By Monica C. Meinert
Enterprise risk management has become a widely talked-about topic across the industry by both bankers and regulators. As risk managers and bank executives work to keep pace with rapid innovation and increased regulatory pressure, ABA recently held a briefing on the top risks facing financial institutions in 2016.
“Examiners are asking [banks] tough questions,” observes ABA SVP Ryan Rasske. “How their governance is set up, how the information is flowing both up to the board and back down to the business lines. Does the first line understand that they own the risk and have the controls in place to mitigate [those risks], along with second and third line oversight?”
With examiners continuing to raise the bar for enterprise risk management, presenters at the briefing identified several risk categories that banks should pay particular attention to this year.
Credit risk
When it comes to credit risk, risk managers must have a good “situational risk awareness” of current market conditions, monetary policy and potential sector-specific disruptors, and understand how those factors affect the bank’s balance sheet, says Clifford Rossi, a finance professor at the University of Maryland’s Robert H. Smith School of Business and a keynote speaker at ABA’s Risk Management Conference in April. “It’s important to constantly refresh the information that you’re getting,” Rossi explains. “These things can come home to roost very quickly within your own balance sheet from a credit risk standpoint if you don’t focus on understanding how [they] can actually migrate into your portfolio.”
High loan concentrations continue to be an area deserving of extra caution, particularly for banks that are closely connected to the volatile energy sector, as they can leave the portfolio more vulnerable to sudden market fluctuations, the presenters pointed out. Commercial real estate, for example—which has been especially attractive in recent years—could weaken if interest rates move higher or as a result of changing office space trends, notes Jason Painley, chief risk officer for Park National Bank, a $6.9 million-asset institution based in Newark, Ohio. Painley will also address the Risk Management Conference.
In addition to having a good awareness of external factors, Painley says it’s important for the board and bank management to continually revisit their risk appetite framework as market conditions change or new products roll out. And when considering growth opportunities, banks should carefully assess whether risk exposure will increase.
Market risk
Uncertainty surrounding the current rate environment is among the top concerns related to market and liquidity risk. “[Global] markets are realizing that since the crisis, central banks don’t have a lot of policy ammo left to tackle emerging crises as they happen,” Rossi says, pointing out that some overseas economies are starting to see negative interest rates, and that there has been speculation in the U.S. that the Federal Reserve could explore that option at some point in the future.
While the Fed previously signaled that rates may start moving upward following an initial increase in December, lagging inflation and a continued decline in oil prices have slowed that progress, and Painley says it’s becoming more likely that there will not be an additional increase in 2016. With that in mind, banks should ensure that boards and management understand the implications of the current rate environment and their level of interest rate exposure, and conduct sensitivity testing under different rate scenarios. They should also carefully consider whether reaching for extra yield is worth taking on higher liquidity risk, he adds.
Operational risk
As new rules and regulations are issued, expanded and revised, many banks are layering new compliance functions on top of existing operational practices, which can lead to inefficiencies that not only expose the bank to more risk, but also negatively affect the bottom line, Painley says. One way to mitigate this risk is to implement a process review and improvement program to identify and correct operational inefficiencies. Bank management should work closely with compliance, risk management and audit teams to set operational performance targets for the institution while ensuring that any improvements don’t compromise compliance standards.
Another area risk managers should be focused on from an operational perspective is information security. With cybercrime continuing to evolve, Rossi believes that the potential for a large-scale, coordinated cyberattack by a terrorist organization is increasing—something the entire industry should be preparing for.
From a practical standpoint, he recommends that banks thoroughly evaluate their internal vulnerabilities and develop a “playbook” that outlines a response plan for a variety of different scenarios. “Having the right security protocols in place to understand what’s coming at you in this day and age is vital.”
Painley adds that awareness, training and education are crucial in the ongoing fight against cybercrime, and that regulators are beginning to expect banks to take the lead on educating not only their employees, but third party associates and customers as well.
Compliance risk
Compliance has become a central point of focus in the years since Dodd-Frank, says Rossi, and as a result, bankers have become so concerned with “crossing the T’s and dotting the I’s on the regulatory side that they may be distracted from other areas that could impact the institution down the line. With more staff time and resources being diverted to compliance functions, “there is an underlying risk of what’s not being focused on as a result of focusing on all the rules and regulations [banks] have to comply with,” he cautions.
Painley adds that it’s critical for banks to understand how compliance functions intersect with operational risk. When banks use modeling tools to assist with their compliance processes, for instance, accurate data input is critical. If the wrong assumptions go into modelling, it could lead to greater risk exposure, he says.
Strategic and reputational risk
When assessing strategic and reputational risk, “it’s really thinking about change, and knowing that game changers are currently at play within the industry,” Painley observes. As new technologies and alternative financial service providers emerge, banks must be forward-looking and strategic in meeting challenges and opportunities they present.
“Resistance to change is probably one of our greatest risks on the strategic side,” he says. “Banks need to be flexible. They need to adapt, they need to innovate. If we don’t, someone else will come in and call those shots for us. It’s either change on our own terms or change on someone else’s.”
The future of enterprise risk management
Enterprise risk management will undoubtedly continue to take on even greater regulatory significance for institutions of all sizes in the months ahead. Rossi and Painley both agree that it’s essential for banks to understand not only the risks related to specific areas, but how those risks intersect and affect the entire enterprise.
And while banks are building out their risk management systems and practices to satisfy regulatory expectations, Rossi emphasizes that building a strong risk management culture should be first and foremost a business priority. “Do [ERM] for your firm first, and secondarily for any regulatory requirements,” he says. “If you focus on it at the firm level, you’re going to build the right culture and instill the right discipline that goes all the way for the board level down.”
