Best Practices for Managing Risk Rating Approvals

For most lenders, and especially banks, the risk rating of a loan is a critical indicator of credit risk. In our experience working with banks and credit departments for 20 years, we’ve seen various mechanisms for how changes to risk ratings are managed, controlled, and approved. In this article we’ll discuss some best practices for managing risk rating approvals and how banks can adopt these practices to improve efficiencies and ensure compliance. It should be noted that these best practices can be applied to other forms of credit risk changes, such as charge-offs, non-accruals, TDRs, loan reserves, etc. But we’ll focus on risk ratings for this article, since they are often a central focus of daily credit administration.

Defining a System of Record 

When discussing the process by which risk ratings are changed, we should first clarify what it means to change a risk rating. Where exactly is it changing, and how do institutions ensure that the change is reflected in all systems and reports? At BankPoint, we recommend establishing an official “system of record” for risk ratings and other critical information. We define the system of record as the system that is formally designated by the institution as the primary system that should be referenced to determine the current, approved value for the loan information in question. Once a system of record is defined and published, everyone should be on the same page, and all loan officers, credit officers, and executives should feel confident that the defined system holds the correct value. If other systems also contain this field, they should be viewed as supplementary systems that mirror the system of record, and appropriate procedures and interfaces should be developed to ensure all systems are updated and synchronized accordingly.

Common Legacy Practices 

When working with banks or other lenders, we often ask “Do you have a designated system of record for risk ratings?”. The most common answer we hear is “no”, or “I don’t think so”, but after a little discussion it becomes clear that the core banking system (or loan servicing system) is acting as the default system of record for risk ratings. The next question we ask is “How are risk rating changes approved?” Even in 2021, the most common answer we hear is “we submit a status change form”. In other words, they use a printed piece of paper that contains boxes for “Old Rating” and “New Rating”, which is physically signed by the appropriate parties, scanned into the imaging system, and given to loan ops, who performs the actual “file maintenance” on the core system. The approval process is usually manual, often involving interoffice mail, or more recently (with remote work) some combination of scanning/emailing/signing.

Recommended Best Practices 

It goes without saying that manual, offline processes are inefficient, error-prone, and cumbersome. So, what’s the recommended best practice for automating risk rating approvals?

At BankPoint we recommend:

1. Establishing a system of record for risk ratings and other credit actions.
2. Implementing automated workflow to manage approvals of changes to these credit actions.

When choosing a system of record, it’s tempting (and common) to choose the core banking system or loan servicing system. We’ve spent years evaluating and implementing core systems from all major core banking vendors. In our experience, core systems are usually not designed for credit administration. While the risk rating will definitely be stored in the core, there are typically not controls in place to manage the approvals, history, and audit trail of changes to risk ratings. Therefore, we recommend implementing a different system to act as the system of record for risk rating and other credit related elements. Typically, this system would be focused on credit administration and would include other features not focused on loan servicing, which is the core’s purview. Our customers use the BankPoint platform for this purpose, but of course there are other systems on the market that could be appropriate.

Once the system of record is established and implemented, an approval workflow should be implemented that conforms to the bank’s credit policy. Generic workflow systems have been around for decades, but banks need workflow systems that are intelligent enough to compare the details of a loan to the bank’s credit policy to ensure the right approvals are included. The workflow engine should be powerful enough to allow for complex credit policy rules, but simple enough that it can be setup and maintained over time as credit policies evolve. In our experience, many workflow solutions (even those provided with core systems) fall short in this area, so banks should be sure to thoroughly evaluate and test workflow platforms before committing to a solution.

Other factors that should be considered when implementing a risk rating workflow system include:

• Notification Filtering– As your institution grows in size and volume, senior approvers may quickly become overwhelmed with approval requests, feeling as if they are being SPAMMED with notifications to approve changes to risk ratings or other credit actions. Be sure the chosen system has controls that allow users to tailor the level of notifications they receive to eliminate inbox fatigue.
• Role-Based Security– User roles should be established that represent key managers, department heads, etc. and their appropriate security and approval levels. Specific users should then be assigned to these roles, and the roles should drive the approval process.
• Documentation– Approval requests should include appropriate documentation such as loan analysis, meetings minutes, etc. This documentation should live with the approval request in the form of attachments or notes and be accessible before and after the approval is received for audit purposes.
• Committee and Board Approvals– It’s common for approvals to be required at the committee or board level. To capture these approvals, we recommend setting up proxies to provide approval in the system on behalf of the committee or board. The approval role itself is usually called “Board” or “Sr. Loan Committee”, but the person actually checking the box could be the board secretary or scribe from the meeting. This person should also attach the appropriate meeting minutes and other related notes to the approval request.
• Audit Trail– Obviously, risk rating approvals should be clearly documented and easily auditable. Though the actual approvals are provided electronically, it’s common to provide a printed audit trail to auditors or regulators. So be sure the system you implement allows for printable and electronic audit trails.
• Keeping Things in Sync – Once an approval is fully received, the new risk rating is deemed official and is updated on the system of record. But as mentioned above, there are likely other systems that also contain the risk rating (including the core system) that should be updated in a timely manner. Ideally, this update would occur automatically via a system interface. In practice, however, it’s not always easy to update legacy systems programmatically. A more practical approach could be to add an additional workflow step to notify the appropriate users in other departments (such as loan operations) to update the associated system (such as the core system). Upon receiving the notification, the responsible person could easily click on the associated audit trail to see that the required approvals have been received, providing the authority to update the associated system. Once updated, the final workflow item would be marked complete, and the workflow process archived. To ensure that all systems are in sync, the system of record should provide exception reports showing any differences in risk ratings between the system of record and the mirroring systems. These reports should be run and reviewed regularly so that any exceptions can be resolved.  
• Risk Rating Trends – As risk ratings change over time it can be valuable to see the history and trends of a specific loan, a segment of loans, or the portfolio as a whole. This requires that systems store the effective date of each new risk rating change while preserving the history of all changes. When evaluating systems, be sure the system captures a detailed history of risk rating changes and provides the ability to easily display risk rating history and trends on screens and reports.

Risk ratings are used by banks and non-bank lenders to provide a snapshot of the current credit risk of a loan. Managing how risk ratings are changed is an important part of the credit administration process, yet many banks are still relying on manual, paper driven processes. By defining a system of record and implementing an automated approval process, banks can improve the integrity and compliance of their loan portfolio, leading to smoother audits and streamlined growth.