It’s that regulatory time of year again, GonzoBankers. Time to shovel out the driveway, check your risk dashboard, and head out to the big industry association conferences covering all those tantalizing reg topics and lobbying. And, it’s time to hear for the 1000th time about how the regulatory burden has increased since the financial crisis.
We get it. You aren’t just shoveling the snow, but shoveling out the money on people and technology to meet Consumer Financial Protection Bureau and other new requirements.
According to The Cornerstone Report, 7th Edition, bank assets per enterprise risk management FTE decreased from $147 million in 2010 to $55 million in 2012. Furthermore, the gap between median and 75th percentile performers was much wider than the gap between 25th percentile and median performers.
|Assets per enterprise risk management (total)||$55,285,150||$37,575,558||$171,420,985||$147,112,664|
This data suggests that ERM programs are still evolving (and are relatively inefficient) as institutions sort out what is the best ERM model for their organizations. It also suggests that the top performers have a competitive cost edge (not to mention stronger risk management effectiveness) over their peers – a key imperative in a low-revenue growth environment.
The tech investments now help reporting on new balance sheet and capital requirements, not to mention emerging fraud and information security risks. The bad news: This new cost of doing business is likely permanent. The good news: The costs don’t need to be a black hole as an organization can still be cost effective while managing the risk profile.
Make no mistake, significant outlays will need to be made to better manage risks. But, don’t get caught in the trap of thinking these costs should rise at the same pace as the burden. The best ERM approaches recognize that, if the organization is engaged and a mature risk management model is in place, the actual management of risk becomes part of people’s day-to-day activities and the level of “overhead” should be reduced. More importantly, there is a much clearer definition of what residual risk remains, making it easier for management to make better decisions on what risks to accept versus reject. Too often, we see management and boards accept the “sky is falling” business case when making risk-related investments. Sometimes the sky IS falling. But most of the time it really isn’t.
Look at information security as an example. I have not been at any institution where an investment request from information security has been flat out refused. Delayed? Maybe. Refused? Never. Is the decision to invest due to a zero tolerance for security risk (totally acceptable if it is the board and management’s decision versus just abject fear of the unknown)? Or is it based on a fact-based review of residual risk and where to best focus those investments?
Let’s take the case of the recent Target card breach, which American Banker estimates impacted one in three Americans. One of our client institutions was reaching out to its impacted customers when it realized its customer contact information was all over the place and difficult to access. The institution ultimately did reach its customers but after unnecessary delay and added cost. In this case, the institution had strong information security capabilities but it did not define and manage other relevant risk factors associated with a data breach situation. So, were investments made? Yes. Did it help manage risk? Probably. Were the investments focused in the right places? Clearly not all of them. I am not advocating reduced information security related investments; I’m just saying institutions need to be smart and informed on where to make the investments.
A residual risk focus likely would have addressed this situation. A properly executed residual risk analysis incorporates both events and business processes. It would take into account more risk types and factors, including the most important piece – interrelationships between the risk types. In the example above, the risks covered include reputational, strategic, transactional and compliance. Chances are, most institutions affected by the Target breach considered two or three of those risks, but only the most mature ERM models anticipated all of them. At the end of the day, investments and resources were not fully leveraged or focused, resulting in added costs. We can’t blame the regulators for that. A “check the box” approach has value but it ultimately does not lend itself to long-term cost efficiency and ERM effectiveness
Bigger spending on risk management is now a fact of life. If done right, it can and will help organizations better manage their businesses. And, that’s really the point. While risk management maturity does not mean compliance or ERM oversight goes away (business managers can be very good at managing their own risks but they often don’t understand the interdependencies inherent in their actions and businesses), it does mean a better focus of resources. Stay thirsty for the right focus, my friends.
“Do not be too timid and squeamish about your actions. All life is an experiment. The more experiments you make the better.”
-Ralph Waldo Emerson, Author (not a regulator or compliance manager)
What’s your RMF?
Your Risk Maturity Factor defines your organization’s strategic and operational readiness to respond to Consumer Financial Protection Bureau and other regulatory requirements affecting financial institutions now and in the future.
Cornerstone Advisors can help your organization assess its risk appetites across a variety of areas and enhance the maturity of your overall risk management efforts.
Contact us today to learn more.