Meeting the Policy Exception Challenge


Increased competition and reduced loan growth led to a loosening of underwriting practices for the fifth year running, according to the Office of the Comptroller of the Currency’s (OCC) Semiannual Risk Perspective, published in the fall of 2017.[1] In order to compete and retain customers, banks continue to ease the structure and/or terms of the loans they offer. The OCC’s spring 2017 Semiannual Risk Perspective provided additional detail on this trend, stating that credit risk was increasing due to “increased risk layering, rising loan policy exceptions, increasing loan-to-value (LTV) ratios, weaker loan controls or covenant protections, and higher concentrations in [commercial real estate] loans.”[2]

Regulators are focusing on the areas noted above that are contributing to this increase in credit risk. This paper discusses one of those elements, policy exceptions, including the components required to create an effective policy exception system and its potential benefits.

Key Elements of Effective Credit Policy Exception Monitoring

Well-Defined Policies

Well-defined and sound credit policies that clearly delineate measurable underwriting criteria are the foundation for effective policy exception monitoring. All credit products should have clearly established and documented underwriting standards to ensure consistency in risk acceptance across the organization.

There are no guidelines for the number or type of exceptions. Instead, the number and type of exceptions should reflect the institution’s risk appetite.

Policy exceptions should be clearly identified within credit policy. A policy exception will typically occur when a minimum requirement is not met, when a maximum requirement has been exceeded, or when a credit action is identified as inadequate or inappropriate as per the organization’s defined requirements. Examples of policy exceptions include when the obligor’s debt-service coverage (DSC) ratio is less than the minimum requirement or when the maturity exceeds the term set out within a policy. Policies should avoid ambiguous language so that the exceptions are clear.

System for Identifying and Tracking

Each organization should have established tracking procedures and clearly delineated responsibilities in place related to identifying, approving, cataloging, assessing and reporting policy exceptions.[3]

The identification process occurs during underwriting. Lending personnel and credit approvers should be knowledgeable about the institution’s policies to ensure they can effectively identify policy exceptions. Any policy exceptions should be well documented, included in approval considerations and accompanied by a discussion of the mitigating factors that warrant the exception. Examples of potential mitigants include significant cash deposits with the organization or a strong repayment history on other loans.

Due to the increased risk in originating loans with deviations from underwriting standards, some organizations have adopted approval authorities with additional approval requirements based on relationship size and magnitude of policy exceptions.

Lending personnel should consider if the type, severity, and quantity of policy exceptions, in conjunction with other risk attributes, necessitate additional due diligence prior to origination or increased monitoring, such as financial covenants.

For approved loans, the number and type of policy exceptions should be recorded in a central system of record, as well as maintained within the permanent credit file for the loan or relationship. Automated systems that work in tandem with the loan approval process allow for efficiencies in capturing policy exception data, but they may not be cost effective for some institutions. For institutions relying on manual tracking, control points should be established to ensure the manual tracker is capturing all new policy exceptions. Additionally, a quality control process should be established to ensure policy exception information is captured accurately. Ensuring strong data quality is of the utmost importance when identifying and tracking policy exceptions to ensure sound information for use in decision-making.

Organizations need to be cognizant of when to record policy exceptions to ensure they are not double counted. To prevent double counting of loan exceptions for renewals that were already recorded when the loan was originated, institutions should develop reporting to isolate new loan originations from renewals. However, if a loan is renewed with an increase in loan proceeds or other significant modifications, it may be more appropriate to consider this a new extension of credit for policy exception tracking purposes.

Monitoring and Reporting Levels

Proper tracking and reporting of all exceptions is important to ensure transparency in underwriting compliance. Institutions should have an understanding of the number and nature of exceptions that exist within the portfolio and the combined effect of these additional risks. There should be established tolerances for the level of policy exceptions an organization is willing to accept. The number and exposure of loans with new policy exceptions should be proactively managed and reported to appropriate levels of management. Reporting of exceptions should increase in granularity at the management levels with the most active roles in day-to-day underwriting and approving. Management with approval authority should receive adequate detail to isolate lenders and segments that are exceeding the organization’s policy exception tolerance when correlated over the loans they have originated. Levels of senior management reporting should decrease in granularity, but still include adequate detail to appropriately inform the report’s audience. The reporting of exceptions to the board should remain at a high level, with an overview of the exception landscape showing where additional risks exist within the portfolio.

