How banks can transform through strategic risk management

Gayle Woodbury, Ryan C. Luttenton, Clayton J. Mitchell
How banks can transform through strategic risk management

Three strategic risk management scenarios offer three paths toward the same goal.

Risk management professionals and compliance leaders know all too well that “perfect” doesn’t exist when it comes to strategic risk management. But what does an effective program look like?

Ideally, both first and second lines are on the same page in terms of strategic risk management – simpatico. The first line knows where the organization’s risks lie, who’s managing risk, and who to talk to when a problem comes up. The second-line risk and compliance team doesn’t spend too much time managing risk; instead, they provide oversight while helping the first line understand and manage risk.

With this highly proactive approach to risk management, the first line can react fast and execute bold business strategies knowing they’ve got a qualified and prepared second-line team ready to triage and mitigate risk right away.

For most banking risk leaders, the reality of their risk management and organizational strategy probably looks less like the ideal and more like one of the following three scenarios. Read on and see which story resembles your experiences, past or present.

Your bank can’t afford not to take risks. Let Crowe specialists help you find, manage, and mitigate them.

Story 1: Edward needs more risk management resources – and a life preserver.

Edward needs more risk management resources – and a life preserver.

Edward works as the chief risk officer for a large regional bank. With a recent shift in strategic initiatives, the bank’s environment has grown more dynamic and complex. These initiatives marked a big change in terms of how the bank aims to conduct business.

With this shift in strategy, new risks have emerged, and those new risks keep demanding more of Edward’s time – but that extra time doesn’t exist. The risk management to-do list keeps growing and growing, but resources and talent haven’t expanded to match.

Acquiring available talent is a constant struggle for Edward. Very few individuals have the niche enterprise risk management skill set and experience to fill the roles that Edward needs most. Consequently, Edward takes on responsibility for doing everything, all at once, all the time – and that’s certainly unsustainable.

Sometimes, Edward is simply too busy putting out fires and managing too many disparate risk disciplines to focus deeply on any area of risk. He knows that he could get some traction if only he had more resources.

Story 2: Jeanine’s big risk management budget hasn’t translated to focus and strategy.

Jeanine’s big risk management budget hasn’t translated to focus and strategy.

Jeanine works as the chief compliance officer at a larger bank, and a lack of resources is one problem she doesn’t struggle with. Jeanine’s position is more manageable than Edward’s in a lot of ways, but she has her own challenges to tackle.

A few years ago, Jeanine’s bank received a notice of regulatory enforcement action. In the wake of that challenge, the direction from the top was clear: Open the checkbook for risk management and spend whatever it takes to get the bank into compliance and in good standing from a regulatory perspective.

Now, Jeanine’s team has plenty of people – so many, in fact, that it’s hard for Jeanine to remember who’s who and who does what. The lines of communication constantly feel jumbled. The entire risk management framework was dashed together to solve a pressing regulatory problem. But with that task in the rearview, what’s next?

The first line feels like it’s stuck in a maze of risk management processes. Without an ability to see through the inner workings, first-line team members don’t have a solid sense of where risk is lurking in the organization. At the same time, stakeholders are evaluating the organization’s big risk management budget, and they wonder what value they’re getting.

Despite all the resources at her disposal, Jeanine is concerned that the dots aren’t connecting. She’s not sure how she can untangle the complicated knot of her enterprise risk management program, and sometimes she wonders if she should just strip it back and rebuild it in a way that makes sense.

Story 3: Pierre’s risk teams do it all, leaving the business team uninvolved and uninvested.

Pierre’s risk teams do it all, leaving the business team uninvolved and uninvested.

Meanwhile, Pierre is a chief risk officer whose life is less stressful than either Jeanine’s or Edward’s. As a relatively young startup banking organization with a lot of fintech partnerships, Pierre’s bank decided early on that it wanted to focus on a highly efficient approach to strategic risk management.

