Strengthening Financial Risk Management at the FDIC
Strengthening Financial Risk Management at the FDIC – Executive Summary
Since 1933, the FDIC’s mission has been to protect depositors and promote the
"safety and soundness of insured depository institutions and the U.S. financial
system by identifying, monitoring, and addressing risks to the deposit insurance
funds."1 While the specifics risks to the insurance funds have changed over time – overextension in the 1980s, consolidation in the 1990s, subprime lending today – the need for an effective risk management capability has not. The rapid pace of change in both the banking system and domestic and global capital markets presents
special challenges to this mission and demands that the FDIC constantly and
continually upgrade its risk management metrics, policies, systems, and
organization to remain effective.
The economic climate in the United States has put mounting pressure on banks,
their customers, and the FDIC. In 2002, more banks failed than in any year since
1994. The number of "problem institutions" on the FDIC’s reserve list, one of
many indicators of financial strain in the banking system, rose significantly in each
of the last 3 years, with aggregate assets at these institutions quadrupling since 1998
to $39 billion at year end 2002. The FDIC’s Bank Insurance Fund (BIF) reserve
ratio, meanwhile, has dropped markedly over the last 4 years to a current level of
1.28 percent – slightly above the legal minimum.
At the same time, deposit insurance reform legislation now under consideration may
present new challenges and opportunities for the FDIC. While the final form of any
new regulatory scheme remains to be determined, the general outlines are becoming
clearer. The FDIC is likely to obtain greater latitude to manage a combined deposit
insurance fund2 within a range of reserve ratios (e.g., 1.15 to 1.50) rather than to a
specific target number (i.e., 1.25). Moreover, the FDIC is likely to have increased
authority to charge risk-based premiums to financial institutions that it insures. In a
post-reform era, a heightened understanding of risk – both financial risk to the FDIC as well as economic risk to the banking system – will be especially critical, not only for the effective and efficient management of the deposit insurance system but also for fair and accurate premium assessments on the banking industry.
Amid these developments, the FDIC has started to think more proactively about
risk, initiating several major reforms over the last 18 months. In early 2003, it
created the National Risk Committee (NRC), a cross-divisional body of senior
managers established to identify and evaluate major business risks facing the
banking industry and the insurance funds. The NRC provides coordinated policy
guidance to the operating units, including on the development of appropriate
strategies and operating policies. A network of similar committees in the FDIC
regions delivers regular regional risk reports to the NRC. In addition, a state-of-the art
Risk Analysis Center (RAC) was created earlier this year to monitor emerging
macro and micro risks on a daily basis and to recommend responses to the NRC.
The NRC and the RAC complement a third cross-divisional risk committee, the
Financial Risk Committee (FRC), whose broad mission is to quantify risks to the
deposit insurance system for financial reporting and fund management purposes. In
particular, the FRC sets a contingent loss reserve (CLR) to satisfy GAO accounting
rules and estimates the total assets of banks that may fail within the subsequent
eight quarters (the "2-year Projection") for deposit insurance pricing and internal
Consistent with the growing importance of risk and risk management to the banking
industry and the insurance funds, the FDIC has commissioned an independent
evaluation of the processes and methodologies used to establish the CLR and the
2-year Projection. McKinsey & Company was selected to provide this assessment.
Based on an in-depth analysis of financial models used by FRC, observations of the
FRC decision-making process, and extensive internal and external interviews, we
have developed recommendations to modify, supplement, and in some cases replace
parts of the existing FRC processes. As part of our review, we have also had the
opportunity to assess the risk management processes and procedures of the NRC
and the RAC, and we similarly provide recommendations to strengthen these two
risk management initiatives.
Our recommendations for improving the FDIC’s financial risk management
practices span three overlapping time horizons. Beginning now and continuing over
the next 3 to 6 months, a set of clear improvements to the existing financial risk
reporting should be quickly and methodically implemented (Horizon 1) to address
any industry uncertainty regarding the process’s accuracy, robustness, and
transparency. Beginning now and continuing over the next 18 months, a new
generation of financial risk management models under development should be
finalized and a set of supporting organizational processes should be established (Horizon 2). Beginning after the new risk models are in place and other
organizational improvements are well underway and continuing indefinitely, the
FDIC should regularly and systematically review its emerging risk management
needs to determine whether an investment in a more substantial risk infrastructure is
warranted (Horizon 3).
