approaching internal limits), senior management
could easily correlate poor employee satisfaction to poor work performance. By viewing this
information collectively, management can get to
the root of the problem—the subculture of the
affected branch—and actually fix the problem
and not just the symptom. The Bank can then
take action to resolve the root cause by evaluating what is driving low morale in branch staff, in
hopes of improving performance and preventing
potential compliance violations.
A qualified, trained Board
member is a Board member on
The traditional method of evoking shock and awe
in your Board members with materials detailing
staggering regulatory fines and penalties recently
levied on institutions is a bit tired. They say
things like, “We are risk-adverse. That will never
happen to us.” But, does the Board truly understand their bank’s holistic risk position enough to
make that argument or is that statement based on
the fact they approved a recent request for automation within one specific area of compliance?
Are they intimately aware of the institution’s
potential cybersecurity exposures? Do they understand the risk associated with heavy reliance
on vendors? Are they aware of the controls and
governance implemented around the use of said
automation? These factors are among many that
are overlooked by the Board when considering
whether or not an institution needs additional
funding to appropriately mitigate risk.
Bankers must arm their Board members with
rich and meaningful data that shows an aggregated risk portrait across the institution in order
to paint a holistic and realistic risk picture. Banks
must have systems that can aggregate risks across
various business lines and regions depending on
the complexity of the organization. Implementing systems and data engines capable of aggregating across all risk categories exposes potential
weaknesses and risk exposures. Consolidated
reporting results in an informed, well-trained
Board that is armed with the kind of information
needed to make solid risk management decisions.
Even more important than arming your Board with accurate,
complete and timely information is ensuring
qualified individuals fill your Board seats. Consider
guaranteeing that one seat at the table is
occupied by someone with risk talent. When a
bank recruits for personnel, risk talent should
be a hot-ticket qualification. The same should
be true when filling vacated Board seats. The
Board should have an understanding of risk
governance and what it takes to successfully
mitigate risks. This helps senior management,
including compliance and risk leaders, gain
traction on their case for adequate funding.
Board members that understand their institution’s
risk-taking activities will want to
manage those risks in whatever way feasible.
The bank’s risk appetite should be top-of-mind
for every Board member, and that risk appetite
should factor into every decision made. It is a
scary regulatory environment out there, folks.
Decision makers that clearly understand current
industry and regulatory pressures will stop at
nothing to protect the bank as well as themselves
from ultimate liability.
Getting where you need to be.
Ultimately, managing regulatory risks does not
have to break the bank (literally). An institution’s risk management program should be
commensurate with its size, risk profile, and
complexity. That is true for both the framework
and the price tag. Resources come in a variety
of shapes and sizes. It is important to find the
ones that scale to the institution and its budget.
A bank’s risk governance framework should
evolve in sophistication commensurate with
asset growth, complexity and risk. Therefore, a
risk framework developed two years ago may no
longer be adequate to mitigate the risks present
in the bank’s current profile. However, internal
self-assessments and gap analyses can help you
get where you need to be. To save money, these
can be facilitated internally by an independent
party. Conversely, banks could engage a third
party to facilitate one or all of these activities.
Self-assessments can be facilitated to identify holes in the risk governance framework, a
failing risk culture, or areas where controls fall
short. These can be facilitated via anonymous
surveys, one-on-one interviews with personnel
or peer evaluation exercises.
Arguably one of the cheapest components of
the risk governance framework is also the most
valuable—the risk culture. Measurement of employee engagement is crucial for culture and conduct risk. A job satisfaction survey is a quick and
cost-effective way to see where the institution’s
culture currently stands. Free text sections within
a survey provide a safe place for whistleblowing.
Individual employees often feel safe in anonymous
formats to identify areas where there are
gaps in controls, or actions of their peers or superiors
that deviate from the bank’s risk appetite.
Gap analysis exercises are equally valuable.
These exercises help identify how to get from
where a bank is today to where it needs to be.
Analyses can be conducted around data, systems,
skills, or expertise. A gap analysis around systems
takes inventory of all systems used to mitigate
risk. The complete inventory is then analyzed to
determine how effectively the systems integrate
and work together in the bank’s current environment.
From there, a bank can create a roadmap
designing how systems can be enhanced and integrated
to achieve Utopia, which is consolidated
reporting across all business lines. However, can
an institution simply add a dashboard to bring
various systems together, or do they need to do a
complete overhaul of the baseline systems before
implementing a dashboard? The outcomes of
these exercises should be communicated to the
Board so they are able to thoughtfully allocate
resources with a mature risk governance framework
as the end goal.
Funding continues to be an uphill battle as business lines struggle to get adequate resources to
keep up with increasing regulatory expectations.
While risk management activities are not cheap,
they do not have to break the bank. The risk
governance framework needs to be poised to appropriately mitigate all risks—including compliance risks. Lobbying for systems that allow for a
holistic risk picture across all business lines will
allow for an elite risk governance framework
and ultimately lead to regulatory success.
ABOUT THE AUTHOR
JESSICA CABALLERO, CRCM is a
senior manager of strategy and
engagement for Abrigo. Abrigo
provides market-leading compliance,
credit risk, and lending solutions to
community financial institutions to enable them to
think bigger, allowing them to both manage risk
and drive growth. As a former OCC Examiner,
Jessica was responsible for examining all functional
areas including asset quality, consumer
compliance, capital markets, and information
technology for financial institutions of varying risk
profiles and asset sizes. Jessica’s role now focuses
on providing education to bankers and nationwide
training on risk management topics. Reach her at