Inertia is one of the most powerful tendencies in the universe. Sir Isaac Newton dedicated the first law of motion to it: a body at rest stays at rest, and a body in motion stays in motion, unless an outside force acts on it.
He was talking about physics, but he may as well have been speaking about human nature. People generally maintain the status quo. We take the same route to work, order a drink at the same coffee shop and read the same news sites every day.
We do this because it’s easy and comfortable. We stick with what we know and regularly do because we perceive it as risky to make another choice, but we don’t often think about the cost of that choice because we’ve already made it.
But there are costs.
The Cost of Inertia
When we take the same route to work automatically, we’re not considering that there might be a quicker, more efficient way to get there on that particular day. When we order from the same coffee shop, we’re not thinking about the possibility that there might be another coffee shop we’d enjoy even more. When we read the same news sites, we’re limiting the ideas that we’re exposed to.
Most of the time, this isn’t a big deal. But when you’re running a business, inertia can create risk.
This is particularly true when it comes to risk management. Back in the day it was much simpler to run a financial institution. There was interest rate risk and credit risk and concerns about the physical security of the building. Risk management was a relatively small task.
Today, thanks to the Internet, the cloud, a huge influx of new regulations, interstate banking and myriad other things, there's far more risk in running an institution. Yet many banks and credit unions continue to handle risk management the same way they did in simpler times. They use an ad hoc approach, dealing with issues as they come up, instead of putting a unified process in place to identify, manage and mitigate risks at an enterprise level.
They think it’s working because they haven’t encountered any major issues yet, but that’s just because they don’t know what they don’t know. They don’t know that:
- They're taking far more risk than they think. If you're not measuring risk, you're underestimating it. Can you imagine operating a business with no management team? Everyone would independently do what they thought was best and set their own priorities. Some people would care a lot more about doing a good job than others. It's a recipe for disaster. The same thing happens when there isn't a top-down approach to risk management. With no one in charge, there's no way to know what's important and what's getting done.
Many institutions have faced hefty fines for violations of BSA and OFAC regulations. I'm sure none of these institutions made a conscious decision to ignore federal rules and regulations. But they probably didn't make a conscious decision to take the time to understand the magnitude of the risk and develop a good risk management program either. If they had taken the time to understand the potential fines and regulatory consequences of falling short, they would have paid more attention to the issue.
- They're spending money in the wrong places. When you don't have a system in place to objectively evaluate the amount of risk an activity presents, you're not using your resources wisely. Not all risks are equal. Some are very big while others are quite small. The risk posed by the potential loss of private customer data from an insecure server is far greater than the risk of running out of business cards or the lawn growing too high.
When an institution doesn't have a clear way to measure risk, it often resorts to playing risk management Whack-A-Mole, using the same sized hammer to hit each mole. It's a wildly inefficient process. When an institution applies the same effort to every risk, it overdoes it on the small risks and underestimates the effort needed to address the larger ones. It's much smarter to allocate resources to the biggest risks, but you can only do that if you understand and rank them.
I’m sure each one of those CEOs and management teams facing BSA and OFAC fines thought they were spending money in the right place.
Most people think of taking action as the riskier choice, when inertia is just as risky. Instead of asking what would happen if they changed their risk management procedures, institutions should ask what would happen if they didn't change them.
Phrased another way, institutions should compare risk management models without using the weighted labels of “existing” and “proposed.” They should look at them objectively and ask, “If we were choosing a risk management model today, which would be a better choice: an ad hoc model that addresses risks as they emerge or a top-down approach that measures, monitors and mitigates risk across the entire enterprise?”
Looking at it that way, the risk of inertia is obvious. Now is the time to think about why your institution makes its risk management decisions the way it does. If the answer is "we've always done it that way," ask yourself why. You may find that the status quo is riskier than you think.