An experienced chief risk officer, Pierre had seen the pitfalls at other organizations, and he worked hard to design a risk management approach that was right-sized for his bank’s needs and complexity. That strategic approach led to a second-line team that is organized, honed, and efficient – but Pierre isn’t sure that the efficiency always translates to effectiveness.

The problem: Pierre’s second-line team has taken on all the risk management activities for the business, and the first line barely thinks about risk and compliance. When a new opportunity comes up, the business area of the organization doesn’t know how to think about or quantify risk. Without constant input from the risk management team, the first line is afraid to move.

The disconnect works both ways. Pierre’s team spends all its time on risk management activities, leaving team members unable to think about and engage with the organization’s overall strategy. Even with a relatively smooth relationship between business and risk management teams, the gaps of knowledge, language, and focus between the first and second lines at Pierre’s organization are as wide as ever.

Stakeholders at the business see this problem, and they want Pierre’s help solving it. They’re willing to invest more in risk management, but that’s not the real issue.

The question that Pierre must answer is the same one that can help Jeanine and Edward solve their tough risk management challenges: How can we implement more strategic risk management activities that will inform our first-line professionals and help the business grow?

Embedding risk management in the first line can help solve a wide range of challenges.

Embedding risk management in the first line can help solve a wide range of challenges.

The risk management approach at each of these fictional banks is held back by fundamental problems. And though Jeanine, Edward, and Pierre have unique challenges and different ways to address them, their goal is the same: a new approach to strategic risk management that shifts the responsibility for managing risk to the first line.

As strange as it might sound, second-line risk and compliance teams at organizations with the most effective, agile risk management programs don’t spend too much time managing risk.

Instead, these second-line teams empower the organization’s business teams to understand and manage risk. With the first line driving risk management activities, the second line can provide the governance, feedback, and oversight that supports those first-line controls and activities and helps them run smoothly and evolve to address new risks.

Organizations that want to practice truly proactive, collaborative, and strategic risk management need their organizational stakeholders and risk management leaders to ask questions such as:

  • What products and services does our business depend on?
  • How do we deliver those products and services?
  • What day-to-day activities do our first-line professionals engage in?
  • Where does the risk lie in our first line? Within the range of our products, services, delivery methods, and activities, what could go wrong and how?
  • Which of the first line’s current day-to-day activities function as controls that address specific risks?
  • How can we talk about risk management in a way that makes sense to our first-line teams and frames risk management activities in terms of products, services, and business activities?

Imagine if your organization’s risk and compliance activities didn’t feel like risk and compliance.

With a strategic, business-embedded approach to risk management, risk and compliance activities become a natural byproduct of the business processes that support the organization’s bottom line. And bridging the gaps in your risk management program becomes a process of conversation and collaboration instead of a never-ending quest to expand or justify risk and compliance spending.

Crowe specialists can help you rethink risk management.

It can take a long time to overhaul your organization’s enterprise risk management framework and weave strategic risk management into first-line activities. But the only way to reach the destination is to build a road map and start taking steps.

Understand your influences to find sustainability.  

Financial services companies looking for up-to-date information to make decisions are on the right track, but how can they effectively gather data? Organizations must know what contributes to their risk appetites and what influences will move the needle.

Download our guide to understand how to identify triggers, measure data, and apply insights for better business decisions.

Download the guide

Ready to generate more business value from risk and compliance activities?
Let’s talk.

Crowe banking risk management and enterprise risk management specialists have the deep skillset, resources, knowledge, and perspective to help your organization build a fundamentally different and more holistic approach to risk management.

Contact us and let’s get the conversation started today.

Gayle Woodbury
Gayle Woodbury
Principal, Financial Services Consulting
Ryan Luttenton
Ryan C. Luttenton
Partner, Financial Services Consulting
Clayton J. Mitchell
Clayton J. Mitchell
Managing Principal, Fintech

The names, businesses, situations, events, and incidents are the creations of the author's imagination and are being presented for demonstration purposes only. Any resemblance to actual companies, persons, living or dead, or actual events is purely coincidental.