Managing risk in todays regulatory environment
Today's banking institutions are facing a heightened regulatory environment. In response to recent financial crises, government bodies have stepped up scrutiny of banks' risk management practices. Regulators are asking more and more questions about their Enterprise Risk Management (ERM) systems, and whether supervisory frameworks are adequate. Debt rating agencies have also increased their examination of banks' risk management processes. Even small community banks, historically unaccustomed to fielding such questions, are receiving increased scrutiny.
As a result, banks can no longer afford to view ERM as an option. It is increasingly becoming a necessity, regardless of bank size. By definition, banks are highly complex operations operating within equally complex capital markets. The more complex the interaction of parts within the organization, the stronger the need for effective risk practices that can identify problems in advance. The interdependency of these parts means that one weak link could unravel the entire structure. This may explain how inadequate risk management practices can lead to systemic failure of the institution, and given the deep integration of banks within the larger financial markets framework, to dire consequences for the economy as a whole.
Given these factors, banks should revisit their ERM framework periodically to assess whether it has the capacity to meet the heightened regulatory standards. Yet as one stares at a risk management plan on paper, it's not always easy to assess the organization's tolerance for risk. Would it pass a compliance examination? Has it considered the possibility of unforeseen events? And is its risk framework really integrated on an enterprise-wide basis?
A focus on corporate governance
The starting point of a bank's ERM initiative should be a pledge of commitment to risk management by the board and top-tier executives. The actions of company leaders are critical in establishing the ethical framework of the organization. "Tone-at-the-top' tends to have a trickle-down effect throughout the organization, and should be a major focus for any risk management process. Additionally, steps should be taken to fully integrate the "tone' into all corporate governance policies and strategies. This process is aided by the establishment of a risk committee or chief risk officer who can serve as the coordinator of all risk activities in the bank.
Risks facing banking institutions
Before beginning any ERM process, it helps to develop a list of possible risks facing an average bank:
- Finance and accounting
- Interest rate
- Hazards (natural disaster, property damage)
When faced with this daunting list, banks may discover that their existing framework is addressing some risks adequately, but not others. For example, it's common for banks to be addressing compliance and financial risks sufficiently, but not operational and strategic risks. This may be because the latter are harder to quantify or anticipate, or maybe just because certain areas of the business – information technology, operations, strategy – are harder to integrate into the framework. Yet to understand the costs and effectiveness of the bank's overall risk management framework, all functions and processes must be fully integrated at the enterprise-wide level. Without this integration, it's all too easy to lose control of individual risk management activities.
In other cases, overlapping functions can lead to duplication of risk mitigation measures. These redundancies result in inefficiencies and therefore, higher risk management costs overall. The perceived high cost of integrated risk frameworks can cause many decision-makers to hold back on a full implementation of the ERM program. Yet this is not necessarily a valid concern. In fact, a well-orchestrated ERM program can actually help companies reduce risk management costs in cases where it identifies duplications and inefficiencies within the existing framework.
Analyzing the effectiveness of an ERM framework
After the bank has secured the sponsorship of the board and executive leaders and established its corporate governance strategy, the next step is to do a rigorous analysis of its present risk management structure. Here are some of the major objectives of this process:
- To establish a formal framework for overall corporate risk
- To identify all key risks within the organization
- To quantify risks and examine risk treatment
- To determine risk gaps through effective gap analysis
- To establish risk monitoring processes and continuous improvement activities
- To minimize disruptions that could have an impact on the bank's ability to achieve its goals
- To significantly reduce the cost of risk management
Costs and benefits of ERM
For a bank to be successful, it must have the trust and confidence of its customers and the community-at-large. Unfortunately, negative events that erode trust can occur, despite the best efforts and intentions of bank managers. When they do, these events can do major damage to the bank's reputation, and loss of reputation will almost invariably have a bottom line impact. Yet, it's possible to mitigate the damaging impact of those events with a sound ERM program, which can reduce the "costs' of a crisis, in both reputational and financial terms.
In addition to helping protect reputation, ERM may also improve efficiencies by removing redundant risk management measures. In the process, the costs of compliance can be lowered. Given the escalating costs of compliance, ERM's ability to reduce these costs is an important benefit. ERM may also benefit the bank by serving as a market differentiator, which could give it an overall competitive advantage. Finally, it's important to note that ERM does not just protect the bank and its bottom line. It protects the interests of customers, shareholders, employees, government regulators and the overall community.
For more information
For more information about ERM services and solutions, please contact your financial services representative or John Brackett, national practice leader, Governance, Risk & Compliance and Enterprise Risk Management, McGladrey, at 704.442.3820.