Is your bank risk-ready?
Research from The Disaster Recovery Journal indicates that only 36% of firms have a formal ERM program in place headed by a chief risk officer or similar role. Yet stakeholders — from boards to regulators — increasingly expect banks’ risk management function to focus on enterprise-wide strategic goals, rather than a “tick-the-box” approach to avoiding major risk events or maintaining compliance.
Here’s a common scenario:
A C-level bank executive is concerned about their institution’s siloed approach to risk management. The bank doesn’t have a formal ERM program, and examiners have been pushing for the bank to implement support for risk-based decision making. Meanwhile, the bank has been preoccupied with either getting up to speed or putting out fires in specific risk areas such as compliance, IT, and vendor management.
While the executive recognizes the importance of having the kind of big-picture perspective that an ERM program enables — and, conversely, the dangers of having tunnel vision when it comes to risk and compliance — developing a formalized program has only made it onto the to-do list thus far. Due to budget, headcount, and buy-in constraints, any initiative to invest in an ERM program will likely get pushed out a couple more years. The executive faces the challenge of not only gaining internal support for the program itself, but also approval to allocate or acquire resources (both personnel and technology) to run the program effectively.
The question is, can this bank afford to wait?
We’re in an environment where proactively understanding how risk and compliance impact your bank’s business performance and its outlook for the future is an urgent need rather than just a nice-to-have capability. And, unfortunately, many financial institutions don’t have the management framework or technology in place that enables that kind of oversight.
Like the executive in the example scenario, decision-makers at banks may recognize the strategic advantage of implementing an ERM program. But many may find the prospect of selling the concept internally difficult to overcome, considering the dual challenge of building or maturing their capabilities and finding a technology platform to support those efforts.
So perhaps the question to ask is not only about when to implement or improve your ERM program, but why. What kind of immediate and long-term value could it provide to your bank? How would it improve efficiency and oversight? How would it help you meet stakeholder, shareholder, and regulator expectations and obligations?
By presenting the benefits of creating a program, ERM advocates can help alleviate many concerns about budget and other resources. This approach also applies to institutions that have some existing risk management capabilities but are considering investing in an ERM solution to accelerate program maturity.
Let’s explore several talking points and action items to help make a convincing case for a bank ERM program:
How much time do your risk managers spend on administrative or hands-on management activities? If your bank relies on spreadsheets, shared files and drives, manual data aggregation and reporting, and the like, you might be surprised by how those repetitive tasks add up.
A Global Association of Risk Professionals survey found that risk managers working in financial services are only able to spend about 50% of their time actually managing risk. Let’s assume, as an example, that the average risk manager at a bank spends 20% of their remaining time each workweek on manual tasks like wrangling spreadsheets and other documentation to find and process data. That’s 8 hours, or a full workday, that could be spent on strategic initiatives like assessing risk exposure or evaluating and prioritizing mitigation options.
Over the course of a year, at a base risk manager salary of $100K, that time translates to just short of $20K. Would you rather have that time and money lost to inefficiency or invested in work that contributes to your bank’s business objectives and performance?
Ask your bank’s risk managers to estimate the time they spend on non-strategic or administrative activities. Think in terms of tasks that could be streamlined or eliminated if processes were standardized as part of a technology-enabled ERM program. Convert that time to a proportion of their salaries. This number can be a powerful argument for investing in an ERM program and an automated risk management solution that frees up employees to spend their time on more value-driven activities.
Breaking out of the cycle of siloed risk management has significant ramifications for cost efficiencies and loss prevention. A technology-enabled bank ERM program provides visibility into how risks impact business strategy and performance. This allows bank leadership to make data-driven decisions about how to allocate limited risk management resources and reduce losses.
Management consultancy Bain & Company found that banks that implemented risk management best practices reduced their losses from operational risk from 6.2% of gross income to 1.6% of gross income over a five-year period.
Take a look at some of the metrics your bank tracks related to risk and compliance management — perhaps risk events, risk-related losses, or audit findings. How many of those issues would have been preventable with better-quality risk data or improved data access, actionable risk reporting, or a more accurate understanding of bank-wide risk exposure and mitigation options? These are some of the advantages that a comprehensive bank ERM program can provide when supported by standardized processes and a flexible technology infrastructure.
Compliance issues can be a significant source of operational risk, and banks’ compliance function should be closely aligned with a comprehensive enterprise risk management program. When considering the value of ERM, don’t forget to calculate the costs related to compliance management, since compliance practitioners will also reap benefits from a risk management solution. According to a McKinsey & Company compliance benchmarking survey, personnel costs account for nearly 80% of banks’ compliance spending.
Additionally, this year, 48% of compliance teams are averaging between 4 and 10 hours each week tracking and analyzing regulatory developments. The number of teams in the higher end of that range (spending 8 to 10 hours weekly) has increased by eight percentage points over the last several years, according to a cost of compliance study.
If your bank invested in a GRC solution that automated compliance monitoring with a built-in law and regulation library and regulatory change alerts, how much would that cut down the headcount or employee time needed for compliance management?
What opportunities would that open to re-allocate some of your risk and compliance management resources? What strategy or budgeting recommendations would you be able to make to executive management or the board of directors? Write down some ideas for how redistributing resources could help your bank meet its strategic objectives or improve risk management program maturity.
When weighing the benefits, you’ll need to take into account any technology solutions that are necessary to realize the full potential of your bank ERM program. This facet of maturing your risk management capabilities has its own set of value propositions to consider, not least of which is its potential impact on costs and revenue.
An analysis of Financial Times data found that banks that improve the efficiency and effectiveness of their risk management function through digitization can reduce operating costs for risk activities by 20 to 30%, with the greatest potential for reducing losses and fines in the areas of operational and compliance risk.
We’ll explore the value of implementing bank ERM technology in more detail in Part 2 of this series.