The year of 2014 was a transformative one for risk and regulations in the banking sector. In the past 12 months alone, the industry has faced increased pressure, scrutiny and fines from regulators, along with emerging risks that challenge nearly every facet of governance, risk management and compliance programs. Then there are the harsh realities of cybercrime and losses in shareholder value, and banks' increasing awareness of the need to cultivate and foster risk-aware corporate cultures.
As the industry looks to dust off past missteps and pivot in a more positive and productive direction, the following lessons from 2014 will no doubt shape the way banks adjust, expand and in some cases reimagine risk management programs in 2015.
Regulators have tightened their grip on Wall Street. The past year brought a slew of negative headlines revealing that many of our nation's largest financial institutions have failed to understand their overall risk exposure, including third-party risks and anti-money-laundering and Bank Secrecy Act risks. Moreover, many banks demonstrated that they lack adequate capital reserves, contingency plans and execution strategies, especially in times of crisis. As a result, regulators have exacted more prescriptive requirements and penalties on the banks they govern.
In just the past several months, standards and enforcement evolved in a variety of ways, and banks are struggling to keep pace. For example, regulators are issuing "matters requiring attention" at an alarming rate, with a corresponding increase noted in "matters requiring immediate attention." These consent orders reflect a shift from a consultative regulatory environment to a legally binding regulatory environment. It is fair to say that the regulators don't trust financial institutions to make appropriate changes without these orders in place.
Consumer lending has also witnessed a regulatory transformation, with the Consumer Financial Protection Bureau expanding its reach to include everything from student loans to auto loans and even telecommunications companies. Lastly, regulators such as the Office of the Comptroller of the Currency have become keen to more closely examine the risk profiles of banks' vendors. Banks are now required to have closer oversight of due diligence, contracting and governance in order to better identify, assess and mitigate risks in vendor relationships.
Emerging risks caught banks off guard. In 2014, we witnessed a completely new breed of risk factors that infiltrated the banking industry and exposed vulnerabilities in ways that many people could not have imagined (nor planned for).
First and foremost, cybersecurity, arguably one of the biggest headlines from 2014, has quickly escalated from an IT issue to a top priority for boards and executives. But while the recent Sony data breach has moved the conversation about cybersecurity from the board room to the State Department, cyber risks are not represented as operational risks in regulators' stress test scenarios for 2015. While the 2015 scenarios address global financial risk, one could argue that the global risk environment extends to threats beyond the financial sector.
The litany of data breaches over the past 12 months demonstrates that data breaches are no longer a probability, but a certainty. Not only is financial data at risk, so are Americans' personally identifiable information, social security numbers, healthcare data and even human resources records. The problem has been made worse by companies' failure to fully invest in the technology, people and processes necessary to identify, manage and mitigate critical security threats. Banks in particular are guilty of this.
But cybersecurity is not the only emerging risk requiring banks to adapt their risk management initiatives. Social media has amplified the voice of the customer, the employee and even the shareholder. With this development, risks related to reputation, data privacy, defamation and a long list of others follow. Additionally, innovative technologies and trends such as ApplePay, Bitcoin, the Internet of Things and even delivery drones bring with them uncertainty about the true risks they may pose in the future. Most banks are still in their infancy of both fully understanding these risks and putting the proper controls in place to manage against them.
Risk culture tone should be set at the top. The world's most robust risk management programs, processes and technologies will fail unless bank leaders take responsibility for them. While banks have strengthened their credit programs and are discussing concentration risk, the folks at the top have little operational risk experience and are woefully late in their programs and oversight. The view that the risk manager or enterprise risk management department is solely responsible for identifying, managing and mitigating the organization's risk is outdated and must be updated in banks globally. Every employee in every business line, from the boardroom to the mailroom, needs to feel empowered and committed to managing and escalating risks.
In order to achieve this goal, senior leadership must introduce, practice, encourage and reinforce a culture of awareness and accountability. They must also set sound expectations for an organization's risk appetite, establish a code of ethics and communicate a unified, sound vision for risk management. Then they must measure actual behaviors against those parameters.
In addition, companies must invest in recruiting and developing top risk management talent. This includes offering ongoing professional development and training, recruiting and retaining those with exceptional experience, and incentivizing wanted behaviors via performance reviews and compensation packages/benefits.
Susan Palm is vice president of industry solutions at the risk management and compliance software company MetricStream. She previously served as senior vice president of audit and risk at Sterling Savings Bank and as senior vice president of enterprise governance and risk management at Norwest and Wells Fargo.