Improving financial reporting – Horizon 1
To improve financial reporting and quickly strengthen the FRC estimates and
processes, the FDIC should pursue three recommended sets of actions in Horizon 1:
refine the CLR methodology; replace the 2-year Projection with a confidence
interval around the CLR and a 2-year loss estimate; and adopt a set of new
organizational practices for the FRC.
Recommendation 1.1: Refine the CLR methodology. The FRC can enhance the
accuracy, robustness, and transparency of the CLR process by:
Developing explicit guidelines about when to deviate from historical
Constraining subjective deviations in failure rates to a 90-percent
confidence interval of the 2-year historical average
Incorporating liability and asset structure into loss-rate estimates (e.g.,
commercial loans, consumer loans, real estate, cash versus securities)
Updating the Research Model with more recent data, and expanding it to
incorporate institution size and dispositions other than liquidation.
These proposed changes would have improved the accuracy of the CLR over the
most recent 5-year period for which data is available by more than 20 percent, and
they are likely to yield similar results going forward.3 Other potential enhancements to the CLR, such as reserving for institutions with CAMELS ratings
1-3, do not offer material benefits in accuracy and are not recommended.
Recommendation 1.2: Replace the 2-year Projection with a confidence interval
around the CLR and a 2-year loss estimate. To better meet the FDIC’s risk reporting
needs, the 2-year Projection should be replaced with a confidence interval
around the CLR and a new 2-year loss estimate:
The FDIC should no longer calculate the 2-year Projection. The three supporting models should be either maintained for estimating the CLR(Pro Forma) or migrated to other uses (SAM). Models that do not have a specific, well-defined role in this new environment should be abandoned (e.g., possibly Proportional Hazards).
In place of the 2-year Projection, the Division of Insurance and Research (DIR) should calculate a confidence interval around the CLR, and the Division of Finance (DOF) should use the upper end of this confidence interval as an estimate of "reasonably possible" losses in its annual financial statements (Note 6 to the FDIC’s 2002 Annual Report).
DIR should create a 2-year loss estimate using methodology similar to that of the CLR and investigate the sensitivity of this method to changes in the reserve list.
Recommendation 1.3: Adopt a set of new FRC organizational practices. To
create a more effective and efficient process for financial reporting, the FRC should
adopt and implement:
A clear mission statement to better guide the committee, its participants, and other stakeholders
A FRC dashboard of needed risk metrics to standardize its view of critical risk factors and simplify risk monitoring
Formal voting, attendance, and meeting procedures to enhance decisionmaking and accountability
Formal and systematic feedback loops to strengthen analysis, transparency, and effectiveness on a continuous basis.
The FRC should pursue these recommendations aggressively over the next 90 days,
to enhance the FDIC’s financial risk reporting as soon as possible. Collectively, the
adoption of these recommendations will give the FDIC and its external stakeholders
a significantly improved understanding of the risks it faces, while building
important organizational momentum to move toward the modeling and
organizational improvements envisioned for Horizon 2.
Building best-practice financial risk management – Horizon 2
While efforts are underway to improve financial reporting in Horizon 1, the FDIC
should expand and enhance two current initiatives to move toward best-practice
financial risk management at Horizon 2. First, it should accelerate ongoing efforts
to improve and integrate its risk models; and second, it should continue the
integration of its risk management groups into a high-performing risk organization.
Recommendation 2.1: Accelerate development of the new integrated model for
financial risk management. With respect to risk models, the FDIC should move
aggressively to develop an integrated model for financial risk management in the
near- to mid-term. By combining and synthesizing models of bank failures,
investment income, deposit growth, and premium income, such an integrated model
will enable the FDIC to monitor and manage its overall financial risks (e.g.,
likelihood of exhausting the BIF over a given time horizon, likelihood of falling
below the reserve ratio over a given time horizon). The outputs of this integrated
model should be captured in user-friendly “dashboard” formats with appropriate
detail for the NRC, RAC, and FRC to help focus the organization on a timely basis
on risk metrics that are significant, relevant, and actionable within its current risk
management environment. The benefits of an integrated model can be realized in as
little as 12 to 18 months with adequate project planning.
Specifically, by the end of 2003, DIR should build a working prototype
of a new bank failure model (the “credit risk model”) based on an initial
set of assumptions about failure rates, loss rates, and correlation
structures, while employing basic simulation software. Work now
underway with Robert Jarrow, an outside consultant, will play an
important role in shaping the prototype’s architecture.
