From Loan Review to Risk Review: A Long Strange Trip?

Introduction: What a Long Strange Trip It’s Been

When the Grateful Dead had gathered enough material for its second compilation album in 1977, the group titled it “What a Long Strange Trip It’s Been.” You might not think of your loan review in the same light as the Grateful Dead, but in some respects, loan review has been on a long trip itself over the timespan of the Grateful Dead. So, sit back and enjoy the travelogue of loan review’s journey from digging through credit files after the fact to financial preemptive strike SWAT status.

The Three Lines of Defense: Loan Review in the Lines of Fire?

Loan Review’s migration out of banking’s backroom into the bright lights of the executive floor may have begun with the introduction of the three lines of defense combined assurance model developed for HSBC by KPMG within the United Kingdom in the 1990s. It was later adopted by the Basel Committee on Banking Supervision as a good model for internal control management.[i] 

The Great Recession certainly accelerated its implementation across the banking industry. In fact, the OCC made the three lines of defense mandatory for banks over $50 billion in size effective November 2014.[ii] The regulatory agencies insisted that the larger banks adopt the three lines of defense because of their collective concern over how failure of the bigger banks might lead to systemic risk . 

The three lines of defense model is simple enough; the first line is comprised of the functions that own and manage risk, e.g., lending lines of business. The first line of defense is handled by front-line and mid-line managers who have day-to-day ownership and management over risks and controls. This group owns the risk and executes the corresponding controls to enhance the likelihood that the organization’s objectives are achieved.  

The second line is manned by the functions that oversee risk per se and compliance with risk, e.g., the various risk management regimes. The second line of defense is put in place to support senior management by bringing expertise and monitoring alongside the first line to ensure that risks and controls are properly managed. Essentially, this is a management and oversight function that owns aspects of the risk management process. Second-line functions may develop, implement, or modify internal control and risk processes of the organization. Depending on the organization’s size and industry, the composition of the second line can vary significantly. 

Finally, the third line independently watches over how well the first two lines are doing their jobs, e.g., audit. The third line of defense provides assurance to senior management and the board that the first and second lines’ efforts are consistent with expectations. In the beginning, this group was an assurance function performed by the internal auditor function. Internal auditors accomplish their objectives by bringing a systematic approach to evaluating and improving the effectiveness of risk management, control, and governance processes. They ultimately ensure independence and professionalism within the organization. The main difference between this third line of defense and the first two lines is its high level of organizational independence and objectivity. 

It has taken a few years for bankers to figure out that for loan review to do its job, it also must have the independence of audit and access to executive management and the board of directors. Some banks have merged loan review function and the audit function, but the results have been mixed. It is partly an issue of knowledge and its application. Auditors have considerable ongoing educational requirements in accounting and audit topics, and their intellectual objective is to ensure that the processes they evaluate comply with the complex body of accounting and audit knowledge. On the other hand, loan reviewers draw on their own experiences with loan and credit analysis and evaluation, underwriting and structuring, approval and booking, closing and funding, and monitoring and reporting.  

Years ago the loan review function reported to the senior lender and then later to the chief credit officer, presumably for more independence. However, whether reporting to the line or to credit, loan review still was potentially vulnerable to pressure to support the lending and credit strategies of the bank. Since the Great Recession, there has been a noticeable shift of loan review from the second line of defense to the third line of defense, first, to ensure its independence, and, second, to ensure that it could report directly to the board of directors. As audit typically reports to the board’s audit committee, loan review tends to report to the board’s risk committee. 

Along with its ascension from the second line to the third line of defense has come a broadening in its name, from loan review to credit review and/or to risk review. The name change also reflects a broadening of its responsibilities, from ex post facto review of lending deficiencies and investigation of loan losses to preventive maintenance work to identify not just credit risk failures but other risks related to credit, e.g., operating risks fed by inadequate execution, compliance risks posed by inattention to regulatory requirements, etc. This expansion to risk review probably crosses over into the audit domain, but better to overlap than to leave a gap. The difference in the perspective of a loan reviewer and an auditor ironically combine to provide a cross-functional evaluation of how well the first lines and the second lines are taking, monitoring and managing risk. So how does this square up with what the regulatory agencies expect?

