Published in RMA Journal: https://rmajournal.org/rmajournal/april_2022/MobilePagedReplica.action?pm=2&folio=64#pg66

Banks and other financial institutions in the United States are required—through legislation and regulatory rules—to establish risk management policies and practices. The aim is to promote stability, resilience, and transparency in the country’s financial systems and provide protection to consumers and investors in their financial transactions.

Perhaps due in part to such requirements, many companies treat risk management as a necessary evil: a matter of compliance, a cost to be minimized, an activity to be held “out of the way” of normal business pursuits. This stance can lead to high costs in recovery and remediation. Regulatory actions can run into billions of dollars and may include restrictions on future business or acquisitions. Lost business and damage to reputation add to the erosion of worth.

A reversal of mindset is needed. Companies need to look beyond obedience to rules. Though related to compliance, risk management merits separate and distinct handling since, if properly nurtured, it creates value and not just cost.

News headlines help illustrate why risk management deserves attention.

The Office of the Comptroller of the Currency (OCC), a bureau within the U.S. Treasury Department, is charged with regulating and supervising national banks and federal savings associations to ensure that sound risk management and internal controls are in place. The OCC and other regulators have acted recently against several financial institutions pertaining to risk management.

For example, in 2020 alone, well over $4 billion in fines were levied against several institutions for a broad array of missteps. Examples include ineffective and/or lack of compliance risk management programs, data governance weaknesses, ineffective IT risk governance programs, and inadequate internal controls and internal audit programs.

Regulators often require banks to develop an acceptable remedial plan within 90 days of receiving the instruction. Until an acceptable plan is in place, the bank can be precluded from certain practices beneficial to the bank’s business.

Bank fines represent only a portion of remediation costs. Litigation costs can total more than half the amount of regulatory fines themselves, particularly when customers are harmed. Internal costs to remediate regulatory findings have been expensive. Often, the job responsibilities for companies’ risk professionals have a burdensome span from value-added activities to remediation; this has led to high turnover and costs related to recruiting and training. Lastly, regulators can institute asset caps and/ or limit acquisitions that stifle growth in a competitive marketplace.

In each of these cases, the damage could have been avoided or, at least, minimized by someone asking, “What risks do we face by making this decision?” It is unlikely that risk management policies, practices, and staffing that are established simply to comply with a set of government rules will pursue the right questions at the right time.

Compliance and risk management ask different questions and look in different directions.

Compliance is straightforward, with defined processes and controls. It looks back in time to verify that rules have been met. The OCC requires that risk management policies and practices be established. Has that been done? Yes (check!). The policies require that certain staffing is in place. Has that been done? Yes (check!). As long as the rule is satisfied, then the job of compliance is complete. It is not a matter of compliance to judge the value of what has been done.

On the other hand, risk management looks forward and deals with unknowns. It is an opportunity to explore potential outcomes (both good and bad), understand how those outcomes might affect the business, and make high-quality decisions based on the available data. Risk management evaluates risk versus reward and compares any significant downsides to the company’s overall appetite for risk. The process can be used to select and advance beneficial business strategies or to avoid those that could prove disastrous.

Boards of directors and executive management teams certainly need both compliance processes and risk management to gain a complete picture of the company’s health. While compliance ensures that any gaps in between rules and results are identified and corrected, risk management focuses on business issues with an opportunity to:

• Make informed decisions.

• Predict where threats will appear.

• Reduce costs by identifying and eliminating actions that do not balance risk and reward.

• Innovate, leverage disruptive technologies, and improve speed to market by understanding the product’s risk profile and being prepared to address uncertainties.

By looking toward the future, risk management can also help to offset market entry of and competition from non-traditional players. Banks are playing an increasingly smaller role in the financial system due both to bank attitudes and regulatory differences between banks and non-bank companies.

Risk management brings value to the enterprise but only if it is properly applied and given a chance to succeed. The following four steps are key to unlocking that value.

1. Strengthen the Risk Culture

All employees should be responsible for risk management. Risk should not be the role of only a few. Its principles must be embedded throughout the organization with the entire workforce understanding and supporting the company’s risk attitude and appetite. With the employees’ active involvement both empowered and encouraged, there are more eyes and more attention devoted to identifying, evaluating, and managing risk—all to the company’s benefit.

Building a risk culture starts at the top. The board of directors and senior executives must possess a sincere desire and intent to improve the organization’s awareness of and approach to risk. Values, principles, and expectations should be defined and communicated throughout the company in a manner that is genuine, unambiguous, and compelling.

