For years, risk governance meant risk management, with a relatively narrow focus on specific areas: loans, legal, and possibly IT.
Then, everything went sideways in 2008-2009, and regulators saw the need for a more proactive, comprehensive risk governance strategy. Within the past five years, new rules and guidelines have begun changing the flaws regulators could see:
- Boards of directors were not engaged at the right level.
- Board members and executives weren’t getting the right information to make informed decisions.
- Management didn’t have tools in place to facilitate a timely and comprehensive analysis of overall risk.
Regulators set out to establish new expectations for risk governance. The results, based on preliminary proposals, could reduce risk and support better decision-making for banks and other financial institutions.
What is risk governance?
Risk governance is another term for enterprise risk management (ERM), which encompasses virtually every aspect of banking management: IT, operations, legal, credit/lending, and compliance. Until recently, there was no definitive industry or regulatory agreement as to what ERM meant, what it encompassed, or how to implement it.
New proposed guidelines will, for the first time, codify in rule-making comprehensive ERM that will not only provide a blueprint for risk governance, but also require regulatory compliance with new standards.
The proposed framework, developed by the International Risk Governance Council (IRGC) and announced by the Office of the Comptroller of the Currency (OCC), includes five elements:
- Risk pre-assessment: Early warning and “framing” the risk to provide a structured definition of the problem, establish relevance to different stakeholders, and propose a management plan
- Risk appraisal: Combining a scientific risk assessment (of the hazard and its probability) with a systematic concern assessment (of public concerns and perceptions) to provide the knowledge base for subsequent decisions
- Characterization and evaluation: Using scientific data and the societal values affected by the risk to evaluate it as acceptable, tolerable (requiring mitigation), or intolerable (unacceptable)
- Risk management: The actions and remedies needed to avoid, reduce, transfer, or retain the risk
- Risk communication: How stakeholders and civil society understand the risk and participate in the risk governance process
Put simply, the ERM framework goes beyond policies and procedures. The goal is to help boards of directors and upper management make business decisions that are based in large part on an established risk threshold. Not only will this framework hold banks accountable in critical decision-making processes, but it will also help them openly consider the risk on an enterprise-wide basis associated with those decisions.
Unlike the way many banks operate now, critical business decisions will not be driven by silos, but will encompass the entire organization. Decisions won’t be made by an IT manager or compliance manager who only thinks about how the decision will affect his or her department and operations, but on how it will affect risk institution-wide.
Rewards and risks
The rewards to banks and other financial institutions of comprehensive risk governance are plain: better risk-based decisions and more involvement and communication between the board of directors, the executives, and other upper management.
The risks can potentially be the same as any other compliance issue. Although the current proposed framework doesn’t outline penalties, presumably any perceived violation of the components of the proposed rule by regulators would be subject to all of the available actions the OCC has, which include civil money penalties and cease-and-desist orders, among others. The assumption is that the penalties won’t be as severe as those for, say, not meeting reserve requirements or lending ratios.
Although the final rules may change due to comments received by the OCC, there are three requirements within the proposed rules that banks should be aware of:
- The requirement to establish quantitative risk measures against which management and the board will be evaluated.
- The requirement that boards of directors and individual members own the risk governance framework. It is not something that can be delegated to management. Execution can be delegated, but boards of directors own the structure and bear the ultimate responsibility.
- Heightened expectation that there is a definitive, measurable link – for both boards of directors and management – between risk management and compensation. A meaningful part of the individual’s compensation should be linked to the risk that he or she handles for the institution.
How to prepare
This may change depending upon the final rules, but for now banks should prepare by:
- Taking a comprehensive inventory of all activities that contribute to risk management or that directly/indirectly support activities of boards of directors
- Creating a set of standards for a risk governance framework
- Performing a comprehensive inventory across all business lines and determining that they’ve addressed all risk considerations
- Mapping those considerations to the activities of the boards of directors
- Ensuring that ERM is in compliance with Sarbanes-Oxley and other regulations
- Educating the chief compliance officer, chief financial officer, chief credit officer, and other officers and securing buy-in for ERM
- Taking a top-down approach in smaller institutions; this means ensuring that the board of directors understands its new responsibilities
Leveraging third-party expertise
Because much of ERM is based on best practices, a third party with broad expertise gained by working with many institutions can be an invaluable resource.
For larger institutions, a third party can help prepare a comprehensive assessment of capturing risk and then assist in developing both a framework and a dashboard for managing and reporting.
For community banks, a third party can work with both executives and boards to understand, develop, implement, and manage the ERM process, including educating board members about their expanded responsibilities.
Above all, understand that much of this process is an attempt to quantify something that is currently often subjective. Assume that regulators will be learning the new process and expectations just as a bank will.
Baker Tilly insight
Risk governance has become an essential component of banks' internal discussion. Boards of directors and management must make the investment of financial and human resources necessary to identify, understand, measure and respond to a complete range of risks. Success will no longer be defined as a standard list of financial metrics, but will forever include an assessment of the bank's ability to achieve those results within a defined risk governance framework.
For more information on this topic, or to learn how Baker Tilly banking specialists can help, contact our team.