Over the last decade or so, banks’ compliance priorities—and compliance budgets—frequently funded only priority risk activities. A new era is now in full bloom with an agenda for increased overall operational efficiency and increased expectations for the effectiveness of the risk function. Financial institutions are establishing measures for the total cost of risk management activities and the value they contribute to meeting business objectives. Boards and senior management are setting high expectations for the alignment of the risk function to business strategy. The risk function is increasingly expected to act both as a cost-avoidance and brand-protection lever for the business as well as one that informs on value creation.
This all comes at the same time new technologies in banking are introducing new risks as well as opportunities for operational efficiency. The rapid emergence of the generally unregulated fintech industry also ushers in a new way of looking at the traditional risk management operating model. The new banking ecosystem that extends beyond chartered banks and into technology and process providers elevates operational risks such as cyber simply by virtue of the data that is being transmitted across them and the channels that connect these networks.
According to Grant Thornton and MIT’s The Risk Management Function of the Future study, its operationalization beyond compliance is transforming risk management to a value-added function.
Some mid-size banks are starting to combine risk management and compliance functions. One super-regional bank is evaluating the effectiveness of its risk function and incorporating branch strategy and cybersecurity as part of an overall financial efficiency program. Many banks have already starting to deploy artificial intelligence in first line of defense processes such as underwriting and pricing and reducing emphasis on traditional risk “monitoring” functions. Even the accounting profession, through FASB’s ASC-326 (commonly known as CECL), which introduces significant changes in credit risk impairment recognition, requires close alignment and collaboration between the risk and finance functions.
The cost associated with an institution’s risk function is especially salient. The attribution of the cost of risk management to revenue generation has not been standard practice across all banks, especially for highly regulated institutions. In fact, the notion that risk management is regarded as a strategically important function is still nascent. In comparison, the risk function of non-regulated financial entities is typically leaner and more streamlined from a process perspective. As one executive from a non-regulated financial entity explained, “The role of risk management is to define what is needed to approve a certain type of loan or deal, not to always be the bad credit guy declining deals.”
For institutions to realize risk transformation, the industry must embrace the performance of the risk function in terms of effectiveness. Second, measures for risk effectiveness must be defined to enable business strategy alignment.
The quest for gauging risk effectiveness starts at the very top. Institutions have begun evaluating the role of the board versus senior management in terms of risk management in response to recently proposed supervisory guidance from the Federal Reserve Board. There is a movement toward establishing clear expectations for both board members and senior management on accountability of risk management and overall board effectiveness. At the operational levels, there is lots of opportunity to practically improve the effectiveness of risk activities from deploying an industrial strength “RCSA 2.0” (Risk Control Self-Assessment) to integrating key risk indicators (KRIs) with bank performance, aligned to business strategy and granular risk appetite statements.
Establishing a baseline for an institution’s total cost of risk is an excellent start at measuring risk effectiveness. This would require cost attribution to risk activities followed by aggregation at the right level in the organization. Measuring the quality of how risk activities are being performed should also be considered as a contributor to efficiency. Data risk as a category of operational risk, and how it is managed, will also affect the accuracy of as capital and financial forecasts. With respect to regulatory “matters requiring immediate attention” and “matters requiring attention,” the timeliness of responses should also be a measure of effectiveness. Finally, institutions are also identifying income generated or financial or strategic benefits resulting from risk management activities.
Transforming the risk function to be more effective is becoming an explicit objective. Cost containment is one of those imperatives that directly feeds into effectiveness metrics. Institutions need to establish a framework for measuring risk effectiveness as a first action. The framework should include resiliency as a key concern. A second action would be to integrate new data and workflow technologies that will facilitate risk management effectiveness. Institutions should embed new non-financial risks into existing risk management frameworks. Banking operations, third-party vendors, customer channels and other industry elements are continually evolving, introducing new risks into business processes. Finally, organizations need a robust change management program to adopt a risk-conscious culture that supports a new way of executing risk management. No longer relegated to a second-line activity, the evolved function will have a prominent role in improving business performance.