
The role of loan review in the credit risk management system

By: David Reno, Director of Loan Review & Lending Services

Loans, especially non-consumer loans, typically represent the greatest level of risk on your balance sheet. Therefore, effective commercial loan portfolio management is crucial to controlling credit risk. Loan review can serve as an early indicator of emerging credit risk related to lending to individual borrowers, aggregate credit exposure to related borrowers, and the overall credit risk associated with a loan portfolio. It is an integral part of an institution’s credit risk management system, which is a continuum comprising the following stages:

  • Well-formulated lending policies, procedures, and practices that are consistently applied, well-known to all credit and lending staff, and compliant with regulatory guidance
  • The collection and accurate credit analysis of financial and other underwriting information
  • Assignment of an accurate risk grade
  • Proper and qualified approval authorities and risk-based process
  • Correct and thorough documentation
  • Pre-closing preparation and loan closing
  • Post-closing credit administration
  • Internal annual loan review
  • External/independent loan review
  • Timely problem loan identification and management
  • Proper calculation of the ALLL
  • Collection and loss mitigation

Effective and efficient loan reviews can help an institution better understand its loan portfolio and identify potential risk exposures to contribute to the formulation of a risk-based lending and loan administration strategy.

Regulatory background

The OCC, FRB, FDIC, and NCUA issued the Interagency Guidance on Credit Risk Review Systems in FIL-55-2020 dated May 8, 2020, which aligns with Interagency Guidelines Establishing Standards for Safety and Soundness. This guidance is relevant to all institutions supervised by the agencies and replaces Attachment 1 of the 2006 Interagency Policy Statement on the Allowance for Loan and Lease Losses. The final guidance details the objectives of an effective credit risk review system and discusses such topics as sound management of credit risk, a system of independent, ongoing credit review, and appropriate communication regarding the performance of the institution’s loan portfolio to its management and board of directors.

Credit risk rating (or grading) framework

The foundation for any effective credit risk review system is accurate and timely risk ratings. These risk ratings are used to assess credit quality and identify or confirm problem loans. The system generally places primary reliance on the lending staff to assign accurate, timely risk ratings and identify emerging loan problems. However, the lending personnel’s assignment of risk ratings is typically subject to review by qualified and independent peers, managers, loan committee(s), internal credit review departments, or external credit review consultants that provide a more objective assessment of credit quality.

Elements of an effective credit risk review system

The starting point is a written credit risk review policy that is updated and approved at least annually by the institution’s board of directors or board committee to evidence its support of and commitment to maintaining an effective system. Effective policies include a description of the overall risk rating framework and responsibilities for loan review.

An effective credit risk review policy addresses the following elements:

Qualifications of credit risk review personnel. The level of experience and expertise for credit risk review personnel is expected to be commensurate with the nature of the risk and complexity of the loan portfolio, and they should possess a proper level of education, experience, and credit training, together with knowledge of generally sound lending practices, the institution’s lending guidelines, and relevant laws, regulations, and supervisory guidance.

Independence of credit risk review personnel. Loan officers, risk officers, and line staff, because of their frequent contact with borrowers, are primarily responsible for continuous portfolio analysis and for the prompt identification and reporting of problem loans, so that potential problems are identified proactively. While larger institutions may establish a separate credit review department, smaller institutions may use an independent committee of outside directors or other qualified institution staff. These individuals should not be involved in originating or approving the specific credits being assessed, and their compensation should not be influenced by the assigned risk ratings. Regardless of the approach taken, it is prudent for the credit risk review function to report directly to the institution’s board of directors or a committee thereof. Senior management should be responsible for administrative functions.

The institution’s board of directors may outsource the role to a third-party vendor; however, the board is ultimately responsible for maintaining a sound credit risk review system.

Scope of reviews

Comprehensive and effective reviews cover all segments of the loan portfolio that pose significant credit risk or concentrations. The review process should consider industry standards for credit risk review coverage, which should be consistent with the institution’s size, complexity, loan types, risk profile, and risk management practices. This consideration helps to verify whether the review scope is appropriate.

An effective scope of review is risk-based and typically includes:

  • Loans over a predetermined size along with a sample of smaller loans
  • Loans with higher risk indicators, such as low credit scores or approved as exceptions to policy
  • Segments of loan portfolios, including retail, with similar risk characteristics, such as those related to borrower risk (e.g., credit history), transaction risk (e.g., product and/or collateral type), etc.
  • Segments of the loan portfolio experiencing rapid growth
  • Past due, nonaccrual, renewed, and restructured loans
  • Loans previously criticized or adversely classified
  • Loans to insiders, affiliates, or related parties
  • Loans constituting concentrations of credit risk and other loans affected by common repayment factors

Review of findings and follow-up

A discussion of credit risk review findings should be held with management, credit, and lending staff and should include noted deficiencies, identified weaknesses, and any existing or planned corrective actions and associated timelines.

