Has your financial organization recently faced a setback due to unforeseen risk or compliance failures? There's a lot at stake when it comes to risk management and compliance. For example, Deutsche Bank was recently fined $150M for "significant compliance failures" regarding three separate matters, including its former relationship with Jeffrey Epstein and its correspondent-banking relationships with Danske Bank Estonia and the Federal Bank of the Middle East.
"Banks are the first line of defense with respect to preventing the facilitation of crime through the financial system, and it is fundamental that banks tailor the monitoring of their customers' activity based upon the types of risk that are posed by the particular customers," said New York State Department of Financial Services Superintendent Linda Lacewell.
Building an updated enterprise risk management framework for banks is a critical step towards strengthening your organization's risk and compliance posture. There are a few key questions that you should ask yourself when building the enterprise risk management framework, including:
- What are the key considerations your business should make as it develops or refines an existing risk management framework?
- What new policies can you introduce to ensure continued and effective risk mitigation and regulatory compliance?
With careful consideration of these (and other) preparatory questions, you're ready to build a risk management framework.
What is a Risk Management Framework for Banks?
An enterprise risk management framework (ERMF) documents the processes that ensure financial organizations have risk management structures, systems, and mechanisms in place. These mechanisms must respond to new and evolving risks quickly.
Additionally, team members across the organization must be brought into the institution's risk management framework. Recently, Wells Fargo paid out $3B in fines due to employee misconduct: employees created fake bank accounts using customers' information. In this scenario, risk management best practices and procedures were not widely adopted.
Your enterprise risk management strategy needs to be comprehensive, value-driven, and distributed across the entire organization. With the right framework, you can detect risks early before they become full-fledged disasters.
There are four key elements of an enterprise risk management framework for banks: identifying risks, assessing them, responding with controls, and monitoring those controls.
The first component is to identify areas of risk. In this step, organizations must review their entire portfolio and business verticals. Approach this from a strategic perspective rather than a purely operational one. What are the potential risks?
Risk identification is foundational to risk management in financial institutions. Clarity about what each risk actually is drives the downstream activities, including risk measurement, impact estimation, control design, mitigation, and execution. Risk identification includes:
- Stress test scenario: You should complete a stress test to see if risk factors can be dealt with appropriately. This test should include security threats and ensure the financial institution has enough capital to withstand a financial crisis.
- Disaster test: You should complete a disaster test to ensure the institution’s stability in times of war or after a natural disaster.
- Risk modeling: Risk modeling can help identify what areas require attention. These scenarios are analyzed piece-by-piece for a precise understanding of the risks and their possible outcomes. These play-by-play rundowns give an accurate idea of how the financial institution would handle situations with extremely negative consequences. Once the risk management team has this data, preemptive controls and protocols can be put in place.
- Risk ownership: Risk management will be most effective if there are people who own and manage aspects of the risk. These individuals should have control over their process area(s). If something goes wrong in their department, that person (or team) is responsible for addressing the problem. With accountability in place, mistakes are less likely to turn into bigger issues.
- Strategic plan: Understanding the strategic objectives can help in identifying the risks that may impede the achievement and execution of those objectives.
The best way to mitigate loss is a robust risk assessment. Assessment of inherent and residual risk levels can help determine the appropriate steps to reduce these risks within a defined risk appetite.
Inherent risk is the risk posed by omission or error and is due to some factor other than a failure of internal control measures. Your bank will want to review the risk inherent in the bank’s products and services, customers and entity base, and geographical locations. Then, quantify this risk by calculating and assigning risk scores. Mitigating controls are controls designed to reduce the bank's inherent risks to an acceptable level. Residual risk is the risk level or volume that remains after risk controls have reduced inherent risks.
You calculate the residual risk score by subtracting the quality-of-risk-management score from the inherent risk score. So, residual risk = inherent risk - quality of risk management.
While a bank's policies, procedures, and controls may mitigate the inherent risks of high-risk customers, products, services, processes, systems, and geographies, the financial institution's residual risk score can remain unchanged if those controls are of low quality or are not applied consistently.
If there is an override in the residual risk rating, there should be a well-documented rationale for the adjustment.
Respond by putting the proper control mechanisms in place to mitigate areas of high risk. Banks that implement a well-structured risk management infrastructure will reduce risk across all of their business verticals. A financial institution's ability to counter its threats is a major factor for investors. Because of loan losses, a bank without a proper credit risk management system will see lower profits. Here are some strategies to counter this threat:
- Credit risk policies: To ensure processes are developed to identify sources of credit risk, assess their magnitude, and mitigate the risks as appropriate, include the following in credit risk policies: approved loan products, approval processes for large-dollar transactions, credit concentration limits, product eligibility, and portfolio segmentation.
