I’ve found that the understanding and implementation of risk management is driven not by industry or size of institution, but rather by its people: boards, executives, their teams and front-line managers keeping their organizations on track to achieve their goals and preventing missteps and scandals in the fast-paced age of the See-Through Economy.
In an effort to give these two groups some insight into how they can accomplish this, I presented at two conferences for risk managers in the financial industry on new best practices and emerging trends. At the American Banking Association’s 2019 Risk Management Conference in Austin, TX, I presented on how attendees could get more out of cross-functional risk assessments. A short day later, I dove into effective board reporting at the Risk Management Association’s GCOR XIII Conference in Cambridge, MA.
In this blog, I’ll recap some of the highlights of these two important, intimately related topics. I’ll also pass along the tools I showed to each session’s attendees to give you a head start on implementing these tips for risk management in the banking industry.
Attendees of ABA and GCOR alike have similar goals and challenges in the financial industry. So first, what are these goals? Protect your bank by identifying, mitigating, and monitoring risks before they manifest, and identify new opportunities and capital efficiencies.
What’s the challenge? Today, there’s a lot to protect your bank from – data breaches, reputational damage, non-compliance, a recession, and so much more. So the challenge, in a word, is complexity.
To paint a small picture of this complexity, think about the main regulatory body your bank has to align with and how many different risk categories they define. What I’ve seen time and time again is banks trying to put together different risk assessments to match up with all these different categories – the FFIEC’s 6 risk categories, the OCC’s 9 risk categories, etc.
The problem with this approach is if you take one of these categories, say Reputation Risk, and try to ask someone in IT to fill out a risk assessment on this category, they won’t know where to begin. They can only speak to what they know, and most IT professionals haven’t made the connection between what they know and reputation risk.
A better approach is to attract as many as you can with honey. The honey in this case is cross-functional risk assessments.
With cross-functional risk assessments, you’ll be able to gather, re-aggregate, and report on all the information you need to protect your business from a myriad of risks.
First, my presentation is summarized in our eBook “5 Steps for Better Risk Assessments: A Special Edition for the Fin...”, so feel free to download a free copy for an in-depth recap.
For the purposes of this blog, however, I’d like to reiterate three things:
1) The key to cross-functional risk assessments is taking a multi-disciplinary approach. Risk management is in every employee’s job title, whether they know it or not. Having their engagement in the risk assessment process is crucial to achieving an attract-with-honey effect. Download the Risk-Based Approach Wheel I showed ABA attendees here. Use it to connect with other professionals in your organization like Audit or Compliance by starting with their priorities and working your way around the risk management cycle from their preferred starting point!
2) Rethink your risk assessment categories. Instead of creating risk assessments with categories that align specifically with FFIEC or OCC categories, use standards in scoring, naming conventions, and risk libraries to organize them by key departments, key products and services, and key regulations. This way, you’re talking to people about what they know best and getting the most accurate information with the accountability for those risks attached.
3) Re-aggregate risk assessment information to align with big regulator risk categories and more. With a taxonomy in place, and by using the standards from #2 above, you can categorize one risk in multiple ways. Let’s say the Marketing Manager identifies someone hacking into the website as a risk. This would be simultaneously categorized as a marketing risk, an external risk, and a reputation risk (one of the OCC’s main categories).
Item number three above has everything to do with developing a flexible reporting structure. With such a structure, you can take any piece of information you’ve gathered from across the enterprise and dig into it in a multitude of ways. This requires an interrelated, standardized structure called a “taxonomy”.
Above we talked about how aligning with the main regulatory bodies adds complexity to managing risk in the financial industry. Another facet of this complexity is aligning with the strategic goals set by the board. So, not only are risk managers juggling hundreds of regulations, they also have the board and others calling on them for evidence that their ERM program is effectively supporting the goals the board has set for the company.
Risk managers may not at first realize the massive amount of information already on hand throughout their bank, covering all areas of the organization down to the front lines. Without standards and a taxonomy to link and relate the connections across that information, it can be very challenging to show how operational activities align with the business’s greater strategic goals. Historically, boards of directors and senior leadership have struggled to engage with risk managers because information is typically not collected and distilled in the most effective way. The board wants to see the bottom line: how risk management is supporting its strategic objectives.
I’d like to give you a few tips on how you can overcome this challenge and paint the big picture for the board, while distilling this information into a digestible yet insightful format.
First, the taxonomy I describe above is a great tool for aggregating risk in many different ways. With a flexible categorization structure in place, you can pull reports on risks tied to different departments, products, regulations, or even strategic goals. The board wants concise deliverables providing evidence that the appropriate risk management controls are in place and that they are effective against the risks they are designed to mitigate. They also want to know that these risks are monitored, so that they won’t be the next name in the headlines.
Another tip to keep in mind is to collect information in a way that enables your reports to be flexible. Compiling enterprise-wide risk into strategic dashboards gives the board a comprehensive look at the “why” behind an aggregated view of risk and its implications, and also provides the flexibility to drill into individual risks all the way out to the front business lines where the risks are known. These dashboards are strategic in that the information in them can be dynamic while the presentation framework stays the same, so board members can quickly zoom in on the insights they need without having to interpret how the data was gathered or adjust to a new presentation style. The board doesn’t need to be overwhelmed with all of the risks at the business activity level, but it is best to have the option to dig deeper and re-aggregate information within the report.
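As an added illustration (not code from this post or from LogicManager) of the taxonomy in item 3 above and the flexible board dashboards just described: each risk is scored on one standard scale and tagged in several dimensions at once, so a single risk library can be rolled up by OCC category for the board, by department for the front line, or by strategic goal, and each dashboard cell still drills down to the individual risks behind it. The dimension names, category labels, scores and sample risks are assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field

SCALE = range(1, 6)  # standardized 1-5 likelihood and impact scoring (assumed)

@dataclass
class Risk:
    name: str
    likelihood: int
    impact: int
    tags: dict = field(default_factory=dict)  # taxonomy dimension -> category

    def __post_init__(self):
        # A shared scoring standard is what makes risks from different departments comparable.
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.name}: likelihood and impact must be 1-5")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

# Constructed risk library. The first entry is the post's own example: the
# Marketing Manager's "someone hacking into the website" risk, tagged at once as
# a marketing, external and (OCC) reputation risk. The other entries are made up.
RISKS = [
    Risk("Website compromised by external attacker", 3, 5,
         {"department": "Marketing", "source": "External", "occ": "Reputation",
          "regulation": "GLBA", "goal": "Grow digital channel"}),
    Risk("Core vendor outage delays loan processing", 2, 4,
         {"department": "Lending", "source": "External", "occ": "Operational",
          "regulation": "Third-party guidance", "goal": "Grow lending"}),
    Risk("Stale BSA/AML training for tellers", 4, 3,
         {"department": "Retail", "source": "Internal", "occ": "Compliance",
          "regulation": "BSA/AML", "goal": "Grow lending"}),
]

def aggregate(risks, dimension):
    """Roll the one library up along any taxonomy dimension.
    Returns {category: (max_score, risk_count, [risk names, worst first])}: the
    headline per dashboard cell plus the drill-down list behind it, with no
    separate assessment needed per regulator category."""
    groups = defaultdict(list)
    for r in risks:
        if dimension in r.tags:            # a risk lacking this dimension is simply not counted
            groups[r.tags[dimension]].append(r)
    out = {}
    for cat, g in groups.items():
        g.sort(key=lambda r: r.score, reverse=True)   # worst first = drill-down order
        out[cat] = (g[0].score, len(g), [r.name for r in g])
    return out
```

Calling `aggregate(RISKS, "occ")` gives the board's regulator-aligned view, while `aggregate(RISKS, "department")` gives the same risks grouped the way the people who own them think about them.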
Once the board has a clear view of their organization’s risk, they can rest assured that your risk management program has their strategic organizational goals in mind. As a result, the board will continue to provide the necessary support for your program.
It was an honor presenting at the ABA and RMA GCOR XIII Conferences, where I got to share and learn from risk professionals in one of the most advanced industries in the risk management fields. I hope attendees, and new readers, found these tips and tools useful!
This article was originally posted on LogicManager.com