Business and management experts wrote nearly 30 years ago that one of the keys to a successful business is to break down the barriers between staff areas. Author Mary Walton summarized this point in her book, The Deming Management Method: “People can work superbly in their respective departments, but if their goals are in conflict, they can ruin the company.”
How does your bank approach risk? Unfortunately, the traditional method has been for each department to manage risk independently, focusing only on those areas that pose the greatest threat to its specific operations. Yet the risk factors in lending directly affect the risk factors in capital management, which influence the risk factors in information security and so on.
As data collection and more complex analytics become possible, regulators are now advising banks to collectively consider all the risks they face and their impact on the enterprise as a whole.
This approach, commonly referred to as Enterprise Risk Management (ERM), is no longer only for the largest banks. Even community and small regional banks should take a step back and break down the barriers between risk areas.
Eight Risk Areas
The Office of the Comptroller of the Currency (OCC) has defined the eight risk areas on which all banks must focus: credit, interest rate, liquidity, price, operational, compliance, reputation and strategic. These serve only as a starting point, though, since there may be varying levels of risk associated with each financial institution – no two are exactly the same.
ERM enables institutions to view these eight risk factors across all departments and helps both management and directors obtain a real-time snapshot of complete risk: quantitative and qualitative, inherent and residual. ERM also reinforces a bank-wide culture that takes risk into account during strategic business planning and helps managers think about goals that best strengthen the health of the bank.
An essential factor with ERM is the ability to establish key risk indicators (KRIs), a set of markers that help identify changes in the probability of adverse incidents soon enough to proactively prevent them. Using KRIs takes the subjectivity out of risk ratings, helping management rely on concrete data to make important decisions.
An ERM approach also ensures that each of the three audiences interested in risk issues – examiners, the board of directors and senior management – possesses the information and reports necessary to satisfy its needs. An ERM program ensures the proper risk management activity reaches each audience: examiners will acknowledge that, by taking such a proactive approach, the bank is adequately addressing the risks presented. ERM can also provide the board with adequate risk measurements that help determine the bank’s risk appetite. These measurable KRIs will also provide management the information needed to make better day-to-day decisions.
When it comes to building a strong ERM plan, there is no one template that a bank can plug in; each plan should fit the institution’s size and complexity. Like any strategic endeavor, start with a strong business plan and apply the specific risk measurements to it. One of the biggest obstacles banks often face is internal opposition to change. Bank managers should challenge their teams to take a more proactive, holistic approach to risk management. Banks that welcome the change will find it improves their relationship with examiners and has the potential to positively affect their exam cycle.
Once internal buy-in is achieved, institutions should look at their most recent exam results and identify those areas that posed the most concern. Taking this simple step will help move the bank from a reactive mode into a preemptive approach for addressing the issues identified. Further review of any internal and external audits will help establish which of the eight risk areas poses the greatest threat. These reports often shed light on potential issues before examiners find them, providing the bank the opportunity to proactively clean up risk procedures.
Finally, financial institutions should adjust their policies and procedures concurrently based on the risks identified. Tracking the KRIs within the OCC’s eight categories and making the necessary changes will further mitigate any risks that are discovered. And regularly monitoring these KRIs and risk categories will also ensure that new risks have not arisen.
While a bank is composed of many moving parts, each important to the whole, it is only by looking at risk management as it affects the entire bank and applying risk policies enterprisewide that bankers can spend less time worrying about compliance audits and more time serving the needs of their customers.
Mr. Monson is vice president of application compliance for Paducah, KY-based Computer Services Inc. (CSI).