Ask the Author: Where Does Risk Management Go Wrong?
Financial institutions know that risk management is important, but in order to get it right, FIs must view it through the lens of strategic planning.
It’s a topic Ncontracts founder and CEO Michael Berman covers in depth in his new book, The Upside of Risk: Turning Complex Burdens into Strategic Advantages for Financial Institutions. As part of the book’s launch, Berman sat down with Rafael DeLeon, former National Bank Examiner for the OCC, to talk the essential role risk management plays in strategic planning and the many ways banks, credit unions, and mortgage companies get it wrong.
Rafael DeLeon: In your book, you talk about how banks, credit unions, and mortgage companies really need to understand how they can embrace risk and how that creates a competitive advantage for them. Can you talk about strategic planning and how that fits into risk management?
Michael Berman: Strategic planning is an integral part of enterprise risk management. Unfortunately, most people have a pretty poor strategic plan or they view strategic planning as a budget exercise instead of long-term goals toward what they're trying to accomplish. What makes the financial services industry different is all of those risks can be taken into account as part of that strategic effort.
Strategy is high-level and easy to articulate. What makes strategy different from a strategic plan are the milestones along the way on the path we’re going to use to get there.
One of the downfalls we see with far too many financial institutions is they view their strategic planning activities as “Let's go do what the big banks are doing.” It’s not really a great strategy to just follow what other people do. Even though there might be a lot of similarities from town to town or state to state or region to region (and we can take best practices), but your strategy is more about envisioning where do you want to go and not just where other people are going. What works in New York City or Boston as a strategy for community bank probably will be very different in rural Tennessee or rural Kentucky or Alabama.
Let’s touch on a subject that I've talked a lot about in my training and outreach to bank directors: culture. Talk a little bit about that and the impact it has on an organization.
Culture is absolutely, fundamentally key for compliance and risk management, but it's also key to accomplishing your goals for profitability growth. When the culture at a financial institution is cutthroat, meaning we only care about the bottom line, it shows in the institution’s culture and all the way to frontline interactions with customers. When tellers and loan officers care deeply about the client or member, they are going to be far more attuned to compliance, privacy, and all of the institution’s standards.
What are some of the limitations of risk assessments?
Risk assessments can be limited based on the scope or size of the risks as well as the controls. It needs to be right sized for each institution. You can get lost thinking of everything that could possibly happen. Just think from a personal risk management perspective all the risks that could possibly impact my commute to work or just walking down the hall. You can get lost in a lot of negative thoughts. The idea behind a good risk assessment is to understand categories of risk and what controls we can put in to mitigate them.
When we think about it that at an organizational level, we need to keep that in mind because I've seen far too many financial institutions really get lost in that first exercise and over rotate on risk. They do a risk assessment on an item by item or inventory basis, which is a thought process from the 1970s or 1980s, and they want to know how many locks and alarm systems they have. When you take that risk management approach and try to modernize it, the risk is that you’ll get lost in inventory.
The first sign of a good risk assessment is whether the institution has asked:
- Do I have the right risks identified?
- Do I have the appropriate controls to help mitigate those risks?
- What’s the frequency of measurement for each of those controls?
We’ve talked about how we are all risk managers in our day-to-day life. Why do so many find it hard to wrap their heads around risk management and evaluating risk at the institutional level?
Back in the 1950s and 1960s, there was a big controversy over whether or not people should be required to wear seatbelts in automobiles. One of the arguments was that if everyone wore a seatbelt, they’d feel safer and drive even faster—resulting in even more frequent and more destructive wrecks.
If we start applying that kind of logic—that as we do some things to make us feel safer, we may feel too safe—then we might think that if the institution has a great enterprise risk assessment program with many people hired to manage risk, the institution can now safely engage in all sorts of high-risk lending. As you know, it doesn’t work that way.
A lot of people will use their own experience rather than data to make a risk calculation. They may underestimate the likelihood or impact of a car wreck because they’ve never been in one. Conversely, if someone has been in a car wreck, they may be extremely worried about it happening again.
We need to balance and be thoughtful about how we’re taking in information and how we're then applying that information. Just because an institution has never been written up by examiners before doesn’t mean there is no risk of it happening in the future.
One thing that separates the great enterprises from those that don't make it is the ability to take all that outside data and not just their personal experience and incorporate that into their own risk management.