By Steven Minsky
Risk managers handle pressure from a variety of angles. The board needs confirmation its risk program is effective (without hindering productivity), the regulatory environment is unpredictable and frequently changes, and managers in other governance areas often appear unwilling to participate in risk assessment tasks.
Despite the ever-increasing importance of risk management, many organizations don’t reap the benefits of their programs. Consider the following issues, which are some of the most common and significant impediments faced by risk managers:
1. Many organizations struggle to define risk with a common framework, hindering efficiency.
Departments often operate as individual silos. Silos have unique processes, procedures, and terminologies, leading to problems with communication and collaboration. Even when departments properly collect and analyze risk data, a siloed structure can prevent information from reaching the relevant party; if it does get to the right place, its priority may not be understood.
The result of miscommunication and prioritization issues is twofold: poor risk mitigation and wasted resources. Risks are rarely isolated to one department – usually, one risk has multiple touchpoints throughout the organization. Silo A (origination) might not pick up on a risk identified by Silo B (securitization), which can lead to a loss when Silo A takes no preventative measures. Conversely, Silos A and B might unknowingly run redundant tests (on loan quality, servicing addresses, HELOC product add-ons, loan documentation, etc.), wasting valuable resources. In either scenario, collaboration prevents collateral damage to each other’s interests.
Solution: Risk managers should set enterprise-wide standards and criteria. ERM reaches across silos by providing a common framework that each department uses as the foundation of its risk management effort. Data and sensitive information are contained and protected, but a common approach (and a central information location) allows risk managers access to resources, relevant people and existing records. A risk-based approach reduces the cost of changes to systems and operations, which are necessary when adjusting to new requirements or undergoing implementations requiring extensive coordination with third parties.
2. Risk assessments aren’t collecting valuable information.
This issue results from a variety of contributing factors:
- Risk management is a perfunctory process, used merely to satisfy compliance requirements
- Silos operate independently, leading to the inefficiencies discussed above
- The organization lacks a central hub for its risk management program, preventing assessments, surveys, and reports from engaging those who can make a difference
- The organization has not connected the dots by using risk assessments to streamline solutions
Risk assessments are the building blocks of successful risk management. When they are conducted at too high a level, they tend not to reveal new information. That is, they highlight issues senior management is already aware of. The true value of a risk assessment is unlocked when it’s pushed to the front line, or process level, where issues first materialize. That information can be used to identify cost-effective solutions, building the business case at the appropriate decision-making level.
Solution: The best way to disseminate risk assessments is through a central system, as discussed in the previous section. Front-line managers (i.e. those directly involved in everyday activities) are most knowledgeable about operational risk and should be intimately involved in the risk assessment process. These employees contribute subject-matter expertise, providing clarity so that others – even those without an understanding of the technical details – know what needs to be done. Risk managers can use software to automate alerts and deadlines, ensuring solutions are actually implemented and sustained.
3. Difficulty aligning risk management with long-term strategic goals.
If risk management is considered a completely independent initiative – reducing it to a “compliance checklist” – it’s difficult to align it with strategic goals. The program then turns into a burdensome responsibility, not a useful tool. It also becomes difficult to identify which activities are the greatest hindrance to strategic goals and objectives, and allocate limited resources to those areas.
Solution: Map the relationship between strategic goals and organizational processes: which processes are integral to the achievement of a given board objective? Few, if any, long-term goals can be achieved within one silo. Any task must have a known “critical path,” or priority list of people and resources. Also map the relationship between specific risks and processes; with processes as the middle ground, you can map risks to high-level objectives.
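The two mappings just described (objectives to processes, risks to processes) can be joined so that every front-line risk rolls up to the board objectives it threatens, and every objective lists the departments that must collaborate on it. The following is an added illustration, not code from the article or from any ERM product; the departments, processes, objectives, risk names and scores are all constructed sample data, and the scoring (likelihood times impact) is an assumption chosen for the example.

```python
"""Map risks -> processes -> strategic objectives (constructed sample data).

Processes are the middle ground: each risk is identified at the process level,
each process supports one or more objectives, so risk exposure per objective
is the set of distinct risks reachable through its processes.
"""
from collections import defaultdict

# Constructed: each process is owned by one department (silo) and supports objectives.
PROCESS_OWNER = {
    "loan-origination": "Lending",
    "loan-servicing": "Operations",
    "wire-transfer": "Treasury",
    "vendor-onboarding": "Procurement",
}

PROCESS_TO_OBJECTIVES = {
    "loan-origination": {"grow-commercial-book", "maintain-credit-quality"},
    "loan-servicing": {"maintain-credit-quality", "retain-customers"},
    "wire-transfer": {"retain-customers", "strengthen-cyber-posture"},
    "vendor-onboarding": {"strengthen-cyber-posture"},
}

# Constructed: risks raised by front-line managers, scored likelihood x impact (1-5 each).
RISKS = {
    "incomplete-loan-documentation": {"score": 12, "processes": {"loan-origination", "loan-servicing"}},
    "wire-fraud-social-engineering": {"score": 20, "processes": {"wire-transfer"}},
    "third-party-credential-leak": {"score": 15, "processes": {"vendor-onboarding", "wire-transfer"}},
    "servicing-address-errors": {"score": 4, "processes": {"loan-servicing"}},
}


def risks_by_objective(risks, process_to_objectives):
    """Return {objective: {risk: score}} by following risk -> process -> objective.
    A risk that reaches an objective through two processes is recorded once."""
    result = defaultdict(dict)
    for risk, info in risks.items():
        for process in info["processes"]:
            for objective in process_to_objectives.get(process, ()):
                result[objective][risk] = info["score"]
    return dict(result)


def objective_exposure(risks, process_to_objectives):
    """Rank objectives by the summed score of the distinct risks that reach them.
    Returns a list of (objective, exposure), highest exposure first."""
    mapped = risks_by_objective(risks, process_to_objectives)
    return sorted(((obj, sum(r.values())) for obj, r in mapped.items()),
                  key=lambda t: (-t[1], t[0]))


def critical_path(objective, process_to_objectives, process_owner):
    """Processes an objective depends on and the department owning each one,
    i.e. the silos that must collaborate for the objective to be met."""
    return sorted((p, process_owner[p])
                  for p, objs in process_to_objectives.items() if objective in objs)


if __name__ == "__main__":
    for objective, exposure in objective_exposure(RISKS, PROCESS_TO_OBJECTIVES):
        path = critical_path(objective, PROCESS_TO_OBJECTIVES, PROCESS_OWNER)
        print(f"{objective}: exposure {exposure}; depends on {path}")
```

In the sample data the customer-retention objective carries the most exposure even though no single risk is tagged with it: it inherits the wire-fraud and credential-leak risks through the wire-transfer process, which a report built per department would not show.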
4. Effectively demonstrating the value of risk management when reporting to the board.
Risk managers are responsible for setting standards, practices, and procedures for effective risk management and embedding them in organizational processes. Later on, they must measure the program’s effectiveness and demonstrate it to the board. Even if a program is effective, the board is unlikely to provide continued support if a manager can’t produce illustrative, flexible reports. For example, when operating metrics aren’t integrated across multiple product lines – like asset-based lending, factoring, and unsecured lines (to name but a few) – loan committee data goes out of date more easily. This is problematic; different risks impact each product differently, and without clear data, a bank’s true position is more obscure at any given moment.
Now that boards are held directly responsible for risk (by the SEC Proxy Disclosure Enhancement, Anti-Money Laundering (AML), the Bank Secrecy Act (BSA), Suspicious Activity Reporting (SAR), and more), there’s significant pressure on risk managers for effective ERM reporting. Risks need to be identified at the business-process level, and reports should follow a risk’s progression: identification, mitigation, and ongoing monitoring across all business lines.
Solution: Ensure a few types of reports are included in presentations to the board:
- Metrics reports: Aggregate information from across business lines and products, showing development of risk tolerances over time
- Root-cause risk trends: Drill-down capabilities provide an objective view of risk across all departments
- Enterprise reports: Map risks by strategic imperatives like cybersecurity, as well as across product areas like lending, wires, fee-based services, etc.
- Risk management progress: Dynamically display stats such as total risks identified, percentage mitigated, and control effectiveness. Track in real time how quickly risks are dealt with if they exceed preset tolerance levels.
5. Reducing costs associated with risk management.
Although the trend is changing, a great number of companies still manage risk (across business areas) within spreadsheets and shared drives. This method may appear cost-effective, but the disadvantages and complications associated with spreadsheets negate any initial savings. Spreadsheets provide no audit trail, fail to meet many regulatory requirements, usually contain errors (94 percent do, according to the University of Hawaii), complicate reporting, and make it difficult to assign assessments to different departments. These deficiencies lead to a range of costs down the road, also making it difficult to remain compliant with BSA, AML, and SAR.
Some organizations, hoping to avoid spreadsheet difficulties, purchase expensive solutions or hire third-party consultants. Many of these solutions require on-premise implementations and significant customization; this involves high startup costs and continual professional-service fees. Traditional implementations are enormous time investments and can take your risk management program offline for months.
Solution: Risk managers should stay away from spreadsheets and expensive, on-premise, siloed solutions. ERM software platforms are both affordable and robust thanks to software-as-a-service (SaaS) deployment options and taxonomy technology. It’s critical to properly evaluate vendors before making a decision, however. Just because a product does not require an on-premise implementation doesn’t mean there are no other hidden costs. Inquire about customer service policies, professional service fees, ease of customization, and security during and after the selection process.
6. Improving regulatory compliance management.
Since compliance is more than just meeting minimum requirements – it also involves meeting stakeholder expectations – minimizing compliance risks is a big priority. A “checklist approach” is common but problematic; regulations are frequently amended, and organizational policy must change in kind. The difficulty is a) pinpointing which policies need to change and b) determining which persons/departments are to be responsible for implementing those changes.
Solution: In order to keep compliance scalable and manage change quickly and inexpensively, risk managers need to focus on common denominators, not individual requirements. In other words, which requirements can be addressed with a single, shared control? When the number of controls is reduced, so too is the number of necessary testing activities. Eliminating unnecessary redundancy is key if an organization is to consolidate the thousands of changing regulations it must comply with.
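The "common denominator" idea above, and the change-tracking difficulty described in the previous section, reduce to one bookkeeping problem: a map from controls to the requirements each satisfies. From that map you can choose a small set of shared controls covering every requirement, flag the controls whose testing has become redundant, and, when a requirement is amended, list exactly which retained controls and owners must respond. The following is an added example, not the article's or any vendor's code; the requirement identifiers, control names and owners are constructed, and the greedy set-cover selection is the assumed consolidation method (it is not guaranteed minimal, but it is simple and deterministic).

```python
"""Consolidate controls against overlapping requirements (constructed sample data).

Each control is mapped to the requirements it satisfies. A control that maps to
several requirements across regulations is a shared control in the article's sense.
"""

# Constructed: requirement ids are placeholders, not real regulatory citations.
CONTROL_COVERS = {
    "CTL-access-review": {"REQ-bsa-01", "REQ-glba-03", "REQ-soc2-cc6", "REQ-pci-07"},
    "CTL-mfa-privileged": {"REQ-glba-03", "REQ-pci-08", "REQ-soc2-cc6"},
    "CTL-kyc-onboarding": {"REQ-bsa-02", "REQ-aml-01"},
    "CTL-sar-filing-workflow": {"REQ-bsa-03", "REQ-aml-02"},
    "CTL-transaction-monitoring": {"REQ-aml-01", "REQ-aml-02", "REQ-bsa-03"},
    "CTL-quarterly-user-recert": {"REQ-glba-03", "REQ-soc2-cc6"},  # fully overlapped by access-review
}
CONTROL_OWNER = {
    "CTL-access-review": "IT Security",
    "CTL-mfa-privileged": "IT Security",
    "CTL-kyc-onboarding": "Compliance",
    "CTL-sar-filing-workflow": "Compliance",
    "CTL-transaction-monitoring": "Operations",
    "CTL-quarterly-user-recert": "IT Security",
}


def select_shared_controls(control_covers):
    """Greedy set cover: repeatedly keep the control that satisfies the most
    still-uncovered requirements (ties broken by name so the result is stable).
    Returns the retained controls in selection order."""
    uncovered = set().union(*control_covers.values())
    chosen = []
    while uncovered:
        best = max(sorted(control_covers), key=lambda c: len(control_covers[c] & uncovered))
        chosen.append(best)
        uncovered -= control_covers[best]
    return chosen


def redundant_controls(control_covers, chosen):
    """Controls not retained whose every requirement is already satisfied by the
    retained set; testing them duplicates work that is being done elsewhere."""
    covered = set().union(*(control_covers[c] for c in chosen))
    return sorted(c for c in control_covers if c not in chosen and control_covers[c] <= covered)


def impact_of_change(requirement, control_covers, control_owner, chosen):
    """When a requirement is amended, the retained controls that implement it and
    the department owning each one, i.e. who has to act."""
    return sorted((c, control_owner[c]) for c in chosen if requirement in control_covers[c])


if __name__ == "__main__":
    kept = select_shared_controls(CONTROL_COVERS)
    print("retained controls:", kept)
    print("redundant controls:", redundant_controls(CONTROL_COVERS, kept))
    print("REQ-glba-03 changed ->", impact_of_change("REQ-glba-03", CONTROL_COVERS, CONTROL_OWNER, kept))
```

With the sample map, four of the six controls cover all nine requirements, the two remaining controls are identified as redundant test effort, and an amendment to one requirement resolves to a short list of controls and a single owning department rather than a search through every regulation.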
The first step to surmounting these issues is adopting a risk management solution that gets your entire organization on the same page. You can then more easily prioritize resources when your team is operating with the same measurement scales and risk criteria – within the same platform – as every other department.
NOTE: To improve your risk management program and avoid these six common issues, take advantage of the RIMS Risk Maturity Model (RMM). The RMM is a free best-practice assessment tool that evaluates your current program and generates a roadmap for improvement.