Do You Want to Manage Risk – or Reduce It?
By Pam Perdue, Continuity Control
I was talking with a group of bankers the other day who had just heard the rallying cry that “risk management” is a hot topic. When I clarified that the concept of risk-focused supervision had been around since 1995, when the Fed’s landmark Supervision and Regulation Letter 95-51: “Rating the Adequacy of Risk Management Processes and Internal Controls” was published, they were shocked. This seasoned group of top-level executives was even more astounded when I asserted that the traditional models of managing risk would fail in 2012 and beyond. Why? Because traditional models fail to reduce risk exposure; they look backward, not forward; and they neglect to leverage the technological advancements that have occurred over the past two decades.
When you stop to think that the basic compliance risk management tools (calendars, word processors and spreadsheets) now used by most community banks were invented almost thirty years ago (Microsoft Word came out in 1983), it’s no wonder that our ability to reduce risk has been constrained in the ways it has. Using these antiquated tools, an institution’s chief risk officer (a career field that’s grown exponentially in the past decade) is forced to apply three basic methods used to cope with risk. Your bank can:
Assuming you’ve decided to accept the risk, now comes the task of reducing it. This is where traditional models for managing risk start to crumble. They call for risk reduction to occur through a convoluted, time-consuming series of events – beginning with a risk assessment process which does little to improve the effectiveness of the controls that reduce your risk exposures. This misallocation of resources reduces the best minds in the bank to creating massive spreadsheets and wasting hundreds of hours, while forgetting the regulator’s mantra: Identify, Measure, Monitor and Control. The result is usually a hefty document, a “paper tiger” that may look fierce at first glance, but fails to satisfy the regulator’s expectations.
Using traditional models, after defining where risk is coming from, institutions then identify and adopt a series of procedures to reduce that risk. Those procedures are then evaluated for effectiveness through an audit process that defines the remaining risk, otherwise known as residual risk. In an environment where risk conditions and regulations can change daily, what good is it to know what went wrong nine months ago? Not much. Yet most institutions rely on a periodic look-back, such as an audit, to inform their management decisions. They do so because they have not deployed the right tools or methodology that would allow them to gather real-time results, and achieve real-time risk reduction.
The flaw here is that traditional models do not devise and deploy any reliable means of measuring or monitoring risk exposures. With so-called controls (like policies and procedures) entombed in binders and files that are rarely referenced, measurement becomes a challenge, if not an impossibility. This ineffective method leaves bankers, like you, wondering why actual risk reduction didn’t occur. When risk reduction is treated as an afterthought because so much time is spent on the detail of assessing risk on paper, the primary objective is not met.
The true determinant of risk is the proper completion – or lack thereof – of daily frontline activities. The traditional mindset has held that it is the compliance and/or risk officer’s responsibility to reduce risk. In reality, it is the performance of your frontline as they go about their daily business that determines whether the institution is in compliance – or not. Remember that pristine risk assessment that consumed vast resources? In some scenarios, the message failed to trickle down to the frontline, so they continued their errant behaviors, unchecked.
The alternative solution is to rethink this process. Flip it on its head. Focus on the controls you need to deploy to vaporize risk exposures. When you create a well-defined and well-enforced controls environment, you empower your frontline staff to actively confront and reduce risk as they encounter it. Using well-articulated processes and reliable monitoring methods offers you real-time risk reduction. Your reward is the ability to control risk to levels which, as the regulators themselves say, are “commensurate with the institution’s risk appetite.” Instead of a point-in-time method that sorts through the aftermath, you have a real-time approach that prevents problems before they happen. In addressing the entire risk reduction process, rather than falling into the trap of endlessly assessing and re-assessing risk, you provide regulators the fundamental risk-reduction evidence they seek.