Integrated Risk Management in the Banking Industry
Integrated risk management requires a highly disciplined approach to identifying and mitigating the risks inherent in managing a large complex organization. Perhaps nowhere is this more evident than in financial services.
Through its many product offerings and operating divisions, banking tends to be a highly matrixed but also siloed organization. For example, consider, just at face value, the differences between a large bank’s wealth management division and its credit card operation: two very different customer bases, different regulations and terminology, and thus disparate types of risk facing them.
In the IRM approach, one looks across the organization top to bottom and considers all of the risks in the business and, more importantly, the interplay between those risks. Think of it this way: step on a semi-filled balloon and you shift the oxygen or helium inside, perhaps transferring some of it to a different part of the balloon, but you have changed the overall structure. The same is true of risk: pushing on risk practices in one place may very well blow up the risk in another place. Changes in credit risk undoubtedly will influence operating and transaction risk and perhaps even financial risk, so the relationship among those risks must be carefully considered, rather than making decisions in a silo.
Of course, underpinning all of this is the crucial role each member of management plays and the communication among those managers, whether formally at a risk or audit committee type of meeting or in the day-to-day interactions. One particular area that has benefited from an IRM approach is the role of the chief information security officer – no longer can issues related to cybersecurity or business continuity be considered as a once-a-year exercise or some esoteric discipline; the CISO has a firmly established place at the table and needs to communicate and be responsive to concerns.
In managing risk at a financial institution, particular care should be given to documenting and evidencing, in real work products, the effectiveness of the IRM program. Whether it’s through reports provided to management or clear minutes of meetings showing discussion of and direction given on emerging risks, there must be appropriate attention paid to the clarity and depth of the information provided. In examinations, whether by internal audit or external regulators, explaining the risk methodology in unambiguous terms is important – a little education can go a long way towards evidencing a fully integrated and effective risk discipline.
IRM is the latest evolution toward full-fledged management of risk throughout the organization and requires true understanding and expertise, rather than relying on a dashboard and reporting system.