Risk Management in an Uncertain World
By Kevin K. Watson, AuditOne LLC
Piloting the bank in an uncertain world is not easy. Most of us in the banking industry have taken some major hits over the years, even to the point of sinking the ship. This is especially so in recent times. A bank director must be able to provide management with the direction and oversight that ensures the proper course is set to avoid the biggest waves, but still reach the destination on time and with the cargo intact. This is risk management. Before getting caught up in the fine details of risk management, a director must understand the big picture. It really only involves three steps.
The first step is risk identification. It is of no use performing fancy risk management techniques if you don’t have a mechanism to see the big waves before they hit you. This mechanism is your risk management policy and also supplemental policies for other risks such as your loan policy and your ALCO policy. These policies should describe the method, timeframe, and responsibilities for risk management.
One of the important elements of the methodology is the enterprise risk assessment. Properly implemented, the enterprise risk assessment is updated regularly and considers all of the major risk events that could occur. Of course, that is much easier said than done because we can’t easily visualize major swings or paradigm shifts in the economy or banking environment. However, we must acknowledge the possibilities. For example, asset prices that have experienced extreme appreciation or depreciation will eventually result in a pronounced correction like the one we are experiencing now. We just don’t know when it will be. A risk model that analyzes risk from multiple directions will help ensure you’ve covered such major possibilities. We suggest rating risk by function and also by a risk framework such as COSO,
Once you’ve identified your risks, the second step is mitigation. This can take many forms including, but not limited to, hiring the appropriate management, experts, and clerical help, or tightening standards and policy limits. Also, internal controls such as segregation of duties or additional review points may be added or enhanced. Mitigation activities are only effective if they are actually working, so a monitoring program needs to be in place to ensure effectiveness. The primary monitoring tools are reporting mechanisms to track mitigation, including monthly and quarterly board reports, and also an effective internal audit program. With regard to internal audit, it is the audit committee’s direct responsibility to ensure the audit plan appropriately covers the higher risk activities identified in your risk assessment. This can be accomplished with a risk-based audit approach. An effective audit approach is to consider the assessed inherent risk for each audit scope area. Ideally, this information will be available from the risk assessment model.
The third step in risk management is risk acceptance. You can never mitigate or resolve all of your risks. To do so would be so costly as to consume all of your profit margin. For many risk elements, you will be left with some residual risk that cannot be cost-effectively mitigated. Of course, that’s what the business of banking is all about: accepting some residual risk, such as credit risk, and being compensated for it. However, the prudent response to living with material residual risk is to ensure capital is sufficient to withstand a risk event.
Realistically, the board will hire banking executives who will hire a risk manager to deal with the fine points of all of these risk concepts. However, it is the board’s direct responsibility to ensure that risk management is appropriately implemented. The alternative is an imprudent gamble that the bank won’t be steered into the path of a “Titanic”-sized iceberg.