By Bud Genovese, AuditOne LLC
Bank directors need to know that in the eyes of regulators, risk management is trending up and trending hot. Because what impacts large banks often trickles down to smaller community banks, directors in banks under $10 billion should pay close attention to the new Dodd-Frank Act requirement that larger banks set up separate Risk Committees. Regulators have “heightened expectations” for banks to enhance risk management processes in order to maintain ratings.
This is not a bad development. Many banks already incorporate risk management into their Audit Committees. Directors need to ensure the proper monitoring and management of risk, whether as a separate group or within the charter of the Audit Committee. Remember that managing risk is a strategic business function and is forward-looking. Directors must keep the objectives separate from the auditing objectives, which review results of past activity.
Enhanced Risk Management Can Boost Business
Banks of all sizes gain business benefits from enhanced risk management. Banks can gain competitive advantage by being better able to grow profits and meet strategic goals while better managing risks. Banks benefit when they understand what their risk appetite is and put in place policies and controls to make sure that the risks in the business are truly understood throughout the organization, rather than discounted as not probable or not possible.
Create a Risk Appetite Framework
Many banks are implementing a Risk Appetite Framework (RAF) as the way to provide an overall governing risk management architecture. The RAF serves as the operating principle to align bank strategy, capital allocation and risk. In the past, the focus was on strategy and capital; however, risk is now a key consideration.
The RAF states the maximum level of risk that a bank is prepared to accept in order to achieve business objectives. The RAF should be used to develop the RAF Statement with collaboration from the CEO, CRO and CFO. This RAF Statement translates the overall strategy into measurable targets and thresholds across material risk categories. These risk tolerances enable performance monitoring and management which aims to identify optimal growth options considering the risk involved and the allocation of available capital resources to drive sustainable performance.
The RAF Statement should not be complex, but rather a concise statement that identifies the most important and applicable risk tolerances and limits. This statement needs to specify the action to be taken if exceptions or out-of-tolerance conditions surface. From the RAF Statement the risk appetite tolerance levels are established. They should be set at different trigger levels, with clearly defined escalation requirements that enable appropriate actions to be defined and implemented as required. In cases where the tolerance levels are breached, it is the responsibility of the bank managers of that functional area to bring the breach to the attention of the board. The board should review and approve the RAF and RAF Statement on an annual basis to ensure that they are consistent with bank strategy, business and the regulatory environment.
Risk Assessments are Key Tools
Directors should insist their bank performs an annual Enterprise Risk Assessment (ERA) that takes into consideration the bank’s strategic plan and regulatory risk factors (CAMELS). The ERA can be performed in-house if staff expertise in this area is available, or contracted out to an independent risk management consulting firm.
The ERA should analyze each operational bank function and calibrate the precise level of risk and internal control auditing necessary to meet safety, soundness and the latest regulatory requirements. The ERA methodology should a) risk-score each area and activity, b) translate that score into a risk rating, and c) map that rating to a recommended audit frequency. Ensure that stress testing covering the major risk areas is performed regularly. The ERA can save banks money by identifying and applying appropriate risk-based resources.
Regular Review of Risk Management Program
Regular – meaning at least annual – review of the effectiveness of the risk management program is essential. Employ the resources of your bank’s internal auditor or a third-party consultancy to provide an independent assessment and resulting audit report of the effectiveness of the risk management function. Regulators will be placing this new expectation on the bank’s internal audit function to assess the bank’s risk management program.
The Role of Directors in Risk Management
Directors need to train for, prepare for, and demand enhanced risk management at their banks. Strong risk management should proactively point to potential problems and better handle the new risks that technology and the economy present, all of which adds to greater operating and profit results.
Published in Western Independent Bankers Association’s Directors Digest, Issue 81 – March 2014.