Communication and distribution of results

The results of a credit risk review are presented in a summary analysis with detailed supporting information that substantiates the concluded risk ratings assigned to the loans reviewed. The summary analysis is then periodically presented to the board of directors or board committee to maintain accountability and drive results. Comprehensive reporting includes trend analysis regarding the overall quality of the loan portfolio, the adequacy of and adherence to internal policies and procedures, the quality of underwriting and risk identification, compliance with laws and regulations, and management’s response to substantive criticisms or recommendations.

Summary insights

The back-testing that is performed by the loan review process is necessary to ensure that an institution has in place a comprehensive and effective credit risk management system and that an institution acknowledges and practically applies the established framework of its unique but compliant credit culture.

An effective external loan review process is less a traditional audit exercise than an advisory process that produces meaningful dialogue between the review firm and the institution. That dialogue seeks to identify and interpret the various aspects of credit risk and to minimize the risk of loss by implementing industry best practices, maintaining regulatory compliance, and supporting the institution’s long-term viability in continuing to serve the needs of its customers and community.

For more information on the role of loan review in the credit risk management system, contact David Reno, director of loan review & lending services, at dreno@younginc.com or 330.422.3455.

Vendor due diligence evaluations

By: Michael Gerbick, President, Young & Associates

Do you have a due diligence packet?

Can you answer these questions for our due diligence?

Our outsourced vendor relationship manager will be reaching out to you for due diligence information.

As a trusted vendor to many clients, we receive requests and comments like these every day from our customers, and they bring to light the large disparity between what is requested and what is understood from the information provided. We are trusted with personally identifiable information daily, and it is our responsibility to do our best to protect that information. No one can guarantee foolproof protection; it is not a question of “if” but “when” a security breach will occur. We can, however, adhere to industry standards that significantly reduce these risks. This matters both when looking internally at our own systems and processes and when evaluating our critical vendors.

There are several areas to consider in the due diligence evaluation. I have highlighted a few of these areas below to assist you in choosing a trustworthy vendor.

Vendor purpose

Knowing how a vendor will be leveraged will begin to shape the risk analysis needed for the remaining due diligence areas. Consider whether they will need access to your environment, whether they will need access to your confidential information, and whether they will provide a service that you could not otherwise handle without them. How long have they been in business? Have they declared bankruptcy? Your risk profile will start to take shape regarding strategic and reputational risk and will direct the due diligence areas you focus on going forward.

Information access

At a most basic level, how will your vendor access your information? Remotely from anywhere, with unbridled access to your core system? Onsite via paper documents with 24-hour oversight by your staff? Or will the service be executed in a hybrid fashion (onsite and remote)? In addition to access, will you allow the vendor to save the information outside of your environment? Will you send information electronically to the vendor and if so, how will you communicate? Vendors that do not have direct access to your core or large repositories of confidential information may still touch non-public information.

When you approach sharing non-public information through either email or a secure file transfer, consider a business email compromise at your vendor, and its impact on your organization, as a scenario. Thinking about how the information will be accessed, transferred, and used will help your due diligence process and help ensure that you obtain the valuable service from your vendor using a method of accessing confidential information that you are most comfortable with.

Information and system controls

This is more than just passwords. It is about whether the vendor’s systems are updated promptly with the latest patches, data center security (SOC 1 and SOC 2 reports), encryption on devices, MFA (multifactor authentication) in place at both the account and device level, antivirus, antimalware, protection from ransomware, MDR (managed detection and response), where your information is accessed, and whether all of these system controls are monitored. Every week, there are news reports of another ‘hack’ and ransom of individuals’ sensitive information. The only constant here is that this is reality, and both the protections and the attacks are ever-changing and evolving.

There is a lot to unpack here, and you can ask thousands of questions of your provider. Ultimately, you need to decide whether the information you share with them is held in an environment that meets your expectations of safety and security. An informed and trusted IT leader on your team can help make sense of this space for your organization and identify the areas that apply to you. At a minimum, a complete set of robust questions or a list of requests will help you immediately distinguish the vendors that can help you from those that may just introduce risk to your organization.

Business continuity, incident response plan, and disaster recovery

An event will happen. Plans in place that are reviewed and tested regularly will minimize the negative impact. Ask your vendor if they have these plans and discuss with them to understand how robust they are. Gain a comfort level that the vendor cares about managing the inevitable event as much as you do. If they are a critical vendor and something happens, you should expect them to have a plan to mitigate risk.

Confidential information

In addition to specific language in your vendor contract and the methods of accessing confidential or non-public information, ask about cybersecurity-specific insurance coverage in case of an incident. If their staff is touching your information, ask about their hiring practices. Also ask about the expertise of their personnel, confidentiality agreements, and background checks.

Conclusion

There are many talented vendors out there to assist your organization. A consistent approach with a defined leader on your team will elevate the quality of the vendors your organization chooses to do business with. The few areas discussed above help manage risk when something goes wrong. The more prepared you and your vendor are for those inevitabilities, the less impact they will have.

If you want to find out more about vendor due diligence or need help improving or starting your vendor due diligence program, please contact Michael Gerbick at mgerbick@younginc.com or 330.422.3482. Young & Associates can help you every step of the way.
