Dallas Wells is joined by Matt Davis, COO of Paragon Bank, to discuss Enterprise Risk Management (ERM).
In Matt’s article for banking.com, he laid out 8 big types of risk that an effective ERM platform should cover. It’s one thing to talk about ERM, but it is quite another to actually bring all of those very different risks under one umbrella. Matt and Dallas go over some of the struggles Paragon Bank has either found directly or heard about from other banks in managing risks that are often siloed within their own departments.
Helpful Links
- Enterprise Risk Management for Banks
- What Banks Learned About Risk Management in 2013
- Remarks by Carolyn G. DuChene – Deputy Comptroller Operational Risk at the Bank Safety and Soundness Advisor Community Bank Enterprise Risk Management Seminar
- Getting started right in Enterprise Risk Management
Podcast Transcript
Welcome to another episode of “The Purposeful Banker” podcast brought to you by PrecisionLender, where we discuss the big topics on the minds of today’s best bankers. I’m Dallas Wells, and thank you for joining us. Today, we’re going to be talking about enterprise risk management and why it’s become such a big topic for banks. To help us with that conversation, I’m joined by Matt Davis. Matt is the Chief Operating Officer at Paragon Bank. Matt, thank you for joining us.
Thank you very much, Dallas. It’s a pleasure to be with you today.
Matt, why don’t we start just by telling us just a little bit about Paragon Bank and your role there.
Paragon Bank is a bank about a billion-three in asset size. The bank was started in 1999. What’s a little different about Paragon is that we are … Our model is not your typical community bank in that we started with the idea of having a very limited branch network, and we cater primarily to business clients and the high-end private-banking individuals. We have three locations in Raleigh, North Carolina, Charlotte, and also in Cary.
Our primary, I guess, differentiator from your typical bank is we provide just a very high level of service to a fairly narrowly defined niche target market. My role has been throughout the existence of the bank. I started off on the sales side of the bank, then migrated into credit, as Chief Credit Officer. Then since 2012, I’ve been the Chief Operating Officer.
So you guys have a very specific target as far as customers, and then it’s a very high-touch kind of model with those clients?
Exactly.
The reason that you got to be lucky enough to be on this podcast was that you wrote an article out on banking.com. We’ll put a link out there to that, but it was called “Using Enterprise Risk Management to Achieve Bank Stability.” What spurred you to write that and post it out there?
Well, this was an opportunity I was invited. Due to our role and due to the fact that we have taken some steps in the direction of ERM, I was invited to be a participant in this. In doing so, it gave us an opportunity to go out there and articulate for others what we’ve been able to do over the past several years. We could talk more about that later. It was just more of a request. In doing so, it turned out to be something that we realized that we have made some progress in this area, even though I would say that there’s still a lot of things to be learned and new areas to be explored. It was a good opportunity for us to sort of put out there and also learn from others some things that other people are doing, as well.
I always find as I write stuff, it really helps you clarify exactly where you’ve been and where you’re at and where you’re headed with it, to make yourself put it on paper like that.
Exactly.
You guys have started a full-blown enterprise-risk-management program. Is this something that you guys slowly tiptoed into over time, or was this a formal decision where you just jumped in with both feet?
Back in 2009, this really became much more of a focus of ours. We have someone here at the bank who is the head of our internal audit department. He’s a seasoned banker, and he’s got a tremendous wealth of knowledge and experience. He brought it to our attention, the trend of ERM. He educated all of us on this beginning focus within our industry. In doing so, we started to just slowly introduce the concepts. He integrated it. It’s somewhat related to the role of internal audit in many ways, so he was a natural resource for us. In doing so, he kind of guided us through the process. Now that was in 2009. We did this on and off through that. As you know, in our industry, we were all focused on … Risk, at the time, was primarily focusing on credit risk, but we also focused in the various areas throughout the organization.
Then in 2012, we had an opportunity to bring in a group of graduate students from North Carolina State University School of Management. They came in and spent about a month with us. They took the work that we had done, and they really helped us take it to the next level and essentially designed and expanded the work we’d already done and created this into more of a holistic, true ERM product. That was really, I would say, the beginning of our formal … I would never say it’s a complete program, but it was much more robust at that point in time with their help. It has really received some really positive feedback from our third-party auditors and examiners, so we feel like we’ve come a long way with it.
We see … It sounds like you’ve had several folks with hands in it, and that’s kind of the nature of ERM, but we see a lot of different roles handle that, especially as banks are first getting it up and going. Not everybody has a Chief Risk Officer. You guys are at that size where that first starts becoming a thing you talk about. We see it handled by CFOs, COOs, or internal audit, which it sounds like it kind of kicked off the process for you guys. Who owns that function at this point for you guys?
