In the last few years, this notion of risk has taken center stage.
Today, risk is marked by increasing complexity and velocity, and in light of our mobile, social and big-data landscape, there is urgency around proactively identifying and managing risk. As such, organizations are reassessing fundamental risk management strategies and best practices needed to create and sustain a thriving business.
Risks today are interconnected and horizontal, running across departments and business units. In conversations with CEOs, board members and banking executives, there are a few key overlapping risk areas that are most top of mind going into 2013.
Strategic risk is more connected to compliance risk. New regulations are impacting how banks make money and develop products. There are complexities resulting from the Durbin Amendment, new capital requirements under Basel III and increasing costs associated with understanding and adhering to the expansive Dodd-Frank rules. The demand for mobile payment products exists, but the uncertainty around consumer compliance and vendor governance creates additional hurdles and costs. Product development lifecycles expand as banks take time to review and understand existing and expected rules.
Compliance risk is complex. "Fair lending" requirements seem to impact most products offered by banks. Every loan, every overdraft and every mortgage default resolution requires a fresh eye.
Reputational risks are increasingly linked to operational missteps and compliance violations, civil money penalties and fines. Thanks to social media, pervasive content sharing and strong opinions are the new norm. Smartphones, real-time newsfeeds and geo-located review sites enable stakeholders to publish content that can put entire organizations – or individual employees – in the hot seat. Compliance violations are headline news and penalties can impact earnings.
Operational risk is unavoidable. A greater reliance on vendors and third-parties, and a vulnerable IT environment (as witnessed by recent distributed denial-of-service attacks), means that banks no longer have complete control of their business operations.
Prior to the financial crisis, banks were encouraged to take risks and the government promised to insure their deposits and act as the last resort lender. Elijah Brewer, professor of Finance at DePaul University and former economist at the Federal Reserve of Chicago shared with me some facts he presented at Lawrence University in October 2012: Research shows that roughly 60% of financial firms' liabilities worth an estimated $25 trillion had access to some type (explicit or implicit) of government safety net at the end of 2009. This kind of support for bankers can distort their incentives, and could cause banks to take excessive risks in their loan portfolios. It is this type of behavior that resulted in the probability of default among subprime lenders reaching alarmingly high levels from 2007-2009.
Since then, the government has responded swiftly, raising lending standards and capital requirements. Furthermore, banks have broadened their focus to assess the quality of a customer's underlying assets before approving loans. According to a 2012 research paper written by Minh Nguyen, macroeconomic researcher at Lawrence University, "Lending standards and the corresponding screening process have gotten stricter, and therefore credit risk is likely on the decline." As a result of scrutiny from their boards, a tighter review process and more frequent loan reviews, most banks have a better handle on their credit risk going into 2013.
When it comes to New Year's resolutions, there are plenty of best practices to consider. Some of the most successful banks are rethinking their approach to risk management and have defined their business processes and linked them to risks, controls, policies and even their vendors. This helps ensure that stakeholders can collaborate to assess the impact of key risks on broader business objectives. Successful banks are also focusing on education and employee training courses.
Additionally, successful banks are establishing a formal enterprise risk management department that creates frameworks and processes to routinely assess risk, ensure continuous monitoring and provide "enterprise-level" reporting to management and the board. The EVP of Enterprise Risk is emerging as a key role, but more than ever, banks are looking to every single employee as a risk owner acting as the first line of defense.
Audit departments are also tying resources to real risk exposures, and audit plans themselves are becoming risk-based, not calendar-based. Auditors are also moving away from merely executing audit-related tasks to analyzing trends and connecting the dots.
Lastly, successful banks are tying compensation to risk management by establishing performance scorecards that allocate 10%+ of variable compensation to metrics around audit findings, repeat findings, closed issues, risk self-assessments and scheduled control testing.
No doubt the uncertainties facing banks will continue, and risk management will continue to require more innovation, more resources and more qualified people.