The prescription for risk management sounds easy enough: Stay diverse, stay capitalized and stay in compliance. But the execution is so complex that an industry blueprint for achieving those goals remains elusive.

Banks struggle with identifying risk across operations and product lines, tasking the right individuals, whether directors or executives, with monitoring each potential trouble spot regularly, and creating systems to keep it all in check.

Exacerbating the usual challenges is the uncertainty of far-reaching regulatory changes in issues such as capital or compensation practices. This has many seeking balance between their business needs and a nearly paralyzing caution.

"We ran a survey last year, where 85 percent of chief financial officers and chief risk officers said they lack that alignment between the company's strategy and their risk appetite," says Chris Thompson, a senior executive for finance and performance management with Accenture. "You can't have that gap."

Fresh from a devastating financial crisis—and mindful of examiners' increased scrutiny of risk—directors and executives largely remain reticent about pursuing new opportunities that ultimately could make for a stronger and more profitable bank. So the race is on to resolve the dilemmas they find in establishing a better risk management culture, one that allows for confidently protecting, and growing, the business. Here's a look at six key questions before them.

What is an appropriate risk appetite?

The fear of losses from excessive leverage and concentration contributed to a retreat from lending at many banks. But that doesn't mean they are necessarily averting risk.

The lack of a defined risk appetite that is communicated to all employees is a risk in itself, leaving many banks with troubling blind spots, according to a recent study of 19 global financial firms by the consulting firm Oliver Wyman and the Risk Management Association.

What drives risk appetite, in the absence of a written plan, are ad hoc decisions, the study warns. This plagued many banks during the height of easy credit and continues to be an issue now.

A separate study by the technology provider SAS found that 40 percent of financial services firms still do not have risk strategies in place.

Mark Twerdock, KPMG's advisory partner for bank and finance, strongly recommends hammering out a formal framework. "In the past I would say most banks had a known risk appetite, but it was never articulated on paper what boundaries, thresholds and tolerances that board and management all agreed to," he says.

Problem banks often have weaknesses like failing to engage their full executive teams in risk management and "chronically" investing too little in data analytics for monitoring enterprise risk, according to the Oliver Wyman/RMA study.

Philipp Wackerback, a senior associate in Booz & Co.'s banking practice, says other banks should avoid these pitfalls. A risk-appetite framework needs to include shareholder and management expectations for key performance indicators such as revenue or return on equity.

He advises using these indicators to produce peer-group comparisons and calculate what the bank needs to do—and how much risk it would have to take on—to achieve a particular goal. One question to resolve: "What risk do I need to set as the bank in order to come up with a certain ROE target?" says Wackerback.

Then apply the results to how the bank operates and deliver the risk message throughout the organization.

"It's the alignment of strategy, risk and capital allocation," says Wackerback. "You need to operationalize it for risk categories so people on the business side know what to do, where the limits and the tolerances are."

How is a risk culture built?

Coaches emphasize there's no "I" in "team" to foster better squad chemistry. But emphasizing the individual is a way banks can encourage their teams to think about how isolated actions reverberate as risk elsewhere in the organization.

At KeyCorp, promoting the "I" in risk management under its chief risk officer, Chuck Hyle, has been elevated to an evangelical mission. In its recent annual report, it declared risk management will become part of "our DNA at all levels of the company."

To that end, Key has regular meetings to train staff on the interrelated risks that run across credit, operations, liquidity and markets. In October alone, it hosted 11 town hall meetings for 2,000 Cleveland-area employees.

As Key suggests, a risk-culture transformation has to start at the top. And communication both from executive suite down, and from staff up, is critical.

Bill Githens, the chief executive of the RMA, says one of the major post-crisis changes at institutions has been creating new reporting channels to funnel key information to boards. Often a risk committee of high-level employees—department heads and managers—must file reports directly to the board.

Bob Rose, the chief credit officer at Brookline Bank in Massachusetts, says CROs are bringing along their quants and IT operations experts to explain quantifiable risk data to directors, or "explain the fundamentals of a CDO."

In some cases, boards themselves also need to be strengthened, either with new members or more education to ensure they ask the right questions. "There are a lot of discussions around whether boards have the right—or sufficient—risk expertise," says Githens.

A stronger risk culture is a preoccupation for large and small banks alike. Last year Fred Gennari, a former Citigroup auditor working at Paragon Commercial Bank in Raleigh, N.C., suggested forming a risk management committee to Michael Story, its chief operating officer. It didn't seem pressing enough for a $1.3 billion-asset bank, with no securities, derivatives, insurance or bond desks to worry about, Story says.

But Gennari, who headed quality assurance of audits at Citi, convinced Paragon executives there were still risks to monitor in the day-to-day business: asset quality, interest-rate management, even reputation and security issues. "The fact is, we all have these same fundamental risks in our industry," says Story.

There's a common feature among many banks that have survived the financial crisis: humility. These institutions realize that a keen business strategy may have played no more a role in their endurance than the circumstances of fortuitous geography or demographics. "Even banks that are in pretty good shape are really stepping back to assess, 'Were we smart, or just lucky?'" says Konrad Alt, managing director of Promontory Financial Group.

What's holding up enterprise risk management?

After Fifth Third Bancorp in Cincinnati reported a 19 percent drop in net income for the first quarter of 2008, its credit risk team studied hypothetical loss scenarios that it faced for the remainder of that year and 2009. The results were sobering: The $113 billion-asset company would need $3 billion in capital and expense reductions.

It cut dividends, sold more than half its credit-card processing business and issued $1 billion of preferred stock.

Fifth Third's CRO Mary Tuuk says, "It was all done on the basis of our own stress-testing," more than a year before the Treasury Department's own stress-testing exercise that ordered 10 of the nation's 19 largest banks to raise capital. Had it not been so aggressive early on, Fifth Third's required capital infusion would have been $2.6 billion, rather than the $1.1 billion that the government ordered.

Such internal stress-testing is a challenge for many banks because of the poor state of enterprise risk management across the industry, analysts say. In the SAS survey, less than half of respondents were confident they understood the interaction of risk across business lines. And only 39 percent of banks and insurers said they are "effectively" aggregating data for risk management reporting.

This shortcoming undermines not only risk-based strategy, but also the ability to contend with growing external compliance demands. Bank regulators want more details on risk management procedures. The New York Stock Exchange requires listing firms to share risk assessment policies, and Standard & Poor's factors risk management capabilities into its credit ratings. In December, the Securities and Exchange Commission began requiring disclosures on a board's involvement in risk oversight.

All this heightens the pressure to have fresh information at the executive level. Evaluating data from two or three months earlier is a waste of time, KPMG's Twerdock says. "Quite frankly eight to 10 weeks can be a problem" in spotting emerging risk scenarios, he says.

Management support for risk programs also has room for improvement. In a survey from the Society of Actuaries and other groups at the 2010 Enterprise Risk Management Symposium, only 47 percent of the risk experts (at both bank and nonbank organizations) felt that senior leadership was on board with a holistic risk framework. Nearly half didn't think their disclosures to external shareholders convey a real understanding of a company's risks; and more than 40 percent reported negligible or nonexistent involvement in enterprise risk initiatives by their board.

Who leads risk management?

The job of a chief risk officer has come a long way in the last three or four years, says Rose, who had been the CRO at Sovereign Bank before joining Brookline.

Before the crisis, growth trumped risk as a priority. "The pressure to do business over and over again was so huge, that [the risk officer] was a voice that wasn't as respected and followed," he says. "Today, they are being paid attention to."

There are also more of them. Since 2006, the percentage of publicly traded financial institutions with a CRO on the management team has swelled from 40 percent to 71 percent, according to the consulting firm Grant Thornton. The increase coincided with the growth of risk management committees—now at more than one-third of institutions—that report directly to the board and work independently of management and the audit committee, says Bailey Jordan, a business advisory partner at Grant Thornton.

The more senior roles for risk officers and the growing abundance of risk committees are an outgrowth of risk management's complexity and shareholder demand for greater oversight of previously unfettered management ambition. "If I was the chief credit officer, I would welcome this risk committee," says Jordan, because then a single individual is not faced with "taking on the CEO" alone.

Many, like Fifth Third's Tuuk, have the authority to meet with directors independently. This has allowed Tuuk and the credit committee to escape business-line pressure, such as in 2008 when Fifth Third curbed commercial and consumer lending and strengthened underwriting. "It works both ways, and gives the board more direct access into the risk management of the company," says Tuuk.

Regulators are leaning on risk officers more too. Rose notes that regulators, pushed by the Federal Reserve's proposed guidelines on incentive compensation practices, have asked some risk officers to "opine" on the plans at their banks.

Don Borge, a director at the consulting firm LECG, advises banks to make sure risk management responsibility is solely vested in senior officers—and not in the CEO or CRO alone. With CEOs setting the tone for risk culture and reputational protection, risk management is a façade, he says. Even a CRO is just one cog of the business strategy that is the purview of the CEO and senior management.

"Handing off full responsibility for the bank's enterprise risk management is the wrong reason to have a CRO," says Borge (see related op-ed, page 38). "The result is likely to be an expensive compliance bureaucracy that creates a false sense of security."

How can risk be scored?

Superior Bank in Birmingham, Ala., has what it calls its "heat map." Laid out in an Excel spreadsheet, it's a typical four-quadrant graph, where at any given moment the $3 billion-asset bank rates the risk status of its position in areas like operations, legal, compliance, liquidity or interest rates. Any risk factor falling into the top right is treated like a next-shoe-to-drop. "We tell the board, 'This is what should keep you awake at night,'" says Barbara Medley, Superior's CRO.
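The four-quadrant heat map described above can be reduced to a small scoring routine. The following is an added illustration, not Superior Bank's spreadsheet: it assumes two axes, likelihood and impact, each rated 1 (low) to 5 (high), with a rating of 3 or more counting as "high" on either axis. The risk register entries are constructed sample data.

```python
"""Risk heat map scoring (added example; axes, thresholds and register are assumptions)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed rating scale and midpoint; the article does not state the axes.
LOW, HIGH = 1, 5
THRESHOLD = 3


@dataclass(frozen=True)
class Risk:
    name: str
    category: str            # operations, legal, compliance, liquidity, interest rate ...
    likelihood: int          # 1 (remote) .. 5 (almost certain)
    impact: int              # 1 (negligible) .. 5 (severe)
    prior_score: Optional[int] = None   # last period's score, used for the trend column


def validate(risk: Risk) -> None:
    """Reject ratings outside the assumed 1..5 scale."""
    for label, value in (("likelihood", risk.likelihood), ("impact", risk.impact)):
        if not LOW <= value <= HIGH:
            raise ValueError(f"{risk.name}: {label} {value} outside {LOW}..{HIGH}")


def score(risk: Risk) -> int:
    """Simple likelihood x impact score used for ordering within a quadrant."""
    return risk.likelihood * risk.impact


def quadrant(risk: Risk) -> str:
    """Place a risk in one of the four quadrants; top-right is high on both axes."""
    validate(risk)
    high_likelihood = risk.likelihood >= THRESHOLD
    high_impact = risk.impact >= THRESHOLD
    if high_likelihood and high_impact:
        return "top-right"
    if high_impact:
        return "top-left"        # severe but unlikely
    if high_likelihood:
        return "bottom-right"    # likely but limited consequence
    return "bottom-left"


def trend(risk: Risk) -> str:
    """Compare against the prior period so the board sees movement, not just position."""
    if risk.prior_score is None:
        return "new"
    current = score(risk)
    if current > risk.prior_score:
        return "rising"
    if current < risk.prior_score:
        return "falling"
    return "stable"


def heat_map(register: List[Risk]) -> Dict[str, List[str]]:
    """Group the register by quadrant, highest score first within each quadrant."""
    grouped: Dict[str, List[Risk]] = {
        q: [] for q in ("top-right", "top-left", "bottom-right", "bottom-left")
    }
    for risk in register:
        grouped[quadrant(risk)].append(risk)
    return {
        q: [r.name for r in sorted(risks, key=score, reverse=True)]
        for q, risks in grouped.items()
    }


def keep_you_awake(register: List[Risk]) -> List[str]:
    """The top-right quadrant, annotated with trend: the 'next shoe to drop' list."""
    top_right = [r for r in register if quadrant(r) == "top-right"]
    top_right.sort(key=score, reverse=True)
    return [f"{r.name} ({r.category}, score {score(r)}, {trend(r)})" for r in top_right]


# Constructed sample register (not real data from any bank).
SAMPLE_REGISTER = [
    Risk("Out-of-state CRE concentration", "credit", 4, 5, prior_score=16),
    Risk("Rate shock on securities book", "interest rate", 2, 5, prior_score=10),
    Risk("ATM skimming losses", "operations", 4, 2, prior_score=8),
    Risk("Vendor contract lapse", "legal", 1, 2),
    Risk("BSA/AML exam finding", "compliance", 3, 3, prior_score=12),
]

if __name__ == "__main__":
    for q, names in heat_map(SAMPLE_REGISTER).items():
        print(f"{q:13s} {names}")
    print("Keep you awake:", keep_you_awake(SAMPLE_REGISTER))
```

The trend column is the part worth keeping: a quadrant position alone says where a risk sits today, while the comparison to the prior period shows which items are moving toward the top right before they arrive there.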

Not surprisingly, the chief concern of risk officials is managing troubled assets—or those heading that way. Brookline's Rose says that audit and risk committees, stung by surprises like out-of-state commercial real estate developments or derivatives exposure, are more carefully examining investment and lending portfolios and breaking them down by geography and other factors. Rose says hedges and derivatives have to be justified, and all the information needs to be included in a risk appetite framework.

Yet, some bank committees have limited experience at recognizing risk when they see it. That's why Rose, an RMA board member who leads the trade group's enterprise risk management committees, is helping to develop benchmarks for banks to rate their risk exposure.

"There's no reason you couldn't develop an outline of issues and points and rate yourself on how do we stack up," says Rose.

What should dominate any self-examination, of course, is lending. More than ever, banks must mitigate risk in a fast-changing environment where new factors to consider keep coming up—such as well-heeled mortgage customers who choose to strategically default due to underwater home values. This is leading more banks, even small ones, to invest in credit-risk management tools. Instead of just considering a customer's propensity to pay or credit history, banks can use the technology to gauge how external events might affect a loan.

At Investors Community Bank in Manitowoc, Wis., senior credit analyst Scott Schroeter has new Web-based executive analysis software from WebEquity that tracks his primarily agricultural commercial client base. "If milk prices went down $4," Schroeter says, "we could see how that affects our loans, and which loans move from acceptable risk to ones to watch."

What about reputational risk?

Give it up for Goldman Sachs—even its investor relations team has a Babe Ruth-like knack for calling shots. In a securities filing issued months before fraud charges were levied by the SEC, Goldman told shareholders that adverse publicity could be a significant regulatory and legal risk factor for the company this year, a new addition to its usual list of risks.

The prudence turned to prophecy when Goldman shares tumbled 14 percent the day the SEC filed suit, based on allegations of Goldman structuring and marketing risky mortgage-backed securities without disclosing ties to hedge fund kingpin John Paulson. He had helped choose the loans in the securities and made separate investments that would pay off handsomely if the securities tanked—which they did.

Public and Congressional anger over Wall Street's business practices and billion-dollar bonuses had already underscored the "vampire squid" image of Goldman. The outrage helped shape key regulatory proposals this year—and partly inspired the proposal of a financial crisis responsibility fee—that could severely impact the bottom line at all banks.

Was there any way of combating the daily barrage of bad press? Goldman, according to a crisis communications firm, apparently didn't even try. "Unfortunately Goldman Sachs has not, until recently, worked hard at creating goodwill," says Davia Temin, president of Temin & Co. "Main Street, populist legislators, and those who do not know them first-hand have largely been ignored."

In contrast, consider Citigroup, which last fall introduced a marketing campaign to address its role in the financial crisis, economic stabilization, small-business lending and community development. Some of its ads featured CEO Vikram Pandit. "Citi's ad campaign is good. It's saying a lot of the right things and talking person-to-person," says Temin. Though it's difficult to say definitively whether the ads made a difference, there are fewer public diatribes against Citi these days.

It's more than what the CEO says, though, that can speak for an organization. In today's rapid-fire, social media tapestry, an errant email, Tweet, or blog can mean significant public relations damage.

Another risk arises from bank employees engaging online. Banks can be held legally responsible for libel and slander, says Ken Goldstein, the worldwide media liability manager for Chubb. Misappropriation of copyrighted material also can result from inappropriate posts to a bank-sponsored Facebook or Twitter account.

At Chubb, even the simplest 140-word Tweet has to be vetted by legal and public relations departments.
