The Office of the Comptroller of the Currency's proposed rules heightening standards around risk governance reinforce the importance of a bank's risk management culture.
Forcing banks to establish a framework for risk governance will not by itself be a sufficient inducement for banks to adopt a "fortress" risk management mentality where, in all areas of the company, risk management is everyone's business. Effective risk governance practices are no doubt essential to robust risk management.
However, the quality of the infrastructure used to take risks must also be part of the evaluation process. Rather than just meeting the requirements of yet another set of regulations, banks should build capabilities that comprehensively assess the quality of their risk management processes and tie that performance to strategic business goals. Likewise, the regulatory community should take this opportunity to create a risk management quality rating that may be used in examinations and deposit insurance pricing.
Strong risk governance lays the groundwork for promoting the long-term viability of an institution. While risk governance is a necessary condition for long-term performance, the quality of the bank's risk infrastructure (i.e., the processes and controls, policies, analytics, reporting, underwriting and portfolio management activities) is a sufficient condition for the staying power of the organization. Neither aspect of risk management, however, is easy to pin down, and standard risk control assessment practices do not satisfactorily address this concern.
A consistent theme from examiners asked to opine on a bank's desire to grow a particular business is that risk infrastructure needs to be in place ahead of growth. But, beyond speaking with staff and looking over reports, how do regulators and banks really know what's under the risk management hood?
Once, as a relatively new senior risk officer, I was asked to give an opinion about the quality of the bank to take risk relative to its risk profile.
I used a method I had previously developed to conduct the assessment. Using a simple 2x2 table with quality of risk infrastructure (labeled Low or High) against level of risk (Low or High), I created four possible outcomes of risk infrastructure and risk profile. Institutions with highly evolved risk infrastructure that pursued higher levels of risk were designated as "Risk Leaders". By contrast, I called banks that had poor risk infrastructure but were already taking high levels of risk "Market Leaders" – an attempt not to offend senior management with a more apt description sure to incite hostility. This particular bank was in the market leader quadrant based on a couple of months of informal observation and review of existing risk assessment documents. When I disclosed this to its executives, I was, unsurprisingly, asked not to come back to the executive committee without having more facts.
This request inspired me to work with the bank's risk organization to construct an assessment tool that assigned ratings to each component of the risk management process, starting with risk governance all the way down to data quality and everything in between. Although not statistically based, this analysis allowed the bank to have a better understanding of the quality of its risk management practices and track changes over time in a structured fashion.
Part of the exercise was aimed at tying risk infrastructure scores for each business unit to their strategic objectives. So, for example, if a business unit planned on expanding into a new product in the next year but had a risk infrastructure score that was only average, it would be precluded from doing so until it had addressed the deficiencies giving rise to the poor score in the first place.
Taking this concept further, regulators should establish a bank risk infrastructure index that allows them to monitor important shifts in risk governance, processes and activities over time as well as across peer institutions. It could further be used in determining a bank's CAMELS supervisory rating and, in turn, to differentially price deposit insurance.
The risk index would reinforce the OCC's proposal for strengthening bank risk governance, but would go a step further by putting more structure behind how we assess the quality of risk management. Not everything can be distilled to a single number, and sometimes we overreach in our attempt to quantify as much as possible. Nevertheless, the regulatory community and banks would both be better off putting in place capabilities that better rate the quality and effectiveness of their risk management practices.
Clifford Rossi is the Professor-of-the-Practice at the Robert H. Smith School of Business at the University of Maryland and a Principal in Chesapeake Risk Advisors LLC.