While new risks, compliance woes and challenges emerged in 2013, we look to 2014 as a defining year for banks to innovate, differentiate, grow and thrive. Here are a few predictions that we believe will shape banks' risk management programs in 2014:
It is a tough road ahead for previously unregulated entities. The regulatory environment created by regulations such as Basel III and the staggered enactment of Dodd-Frank rules means that many financial services organizations will continue to struggle with compliance in the days, months and year ahead. Under Dodd-Frank, previously unregulated entities and financial institutions, such as options clearing houses, private capital firms and hedge funds, are now evaluated for safety and soundness. These kinds of organizations are new to this level of regulatory scrutiny and oversight, and therefore will need to implement even stronger compliance and operational risk management programs.
More banks will align information technology risk with enterprise risk management. Today's IT risk programs typically provide layered security through firewalls, antivirus programs, vulnerability management, patch management, data loss prevention programs and penetration testing programs. Although important, these programs reflect a more defensive posture, and don't necessarily keep pace with, or stay ahead of, the risks at hand.
In fact, these programs often result in thousands of alerts per month, the majority of which end up being benign, and the IT risk team has to spend a significant amount of time just to clear them. When it comes to IT security, the best defense is a good offense. In 2014, we will see IT risk programs continue to evolve, supplemented with more robust risk-based threat identification programs. This will be done by further aligning and integrating IT risk functions with enterprise risk management. A good way to achieve this is to combine traditional IT risk activities with well-established proactive risk processes such as stress testing, risk assessment, scenario analysis and tabletop exercises with management.
Banks will place a heightened importance on establishing their governance, risk and compliance vision. Banks today are at various stages of maturity with regard to their governance, risk and compliance programs. Some are still struggling with silos of unmanaged information and thousands of spreadsheets and documents. Others have gradually started moving toward an integrated, top-down approach, aligned with their business strategy. Yet in most organizations, the onus of these programs still rests with a few entities, primarily those leading assurance, risk and compliance functions, that must ensure risks are being managed effectively and regulations are complied with. In light of emerging risks and new complex regulations, including the most recent Federal Reserve requirements around risk-based audits and control monitoring, a smartly architected and integrated governance, risk, and compliance program will become critical as we head into 2014.
Governance, risk, and compliance data architecture will emerge as a core competency. The vision for a mature governance, risk, and compliance program can only truly be brought to life by engaging the right key stakeholders from across the organization, each bringing different perspectives, best practices and skill sets. One skill set that is emerging as critical is that of the governance, risk and compliance data architect. Creating a smartly architected risk infrastructure requires people who are highly collaborative, analytical, technical and systems-oriented, which is a rare find in today's market.
Meeting all of today's regulatory expectations around enterprise risk management will increasingly require the integration of risk information from across the business, and the ability to link this information to metrics, policies, regulations and losses. In 2014, banks will need to become smarter and more strategic when it comes to their employee recruitment and employee cultivation.
Frank Santora is first vice president and head of the operational risk management group at Hudson City Savings Bank. Susan Palm is vice president of industry solutions for MetricStream, a provider of enterprisewide governance, risk, compliance and quality management solutions.