Looking For Risk Management (6 Action Steps)
There is no absolute for designing a risk management program. Each institution's program will be different because the program should be designed to respond to and manage a unique set of risks presented by that institution and its market. In addition to guidance from the agencies, the best resource is experience. This article presents ideas from several battle-scarred veterans and from us.
Defining the Concept
Managing people or managing products is pretty clear. Managing risk is amorphous at best. So the starting point is to have a clear idea of what should happen - what managing risk really is.The agencies have made one thing clear: buying insurance is not managing risk. Insurance may prove helpful with the dollar damage, but it neither manages risk nor controls it.
Risk management means knowing the amount and type of risk the institution faces, how that risk is affected by markets and products offered, and how that risk can be managed to an acceptable level.In one large institution, the approach has four key steps. These are a governance structure, a culture of compliance and ethics, risk identification, and risk ranking. The bank then designs both preventative controls and detective controls to manage risk.
Several aspects of this approach are significant. First, risk management is part of governance. Without belonging to corporate governance, risk management has no roots. Corporate governance gives form, structure and authority to risk management. Corporate governance also establishes the institution's culture and ethical environment.
An institution's culture has a great deal to do with the acceptance of risk. A culture that is careful and ethical, that places accountability for ethical action, is a key component of managing risk and influencing risk-based decisions. Without this culture, individuals throughout the institution are more likely to take dares, ignoring risk, in order to meet targets or reach some other personal benefit. The culture and ethics of an organization have everything to do with the amount of risk an institution will accept and the way in which that relates to customer service.With governance and culture in place, the institution can turn to identifying and ranking its risks.
Some risk is the direct result of regulations. Those regulations that top the common violations list, Truth in Lending and RESPA, are simply harder to comply with and easier to violate than many other regulations. This can be defined as inherent risk. It is simply there, by definition.The actual amount of inherent risk varies based on many factors, including products offered, product delivery methods, markets, and tools. The analysis of inherent risk should lead to the methods for managing that risk.
Residual risk is the level of risk that is left after risk management and controls have done all they can. An assessment of residual risk is the point at which the institution must make the choice to accept the risk or not. If the residual risk is unacceptably high, there are two choices: eliminate the product and the risk associated with it, or increase risk controls.
The simple way to describe sources of risk would be to say "everything!" But for purposes of a management program, there are specific areas you should study.
The products and services you offer are the core around which regulatory requirements - and therefore risk - revolve. Complex products generally entail more compliance risk. Aggressive marketing for certain products, such as interest-only loans, can involve risk. In contrast, the basic products offer less risk. But if you choose to offer only basic products, you are likely to take on the risk of losing market share. How much risk to take and in what form is a business choice.
Next, you need to consider your location. The nature of your market may have a great deal to do with risk. Some offices may be vulnerable to crime because of their location. Branches with easy access to highways are also easy targets because they offer an escape route. Or, the market may be vulnerable to natural disasters. A hurricane or forest fire can present risk. Markets that are economically dependent on a single large employer can be crippled if that employer announces a major reduction.
Some markets offer culture and language challenges. And many markets have a great deal of diversity. The market may include sophisticated customers or may be dominated by customers who are new to banking. These customers have very different product and service needs - and different expectations.
Risk can come from some unusual places, such as the number of regulatory agencies you must deal with.
Finally, don't overlook your vendors or other third parties. In many ways, you are dependent on them and the way in which they structure their products.
Mitigating Risk: Prevention
Inherent risk can be mitigated with properly designed preventative controls. Step one, as always, is policies and procedures. The policies and procedures lay the framework of expectations and performance level. It is in policies that non-discriminatory practices are addressed. It is in procedures that content and timing are specified.
Next comes accountability without which policies and procedures have no power and no effect. Accountability is what communicates the expectation that the job will be properly performed. Accountability says "we mean what we say." And, accountability enables the institution to hold employees to the expected standard and to take action if the employee fails.
Training and communication are essential. You cannot expect an employee to do the job and do it correctly unless the employee has been fully instructed on methods and expectations. Training is where this happens. The higher the risk, the more training is needed to ensure that the jobs are properly performed. Training is when we tell staff what to do. It is also important in training to tell them why - to communicate the consequences. Without knowledge of the consequences, staff may feel free to set their own risk priorities - and ignore yours.
Communication - clear and straightforward - is also essential. Communication is part of training, but communication about regulatory requirements and job expectations must continue in between training events. Too often, we fail to communicate clearly. We also overlook people who need to get the message.
Tools are the next most powerful tool for mitigating risk. Some tools are manual. The tool may be as simple as a list of local routing numbers at the teller's window, or it may be a detailed checklist on how to determine whether a loan is a high-cost mortgage.
Tools can also be sophisticated. Compliance software is everywhere. But buying software is not enough. You need to be sure that the software does what you need it to do and you need to be sure that staff knows how to use it. This kicks back up to training. Some of the most expensive systemic violations have occurred when an employee uses software incorrectly.
Finally, all risk mitigation must be subject to constant oversight and reporting. This not only provides management with an accurate measure of the risk program at any given time, it also alerts management to emerging areas of risk. Sending all those reports around is essential to a successful risk management program.
Mitigating Risk: Detection
It isn't enough to develop and implement plans to manage risk. You must take steps to be sure that the plan works and continues to work. In general compliance parlance, this would be the monitoring and auditing components. When thinking about risk, however, you may want to add some dimensions or responsibilities. Monitoring is the business unit's self assessment. Rather than monitoring, the term self assessment may communicate greater responsibility to look for and think about risk beyond the checklist assignment.
The business line should have specific steps to cover in compliance monitoring. However, the business line should also have the responsibility of recognizing emerging risk, or existing risk that somehow escaped notice. This is an affirmative, active responsibility that means much more than filling out a monitoring check list.
Risk detection also entails both internal and independent audits as more detailed analyses of risk and compliance levels. So audits and examinations must remain a core element of the program. However, they are only as useful as the use you make of the findings.
- Think through how you communicate about compliance and risk throughout the institution. Identify any changes to ensure that the word gets to the right place.
- Look at your markets and identify the three most significant features in each market and the risk these features present.
- List all your products and rank them by the type and extent of risk they present.
- Go through the list of regulations on page 4 and study the risks carefully in the context of your institution. Add, delete, or edit as appropriate to develop your own regulatory risk list.
- Review the tools and systems you have for risk management. Identify inherent risk and residual risk on your list. Consider whether more or different tools are needed.
- Consider how the institution responded to recent audit and examination findings and decide whether the response was appropriate. If not, there's work to be done!
Copyright © 2006 Compliance Action. Originally appeared in Compliance Action, Vol. 10, No. 16, 1/06
First published on 01/01/2006