Remarks by
John D. Hawke, Jr.
Comptroller of the Currency
Before the FFIEC Risk Management 
Planning Conference
Washington, D.C.
November 8, 1999

Three weeks ago, the OCC sponsored a conference on risk 
measurement here in Washington.  We had a big turnout of 
financial professionals, including dozens of community 
bankers from cities and small towns across America.  
They heard from many of the world's leading academic 
and private sector authorities about developments in 
risk modeling and management.  They learned about the 
state-of-the-art in analyzing and measuring various 
types of risk, the theoretical bases for these models, 
and where future research and development in this area 
is likely to lead us.  It was a stimulating two days.

But while the conference featured enough differential 
equations and standard deviations to gladden the heart 
of most mathematicians, there was a lot more to the 
conference than numbers.  We made a point of including 
on the program a number of prominent end users -- bankers 
like you -- to talk about the practical value of the new 
technology in the larger context of risk management.  

These bankers displayed a more tempered enthusiasm for 
risk models.  They agreed that models can be an important 
element in the overall risk management regimes of 
some -- but not necessarily all -- banks.  They agreed 
on the need for potential users to look at the models 
critically and cautiously, to fully understand their 
strengths and limitations before adopting them.  And, 
most of all, they agreed that even the best of these 
models should be seen as a component of -- rather 
than a substitute for -- a risk management program 
solidly grounded in sound judgment.  

One would most expect to find advanced risk measurement 
capabilities in the largest and most diverse financial 
institutions.  Risk modeling is indispensable in 
helping to manage the risks inherent in their vast 
and varied portfolios.  Indeed, we as supervisors 
would look askance at any institution that takes on 
such complex risk without having risk measurement 
systems of comparable power and sophistication. 

So it was instructive to hear the chairman and co-CEO 
of one of the nation's largest banks -- a bank that 
has been on the cutting edge of financial services 
for decades -- talk to the conference not about his 
own bank's advances in modeling and measuring risk 
but about the fundamental principles of risk 
management -- principles validated by this one bank's 
own recent experience, but equally applicable to 
banks of all shapes and sizes. 

He discussed such fundamental concepts as the 
importance of capital adequacy -- and defined 
adequacy in the most expansive terms.  He warned a
gainst losing sight of the macro factors -- political 
and social as well as economic -- that shape the 
risk environment.  He emphasized the importance 
of independent internal risk assessments and the 
dangers of allowing these assessments to be performed 
by the operational unit responsible for the activity.  
And, most of all, he stressed the need for an overall 
risk management strategy -- a strategy based on a clear 
understanding of the institution's tolerance for 
risk -- and the will to see it through, even when 
that means foregoing short term profit.   

To some members of our audience, all this may have 
been seen as simply restating the obvious.  But the 
importance of risk management solidly grounded in 
the fundamentals can never be exaggerated or taken 
for granted.  Your bank is not Citibank.  But the 
principles that John Reed articulated are as vital 
and relevant for community banks and for our high-tech 
times as they were in the days before anyone knew 
what a computer model was.

You may not give a second thought to the political 
turmoil in Indonesia or other distant lands because 
you think you have no business exposure there.  But, 
directly or indirectly, your customers might well be 
exposed -- and if they suffer losses as a result, you 
might well suffer them, too.  

You might consider your bank adequately capitalized 
because it meets or exceeds all statutory standards.  
But how long would that capital last in the event 
of a downturn in your local economy?  As we know, 
minimum capital and adequate capital are hardly 
synonymous. 

You know your employees by name.  You trust them 
implicitly.  But it's still not prudent to rely on 
the credit officer who originated a loan for an 
valuation of how well the loan is performing or what 
the prospects are for repayment.  An independent 
opinion from someone who does not have a reputational 
stake in the transaction is essential.  For financial 
institutions of all types and sizes, checks and 
balances are essential. 

The point is that while community banks face risks 
that are different in degree from larger institutions, 
they are in many ways little different in kind.  
Even the difference in degree is not always what 
you'd expect.  In some cases, the risks facing community 
banks can be compounded by the advantages of scale 
they lack.  For example, it's relatively easy for a 
megabank to redeploy resources to augment the loan 
review function when management decides it's necessary.  
But where does the community banker obtain that 
independent second opinion when there's no second person 
with the necessary skills at hand to do the job?  

Similarly, it's relatively easy for an integrated 
megabank with an international presence to diversify 
its asset base when management decides that concentrations 
have reached the point of concern.  But how do you as 
a community banker achieve diversification greater than 
that of the community you serve?  For better or worse, 
its future and yours may be inextricably linked. 

I'm not suggesting that risk models and other advanced 
risk management tools have no place in the overall 
business strategy of community banks.  In fact, just 
the opposite is true.  Technology will help resolve s
ome of the business dilemmas that I've just described.  
It can help compensate in some ways for the manpower 
limitations that are an inescapable fact of life for 
most community banks.  Much of the software that is 
being developed today to help measure and manage risk 
is targeted at the small bank market, and the presence 
of so many community bankers at our conference shows 
that there's a keen interest in what these products 
have to offer.  Community banks have long used gap  
models to help them measure asset-liability mismatches, 
and credit-scoring models have already proved their 
worth in the loan origination process in many small 
banks.  The use of these and related applications 
should increase as they improve in reliability and 
user-friendliness.   

