLR methodology before being adopted by mid-2004.



• An advanced version of the credit risk model with additional variables should be developed by December 2004. Once in place, it should be improved continuously, based on existing and new FDIC research focusing on correlation between failures. Additionally, the new credit risk model should be extended to project losses over multiple years.



• Simultaneous with the development of the credit risk model, DIR should develop auxiliary models of investment results, premium growth, and deposit growth. These models together with the credit risk model will form an integrated financial risk management model that will allow the FDIC to monitor and manage risk to the insurance funds more effectively. The integrated model, for example, will provide the ability to run simulations on the likelihood of falling below (within) the reserve ratio (range), or on the probability of suffering a loss of any given size.

Recommendation 2.2: Build a more integrated risk management organization. An integrated financial risk model is an important step toward best practices in risk management, but it is not sufficient. It must be complemented with an effective risk management organizational environment to ensure that its full potential is realized. The FDIC recently has taken important steps toward creating such an environment. With the creation of the National Risk Committee and Risk Analysis Center in 2003, along with the FRC in 1998, it has established the necessary units to meet its risk management objectives. Now, for each unit to play its appropriate role effectively, the FDIC needs to clearly and formally define the mission, responsibilities, and outputs of each. To ensure continuous progress toward integrated risk management, these committees need strong feedback mechanisms, to focus more deliberately on measuring and improving their performance against the FDIC’s risk-management objectives. Improvements can be made within each committee:

Strengthening the NRC. The NRC should clarify its role, enhance its outputs and operations, and build feedback mechanisms to drive continuous improvements:

• Clarifying the NRC’s role. The NRC should forge a consensus across divisions and provide policy advice on cross-cutting issues (e.g., subprime lending), oversee the RAC and the FRC, and provide guidance to DIR and the RAC about needed research.



• Enhancing the NRC’s outputs and operations. The NRC should produce a monthly risk-guidance report, create a “dashboard” of the most important risk indicators (e.g., probability of losses exceeding a critical threshold within the next year), and enlist executive support to ensure execution against its decisions. The risk guidance report should be submitted on a monthly basis to the Chairman’s office, and on a quarterly basis to the Board.



• Building feedback mechanisms. The NRC should adopt feedback mechanisms to assess its progress and drive continuous performance improvements

Strengthening the RAC. The RAC should clarify its role, enhance its operations, and adopt formal feedback mechanisms:

• Clarifying the RAC’s role. The RAC should produce a weekly riskguidance report for the NRC, regularly assess the FDIC’s offsite models, and organize occasional briefing sessions for supervisors.



• Enhancing the RAC’s operations. The RAC should develop a dashboard of key indicators that it will track regularly and reduce its afternoon meetings to one or two sessions per week



• Building feedback mechanisms. The RAC should adopt feedback mechanisms to assess its progress and drive continuous performance.

Expanding the FRC’s long-term mandate. The FRC should broaden its mission to include estimating the long-term financial health of the FDIC, for dissemination in public forums such as FDIC’s Annual Report.

Anticipating future needs – Horizon 3

The improvements of Horizons 1 and 2 will deliver substantial value to the FDIC and external stakeholders, but the FDIC will have the option to go even further. After achieving Horizon 2, the FDIC may want to implement Horizon 3 capabilities like real-time risk management, programs for hedging or reinsurance, and the ability to carry out rapid scenario analyses. While none of these Horizon 3 capabilities is necessary now, each is likely to become more attractive over time. Accordingly, the FDIC should actively monitor its risk profile to determine whether or when to move to Horizon 3 tools and approaches. In addition, as integrated risk approaches become more common at the FDIC, it may eventually make sense to create a Chief Risk Officer position to support the NRC, RAC, and FRC.

• Recommendation 3.1: Annually assess whether to move to Horizon 3. Because moving to real-time risk management requires a significant investments to upgrade the organization’s IT and skills, the FDIC will need to monitor the results of its improvements in Horizons 1 and 2 to determine whether the benefits of moving to Horizon 3 outweigh the costs.

* * *

The three chapters that follow provide a detailed discussion of each recommendation.

¹ FDIC 2002 Annual Report, inside cover (emphasis added).

² Both the current House and Senate versions of deposit insurance reform legislation combine the BIF and the Savings Association Insurance Fund (SAIF) into a single fund.

³ Exhibit 1-4 depicts improvements in accuracy from such a transition.

CONTENTS | NEXT >>