FDIC’s Regulatory Expectations for Loan Review: High Hopes?[iii]

Frank Sinatra had a big hit 1n 1959 with “High Hopes:”

“But he’s got high hopes, he’s got high hopes,

He’s got high apple pie in the sky hopes.”

Right up there with the high apple pie in the sky hopes reside the FDIC’s regulatory expectations for loan review, especially for an industry concerned about its non-interest expense ratio. Nevertheless, bankers must figure out how to adhere to the FDIC’s following guidance on loan review systems, credit risk rating systems, loan review system elements, qualifications of loan review personnel, loan review personnel independence, frequency of reviews, scope of reviews, review of findings and follow-up, and work paper distribution and reporting:

Loan Review Systems.  The terms loan review system or credit risk review system refer to the responsibilities assigned to various areas such as credit underwriting, loan administration, problem loan workout, or other areas. Responsibilities may include assigning initial credit grades, ensuring grade changes are made when needed, or compiling information necessary to assess the appropriateness of the ALLL. The complexity and scope of a loan review system will vary based upon an institution’s size, type of operations, and management practices. Systems may include components that are independent of the lending function, or may place some reliance on loan officers. Although smaller institutions are not expected to maintain separate loan review departments, it is essential that all institutions have an effective loan review system. Regardless of its complexity, an effective loan review system is generally designed to address the following objectives:

· To promptly identify loans with well-defined credit weaknesses so that timely action can be taken to minimize credit loss;

 · To provide essential information for determining the To identify relevant trends affecting the collectability of the loan portfolio and isolate potential problem areas;

 · To evaluate the activities of lending personnel;

· To assess the adequacy of, and adherence to, loan policies and procedures, and to monitor compliance with relevant laws and regulations;

· To provide the board of directors and senior management with an objective assessment of the overall portfolio quality; and

· To provide management with information related to credit quality that can be used for financial and regulatory reporting purposes.

Credit Risk Rating or Grading Systems.  Accurate and timely credit grading is a primary component of an effective loan review system. Credit grading involves an assessment of credit quality, the identification of problem loans, and the assignment of risk ratings. An effective system provides information for use in establishing an allowance for specific credits and for the determination of an overall ALLL level. Credit grading systems often place primary reliance on loan officers for identifying emerging credit problems. However, given the importance and subjective nature of credit grading, a loan officer’s judgement regarding the assignment of a particular credit grade should generally be subject to review. Reviews may be performed by peers, superiors, loan committee(s), or other internal or external credit review specialists. Credit grading reviews performed by individuals independent of the lending function are preferred because they can often provide a more objective assessment of credit quality. A loan review system typically includes the following:

· A formal credit grading system that can be reconciled with the framework used by Federal regulatory agencies;

· An identification of loans or loan pools that warrant special attention;

· A mechanism for reporting identified loans, and any corrective action taken, to senior management and the board of directors; and

· Documentation of an institution’s credit loss experience for various components of the loan and lease portfolio.

Loan Review System Elements.  Loan review policies are typically reviewed and approved at least annually by the board of directors. Policy guidelines include a written description of the overall credit grading process, and establish responsibilities for the various loan review functions. The policy generally addresses the following items:

 · Qualifications of loan review personnel;

· Independence of loan review personnel;

· Frequency of reviews;

· Scope of reviews;

· Depth of reviews;

· Review of findings and follow-up; and

· Workpaper and report distribution.

Qualifications of Loan Review Personnel.  Personnel to involve in the loan review function are qualified based on level of education, experience, and extent of formal training. They are knowledgeable of both sound lending practices and their own institution’s specific lending guidelines. In addition, they are knowledgeable of pertinent laws and regulations that affect lending activities.

