Right-Sizing Risk Management: Four Steps to Avoid the Mistakes of Big Banks

For many financial services companies out there, look out – the risk management carnival may be coming to your town!

Virtually every “non-bank” segment of the financial services industry is bolstering risk management functions, in areas such as cyber and information security, third party risk management, and operational and enterprise risk management and governance.  

Asset and investment managers, insurance companies, payment companies, large FinTechs and financial utilities – their boards and their regulators increasingly expect them to establish some of the key risk management practices that large banks have put in place since the financial crisis.  

The same holds for small to mid-sized banks, notably those that are approaching $10 billion in assets and those that are larger but have yet to demonstrate a command of the risks covered by these disciplines.

In many cases, some of the standard, large-bank risk programs will not apply.  Firms are simpler, they play in a narrow segment, they are less regulated.  Nonetheless, they’re nudged to look in the direction of the large banks: what do they have in place? How did they get there?  And this glimpse causes foreboding.

“Beware the risk management industrial complex.”  

Thus quipped a U.S. senior policy maker at an address at the Clearing House’s recent Annual Conference. The remark triggered laughs from the crowd of several hundred financial executives, many who work at large banks and have suffered through the build-out, remediation – and in too many cases, over-engineering – of risk management-related functions over the past decade.

Three weeks earlier at the 2018 Risk Management Association Annual Risk Conference, bankers from large and regional banks recalled similar challenges throughout three days of panels, presentations, and workshops.

Common complaints:  The processes were check-the-box exercises.  There was a lack of role clarity and accountability. The processes were task heavy and too manual.   We were reacting to numerous issues related to smaller risks and not focused on the risks that were keeping me up at night. We’d spent a lot of money – and weren’t seeing the return.  RCSA (risk and control self-assessment) was tedious, resource intensive, and a waste of time.

The strongly encouraging news is that the vast majority of large banks have moved beyond build-out and remediation and on to right-sizing and refining these programs.  The large banks endured the growing pains; and, the programs work, in that they generate valuable information for the risk profile and aid strategic decision-making.  

So, what can firms learn from the experiences of large banks on how to select and develop – but not over-engineer – risk management functions which are right-sized for the firms’ size and complexity? How can these firms skip the growing pains?  And develop programs that truly drive business value?  

Below are four key takeaways:

1.     Risk Needs to Understand the Business

Those charged with designing and implementing risk management of a business should, well … understand the business.  But, of course, you say! How could it be otherwise?

Sadly, during build-out a common criticism by business leaders was that their risk partners, when pressed, stumbled to articulate the business value of risk management activities.  And, although conversations got mired in the merits of the program, often the underlying problem was that the risk partner did not understand the business to begin with. The risk partner wasn’t a strategic partner but merely a risk technician.

In order to tailor, direct, and course correct the scope of risk management activities, a risk leader needs to understand the fundamentals of the business:  financial and operational wiring, external and internal dependencies, weaknesses and competitive advantages, and strategy. This is no different than a trial lawyer needing to understand the facts and evidence before trying a case, or a doctor needing to understand the patient’s history and symptoms before making a diagnosis and prescribing a course of treatment.

A failure to understand the business often results in employees executing risk programs rigidly and too broadly.  Program execution may become an end in itself, a time-consuming check-the-box exercise, rather than a key driver of business value. 

2.     Focus on Key Risks

Another frequent observation was that, as risk programs were deployed, the business leader began to experience disturbances to the daily environment:  invites to new meetings; thicker board decks; a marked increase in employee activity, motion and unspecified anxiety; reports with dashboards of red, amber and green; trackers for completion of unintelligible milestones. And, in very few places – or, sometimes, nowhere – could the business leader find reference to the big risks keeping him or her up at night.

Risk processes should be catching the big and little risks. And, often, may indicate that there is nothing much to see here (which is a comfort certain risk programs are designed to reasonably provide).  But, again, the complaint:  everything gets tracked, everything gets reported, and it’s difficult to determine what is important and what is not.

First, reports should be structured around what’s important – I don’t need the kitchen smoke alarm to beep when there is no smoke.  Second, although developing a risk program requires more activity and tracking of the build-out progress, the rollout should be incremental and orderly, absent compelling or urgent circumstances that warrant massive and rapid remediation (e.g., your firm is hemorrhaging losses, your regulators have set up a permanent office in your executive conference room).  And, regardless, in no case should the organization feel like it’s losing sight of the ongoing identification and monitoring of its key or “material” risks.

