Although a solid compliance program may not help you grow revenue, a weak compliance program can cost you plenty in the long run. ERM programs are different: a solid risk management program is a source of competitive advantage. If your Chief Risk Officer presents the ROI of new investment alternatives after having established a track record of documenting and monitoring ALL the threats to your business, the instinct should be to move forward assertively if the rest of the business is sound. But how do we know when ALL the threats are known, and how do we know that serious danger is not on the horizon?
Loss Events by Functional Risk Area
Little coordination takes place between the risk assessment process and loss events. Risk assessments are performed in 12 major areas (technology, vendor, transaction, business continuity, privacy, compliance, interest rate, credit, price, liquidity, strategy, and reputation), with special-purpose sub-assessments (e.g., fair lending, BSA, cyber, fraud) completed as well. Loss data is rarely correlated back to the threat assessment, leaving these two activities unconnected.
Three steps are required, along with new resources, but the money will be well spent.
Step 1: Inventory the Threats, not just the Controls. Too many risk assessments focus on the number and strength of controls. Legacy thinking offers the reassurance that with hundreds of controls, we must be safe. This approach will be discouraged as 2019 slides into 2020, this century’s third decade. Good cyber management and preparedness starts with a discussion of the threat, followed by what controls help mitigate that threat. This methodology allows us to stop inventorying all the controls and instead focus on the controls that mitigate each threat. When applied to banking operations and market risks, a focused analysis of key controls rather than a broad discussion of every control is expected.
Step 2: Calculate the dollars at risk. Here are two examples. The first is Credit. Let us assume that in an ACRE portfolio the average credit facility is $1,000,000. A worst-case scenario during a significant recession is a 40% loss on a facility. If the risk-based capital allocation to ACRE is $4 million, then the risk limit is 10 loss events ($4mm / $400,000 per credit). The goal is to understand, once capital at risk is assigned to the credit portfolio, how many loss events can be tolerated beyond the reserve accrual before significant capital is lost. Many complex models can be deployed, but for smaller institutions a simpler method that every member of the management team and the Board can explain is more effective.
Second is Technology. Let us assume that $500,000 of capital is allocated to technology risk. Is this sufficient? Many industry guides put the cost of security events at approximately $250 per confidential customer record. If core lending or deposit systems contain 100,000 customer records, then the potential loss would approximate $25,000,000 before cyber insurance coverage. For most community-based financial institutions, that is a material potential impact to capital. Understanding the dollars at risk elevates confidence in the risk assessment process and its results.
Step 3: Link the threats into scenarios. Threats do not occur in a vacuum. Credit losses start with poor underwriting (an operational risk), and a significant cyber breach will affect reputation and, in the worst case, an organization’s liquidity. The dollars at risk for the top 20 or so threats are the start of the process, not the end. The full scenarios should be mapped, gross impacts measured, and the net impact either accepted, mitigated (i.e., add more controls) or transferred (add more insurance). Not knowing the net financial impact is gambling with the franchise and, ultimately, your career.
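The three steps above as a small worked model, added here as an illustration and not code from the article: the credit and technology figures are the article's own, while the control-effectiveness shares, insurance amounts, control names and the breach-to-liquidity scenario chain are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Threat:
    """Step 1: an inventoried threat and only the controls that mitigate it."""
    name: str
    area: str                 # one of the article's 12 functional risk areas
    gross_loss: float         # Step 2: worst-case dollars at risk before any control
    controls: list = field(default_factory=list)
    mitigated: float = 0.0    # share of gross loss the key controls remove (assumed)
    insured: float = 0.0      # dollars transferred to insurance (assumed)

    def net_loss(self) -> float:
        """Net impact after mitigation and transfer; never below zero."""
        return max(self.gross_loss * (1.0 - self.mitigated) - self.insured, 0.0)


def loss_event_limit(capital: float, avg_facility: float, worst_case_pct: float) -> int:
    """Credit example: loss events tolerated before allocated capital is consumed."""
    return int(capital // (avg_facility * worst_case_pct))


def breach_exposure(records: int, cost_per_record: float) -> float:
    """Technology example: potential loss before cyber insurance coverage."""
    return records * cost_per_record


def scenario_impact(chain: list, capital: float) -> dict:
    """Step 3: sum a linked chain of threats and compare net impact to capital."""
    gross = sum(t.gross_loss for t in chain)
    net = sum(t.net_loss() for t in chain)
    shortfall = max(net - capital, 0.0)
    # A net impact within allocated capital can be accepted; anything above it
    # needs more controls (mitigate) or more insurance (transfer).
    treatment = "accept" if shortfall == 0 else "mitigate or transfer"
    return {"gross": gross, "net": net, "shortfall": shortfall, "treatment": treatment}


# Constructed scenario: a cyber breach that spills into reputation and liquidity.
# The cyber gross figure follows the article (100,000 records x $250); the rest is assumed.
BREACH_CHAIN = [
    Threat("customer data breach", "technology", breach_exposure(100_000, 250),
           ["MFA on core systems", "encryption at rest"], mitigated=0.6, insured=5_000_000),
    Threat("customer attrition after breach", "reputation", 2_000_000,
           ["incident communications plan"], mitigated=0.25),
    Threat("deposit run-off", "liquidity", 3_000_000,
           ["contingency funding plan"], mitigated=0.5),
]

if __name__ == "__main__":
    print("credit loss-event limit:", loss_event_limit(4_000_000, 1_000_000, 0.40))  # 10
    print("technology capital $500,000 vs scenario:", scenario_impact(BREACH_CHAIN, 500_000))
```

Run as written, the scenario's net impact of $8,000,000 exceeds the $500,000 allocated to technology risk, which is the gap Step 3 is meant to surface.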
Risk Management Program
The top-down capital-at-risk allocations in ERM programs are not sufficiently linked to the bottom-up threat and risk assessments. Tightening the integration between threats and risk assessments should provide more security and competitive advantage. If we are holding excess capital above the potential impact of major risks, we are missing an opportunity to deal with the top threats, namely cyber, Fintech, and unpredictable regulatory change.