Are You an Aggressive Risk Taker? The Answer Might Surprise You
There’s a difference between being risk-averse and risk-aware. It’s a misunderstanding we sometimes run into when financial institutions decide they don’t need to invest in risk management.
“We are very conservative when it comes to risk,” they’ll say. “Since we take on very little risk, we don’t need to worry about risk management.”
My response is always the same: Without proper risk management, how do you know?
Risk management isn’t just about managing the obvious risks. It’s understanding your institution’s total risk exposure and risk appetite and ensuring they are aligned. If a financial institution doesn’t have a risk management program, it doesn’t mean it’s not facing risks—it means there are risks that aren’t being managed.
Are you an aggressive risk taker? Here are some examples of how self-proclaimed risk-averse FIs can unknowingly expose themselves to risk.
Not conducting ongoing due diligence on a critical vendor
Your FI checked the regulatory requirement box when it onboarded critical vendors by engaging in due diligence. Everything checked out. Crisis averted!
Not so fast. Do your risk management programs include vendor management to ensure ongoing due diligence? Is your due diligence adequate? Do you know everything you need to look at? Vendor due diligence is not a one-and-done activity. A good risk management program has effective vendor management to ensure that critical third-party relationships continue to align with the FI’s interests. Failing to conduct ongoing due diligence exposes your FI to potential vendor risk.
Manually tracking regulatory change
You’ve got a super smart compliance officer and tons of subscriptions so your FI always recognizes regulatory change—but how do you know whether that change has been effectively and accurately implemented from beginning to end?
Were policies and procedures updated? Did staff receive training? Were controls put in place and reviews conducted to ensure the new policies and procedures are effective?
Are you paying extra attention to areas of increased compliance risk? Good compliance requires strong risk management. If you’re not measuring compliance risk and proactively managing regulatory change, you could be exposing your FI to potential enforcement actions, civil money penalties, lawsuits, and reputational harm.
Static business continuity plans (BCP)
If your FI occasionally dusts off its business continuity plan, there’s a good chance it’s out of date. Key personnel may not be with the company anymore. Vendors and suppliers may have changed.
Risk management helps connect all the pieces of your institution, from vendor management to IT and cybersecurity. It helps ensure that when a new critical vendor is onboarded, a staff member leaves, or the FI develops a new business line, its impact and criticality are evaluated and addressed in your FI’s BCP. You don’t want to discover a gaping hole in your BCP when you’re in the middle of a disaster.
Postponing IT system upgrades and maintenance to save money
Deferring IT and cybersecurity maintenance and updates may save cash today, but it may expose the FI to increased IT and operational risk. If you can’t afford technology, you can’t afford the aftermath of a cyber breach.
Don’t defer IT upgrades and maintenance without first assessing the risk. Just consider the Reserve Bank of New Zealand (RBNZ). The bank was using a 20-year-old Accellion product for secure third-party communication that was scheduled for sundown later in the year. In 2020 the file-sharing product, FTA, was breached in a cyberattack, exposing RBNZ’s data.
While it’s not necessary to have bleeding-edge technology, an important part of vendor management is ensuring that the products and services provided by third-party vendors remain suitable and appropriate. Did RBNZ consider using a newer or cloud-based technology to improve security? Had it taken steps to evaluate alternatives? These assessments might have saved RBNZ from falling victim to a vendor breach.
Complacency Is Risky
Ineffective risk management, poor internal controls, and lax compliance can harm an institution, as Acting Comptroller of the Currency Michael Hsu testified before the Senate Banking Committee in August 2021.
“I am concerned that overconfidence leading to complacency is a risk as the economy recovers. Sound risk management remains critical,” he said. “…Complacency is not a binary state. It often starts with small tradeoffs…Being vigilant and guarding against complacency will help ensure that the banking system remains safe, sound, and fair, and can continue to support a strong economic recovery.”
That leads us to yet another risk: Failing to live up to regulatory expectations for risk management. All the federal banking regulatory agencies expect FIs to have risk management programs that identify, measure, monitor, and control risk. While the agencies give FIs flexibility on how they structure their programs, they expect formal, documented programs in specific areas, like board oversight.
Don’t make the mistake of assuming that a conservative approach to risk means that risk management, including risk assessments, is unnecessary. You can’t limit exposure to a risk if you don’t know it exists—don’t be a risk-taker without realizing it!