Programs, based on management’s message, will be required to set policies, educate employees, and drive cultural change. It is not meant to imply a one-and-done approach (in other words: write it, share it, put it on the shelf) but rather a likely multiyear process to embed a new mindset regarding informed risk-taking, ethics, and governance.

As the message starts to move out into the organization, senior managers must serve as role models. Employees are typically skeptical during any change and are quick to identify hollow statements coming from above. If management’s conviction is not obvious and demonstrated, employee support is promptly lost.

2. Integrate Risk Management into Business Processes

A center of expertise will always be needed to govern and guide risk efforts, but this should not be a band of outsiders held apart from the business. By working closely with the business groups, the risk function can help reinforce the risk culture and drive risk practices to the front line. Even better, risk management professionals should understand business processes to ensure activities help drive positive business results at an acceptable cost. As the risk culture grows and the value to the business becomes more obvious, business teams will readily invite the risk experts’ participation.

Embed risk management in the day-to-day thinking for all employees. Every opportunity—reducing cost improving efficiency, enhancing value to customers, etc.—deserves a review of risk and reward sufficient to ensure that decisions account for the potential range of outcomes. When developing new products, consider risks during definition and design rather than during deployment (or, worse, when bad news hits). Make risk a matter of understanding and preparation (less costly) instead of reaction and remediation (more costly).

3. Optimize the Organization’s Design

Many companies task their risk departments with achieving regulatory compliance rather than adding business value. Such activity tends to be reactive rather than proactive, diminishing the value that a risk function can provide if it is positioned to look forward rather than backward.

The compliance and risk roles are both necessary; however, each has a different focus, should have a different mandate, and requires a different skill set. Combining the two roles organizationally is, at best, suboptimal. Instead, handle compliance and risk as separate functions.

The integration point for compliance and risk management can be through reporting. It may be advantageous to adopt digital reporting solutions that provide real-time data and higher visibility to the risk that affects various segments of the business (for example, credit, market, operations, products). Such tools may allow deeper analyses and faster information on which decisions can be made. These tools can be used to consolidate reporting of key compliance indicators (KPIs), key risk indicators (KPIs), and key performance indicators (KPIs). While these indicators may be initiated within discrete departments, be sure to merge the information into a unified scorecard and consolidated reporting that provides the board of directors with an easily understood profile of the firm’s risk and how that risk affects the business.

4. Bring Strong Talent to the Risk Management Team

Risks are evolving.

Market and credit risk are no longer the central concerns as a variety of non-financial risks move to the forefront. A talented team is imperative to identify tangled and complicated threats and assist the business in responding appropriately.

To keep up with emerging trends and to ferret out fresh hazards, skill sets will be heavy in data analysis with expertise in advanced digital tools such as artificial intelligence and machine learning. Business awareness and effective soft skills will support collaboration and communication with other parts of the company.

The ideal candidate to lead the risk team and champion the risk management journey (in most cases, the chief risk officer, or CRO) arrives from a diverse background with broad knowledge skills. An understanding of business and risk is critical. Fluid movement between CRO, COO, and even CEO positions can create an ideal career path to merge business and risk awareness. For example, the CROs for Visa Inc. and State Street Corporation each served as senior leaders in an array of business divisions before assuming their risk roles.

In addition to business knowledge, the CRO candidate must possess an essential set of traits and abilities effective for integrating risk into the company culture:

• Can effectively communicate with disparate stakeholders regarding any aspect of risk, including vision, strategy, appetite, policies, and processes.

• Has the confidence and independence to ask questions, probe for answers, and challenge people to think in new ways.

• Can build relationships and influence others both horizontally and vertically in the organization.

• Contends easily with change, ambiguity, and disagreement.

• Holds an awareness of the digital world and its power to both wreak havoc and provide protection.

To draw employees to the risk role and maintain strength over time, the company must create a safe and desirable career path to enter the risk arena and make plans for keeping the pipeline full (for example, through succession planning). Especially in the early days of a cultural change, there will be skepticism and reluctance to change; this may be a barrier to staffing a risk unit. What are the opportunities for advancement? Will employees be able to move freely in and out of the risk team? Senior management and the new CRO need to understand the concerns, create interest in risk, and fashion job paths that allow employees to find comfort in a change of venue.

Conclusion

Risk management handled correctly is not a check-the-box activity; it can be diluted or obscured if jumbled into compliance activities. It is a forward-looking process that contributes to the bottom line, especially if integrated into the business. Do not treat it as a must-do task but rather as a value-added practice. It provides the opportunity for informed decision-making by judging risk in relation to anticipated reward.

For many companies, separating risk from compliance requires a signicant change of approach. Though an investment in effort, time, and resources, this new direction can bring lasting value and a fresh competitive advantage.