But while technology can be an invaluable adjunct in 
the management of risk, and will undoubtedly play an 
even bigger role in managing it in the future, it can 
never provide the whole answer, not for a hundred 
billion dollar bank and not for you.  Community bankers 
seem to have fewer illusions on this score than some of 
their large bank counterparts.  What we see -- 
encouragingly -- is that community bankers are working 
hard to manage risk by educating their customers in better 
ways to manage theirs.  For example, some agricultural 
banks are working with borrowers to help them manage the 
risk associated with volatile commodity prices -- long 
the farmer's bane.  By encouraging forward sale and 
marketing arrangements for their crops and livestock, 
armers can be assured of a more predictable income 
stream, in good times and bad.  In many cases, this 
has made the difference between a farm loan in default 
and one that's current.  Some big city bankers could 
learn something from some of their smaller counterparts' 
innovative approach to managing risk. 

We see community bankers taking advantage of Small Business 
Administration and other government guarantee programs to 
serve as a buffer against risk.  Some small banks have even 
established relationships with banks in nearby communities 
to help mitigate the effect of concentrations.  More and 
more are taking advantage of opportunities to securitize 
and sell parts of the loan portfolio to access new sources 
of  liquidity and reduce credit risk. 

Such instances exemplify risk management at its best.  A 
bank's approach to risk must be as creative -- and as 
soundly grounded in the fundamentals  -- as its approach 
to any other aspect of its business.  In other words, risk 
management cannot be reduced to a tool or technique or 
even a model; it's a philosophy -- a consciousness -- that 
must permeate every aspect of a bank's operations.  It 
starts with an awareness of the forms that risk takes.  
You can't manage what you don't recognize or understand, 
and it's the banker's job to inculcate that awareness in 
the bank's decision makers and its board.  It sounds simple, 
but it's fundamental to effective risk management. 

The fact is that a bank can have all the right mechanisms 
and procedures in place and still not have an effective risk 
management regime if management's heart is not truly in it.  
For example, a bank's audit department can be well staffed 
and trained, and be dogged in pursuit of irregularities.  
But if the bank's culture encourages these problems to be 
resolved without addressing them at their source, it invites 
a recurrence.  That's not effective risk management.  

If a bank's compensation plan rewards loan production and 
loan growth and does not hold its people accountable for 
the quality and performance of those loans, that too is 
not effective risk management.  Again, lip service to 
the principles of risk management -- even when accompanied 
by an infusion of resources -- is not enough.  Good risk 
managers are true believers. 

For most community banks, the loan portfolio is the largest 
asset and the primary source of revenues.  It's also one 
of the greatest sources of risk to the bank's safety and 
soundness -- and the toughest test of a bank's risk 
management capabilities.  When OCC examiners find that 
banks have effective credit risk procedures in place, it 
tells them a great deal about a bank's overall attitude 
toward risk.

There was a time when it was sufficient -- from 
the examiner's standpoint -- that individual loans be 
properly underwritten and administered.  While we strongly 
believe in the fundamentals of controlling risk at the 
transactional level, we also take a more comprehensive 
view of the loan portfolio than ever before, recognizing 
that the interrelationships among portfolio segments can 
be as important in determining a bank's credit risk 
profile.  So we look for those things that define a 
sound risk management culture: clear objectives and 
risk tolerance limits, management information systems 
capable of monitoring loan performance, diversification 
policies, policies on exceptions, stress testing 
procedures, and independent audit, loan review, and 
control functions, supplemented by the appropriate 
risk measurement tools.  And we look to ensure that 
these and other risk management functions work in 
harmony with one another.  The failure of any one 
can render the others ineffective. 

All banks need to have fundamental risk management 
principles in place in some form.  But the extent to 
which they must be formalized into written policies 
depends on the size of the bank, and the complexity 
and character of the risk it has assumed.  In the largest 
and most sophisticated banks, policies need to be 
formal and prescriptive.  Community banks, on the 
other hand, may be able to implement these principles 
in a less formal, less structured manner than larger banks. 

The way banks manage credit risk is a good barometer of 
its approach to risk management across its business.  I 
know of few institutions where careful attention to the 
fundamentals of controlling credit risk is not reflected 
in the institution's approach to controlling the other 
forms of risk that banks assume.  

Much has been said in recent years about change in 
the banking system.  Given the legislative events of 
recent weeks, the changes that have occurred already 
will almost certainly be overshadowed by the changes 
soon to come.  It now seems certain that the arrival 
of the new millennium will coincide with the start of 
an important new chapter in the life of this industry.  
We don't know what the banking business will look like 
ten years from now except that it will look significantly 
different than it looks today.  

But I know of at least one thing that won't change.  
The fundamentals of risk management are timeless.  
Bankers who conscientiously and effectively manage 
risk will be successful.  Those who don't manage 
risk well will eventually be overwhelmed by it.  
Whatever else happens in the coming years, that 
much we can count on.