Best practices in risk rating policies

Elise Hauser
Posted by Elise Hauser

Policies are “the cornerstones for sound lending and loan administration,” and risk rating policies are a key component. Regulatory agencies lay out elements that loan policies should cover, such as what types of loans an institution will make and what information will be required from borrowers, but they rarely dictate the details.


An institution must develop appropriate policies and procedures based on its size and the complexity of its portfolio. These governing documents should require credit analysts to maintain timely and accurate risk ratings with appropriate oversight.


Here are three best practices when developing risk rating policies.


Determine Number of Risk Ratings Based on Portfolio Complexity

Regulators expect a lending institution to have a risk rating system that can distinguish criticized and classified assets. Additionally, even the smallest and least complex institution is expected to have some gradation within its non-criticized (i.e., Pass) assets. Larger, more complex institutions would have more stratification. An institution should align these distinctions to its processes. As a simple example, the institution can tie the frequency of review to risk ratings. A bank with 5 grades of Pass along with Special Mention, Substandard, Doubtful and Loss might set account review frequency for its C&I portfolio as follows:

Risk Rating  Review Frequency
Pass (1-3) Annual
Pass (4-5) Semi-Annual
Special Mention (6) Quarterly
Substandard (7) Monthly
Doubtful & Loss (8-9) Weekly


Vest Risk Rating Responsibility Appropriately

Risk rating assignment should be separate from loan origination in order to limit bias – both real and perceived. The credit analyst may discuss the risk rating with the lender since the lender is likely to have additional perspective on the borrower’s state. Some institutions may also use a committee structure to discuss risk ratings. However, the final responsibility should be with the credit department. This separation of responsibilities safeguards the risk rating from undue influence.


Require Additional Approval Levels and Reviews

An institution may require additional approvals in certain circumstances. Common reasons for additional approvals are large size, a change in risk rating from prior period or a final risk rating that differs from the scorecard output. Policies may further distinguish between situations that require approval before a rating is finalized and those that merit periodic monitoring. The emphasis should be on ensuring risk ratings are assigned accurately and timely.


There are a number of variants that an institution could employ. For example, an institution may allow a credit analyst to approve a final rating that differs from the scorecard by one grade and require a manager to approve any other differences. The institution would then review all differences periodically. Similarly, an institution’s policy may require a manager to approve a change of two or more grades from the prior period because this level of change should occur rarely. It would review overall migration periodically as part of portfolio monitoring.


The current environment of low defaults could easily create complacency. It is critical to maintain strong risk rating policies and use them to identify troubled credits early to maximize a lender’s recovery with swift intervention.


Learn more about Risk Rating by viewing the on-demand webinar, Answers to the Most Often Asked Risk Rating Questions.

Download the free eBook Commercial Risk Ratings Considerations to learn best practices for building your risk rating system.

tags: risk rating