Risk Management: How Do You Measure Up?
There’s something tantalizing about comparisons. It’s nice to know where you stack up when it comes to both your peers and the institutions you aspire to be. Fortunately, when it comes to risk management, there is no shortage of surveys and studies telling you what everybody is up to.
So what do the most recent surveys say about risk management trends? Read on to find out.
A Growing Focus on Risk Management
It’s no surprise that surveys show risk management is a growing challenge at banks and credit unions. Nearly two-thirds of institutions are concerned about managing risk across all business lines, according to a December 2017 study by Wolters Kluwer. That’s up 24 percent (from 52 percent) in 2016.
Notice how the survey indicates “across all lines.” That’s because financial risk is no longer the only concern facing an institution. Operational, transaction, strategic, compliance, cyber and reputation risk are just a few of the risks that can potentially impact an institution. That’s why risk management is moving from a piecemeal to a more strategic and enterprise wide approach.
Just over a third of banks and credit unions have implemented an integrated or strategic risk management program, Wolters Kluwer finds. Another third have a well-defined or formal program, but have yet to implement it across the enterprise. The other 22 percent are in the early stages of risk management. It’s a concerning trend considering the growing importance of enterprise risk management in achieving both regulatory expectations and strategic goals. Many institutions still have work to do to reap the full benefits of risk management.
Top Risk Management Concerns
Cyber risk is by far the number one risk-related concern at banks. That’s according to just about every study out there. For example, 84 percent of banks worry about cybersecurity risk, according to Bank Director’s 2018 Risk Survey, which surveyed 224 independent directors, chief risk officers, chief executives and other senior executives at U.S. banks with more than $250 million in assets. It’s a growing concern, with 17 percent of banks reporting a data breach or other cybersecurity attack in the past two years. Another 4 percent weren’t sure if they’d been attacked.
Compliance risk comes in at a distant second, with 49 percent of banks responding to the Bank Director survey listing it as a one of their top three concerns.
What else is keeping risk officers up at night? It depends on the size of the institution. Banks with more than $5 billion in assets are focused on strategic risk and credit risk. While those are also concerns at mid-sized banks, banks with less than $500 million in assets rank interest rate risk their third most pressing risk issue (38 percent).
This is reinforced by a Grant Thornton study of banks with more than $5 billion in assets, which found cybersecurity risk, IT risk, and regulatory/compliance risk ranking among banks’ top three concerns. It’s also worth noting that more than 80 percent reported that third party/vendor risk significantly, very significantly and moderately affected their banks. It makes sense that banks are becoming more engaged in vendor management due to the increased regulatory scrutiny of this area in recent years.
Over the next 12 months, institutions’ risk management priorities will be cybersecurity/data security (83 percent), IT risk (54 percent), regulatory risk (50 percent), credit risk (33 percent), third-party risk (28 percent) and data governance/management/analysis (26 percent), according to Wolters Kluwer.
Measuring Risk Management Success
More than three-quarters of banks are planning to improve risk management in 2018, according to the eighth annual global EY/IIF bank risk management survey of the largest banks across the world. Over the next three years, 50 percent of these banks are hoping their technology investments will allow for more effective risk mitigation.
Today most banks assess the effectiveness of their risk management programs through regulatory observations or fines, the Grant Thornton study reveals. Looking ahead to the next three to five years, banks are hoping to improve the efficiency of their risk management programs by coherently standardizing risk control self-assessments across business lines. Seventy percent of banks with between $5 billion and $50 billion in assets expect to see more bank-wide risk management cohesion and 10 percent expect to see much more. They are also hoping to implement more quantitative methods of risk management. Budget constraints pose a high, very high, or moderate obstacle at nearly three-quarters of banks.
Governance & Risk Management Culture
While 44 percent of banks have a board committee dedicated to risk governance, that number declines with the size of the institution. The vast majority of banks with $5 billion to $10 billion in assets (85 percent) have a risk governance board committee compared to just 19 percent of banks with less than $500 million and 23 percent of banks with between $500 million and $1 billion. Those institutions are most likely to task the audit committee with risk management at 48 percent and 42 percent, respectively. The rest have delegated risk management to the board as a whole (21 percent of banks).
Wells Fargo may be forced to limit growth while it reinvents its approach to governance and risk management, but it’s definitely not the only one examining its culture. Nearly a third of CROs at the world’s largest banks say culture and behavior are “top of mind” when it comes to risk, up 8 percent from last year. “Conduct risk,” or the risk that employees will make bad decisions, concerns 41 percent of banks, up 16 percent from the year before, according to EY. When managing non-financial risks, 66 percent of banks are defining risk appetites for specific forms of risk and using that information to make operational decisions (62 percent), using the risk appetite as a dynamic tool to manage risk (52 percent), and linking risk appetite to strategy (48 percent), and culture and behaviors (42 percent).
How Are Banks Leveraging Risk Management Data?
Most banks find the greatest benefit of risk management is the ability to limit business losses and regulatory penalties and fines, according to Grant Thornton. Other common benefits include optimizing capital and gaining business insights from risk management data. A handful of banks with more than $50 billion in assets were using it for real-time transactions and customer account level risk-based pricing. Among banks with between $5 billion and $50 billion in assets, 42 percent expect to leverage their risk management infrastructure for profit-making within the next three to five years.
The banks reported risk and capital modeling and key risk indicators as the areas with the most developed analytics. Nearly every bank believes it can significantly improve risk management processes and systems related to data and risk information management; risk analytics and measurements; and risk governance and operating models, Grant Thornton found.
Risk Management Solutions
While not every financial institution is ready to adopt artificial intelligence and other cutting-edge risk management tools, it’s obvious that there is room to improve and streamline risk management at every size and type of financial institution. As risks increase, it’s more important than ever that banks and credit unions adopt an enterprise risk management approach to managing risk and develop strong controls to limit risk and tools to measure them.
It’s not about being the first or the biggest. It’s about being the smartest. How do your risk measurement systems and processes measure up?