- Origination/acquisition standards for loans: Define underwriting and purchase criteria that state which factors are to be considered in loan approval and in acquiring credit-sensitive investments, including how underwriting, collateral appraisal, and investment selection operations are structured.
- Loan administration and investment portfolio management: Define credit and portfolio management operating procedures that describe how to identify and manage problem loans and investments that have experienced credit deterioration, including how to assist customers through periods of financial hardship.
After appropriate risk mitigating strategies and controls have been implemented, financial institutions need to monitor these controls. Monitoring controls are designed to provide effective ongoing oversight of activities performed by internal and external parties that impact operations and/or customer experience.
What Do Organizations Typically Get Wrong When Building Their ERMF?
1. Governance
Appropriate governance is essential for effective ERM. Those responsible for ownership of the ERM program will not be able to make a positive impact without a robust governance structure.
Frequently, organizations focus on the board, its committees, and executive-level management committees when building out their governance structure, but these committee forums are too senior and high-level for robust discussions and healthy debates about risks and associated control activities.
You should also consider implementing governance forums at a level where you can have comprehensive discussions about risks.
2. Risk Taxonomy
The core of an effective risk management framework is a risk taxonomy that names, classifies, and defines risk across an organization. Among other things, it supports the consistent identification of risks, assigns accountability and ownership of each risk area, facilitates the execution of all risk assessments, supports the development of risk appetite statements and key risk indicators, and facilitates consistency of risk measurement and risk aggregation.
Organizations often underestimate the considerable effort necessary to identify and assess all the risks impacting their business activities. Risk identification begins with identifying all the products, services, processes, and other activities conducted by an organization to meet its business objectives, including applicable laws and regulations. Risk identification is not an easy feat, and most don't do it well.
3. Policies and Procedures
Organizations need to have clearly articulated and consistently documented policies, procedures, standards, and guidelines. Policies and procedures form an essential foundation for a successful ERMF.
Documented policies and procedures are usually one of the first things examiners and internal audit request when conducting examinations, so it's important for firms to streamline and standardize their approach to policies and procedures.
4. Key Risk Indicators
One of the building blocks of risk data gathering is key risk indicators, or KRIs. Organizations confuse KRIs with metrics. However, they are quite different. Metrics provide a vital monitoring function, but they merely count exceptions or measure performance.
KRIs, on the other hand, measure increases or decreases in risk levels. They predict when risk is changing and allow for proactive intervention.
5. Risk Aggregation and Reporting Design
The quality of reporting is vital to the success of an ERMF. Without adequate reporting, an ERMF wouldn't be meaningful at all.
Reporting shouldn't be about gathering data. If risk reporting leaves its audience asking, "so what?" it's of little value. Reporting should provide risk analysis and transparency that lead to better business decision making.
What About Maintenance During Unusual Stress/Disruption?
Operational resiliency is a firm's ability to sustain core business services both during business as usual and when experiencing operational stress or disruption. This concept is essential as it pertains to ERMF because financial firms face an increasingly sophisticated threat landscape and risks associated with their activities.
Customers expect service delivery that is always robust and responsive in the event of issues; this is a necessity for building trust with customers. Further, technological innovations have enabled cyber-attacks, which have unpredictable consequences.
Financial institutions are increasingly using sophisticated systems across application development and infrastructure. These systems can introduce increased risk and potential impact, both financially and operationally, if they fail.
Customers and financial firms continuously exchange an enormous amount of data. In this regard, customers expect their financial firm to comply with minimum standards regarding the security of their data.
Get Access to Free Online Training to Help You Manage Risks
As a financial institution, you face unique challenges that other businesses don’t. You must develop and establish a robust enterprise risk management framework that is appropriate for your size and level of complexity to account for your material risks and keep your business safe.
We understand just how important it is to have your risk management framework built right. That’s why we’ve created a free online training program to ensure that nothing slips through the cracks.
We’ll show you how C-suite and high-level risk managers:
- Elevate risk posture
- Identify threats
- Mitigate threats before they happen
- Discover what you need to create a culture of risk management and compliance
To kickstart your risk management and compliance program, we recommend taking our self-assessment quiz. Use these findings to identify gaps and take your organization's risk management and compliance posture to the next level. After the quiz, you'll be given an opportunity to schedule a free consultation to discuss results.