What is Risk?
The latest examination procedures are based on risk. They direct examiners to take a top-down look at the institution and evaluate policies and procedures in the context of risk. CIP rules require institutions to base their procedures on risk. Anything you hear about seems to be in the context of a risk-based analysis.
Risk is today's watchword. We hear it talked about, we use the term, we even pretend to know what we are talking about. But there is a moment when things hit the wall and we have to ask ourselves what this risk stuff is really all about?
Simply defined, risk is something bad that might happen. Risk is figuring out the likelihood that something bad will happen. Risk management is managing the business to minimize the bad things that happen.
This sounds simple, and it is - more or less. The hard part is figuring out what might go wrong. This is where risk management becomes an art as much as a science. It is tempting to look at risk in only one dimension. The most common method of looking at risk is to look at specific aspects of the internal functions, such as software, staffing, or training.
But the fact is that risk comes from many sources, and you must consider all of these sources when you assess your institution's risk. Sources of risk may be outside of your organization and even outside of your control. For example, your market demographics may present a type of risk. Your location can be a source of risk. Even your climate may generate risk.
When you evaluate your institution's risk exposure, be sure to consider all sources. Look at the risk sources highlighted below in the context of your institution and your market. Be sure to look hard at your organization's culture as well as the more easily measured risks from products and systems.
Internal Sources of Risk
- Complexity of the activity: The more complicated the activity, the more skill is needed to get it done right. Would you ever tell an untrained person to prepare a commercial loan for closing? Complexity also includes product structures. Discounted adjustable rate mortgage loans are more complex than a 3-year unsecured consumer loan.
- Frequency of activity. There are two types of risk related to frequency. One is that a built-in error on a frequent activity will happen a lot. Alternatively, an infrequent activity has high risk because of lack of practice.
- Breakdowns of systems: We went through this in Y2K and again for Hurricane Isabel. What happens when there is no power or the system goes down? Doing business in Hurricane City, Florida has different risks than doing business in blizzard-driven Buffalo, NY. Different disasters cause different types of breakdowns.
External Sources of Risk
- Location: we all know that location in a high crime neighborhood or in certain types of locations can increase risk. Location also affects your ability to deliver products and train and manage staff. Remote locations increase the difficulty of consistent handling of transactions and situations.
- Types of Business: Basic checking and consumer loans may not get very complicated. But as bells and whistles are added to make products attractive or competitive, risk increases. Complex products require higher skill levels to develop and to deliver the product.
- Customers and demographics: When it comes to the risk your customers bring, the possibilities are numerous. They range from lack of skill in banking with related mistakes, to highly skilled crime. Customers may also bring unusual transactions, especially if they come into your market from other cultures.
Controls for Risk
- Training: Training is the most basic and most important aspect of minimizing risk. Without adequate training, you cannot have confidence that all staff have the necessary skills to do the job right.
- Practice: People don't say "practice makes perfect" for nothing. The fact is, the more someone performs a task, the better at it they become. They get faster and more accurate. So a common task should present lower risk than one that is performed only rarely. And of course, the simpler tasks on basic products get more practice. It is the complex products and services that provide the most challenge.
- Tools and Software: It's how we get the job done. Tools range from little cheat sheets, such as a list of local routing numbers, to checklists for loan files. Software can ease the job by doing part of the work. It can even be hard-coded, such as automatically placing holds, to ensure that the job is done right.
- Communication: How an organization communicates within itself is critical to managing risk. There must be two elements to communication. First, the communication itself. If information does not pass through and around an organization, things can go wrong without management's awareness of any problem. Second, and perhaps most important, is the willingness to communicate. Staff must feel safe reporting problems. The organization's culture should support communications, not discourage them.
Copyright © 2004 Compliance Action. Originally appeared in Compliance Action, Vol. 8, No. 15, 1/04
First published on 01/01/2004