
Capital Risk Management: 3 Steps to Avoid Significant Losses

Author: Michael Cohn

Originally published in 2019. Updated in May of 2023.

A solid compliance program may not help you grow revenue. However, a weak compliance program can cost you plenty in the long run.

Enterprise Risk Management (ERM) programs, on the other hand, are different. That’s because a solid risk management plan is a competitive advantage. If your Chief Risk Officer presents the Return on Investment (ROI) of new investment alternatives after having established a track record of documenting and monitoring all the threats to your business, your instinct should be to move forward assertively, provided the rest of the business is sound.

But how do we know when all of the threats are known? How do we know that serious danger is not on the horizon?

Loss Events by Functional Risk Area

Little coordination takes place between the risk assessment process and loss events. Risk assessments are performed in 12 major areas (technology, vendor, transaction, business continuity, privacy, compliance, interest rate, credit, price, liquidity, strategy, and reputation), with special-purpose sub-assessments (e.g., fair lending, BSA, cyber, fraud) completed as well. Loss data is rarely correlated back to the threat assessment, leaving these two activities unconnected.

Three steps are required (along with a new resource) to create a successful capital risk management implementation strategy—but the money will be well spent.

Capital Risk Management Step 1: Inventory the Threats, Not Just the Controls

Too many risk assessments focus on the number and strength of controls. Legacy thinking offers the reassurance that, with hundreds of controls, we must be safe. Good cyber management and preparedness starts with a discussion of the threat, followed by which controls help mitigate that threat. This methodology allows us to stop inventorying all the controls and instead focus on the controls that mitigate each threat. When applied to banking operations and market risks, a focused analysis of key controls, rather than a broad discussion of every control, is expected.

Capital Risk Management Step 2: Calculate the Dollars at Risk

Here are two examples:

(1) The first is Credit.

Let us assume that in an ACRE portfolio, the average credit facility is $1,000,000. A worst-case scenario during a significant recession is a 40% loss in a facility. If the risk-based capital allocation to ACRE is $4 million, then the risk limit is 10 loss events ($4mm / $400,000 per credit). The goal is to understand, once capital at risk is assigned to the credit portfolio, how many loss events can be tolerated beyond the reserve accrual before significant capital is lost. Many complex models can be deployed and used. However, for smaller institutions, a simpler method that can be explained to all members of the management team and the Board is more effective.

(2) The second example is technology.

Let us assume that $500,000 of capital is allocated to technology risk. Is this sufficient? Many industry guides put the cost of security events at approximately $250 per confidential customer record. If core lending or deposit systems contain 100,000 customer records, then the potential loss would approximate $25,000,000 before cyber insurance coverage. For most community-based financial institutions, that is a material potential impact to capital. Understanding the dollars at risk raises confidence in the risk assessment process and its results.

Capital Risk Management Step 3: Link the Threats into Scenarios

Threats do not occur in a vacuum. Credit losses start with poor underwriting (an operational risk), and a significant cyber breach will affect reputation and, in the worst case, an organization’s liquidity. The dollars at risk for the top 20 or so threats are the start of the process, not the end. The full scenarios should be mapped, gross impacts measured, and the net impact either accepted, mitigated (i.e., add more controls), or transferred (add more insurance). Not knowing the net financial impact is gambling with the franchise and, ultimately, your career.

Improving Your Capital Risk Management Program

The top-down capital in risk programs is not sufficiently linked to the bottom-up threat and risk assessments. Tightening the integration between threats and risk assessments should provide more security and competitive advantages. Are we holding excess capital above the potential impact of major risks? If so, we are missing an opportunity to deal with the top threats, namely cyber, fintech, and unpredictable regulatory change.

Are you interested in learning more about how WolfPAC can help you build a modern, scalable risk management program that stands up to the threats of today and tomorrow?

FAQs About Capital Risk Management

How does the article suggest assessing and managing emerging threats that may not have been previously identified?

The article suggests assessing and managing emerging threats by emphasizing the importance of integrating threat assessments with risk assessments. It points out that many risk assessments focus on controls rather than threats, leaving potential dangers unaddressed. By focusing on threats first and then identifying controls to mitigate them, organizations can better anticipate and manage emerging risks that may not have been previously identified.

What specific tools or methodologies does the article recommend for calculating the potential financial impact of various risks, especially for smaller financial institutions?

For calculating the potential financial impact of various risks, especially for smaller financial institutions, the article provides examples and methodologies. It offers examples such as calculating the dollars at risk for credit portfolios and technology risks. For instance, it suggests understanding the potential loss per credit facility or the potential loss per confidential customer record to assess the adequacy of capital allocated to different risk areas. The article also mentions the importance of using simple and explainable methods, especially for smaller institutions, to ensure that all members of the management team and the board understand the calculations and their implications.

Can the article provide examples or case studies illustrating successful implementations of the three steps outlined in the capital risk management strategy?

While the article does not provide specific case studies, it outlines the three steps required for successful capital risk management implementation and discusses the importance of linking threats into scenarios. It emphasizes that threats do not occur in isolation and provides examples of how various threats, such as poor underwriting leading to credit losses or significant cyber breaches affecting reputation and liquidity, are interconnected. The article suggests that mapping full scenarios, measuring gross impacts, and determining net financial impacts are crucial steps in effectively managing capital risk. However, it encourages readers to explore further how WolfPAC can assist in building modern, scalable risk management programs tailored to the challenges of today and tomorrow.

Visit our website or contact us to speak with an expert.