Risk Management Over a Decade: Trends & Changes
Do We See the Trends?
For most of us it is very difficult to see trends begin and know the point of inflection where the world will change forever. Many of us remember the effects of previously “settled trends” such as the mainstream use of VCRs, home telephone land lines, cable TV, and printed maps. Current modern trends such as driverless cars, immunotherapy, and the migration away from the oil-based economy still have not quite reached settled trend status. Another modern trend taking precedence is Enterprise Risk Management (ERM). I have affectionately called the ERM changes that have happened this decade the “Renaissance of ERM” as its effects forge ahead into the third decade of the century.
Over the Past 5 Years
To look ahead, we must acknowledge how certain events within the marketplace shape the work and value ERM brings to an organization.
The first marketplace event is the rise and acceptance of the Chief Risk Officer in the executive suite. Many organizations hired their first CRO from an internal, upwardly moving management team originating from executives leading audit, compliance, IT, operations, or credit. These pioneers had a lot to learn as the knowledge base and best practices were emerging so fast. In fact, by 2018 many organizations are looking to their second or third CRO as the expectations of the role and the capabilities of the executives are better known.
The second event was a significant documentation of the rules and examination expectations surrounding the Dodd-Frank Act. Although Dodd-Frank was passed on July 21, 2010, it took many years for the 2,300-page Act’s provisions to be expanded into rules that the industry could follow and examiners could review. The past five years have shown how much the implementation would cost banks of all sizes, and how the unintended consequence of high compliance costs was a factor in the wave of continued bank consolidation and the lack of new bank formations.
The third event was the emergence of ERM maturity models and an understanding of the need to expand ERM program capabilities regardless of the organization’s size. Early ERM models focused on consolidating existing risk management functions to benefit from obvious synergies such as information security, physical security, business continuity, compliance, BSA, and vendor management. As threats are related and emerge from the same triggered events, the next opportunity was to evaluate both operational and market risks together. These expanded ERM capabilities ensure previously unrelated threats are not left to individual executive oversight but rather that all executives and Board members participate in a holistic discussion of impact losses and strategic initiatives.
With these trends running their logical course, the next five years will be the culmination of the work mastered since 2013.
Paving the Road Ahead
A first foundational building block for ERM programs today is to bring focus to the high-risk threats we face. High-risk threats have the potential to impact capital, allowing moderate- and low-risk threats to be absorbed through annual earnings and giving rise to a more threat-based approach to capital risk assessment and capital planning. Individual threats do not occur in isolation, and the practice of looking at credit or liquidity risk top down will be insufficient to properly safeguard the institution.
The second risk management trend paving the road ahead will be the elevation of risk monitoring to an equal level of oversight as control testing. The Gramm-Leach-Bliley and Sarbanes-Oxley Acts brought significant focus to the control over private information and financial reporting, respectively. WolfPAC’s belief was that if controls were designed properly and operating effectively then large losses would be prevented. We have learned that strong controls to manage business practices, when combined with forward-looking risk monitoring, increase the early identification of potential losses. Over the next five years, results from risk monitoring will receive equal discussion among executive teams and Boards, and enhanced monitoring programs will be developed and funded to reach this equilibrium.
The third observed trend is the cost of risk management. If you believe that “if we measure the cost, we can make it cost less,” then we can understand what drives our risk management process costs. Early projects have shed some light: community-based organizations likely spend 0.2% – 0.3% of assets on risk management. Since these expenditures are mostly non-interest expense, any reduction positively impacts net income. If your organization relies solely on deregulation initiatives to relieve the compliance and risk management burdens, then you may be the last of your competitive peers to experience the benefit. Creating transparency into what we observe to be the 200-300 cost elements in each organization, and developing a better-aligned risk-based resource strategy, is not difficult but requires a commitment to challenge existing norms and beliefs on how to keep us safe.
As the Renaissance period for ERM ends and a new period emerges, the innovative and non-mainstream management practices we try today will quickly develop into best practices. The economic expansion we have enjoyed will likely end and cracks in our management practices will emerge. I can’t predict the timing for these changes but the direction is clear. I’ll leave you with a final thought: what in your ERM program would you change now knowing that important business and economic changes are just around the corner?