Risk Across the Enterprise

By Evan Sparks

As the U.S. economic expansion stretches into new records, banks of all sizes continue to feel the pressure of growth. Persistently low interest rates—now falling once again—compress net interest margin, which pushes banks to grow so that they can spread their fixed costs over more loans. Meanwhile, rising consumer technology and IT security expectations are pushing banks to merge to gain scale. The past year has seen numerous mergers, including one that created Truist Financial, America’s sixth-largest bank, as well as other deals above the $50 billion asset threshold, such as TCF Financial/Chemical Bank and First Horizon/Iberiabank.

In fact, much of the growth in the industry is taking place in the midsize and regional category. And there to support that growth is the enterprise risk management function—an essential component of a growing bank’s governance infrastructure and, when done right, a key to fueling responsible and sustainable growth for the bank.

Midsize bank growth through M&A, however, requires commensurate growth in the ERM/ORM functions. The $26.2 billion Investors Bank has stepped up, says Ann Caruso, SVP and head of operational risk at the Short Hills, New Jersey-based firm. “It had grown rather quickly through acquisitions and needed a more robust risk function commensurate with the size and maturity and sophistication of the bank.”

The ERM function supports this channel of growth. One midsize bank in the Carolinas has an M&A risk assessment with seven risk categories that get reported up to the risk committee on any potential acquisition target—the kind of reporting that requires scalability in every process.

An M&A transaction involves a healthy dose of reputational risk management—with the acquiring side needing to assess what might happen when it takes over a bank with a strong local presence. And the other side of the coin is that there are sometimes risk-related reasons that a bank is in the position of being acquired. Perhaps it has problems with enforcement actions or a tarnished reputation. ERM must factor in the risks associated with integrating a “problem child” acquiree.

ERM proves its value

M&A gets a lot of attention, of course, but it’s hardly the only risk factor facing midsize banks. Regardless of how banks get larger, it doesn’t necessarily change a bank’s overall risk profile, risk professionals say.

The bigger issue for enterprise risk managers is ensuring the growth of the organization does not overwhelm the people, processes, or technology of the bank, says Nick Piger, VP and senior enterprise risk officer at Banner Bank, a $12.5 billion institution based in Walla Walla, Washington. “Regardless of how we grow, it’s about scaling while meeting the risk profile set by our board, and that may require challenging our frontline partners.” Any growth—organic or otherwise—can be a stressor for ERM, and at the same time a moment for ERM to prove its value.

Ultimately, ERM has to deliver the big picture. “I think that’s the value of ERM,” explains Atul Malhotra, managing director for enterprise risk management at $20.9 billion Fulton Financial in Lancaster, Pennsylvania. “It’s the aggregation of information so that you can tell the story. Otherwise you end up with these little reports. Technically, it’s not even data. Some of it is just information. Literally a PowerPoint here or an Excel report here. We have to figure out a way to bring it all together.”

That big picture analysis sometimes brings challenging news to the fore—information that a business line might have tried to sweep under the rug. When the ERM/ORM function finds out, it goes in the report. The key to ERM’s success, given this sometimes contentious nature, is to build rapport across the enterprise. “If you don’t have that rapport—instilling risk [culture] throughout the institution, which is really our job, the culture is never going to happen,” says Piger. “We’re not going to get anything done if we can’t get rapport with the first line and build relationships.”

When a bank gets that high level of rapport, it can embody the spirit of ERM—risk culture throughout the organization, with every employee held accountable to managing risk in their own areas. “Whether you’re an executive leader or a teller, what can you do to mitigate risk in your area?” as Piger puts it. “If you’re a branch teller, maybe it’s letting [the] BSA/AML fraud [department] know of a suspicious customer. That might be your biggest avenue of mitigating risk. [It’s] a huge avenue for instilling that risk culture.”

Beyond a cost center

ERM can deliver business value as well. One midsize bank ERM executive points to how her team identifies control efficiencies that affect business performance. “In my group right now, we’re going around the bank to all of our level-one business unit owners and we are giving them efficiencies with their documentation structure,” she explains. “In some cases, our accounting department has, say, 14 policies. They could drop most of those non-critical policies into one, drop it down a level for approval, and you have an efficiency at the board level and in the accounting department. Those types of wins help build the rapport.”

Traditionally, Malhotra points out, risk management has been viewed as a cost center. In the highly competitive midsize bank sector, with shrinking margins and pressure from larger institutions, “being a cost center makes it even more important to build that relationship and demonstrate value,” he says. “It doesn’t come naturally sometimes.”

The need for rapport underlines the silo-breaking nature of ERM/ORM. “Even though credit and liquidity are the drivers of significant events or what could really hurt an institution’s capital, when you root cause some of this stuff, just going to the crisis and prior to the crisis too, it invariably ends up being an operational process that didn’t work,” says Malhotra.

Over the past five years, regulators increased their focus on enterprise risk management—in part, risk professionals explain, because the credit risk and liquidity environments have been relatively benign.

Today, after a period of staffing up, risk executives emphasize the importance of right-sizing the ERM function to the bank—making sure that what the bank is implementing meets regulatory expectations but at the same time fits the institution. Fast-growing teams can create challenging dynamics, and a risk team out of proportion to the rest of the organization can be imbalanced.

ERM units are often in charge of risk culture training throughout the organization. “It is almost like religion,” says Caruso. “You’re going out and preaching and saying, ‘You should do this.’”

“That’s the new mantra: ‘We will be evangelical about risk management,’” jokes Malhotra.

But on risk talent, he turns serious again. “When I started at our firm, the single biggest challenge was making sure we had the right talent on the ground that could build the program and tune the program rather than simply execute the program,” Malhotra explains. “Then you have to have a shift. But it can be very disruptive at the same time.”