Loan Review Personnel Independence. Loan officers are generally responsible for ongoing credit analysis and the prompt identification of emerging problems. Because of their frequent contact with borrowers, loan officers can usually identify potential problems before they become apparent to others. However, institutions should be careful to avoid over-reliance on loan officers. To avoid conflicts of interest, management typically ensures that, when feasible, all significant loans are reviewed by individuals that are not part of, or influenced by anyone associated with, the loan approval process. Larger institutions typically establish separate loan review departments staffed by independent credit analysts. Cost and volume considerations may not justify such a system in smaller institutions. Often, members of senior management independent of the credit administration process, a committee of outside directors, or an outside loan review consultant fill this role. Regardless of the method used, loan review personnel should report their findings directly to the board of directors or a board committee.

Frequency of Reviews. The loan review function provides feedback on the effectiveness of the lending process in identifying emerging problems. Reviews of significant credits are generally performed annually, upon renewal, or more frequently when factors indicate a potential for deteriorating credit quality. A system of periodic reviews is particularly important to the ALLL determination process.

Scope of Reviews. Reviews typically cover all loans that are considered significant. In addition to loans over a predetermined size, management will normally review smaller loans that present elevated risk characteristics such as credits that are delinquent, on nonaccrual status, restructured as a troubled debt, previously classified, or designated as Special Mention. Additionally, management may wish to periodically review insider loans, recently renewed credits, or loans affected by common repayment factors. The percentage of the portfolio selected for review should provide reasonable assurance that all major credit risks have been identified. Depth of Reviews Loan reviews typically analyze a number of important credit factors, including:

 · Credit quality;

· Sufficiency of credit and collateral documentation;

· Proper lien perfection;

· Proper loan approval;

 · Adherence to loan covenants;

· Compliance with internal policies and procedures, and applicable laws and regulations; and

· The accuracy and timeliness of credit grades assigned by loan officers.

Review of Findings and Follow-up. Loan review findings should be reviewed with appropriate loan officers, department managers, and members of senior management. Typically, any existing or planned corrective action including estimated timeframes is obtained for all noted deficiencies, with those deficiencies that remain unresolved reported to senior management and the board of directors.

Workpaper and Report Distribution.  A list of the loans reviewed, including the review date, and documentation supporting assigned ratings is commonly prepared. A report that summarizes the results of the review is typically submitted to the board at least quarterly. Findings usually address adherence to internal policies and procedures, and applicable laws and regulations, so that deficiencies can be remedied in a timely manner. Examiners should review the written response from management in response to any substantive criticisms or recommendations and assess corrective actions.

Summary and Closing: How Do We Get from Here to There?

Mark Twain offered this advice, “The secret of getting ahead is getting started.” This piece began with loan review’s start as a backroom function. The introduction of the three lines of defense 20 years ago has certainly moved loan review out of the backroom into the showroom, but the regulatory expectations for loan review require considerable resources now, and the overlapping boundaries of the 3-lines model already generate a degree of redundancy expensive for larger banks, let alone community banks. Nevertheless, loan reviewers have joined auditors in the third line of defense, and they bring with them their knowledge of and experience with the art of lending across their banks’ lending lines of business. Expanding their current duties to consider the other enterprise risks as risk reviewers will eat up additional resources. Let’s close with Mr. Twain’s advice on tough digestive problems, “If it’s your job to eat a frog, it’s best to do it first thing in the morning. And if it’s your job to eat two frogs, it’s best to eat the biggest one first.” Next time, let’s look at what we can cook up.

[i] IIA Position Paper: The Three Lines of Defense in Effective Risk Management and Control, January 2013, https://na.theiia.org/standards-guidance/Public%20Documents/PP%20The%20Three%20Lines%20of%20Defense%20in%20Effective%20Risk%20Management%20and%20Control.pdf (01/118/2020)

[ii] “Heightened Standards for Large Banks; Integration of 12 CFR 30 and 12 CFR 170: Final Rules and Guidelines, OCC Bulletin 2014-45,” September 25, 2014,  https://www.occ.gov/news-issuances/bulletins/2014/bulletin-2014-45.html (01/19/2020)

[iii] Section 3.2 Loans-FDIC, https://www.fdic.gov/regulations/safety/manual/section3-2.pdf (01/11/2020)