Ed Dwyer and Ellen Rose
Imagine a time in the life cycle of your financial institution when you truly find the right balance between revenue growth and risk management. A time when your employees have such clear expectations and role clarity that minimal obstacles exist in their paths to career success. Imagine actually thriving in an industry fraught with change. Now is the time to put that imagination to work in deploying Next Generation (Next Gen) Enterprise Risk Management (ERM) within your organization.
ERM and the concept of a financial institution’s risk framework have been promulgated by various regulators since 2014, when the Dodd-Frank Act was enacted in the wake of the financial crisis, and banks have accordingly prioritized compliance in risk management. With compliance management systems now well in place, the emphasis shifts to balancing growth with risk management and preserving your organization for the next generation of employees and customers.
Next Gen ERM achieves this balance with strategically aligned people, processes, information, and technology. It empowers employees and reduces costly redundancies by clarifying roles and responsibilities, encouraging collaboration, streamlining processes, and increasing the transparency of management and governance. Notably, it increases the focus on business units as the first line of defense against risk.
Ten Years After
As the industry continues to evolve into late 2018 and beyond, most financial institutions are taking a hard look at the effectiveness and efficiency of their three lines of defense (business lines, compliance departments, and audit teams).
The regulatory environment has shifted, as a new leadership team has been put in place by the Trump administration—but not necessarily toward a less stringent approach. It is common at industry conferences to hear senior officials from the Federal Reserve, Office of the Comptroller of the Currency, Federal Deposit Insurance Corporation, and Consumer Financial Protection Bureau deliver a clear message: Do not think regulators are going to relax their oversight or enforcement of the laws and regulations of this country. Safety and soundness remain the mission of these and other regulators.
There is another reason financial services companies need to be as diligent as ever. The deeper we go into the now decade-long recovery, the higher the probability of a recession or downturn. That is simply the nature of the business cycle. Therefore, preserving the three lines of defense is paramount to systematically control risk-taking.
ERM is also essential in supporting the board of directors, ensuring it has sufficient information on the institution’s risk profile and risk management practices to provide credible challenges to management’s recommendations and decisions. While all three lines of defense should ensure that the board is adequately informed, the independent risk management and internal audit units must have unfettered access to the board (or a committee thereof), delivering their risk assessments, findings, and recommendations independently from front-line unit management and, when necessary, the chief executive officer. This direct access to the board is critical to ensuring the integrity of the ERM framework.
Cost is another driver. A 10-year succession of new regulations has increased the cost of compliance—in some cases to the point of constraining revenue-producing operations and impacting overall profitability. Institutions now have more people, processes, data, and technology than ever to manage regulatory risk. Going forward, the most effective ERM framework will require that the standard three lines of defense work collaboratively to manage risk in alignment with an institution’s strategic plan and risk appetite.
Ultimately, the question you need to ask yourself is this: “Is my organization’s risk framework achieving its intended function of effectively identifying, measuring, monitoring, and controlling aggregate risks?”
Next Gen ERM focuses on reducing costs resulting from redundancies in functionality across the first and second lines of defense while increasing revenue by optimizing staffing, improving processes, streamlining technology, and managing information.
Enterprise Risk Management
Next Generation Enterprise Risk Management practices include:
- Having a clearly defined risk management strategy and risk appetite statement. The first step is having a comprehensive ERM strategy, approved by the board. The strategy lays out clear roles and responsibilities for the three lines of defense along with reporting guidelines to eliminate uncertainty. Accompanying the ERM strategy is a well-defined risk appetite statement that provides the narrative describing the institution’s risk parameters along with specific key risk indicators to properly manage the boundaries of risk.
- Aligning the ERM framework with the overall strategy and risk appetite. The framework represents the overall outline of how the institution is structured to manage its risk, with detailed instructions of the role of the first line (where the most risk resides) in managing its risk controls with the customer.
- Training and socializing the ERM framework and risk appetite with the entire organization. Creation of an ERM framework and risk appetite is insufficient unless the concepts are cascaded down the organization with comprehensive training and support. Leaders throughout the organization must understand the role they play in managing and monitoring their risks.
- Unleashing revenue-producing resources to thrive. As roles and responsibilities are better defined and proper risk management personnel are in place within the first line, in the form of operational support, revenue-producing personnel are free to concentrate their efforts on their customers and prospects. Training on a regular basis keeps customer-facing employees well-informed about what they must learn from their customers in order to satisfy regulatory requirements while maximizing customer experience.
- Simplifying and strengthening processes and controls. In-line efforts to align procedures with policy are critical to the success of risk management. It is always a good exercise to review procedures, to ensure they accomplish what they are intended to do, while looking for efficiencies in an environment that may have changed from the time they were first written. It is common to see institutions with procedures that are decades old—very likely not leveraging today’s efficiencies. Once you simplify and clarify your procedures, building controls for high-risk transactions becomes clearer.
- Developing quality control (QC) and quality assurance (QA) in the first line of defense. The first line owns most of the risk, so it must devise its own QC and QA to manage that risk. This is the most critical step in Next Gen ERM. First-line employees can identify and avoid issues prior to completing transactions, when supported with well-defined controls, ongoing training, and on-site operations staff. The first line must also possess its own QA team, which does in-market testing of first-line personnel to ensure employees are following procedures on a regular basis. The first line should catch and remedy up to 90 percent of all issues before the second or third line even knows they existed. To reiterate, QC is in-line/real-time review of transactions, while QA is after-the-fact testing done by a dedicated team in the first line.
- Empowering the three lines of defense to work together. Collaboration among the three lines of defense is critical to the success of Next Gen ERM. Everyone works for the same institution, so it is critical that leaders within the three lines build a culture of mutual respect and cooperation. The purpose of the three lines is to build a mechanism of checks and balances to protect the organization. Leadership in the first line should build healthy relationships with the leadership of the second and third lines. All lines should build solid relationships with regulators.
- Leveraging technology and eliminating redundancies. One of the most common, unintended consequences of the build-out of ERM over the past years is overstaffing of the three lines of defense. By leveraging technology and human resource reporting, redundancies such as the overlapping of QA testing will materialize, offering opportunities to optimize employees’ time while maintaining effectiveness.
The benefits of Next Gen ERM revolve around the powerful value proposition of transparency in management and reporting. In order to unleash this value proposition, the institution must have the appropriate meeting structure in place, where leaders from the various lines of defense are interacting on a regular basis to learn from data and make adjustments to stay ahead of emerging risks and trends.
An optimized ERM framework is a critical part of an institution’s compliance management system. As regulations and regulatory bodies continue to change, so should an organization’s risk management framework. The same rigor that is applied to business lines should be applied to risk management to achieve improved processes, greater controls, streamlined resources, greater business intelligence, and increased profitability.
In conclusion, before looking for opportunities to improve any particular area of focus within risk management, such as compliance or financial crimes, take the time to step back and look at the overall framework and use Next Gen ERM to reinvent your institution. Unleash the real potential within your framework and greater bottom-line performance within your organization.
Treliant, LLC, Compliance, Risk Management, and Strategic Advisors to the Financial Services Industry and Consumer-Oriented Businesses, brings to you New Coordinates, a quarterly newsletter offering insights and information regarding pertinent issues affecting the financial services industry. This article appeared in its entirety in the Fall 2018 issue. To subscribe to our quarterly newsletter, please Contact Us.