by Keith Monson
The recent financial crisis is slowly fading from our memories, yet its lasting effects continue. One area garnering increasing attention from regulators and examiners is risk management. Regulators generally hold that if bankers are not collectively considering all of their risks, they are not really managing risk, and that this fosters the kind of poor decision-making that led to the financial crisis in the first place.
Instead, a bank’s risk areas should be viewed as interacting parts of a single whole, each affecting the others. This approach, called Enterprise Risk Management (ERM), helps both management and the board of directors gain a complete picture of all risk areas and of how they combine to affect a bank’s overall performance.
The Office of the Comptroller of the Currency (OCC) has defined eight risk areas that should remain a top priority for all banks: credit, interest rate, liquidity, price, operational, compliance, reputation and strategic. An essential element of ERM is the ability to set key risk indicators (KRIs), a set of measurable markers with defined thresholds that help proactively identify changes in the likelihood of a risk event and take subjectivity out of the risk rating. In other words, management no longer relies on educated opinion alone to make decisions.
Overcome the Obstacles to Establishing ERM
Financial institutions must ensure they are implementing an ERM program that is tailored to their size and complexity. Start with a strong business plan for the coming three years and apply all the specific risk measurements, then branch out from there.
The basic obstacle is a change of culture for banks and bankers, because nobody really likes change. Bank management must challenge its own thought process and take a proactive approach to that culture change.
Banks that welcome this change will find that it enhances their relationship with regulators and may improve their exam cycle. There is no guarantee that an exam will be easier, but a bank whose compliance rating is outstanding may be examined only every three years rather than annually.
Remember, regulators are looking for this approach, so anything banks can do to be proactive is good.
Evaluate Your ERM Needs
Start by taking a look at your most recent exam results and identify areas that concerned the examiners. Then determine what steps will take you out of a reactive mode and into a proactive mode for managing risk.
Further, review your internal and external audits. The hope is that your auditors will catch issues, report them to the board, and get them corrected before the examiners come in. Also, make sure you have no repeat findings, meaning risks identified over more than one exam or audit cycle, and address any you find immediately.
Execute Your ERM Plan
Once you’ve taken a hard look at your audit and exam findings, it’s time to address the policies, procedures and guidelines the board has already approved, together with the risk that remains after those controls are applied, which is what we refer to as residual risk. To execute an ERM program, first identify your KRIs within the OCC’s eight categories and start tracking them. For this, financial institutions can develop, or work with a trusted third party to customize, a database or library of KRIs.
Then take a look at the policies and procedures to ensure you’re mitigating any risks that were identified. Think of it this way: these policies and procedures represent the existing ERM process at your bank.
Effective third-party ERM software can identify risks earlier by automatically applying KRIs to bank data and alerting management when a risk becomes elevated. The most advanced solutions also make it possible to efficiently collect, store, analyze, score and report on risk data, its direction and related activities. This lets bank management focus more on its day-to-day function: taking care of customers’ needs.
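As an added illustration of the KRI mechanics described above (this is example code written for this article, not CSI’s software or an OCC methodology), the block below defines a small KRI library keyed to the eight OCC categories, rates each indicator objectively from board-set thresholds, detects whether its rating is deteriorating, raises an alert when a risk is elevated, flags repeat findings (elevated in consecutive periods) and rolls results up to the category level. The indicator names, thresholds and observation history are all constructed for the example and are not real bank data.

```python
from dataclasses import dataclass
from typing import Dict, List

# The eight OCC risk categories named in the article.
OCC_CATEGORIES = ("credit", "interest_rate", "liquidity", "price",
                  "operational", "compliance", "reputation", "strategic")

LEVELS = {"green": 0, "amber": 1, "red": 2}


@dataclass(frozen=True)
class KRI:
    """A key risk indicator: a measurable metric with board-approved thresholds."""
    name: str
    category: str
    amber: float               # value at which the indicator becomes elevated
    red: float                 # value at which it becomes critical
    higher_is_worse: bool = True

    def __post_init__(self):
        if self.category not in OCC_CATEGORIES:
            raise ValueError(f"{self.name}: unknown risk category {self.category!r}")
        if self.higher_is_worse and not self.amber < self.red:
            raise ValueError(f"{self.name}: amber threshold must be below red")
        if not self.higher_is_worse and not self.amber > self.red:
            raise ValueError(f"{self.name}: amber threshold must be above red")

    def rate(self, value: float) -> str:
        """Map an observed value to green/amber/red purely from the thresholds."""
        if self.higher_is_worse:
            return "red" if value >= self.red else "amber" if value >= self.amber else "green"
        return "red" if value <= self.red else "amber" if value <= self.amber else "green"


def evaluate(library: List[KRI], history: Dict[str, List[float]]) -> Dict[str, dict]:
    """Rate each KRI's latest observation, detect its direction and raise alerts.

    history maps KRI name -> observations in chronological order (oldest first).
    An alert is raised when the latest rating is amber/red, when it has worsened
    since the prior period, or when a defined KRI has never been measured.
    A repeat finding is an indicator elevated in the two most recent periods.
    """
    report = {}
    for kri in library:
        values = history.get(kri.name, [])
        if not values:   # defined but not tracked: a gap management must see
            report[kri.name] = {"category": kri.category, "value": None,
                                "rating": "unmeasured", "trend": "unknown",
                                "alert": True, "repeat_finding": False}
            continue
        ratings = [kri.rate(v) for v in values]
        current = ratings[-1]
        prior = ratings[-2] if len(ratings) > 1 else None
        if prior is None or LEVELS[current] == LEVELS[prior]:
            trend = "stable"
        elif LEVELS[current] > LEVELS[prior]:
            trend = "deteriorating"
        else:
            trend = "improving"
        elevated = LEVELS[current] >= LEVELS["amber"]
        report[kri.name] = {
            "category": kri.category,
            "value": values[-1],
            "rating": current,
            "trend": trend,
            "alert": elevated or trend == "deteriorating",
            "repeat_finding": elevated and prior is not None and LEVELS[prior] >= LEVELS["amber"],
        }
    return report


def worst_by_category(report: Dict[str, dict]) -> Dict[str, str]:
    """Roll KRIs up to the OCC category level: each category takes its worst rating.
    Unmeasured indicators are excluded here; evaluate() already alerts on them."""
    worst = {c: "green" for c in OCC_CATEGORIES}
    for entry in report.values():
        rating = entry["rating"]
        if rating in LEVELS and LEVELS[rating] > LEVELS[worst[entry["category"]]]:
            worst[entry["category"]] = rating
    return worst


# Constructed KRI library and quarterly observations (illustrative values only).
LIBRARY = [
    KRI("loans_past_due_30plus_pct", "credit", amber=2.0, red=4.0),
    KRI("liquidity_coverage_ratio", "liquidity", amber=1.10, red=1.00, higher_is_worse=False),
    KRI("open_compliance_findings", "compliance", amber=3, red=6),
    KRI("failed_changes_per_quarter", "operational", amber=2, red=5),
    KRI("negative_press_mentions", "reputation", amber=5, red=15),
]

HISTORY = {
    "loans_past_due_30plus_pct": [1.2, 1.8, 2.6],
    "liquidity_coverage_ratio": [1.35, 1.08, 1.04],
    "open_compliance_findings": [7, 5, 2],
    "failed_changes_per_quarter": [0, 1, 1],
    # negative_press_mentions is defined in the library but never tracked
}

if __name__ == "__main__":
    for name, entry in evaluate(LIBRARY, HISTORY).items():
        flag = "ALERT" if entry["alert"] else "ok"
        print(f"{flag:5} {entry['category']:12} {name:28} {entry['rating']:10} {entry['trend']}")
    print(worst_by_category(evaluate(LIBRARY, HISTORY)))
```

Two design points matter for the "no subjectivity" goal: ratings come only from the threshold comparison, never from a hand-assigned score, and direction is judged on rating level rather than on the raw value, so a small movement inside the green band does not page anyone while a crossing into amber does.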
The time is now for banks to abandon the siloed approach to risk management. Use ERM to gain holistic transparency, visibility and data aggregation, and give your institution a clear view of historic, current and future risk.
Keith Monson is vice president of application compliance for Computer Services, Inc. (CSI). In this role, Keith maintains focus on CSI’s compliance initiatives to establish and build out an enterprise-wide compliance framework for risk assessment and reporting, issue management and other key components of CSI’s corporate compliance program. He also works closely with CSI’s Board of Directors Audit Committee as well as other compliance teams across the organization to promote a culture of engagement and connectivity while implementing and advising on practices and related standards.