What Banks Learned About Risk Management in 2013

2013 was marked by unprecedented regulatory scrutiny, the rising importance of reputation, market volatility, greater demands from stakeholders, diverse vendor and third-party ecosystems, and new risks posed by mobility, big data and social media. For banks of all sizes, the challenge of building a strong risk management program and Governance, Risk and Compliance-focused culture remains daunting. Here are some key takeaways in the area of risk management that banks should be cognizant of as we move into 2014:

Compliance is a top growing expense. 2013 saw the enactment and enforcement of legislation aimed at protecting the consumer and promoting financial stability. The implications for consumer protection under Dodd-Frank are far-reaching, and financial services companies need to think defensively. Under Basel III, community and midsized banks in particular face new and changing requirements around stress testing. This is a costly challenge, which also ties up bank resources, hinders the bank's ability to make good customer loans and impacts the bank's ability to partner in community development activities.

To best leverage their resources, community and midsized banks should focus on centralizing and bringing consistency to their compliance efforts, leveraging compliance content from leading experts, streamlining and consolidating common risk activities, and aligning their compliance programs with broader enterprise risk management efforts.

Cybersecurity is everyone's problem. No doubt cybercrime has emerged as a top concern and a systemic threat to the financial services industry, reinforced by insight shared throughout the year by the Office of the Comptroller of the Currency and senior officials from the Federal Reserve and Federal Bureau of Investigation. In 2013, we witnessed several denial-of-service attacks, account takeovers and incidents of identity theft against large multinational, community and midsized banks alike, proving that no one is immune.

Adding to the complexity, the attackers themselves have become more sophisticated, with varying motives, ranging from individuals, to organized crime groups, to state-sponsored organizations with a wealth of resources at their disposal. In response, the financial services industry will need to build out stronger programs to combat cybersecurity risk and enhance their overall level of threat intelligence. This will require greater collaboration and stronger relationships within the industry, local law enforcement, the FBI and their prudential regulator. Information and best-practice-sharing will be critical, as budgets and resources for cybercrime differ drastically across organizations.

Banks need better talent management. Amidst increasing risks and compliance complexity, it became clear in 2013 that there just aren't enough people with the right skills to do what needs to be done. The work of the Human Resources department is more critical than ever, and banks need to get smart about their talent management programs. Rather than hire and train new staff, the focus should be on employee retention, training and professional development opportunities.

Additionally, creating centralized knowledge repositories that contain the collective wisdom of the crowd will help ensure that critical knowledge doesn't ever just rest with a handful of people. Organizations should depend on systems to retain and retrieve critical information in real time, not on individuals.

The regulatory bar for enterprise risk management has increased. Over the last year, the regulatory community has significantly increased its knowledge base and expectations around Enterprise Risk Management programs across the banking sector, including midsized and community banks. The Annual Risk Assessment – which, once completed, was put away and then revisited on its next birthday – is no longer considered sufficient risk management, and rightfully so.

Today, there are expectations around establishing baseline assessments, where each risk is mapped to a number of indicators. Risk managers are expected to be able to communicate how the assessment results change as the indicators change over the course of the year. Demonstrating how assessment changes impact the limit structure, risk appetite statements and capital allocation is key. When considering a new business, the potential impact and outcome need to be considered using the same process. In 2013, we saw just how important it is that these activities are quickly, easily and accurately linked so that management can make sound business decisions.

Frank Santora is first vice president and head of the Operational Risk Management Group at Hudson City Savings Bank. Susan Palm is vice president of Industry Solutions for MetricStream, a provider of Enterprise-Wide Governance, Risk, Compliance and Quality Management solutions.