Yes. I would say it ultimately rolls up to me, the Chief Operating Officer. However, I would say that the actual responsibility who oversees the program is the Director of Internal Audit and Enterprise Risk Management. In fact, we expanded his role here at the bank. I would guess, technically, the owner of it is that particular individual. However, he does report directly to me, and ultimately I am the one who takes it and presents many of the findings at the board level, even though the Director of Enterprise Risk is involved at the Audit Committee level. We can talk a little bit more about that.
Obviously, with these programs, there’s pretty heavy board involvement. Does this go to the full board, or do you guys make a subcommittee to handle these direct issues?
Actually, it does. It goes through … First of all, it goes through a management committee. It’s the Management Risk Committee. In fact, we met yesterday. That consists only of internal-management members throughout the entire organization. All the departments are represented in that committee. We meet on a quarterly basis for the purposes of reviewing all of the risk assessments, the findings, the risk assignments, the low, medium, and high, just making sure that everyone is on the same page. That’s at the management level.
We also have, on an at least annual basis, we present the findings to the Audit Committee, which is the subcommittee of the full board. The Audit Committee … The level of detail, I would say, of the final risk-assessment reports, I would say that we’ve designed over the years some really good, concise, fairly-representative reports that the Audit Committee goes through in detail. Then they will provide a summary of their findings and understandings to the full board on a monthly basis.
I think what you hit on right there is the real trick, the hard part to this that we’ve heard from other folks, which is, in your article, you laid out eight big types of risk. I’ll run through those real quick: the credit risk, interest-rate risk, liquidity risk, operational risk, compliance risk, strategic, reputational, and financial-reporting risk. That’s a mouthful. It’s also a lot of stuff to try to encompass under one umbrella.
I think the first trick is exactly as you said. You’ve got to take all this data, and board packets have gotten ugly enough as it is, hundreds of pages. You’ve got to take all that stuff and boil it down to what do we really need to know. Where are the risks, and where do we find those? Talk about the challenges of pulling all that stuff together from all those different areas and some ways that you guys dealt with that.
Absolutely. I think that’s exactly the challenge that many institutions will face as they have begun this process. What we do is that we have risk assessments that each department head is responsible for updating on a quarterly basis. That is the flow-through. As they go through and update it … This is all done systematically on an application software that actually originally began in the audit department. It’s the application that’s used for several different areas. One is internal audit, but it’s also used and has been customized for enterprise risk management.
It makes it somewhat more consistent as each one of these various departments will go in; they’ll update their risk assessments on a regular basis with some assistance from our Director of Enterprise Risk. Then that flows through into a very nice, concise, easy-to-read reporting where we are able to prioritize the risk and then take the high risk, put those into a dashboard. A board member can take a look at this, can easily see if there’s any movement from the previous quarter in any of the risk categories. It does make it very simple because you’re absolutely right. With limited time and the ability not to get too far into the weeds, so to speak, on this, we felt like the use of a dashboard is absolutely critical. Otherwise, it’s got some real challenges to it.
Yeah. I think that that basic core philosophy is a good one for dealing with the board, in general, and even at the management level. As you grow as a bank and things get more complicated and sophisticated, you’ve got to take all that raw data, and you can’t keep looking at just tables of numbers. You’ve got to put it in a way that you focus the conversation on the things that are really important and the things that need decisions. That dashboard kind of approach is the right way to do that.
That’s absolutely exactly right.
As you guys have grown, and I know that a lot of this was 2009. It was just the prudent thing to do, was to start thinking about this holistic view of risk and of the institution. Have you experienced some changing expectations from your regulators?
Yeah. I would say that they’ve been very good to work with in that they have set forth expectations and they’ve talked about enterprise risk management. They have been very open to understanding. They have not come in and said, “There’s only one way to do this, and here’s the way to do it.” They have been open enough to see and I think they’ve been interested to see the way different organizations are approaching enterprise risk management, and to your point, they have sort of fine-tuned. I think as we’ve all gotten further along in this process, they’re able to fine-tune what they look at, and they’re able to kind of drill down. Our enterprise-risk-management reports are something that they spend quite a bit of time with. They occasionally will make comments because they do have the benefit of seeing a lot of different organizations.
Absolutely.
