Risk Management Over a Decade: Trends & Changes
Do We See the Risk Management Trends?
For most of us, it is very difficult to see trends begin and know the point of inflection where the world will change forever. Many of us remember the effects of previously “settled trends,” such as the mainstream use of VCRs, home telephone landlines, cable TV, and printed maps. Current modern trends such as driverless cars, immunotherapy, and the migration away from the oil-based economy still have not quite reached the settled trend status. Another modern trend taking precedence is Enterprise Risk Management (ERM). I have affectionately called the ERM changes that have happened this decade the “Renaissance of ERM” as its effects forge ahead into the third decade of the century.
Over the Past 5 Years
To look ahead, we must recognize how certain events shape the work and value ERM brings to an organization.
The first marketplace event is the rise and acceptance of the Chief Risk Officer in the executive suite.
Many organizations hired their first CRO from an internal, upwardly moving management team originating from executives leading
- Operations, or
These pioneers had a lot to learn as the knowledge base and best practices were emerging so fast. Now, many organizations are on their second or third CRO as the expectations of the role and the capabilities of the executives are better known.
The second event was a significant documentation of the rules and examination expectations surrounding the Dodd-Frank Act.
Although Dodd-Frank was passed on July 21, 2010, it took many years for the Act’s provisions to be expanded to rules that the industry could follow and examiners could review. The past five years have shown how:
- Much the implementation would cost banks of all sizes and
- The unintended consequence of high compliance costs was a factor in the wave of continued bank consolidation.
The third event was the emergence of ERM maturity models and an understanding of the need to expand ERM program capabilities regardless of the organization’s size.
Early ERM models focused on consolidating existing risk management functions to benefit from obvious synergies such as:
- Information security,
- Physical security,
- Business continuity,
- BSA, and
- Vendor management.
As threats are related and emerge from the same triggered events, the next opportunity was to evaluate both operational and market risks together. These expanded ERM capabilities ensure previously unrelated threats are not left to individual executive oversight but rather that all executives and Board members participate in a holistic discussion of impact losses and strategic initiatives.
With these risk management trends running their logical course, the next five years will only be the culmination of the work mastered since 2013.
Paving the Road Ahead
A first foundational building block for ERM programs today is to bring focus to the high risk threats we face.
High risk threats have the potential to impact capital. This allows moderate and low risk threats to be absorbed through annual earnings. It also gives rise to a more threat-based approach to capital risk assessment and capital planning. Individual threats do not occur in isolation. In addition, the practice of looking at credit or liquidity risk top down will be insufficient to properly safeguard the institution.
The second risk management trend paving the road ahead will be the elevation of risk monitoring to an equal level of oversight as control testing.
The Gramm-Leach-Bliley and Sarbanes-Oxley Acts brought significant focus to the control over private information and financial reporting, respectively. WolfPAC’s belief was that if controls were designed properly and operating effectively then large losses would be prevented. We have learned that strong controls to manage business practices, when combined with forward-looking risk monitoring, increase the early identification of potential losses. Over the next five years, results from risk monitoring will receive equal discussion among executive teams and Boards, and enhanced monitoring programs will be developed and funded to reach this equilibrium.
The third observed risk management trend is the cost of risk management.
If you believe that “if we measure the cost, we can make it cost less,” we can understand what drives our risk management process costs. Early projects have shed some light – community-based organizations likely spend 0.2% – 0.3% of assets on risk management. Since these expenditures are mostly non-interest expense, any reduction positively impacts net income. Will your organization solely rely on deregulation initiatives to relieve the compliance and risk management burdens? If so, then you may be the last of your competitive peers to experience the benefit. Creating transparency into what we observe to be the 200-300 cost elements in each organization and developing a better-aligned, risk-based resource strategy is not difficult but requires a commitment to challenge existing norms and beliefs on how to keep us safe.
The Renaissance period for ERM is coming to an end and a new period is emerging. As a result, the innovative and non-mainstream management practices we try today will quickly develop into best practices. The economic expansion we have enjoyed will likely end and cracks in our management practices will emerge. I can’t predict the timing for these changes but the direction is clear.
I’ll leave you with a final thought:
What in your ERM program would you change now knowing that important business and economic changes are just around the corner?