Subsequently, the results should be back-tested and any discrepancies
resolved to develop an intermediate version of the credit risk model
suitable for use in operations. Component inputs should be updated and
refined in this version (e.g., failure rates and correlation structures). The
intermediate model should be used for 6 months to shadow the current
CLR methodology before being adopted by mid-2004.
An advanced version of the credit risk model with additional variables
should be developed by December 2004. Once in place, it should be
improved continuously, based on existing and new FDIC research
focusing on correlation between failures. Additionally, the new credit
risk model should be extended to project losses over multiple years.
Simultaneous with the development of the credit risk model, DIR should
develop auxiliary models of investment results, premium growth, and
deposit growth. These models together with the credit risk model will
form an integrated financial risk management model that will allow the
FDIC to monitor and manage risk to the insurance funds more
effectively. The integrated model, for example, will provide the ability to
run simulations on the likelihood of falling below (within) the reserve
ratio (range), or on the probability of suffering a loss of any given size.
Recommendation 2.2: Build a more integrated risk management organization.
An integrated financial risk model is an important step toward best practices in risk
management, but it is not sufficient. It must be complemented with an effective risk
management organizational environment to ensure that its full potential is realized.
The FDIC recently has taken important steps toward creating such an environment.
With the creation of the National Risk Committee and Risk Analysis Center in
2003, along with the FRC in 1998, it has established the necessary units to meet its
risk management objectives. Now, for each unit to play its appropriate role
effectively, the FDIC needs to clearly and formally define the mission,
responsibilities, and outputs of each. To ensure continuous progress toward
integrated risk management, these committees need strong feedback mechanisms, to
focus more deliberately on measuring and improving their performance against the
FDIC’s risk-management objectives. Improvements can be made within each
Strengthening the NRC. The NRC should clarify its role, enhance its outputs and
operations, and build feedback mechanisms to drive continuous improvements:
Clarifying the NRC’s role. The NRC should forge a consensus across divisions and provide policy advice on cross-cutting issues (e.g., subprime lending), oversee the RAC and the FRC, and provide guidance to DIR and the RAC about needed research.
Enhancing the NRC’s outputs and operations. The NRC should produce a monthly risk-guidance report, create a “dashboard” of the most important risk indicators (e.g., probability of losses exceeding a critical threshold within the next year), and enlist executive support to ensure execution against its decisions. The risk guidance report should be submitted on a monthly basis to the Chairman’s office, and on a quarterly basis to the Board.
Building feedback mechanisms. The NRC should adopt feedback mechanisms to assess its progress and drive continuous performance improvements
Strengthening the RAC. The RAC should clarify its role, enhance its operations,
and adopt formal feedback mechanisms:
Clarifying the RAC’s role. The RAC should produce a weekly risk guidance
report for the NRC, regularly assess the FDIC’s offsite models,
and organize occasional briefing sessions for supervisors.
Enhancing the RAC’s operations. The RAC should develop a
dashboard of key indicators that it will track regularly and reduce its
afternoon meetings to one or two sessions per week
Building feedback mechanisms. The RAC should adopt feedback
mechanisms to assess its progress and drive continuous performance.
Expanding the FRC’s long-term mandate. The FRC should broaden its mission
to include estimating the long-term financial health of the FDIC, for dissemination
in public forums such as FDIC’s Annual Report.
Anticipating future needs – Horizon 3
The improvements of Horizons 1 and 2 will deliver substantial value to the FDIC
and external stakeholders, but the FDIC will have the option to go even further.
After achieving Horizon 2, the FDIC may want to implement Horizon 3 capabilities
like real-time risk management, programs for hedging or reinsurance, and the
ability to carry out rapid scenario analyses. While none of these Horizon 3
capabilities is necessary now, each is likely to become more attractive over time.
Accordingly, the FDIC should actively monitor its risk profile to determine whether
or when to move to Horizon 3 tools and approaches. In addition, as integrated risk
approaches become more common at the FDIC, it may eventually make sense to
create a Chief Risk Officer position to support the NRC, RAC, and FRC.
Recommendation 3.1: Annually assess whether to move to Horizon 3.
Because moving to real-time risk management requires a significant
investments to upgrade the organization’s IT and skills, the FDIC will
need to monitor the results of its improvements in Horizons 1 and 2 to
determine whether the benefits of moving to Horizon 3 outweigh the costs.
* * *
The three chapters that follow provide a detailed discussion of each