A little over 10 years ago, the recession was developing with the burst of the residential mortgage bubble. Today, cyber risk has reached the level of global warfare, BSA and AML compliance remains a challenge, and third-party risk continues to increase as we expand outsourcing. These and other areas can threaten and disrupt the strategic plans of the institution. While attending the 2018 ABA Risk Management conference, I thought to share a few ways to protect your business strategy within your ERM program.
Don’t just focus on compliance
Too many experienced executives combine compliance management and risk management. Compliance lends itself more to the structure of banking practices, technology and people, whereas risk management needs to be less structured to better prepare for loss scenarios that are likely to impact us.
Compliance funding and the benefits of that investment are easier to see than the benefits of investing in risk management, which require a leap of faith. Regulatory compliance is a determined minimum performance guide. Risk management involves looking at your organization uniquely and determining the specific needs based on the products and services we offer and how we operate. Funding is likely targeted toward a risk we aren’t yet experiencing instead of a requirement we are told to comply with.
Engage and innovate with your 1st Line of Defense -- Line Management
There is growing acceptance that line management owns the risk of the institution. Simply put, they are the risk takers while the 2nd line of defense, the CRO, is the risk manager. CROs can identify the strategic risks and processes of pivoting to new digital products and delivery channels, but line management must recognize the need to innovate and want to act on it. Questions like “Should we partner with a FinTech company?” or “Should we develop digital banking apps?” can’t be discussed if there’s an inherent bias in our management group to continue business as usual and not innovate. The perception that risk managers are the executives of “No” must be dismantled.
Make sure your Board understands the risk
Risk managers need to help their boards understand why an integrated Enterprise Risk Management program is necessary. It’s not uncommon to get a response like “we’re a small institution. We don’t need an expansive ERM program” or “the regulators are happy with our program”. This underlines a misunderstanding within the institution. Board members understand that customers want convenience and a personal touch, but that might not translate to the requirement for new technologies and vendors, and the risk management practices to manage the change successfully. It’s human nature to be cautious in the face of ambiguity. If we can’t enumerate all the risks and threats and be confident that we manage them, we shouldn’t expect board members to be ready to back new products and delivery options. The lack of innovation in your organization will increase strategic risk.
In a world where small FinTech firms or large organizations like Amazon or Apple are participating significantly in the banking industry, we need to know now how we will transform our business to preserve the franchise. If we wait too long, it will become too expensive and too big a project to undertake, and we will lose our community banking institutions.