Benefits of an Effective Policy Exception Process

Measurement of Risk Trends

Overall, the level of policy exceptions can be used as a forward-looking indicator of credit underwriting quality and may be incorporated into an institution’s risk appetite framework as a key risk indicator (KRI). Policy exception levels can also be utilized as a determinant of an institution’s risk tolerances. If the organization has established risk tolerances, timely adjustments to policies or underwriting practices may be made based on established levels of recorded policy exceptions. Additionally, policy exception tracking can provide measurement of more granular credit risk trends when segmented by type, industry and product.

Tool for Determining Whether Policy is Too Stringent in Some Areas

An increasing number of exceptions could imply that there is an inadvertent loosening of underwriting practices. Conversely, a high number of exceptions could signal the lending standards are too stringent for the institution’s risk profile and management may need to revise policies to better align. A lack of exceptions may suggest that the credit policy is too liberal and does not accurately reflect the general standards to which credit is underwritten.[4]

Risk Layering Indicator

Policy exceptions can also help to isolate loans with multiple risk characteristics and identify if liberal, moderate or conservative underwriting practices are applied. Risk layering can be understood as the layering of multiple customer and facility characteristics that in aggregate may signal increased risk. Examples of common risk layering characteristics considered during underwriting include credit history, loan structure and collateral. All risk layering characteristics should be considered during the loan approval process. Additionally, institutions may use risk layering characteristics to isolate higher-risk loans (e.g., loans with multiple policy exceptions) within their portfolio for additional loan monitoring.

Stress Testing and Allowance Application

The number and type of policy exceptions can also be used as an attribute within stress testing and the allowance for loan losses. This can improve loss assessment methodologies by incorporating additional indicators on level of risk.


An effective credit policy framework entails clear underwriting policies with readily identifiable exception statements that allow exception levels to be properly identified, managed and reported. This framework also enables an organization to be more in tune with its underwriting standards as they relate to its risk appetite, enabling an institution to proactively manage the number and exposure of loans originated with policy exceptions, which may mitigate portfolio credit quality deterioration in the future. A system that easily allows a bank to identify and segment which loans in its portfolio contain riskier elements, such as policy exceptions, prior to default can help reduce capital demand when integrated into loss methodologies. This can provide a competitive advantage to the bank, allowing it to continue lending activities with a higher degree of confidence in the adequacy of its capital allocation.

How Protiviti Can Help

We have helped more than 30 percent of the top 25 U.S. banks understand the risks in their credit portfolios and improve capabilities of their credit review functions to evaluate these risks with a proactive and forward-looking approach. Our Credit Risk practice consists of experienced professionals with expertise ranging from assessment and benchmarking of existing credit review functions to offering complete credit review services in an outsourced and co-sourced capacity. We perform these services on an ongoing basis, or as part of an acquisition due diligence.

Our services include:

  • Credit Review Services
  • Credit Operations Assessment, Design and Implementation
  • Credit Process Assessments and Internal Audit
  • Credit Risk Software and Tool Assistance
  • Transaction and Lender Due Diligence
  • Capital Allocation Methodology Assessment and Design


Michael Brauneis
Managing Director
Matthew Moore
Managing Director
Bill Byrnes
Managing Director

[1] Semiannual Risk Perspective, OCC, Fall 2017.
[2] Semiannual Risk Perspective, OCC, Spring 2017.
[3] Risk Management Examination Manual for Credit Card Activities, Federal Deposit Insurance Corporation.
[4] Risk Management Examination Manual for Credit Card Activities, Federal Deposit Insurance Corporation.