In fact, risk practices are generally designed to inform the material risk profile, by providing new data points that either affirm or alter your views on key identified risks or alert you to previously unidentified risks.  An astute risk leader will structure agendas, discussions, program activities, and reports around “material risks” – or at least lead with the material risks.  And, if any risk management activity doesn’t lead to or clearly affirm the absence of something material, then it has minimal business value and should be rightly regarded as a waste of time.

3.     Clarify Roles and Responsibilities

Risk identification, assessment and mitigation involve many stakeholders; so, when it comes to hashing out responsibility and then executing, nobody should be surprised at a few early-stage missteps.  However, firms should take note that large banks continued to struggle – even after many years of operating under the three-lines-of-defense model, which assigns risk ownership, oversight and assurance.  

The confusion isn’t so much about the division of labor across the three lines of defense (an org model, by the way, that is generally not regulatorily required of smaller banks and non-bank firms).  Rather, the questions of accountability seem to crop up around who owns the risk and who owns the control and its remediation.  

The line of business usually owns the risk, but often technology or back-office operations own the control.  So, when that control breaks – who pays?  Whose resources are used to remediate?  Whose report is flashing red?  Suddenly, there are two execs looking at each other like a doubles pair in ping pong (“No, wait, I thought you had that one….”).  And, more often than finger-pointing, they with good intentions agree that each is equally responsible – which means nobody is responsible.   

Clarifying accountability early on and reconciling pain points periodically are critical for efficient day-to-day risk management and also, more importantly and strategically, for creating a strong sustainable risk culture.

4.     Build on the Risk Management Practices Already in Place 

Following the financial crisis, large banks scrambled to remediate risk programs.  Timelines were aggressive, and failure was not acceptable to the regulators and boards.  To “get it right,” many firms brought in external experts across multiple disciplines and, in some cases, designed new programs from the ground up rather than leveraging existing but broken processes.   

Results were mixed, but two common problems emerged.  First, the “broken” programs included a lot of things that worked just fine; it would have been less costly, quicker and better for morale to build upon what was working rather than taking a new gold-standard process and trying to conform current practices to fit.  Second, new programs grew up autonomously and weren’t aligned.  For example, many banks developed separate assessment programs for information technology, operational risk, and compliance, notwithstanding that they share some common controls.  So, business partners might find themselves testing the same control under multiple uncoordinated assessment exercises, which is about as much fun as going to three different dentists to fill one cavity.    

Smaller banks and non-bank financial services firms today are in a much better spot.  Not operating in a harried environment, they can thoughtfully decide whether to build upon what they have rather than start from scratch. Consider those control processes you already have in place across your organization, in finance, technology, operations, legal, compliance and risk! 

There are numerous examples, some applicable only to certain companies, and not enough space here to list. But here are a couple:  Procurement.  Although not thought of as a control function, Procurement performs due diligence, defines controls, and reports out on third parties.  If you need to develop third party risk management, why not incrementally layer those responsibilities on Procurement?  May be cheaper and more effective than standing up a separate third party risk management function….  Payment companies that need to strengthen operational risk controls?  If you deal with credit cards, you likely already have related controls in place to comply with the Payment Card Industry Data Security Standard (PCI DSS).  Consider using any existing control assessment program as a platform rather than creating a separate one.

To Wrap Up

Although the journey to risk management maturity was painful for many large banks, they should be commended for their fortitude (Winston Churchill:  “If you’re going through hell, keep going”) – and especially their results.  The large banks have the best practices, and other financial firms smartly draw on this expertise.

These firms have numerous advantages to avoid the growing pains of the large banks after the financial crisis.  They are not dogged by regulatory problems, they are less complex, they are generally more entrepreneurial, they operate more leanly, they likely don’t need the gold-plated versions of many large bank risk programs.  Leadership’s insistence on business value in all things – so embedded in their culture – should serve them well, in that they are predisposed to the four key practices above:

-      Understand the business

-      Focus on what’s important (key risks)

-      Make sure everyone knows their job

-      Build on the good stuff you already have in place

Sounds easy, doesn’t it? 

Much better to go to the carnival for fun, rather than making it your workplace.