We like to benefit from that, and they obviously share their thoughts with us and their insights. Sometimes they make suggestions about how to improve it or things to do differently. Yeah, it has sort of, I guess … It continues to evolve, but I think … I would say that we have, for the most part, been maybe a little bit ahead of some of our peers in this because we did jump on it pretty early on.
I think you make a good point there. It kind of dovetails with my own experience with regulators, which is two things. Number one, proactive. You don’t wait to be told something. You’re actively trying to put something in place before it’s required. Then number two, you’re very communicative about that. The regulators are not there for it to be an adversarial relationship, and a lot of banks approach it that way. Really, we’re all in it for the same thing, right? We want the banks to be safe and sound and healthy and to grow in a profitable and sound way.
We’re all going at it from maybe slightly different perspectives, but we want the same thing. I think if you ask the regulators … As you said, they see a lot of stuff. They get a lot of different perspectives. They bring some good ideas out of that. Say, “Here’s where we are. Here’s what we’re thinking and why. How can we make this better?” Then it’s a back-and-forth conversation instead of, “Well, here’s your exceptions and things that you have to clean up within ninety days.” When it starts heading that way, now you’ve gone down the wrong path.
That’s right. That’s exactly right.
You guys have been at this a little while and so have gotten it to a good place and, as you say, still evolving, but what are some baby steps maybe that a bank can take? If they’re wanting to start putting ERM in place, where’s a good starting point?
I would say the first thing I think is critical is to don’t assume … because to have a really robust ERM program in any type of institution, you’ve got to have everyone at the departmental level involved, right? They have to be the ones, because they’re the ones that are closest to the risk. I think sometimes the biggest challenge is there are some areas within the bank, in our situation, that they’re just not necessarily fully aware of exactly what the risk will look like. The key is to absolutely, before you get too far into the process of identifying risk, is to really explain, educate, and even train some of the department heads on what exactly risk is.
Now, that sounds sometimes like it’s a simple question and a simple answer, but it’s really not. Those of us, for instance myself, having come through the credit side of the bank, people say all we do is worry about things that can go wrong, but there are a lot of people who are much more talented at processes that they aren’t necessarily focused on the risk of what could go wrong. What you do … I think for us, it is getting everyone somewhat trained on the concept of what risk really looks like, what it is, and what it looks like in their world, and help them to figure out how to best identify and articulate what those risks are. Then you have to take it to the next step, is you have to get them to basically prioritize the risk and then obviously, with that, you have to rank the risk.
Then that is a really good … It’s a great process for the employees to go through because then they start to … Then they’re able to put together … You have a couple of great benefits. Number one, they’re starting to really see how all the departments within the organization are interrelated as it relates to the flow, the risk, the overall functioning of an organization. Number two, it helps them see the value of what they do in an organization because what every leader wants in an organization is they want every employee to feel like what they do on a day-to-day basis is extremely important.
Many times what we found out is going through this risk-management process and you’re able to put down a whole list of all the risk, then number one, it does make people … Some people get a little more concerned about the risk in the organization. Number two, it helps them remember that they’re just an integral part in making sure that we manage this risk. It really has a lot of benefits to it in addition to the fundamental purpose of just keeping the bank safe. There’s a lot of benefits to it, but educating is the key, helping people … Don’t assume people understand what risk is and what risk management looks like because it’s not always obvious to everyone.
Sure. To that end, we’ll link to a few resources that we’ve stumbled across. We’ll include your article out there. Any other good resources that you’ve found that you could point people to? Where can bankers go for help on this stuff?
I’ll tell you, one of the best resources that we have relied on has been our external auditors. We have worked very closely with them, and they’ve been just … Again, much like the regulatory community, they’ve been just a real great resource for us. Again, for us, our path was a little bit different than many others, but we have the benefit of being here in Raleigh next to NC State University, and we’re able to benefit from the project work that the grad students did for us. That was a little different, like I said, but I would say we relied most heavily on feedback from regulators and also from our auditors.
Okay, great. Well, Matt, I think that’ll wrap it up. Thanks again for taking the time to do this. We really appreciate it.
Well, thank you, Dallas. I’ve really enjoyed it.
All right, good. You can find Matt and some information about him at Paragon Bank’s website. We’ll link out to that. We’ll provide links to all that kind of stuff on the show notes for this episode. You can always find those at precisionlender.com/podcast. If you like what you’ve been hearing, make sure to subscribe to the feed in iTunes, SoundCloud, or Stitcher. We’d love to get ratings and feedback on any of those platforms. Thanks for tuning in. Until next time, this has been Dallas Wells, and you’ve been listening to “The Purposeful Banker.”