Risk Management: Tackling the Silos
Enterprise-Wide Communication Needed
"You really have to communicate broadly throughout the organization," DeMarco says. "Risk-management professionals need to be able to identify and assess risks and communicate those risks to business-line managers up the corporate ladder so that risks are managed across the enterprise."
Conquering a siloed approach to risk management, where credit risk, market risk and operational risk are often separated in an institution, is top-of-mind for risk-management professionals. "We don't want something in a particular silo where it could affect other areas of the bank, but the lack of communication keeps it siloed until there's a real problem," he says in an interview with Information Security Media Group's Eric Chabrow (transcript below).
Peer-sharing for established professionals and training for younger practitioners are steps in improving the communication and efficiency of an institution's risk management process. "Especially in my area in operational risk, you see a lot of people from op-risk come in from internal audit, compliance, credit or just some other function of the bank," he says. "You really have to avail yourself of not just your internal training opportunities, but external training and peer-sharing to really get up to speed on things."
In the interview, DeMarco also addresses:
- Top challenges the risk management profession will face in 2012;
- Skills gaps that need to be filled in the risk-management professional ranks;
- Growing influence of risk-management professionals in the enterprise.
DeMarco also serves as RMA's general counsel. Joining RMA in 2006, he was a partner in the business and finance department of the Philadelphia law firm of Ballard Spahr Andrews & Ingersoll. He also was a partner at another Philadelphia law firm, Mesirov Gelman Jaffe Cramer & Jamieson, where he served as the co-chair of the Corporate Finance Department.
Risk Management Association
ERIC CHABROW: First off, please take a few moments to tell us a bit about the Risk Management Association.
EDWARD DEMARCO: We're approaching our 100th anniversary. The association was founded in 1914. We are unlike many other trade associations that represent financial services firms in that we're member driven. Our sole purpose - and we're limited in scope to what we do - is to advance the use of sound risk principles in the financial services industry. We do this by promoting an enterprise-wide approach to risk management. Risks have typically been housed in silos, whether that's credit risk, market risk, operational risk, and an ERM approach would be looking through the silos and pulling the risks together and reporting them up and down the line in the company, so that you can operate the business in a holistic sense.
We do a bunch of interesting things as a professional association. Obviously we offer training opportunities and conferences, but more importantly, the real work that we do is thought leadership. We do a range of practice studies, and they're important because it allows the bank the opportunity to see if it's conducting risk management practices on a particular issue sort of in the larger herd, or is it an outlier and do you need to adjust your practices or not. What can you learn from what your peers are doing?
Similar to that, we do a lot of peer-sharing events which we call round tables or working groups, and that's basically a collective of similarly situated professionals that talk about current issues and how they're approaching them. You provide a lot of value to membership by having that ability to harness the intellectual capital of the members. As things move very quickly in the industry, it's important to think the issue through, react and react in a way that's advantageous.
2011's Top Challenges
CHABROW: What have been the top challenges for risk management professionals in 2011?
DEMARCO: In a word you could say Dodd-Frank. It's no surprise that the top challenge has been the increased regulatory demands in the wake of the crisis. We went out, we surveyed our members roughly this time last year about what their top challenges were and we did this in anticipation of the sit-down meeting with the OCC's National Risk Committee because they wanted to know what strategic challenges our membership was facing. Uniformly, the members that we surveyed, regardless of bank size, whether the responder was a community bank or somebody from a very large institution, what they all talked about as challenges were operating in an uncertain global economic and regulatory environment.
Everybody understands the volatility of the markets. You look at the situation and it creates an Italy, and that's clear. But what people forget about Dodd-Frank is that the act is really vague. How can something that's 2,300 pages long be vague? Well, it really misses a lot of detail. What really has happened is Congress delegated to the banking agencies and other agencies, and there are a total of 11 regulatory agencies involved in the rule writing, the conduct of studies to decide how an issue should be treated and then rule writing. There are 70 studies that had to be conducted under Dodd-Frank and more than 240 new regulations to be written, so when you look at it from a regulatory scope that's an enormous, enormous amount of work for the regulators to undertake, and continue to manage from a regulatory standpoint through the crisis.
Then there are obviously other day-to-day issues that are top of mind for risk management people: stress testing and revenue-growth issues. There are not a lot of new deals in the pipeline. You see that in the financial and popular press. That lack of deals really contributes to a revisiting of looser underwriting standards because there's so much competition, which means that maintaining credit discipline is a real challenge for risk-management people.
Another thing out there that's sort of the great unknown - you hear it politicized so much - is what's going to be the impact of the Consumer Financial Protection Bureau? Elizabeth Warren was the head of it before it became a full-fledged bureau. We have a nominee that's not going to get voted upon. The process has become politicized. What's going to be the impact of the CFPB on a go-forward basis? I think that's going to continue to be a big issue for banks as we head into 2012.
Dodd-Frank is enormously complex and what it really does from a risk-management standpoint is banks have to take a really comprehensive review of their different business lines. You've got to understand what the cost-and-revenue implications are of Dodd-Frank on the lines. Does the line that was profitable in 2009 or 2010 make sense ... now? You can read the financial press and see where banks have sold business lines to other banks. Some part of that you can attribute strategically to the new economic reality and regulatory environment, where in that business line it didn't make sense for the seller anymore, even though it may have been profitable in the past.
As you look at Dodd-Frank, the real challenge is: how do we roll out changes in the business lines? How are business models going to be impacted? How can we minimize disruption to the business, because there's a very large compliance burden that's placed on the banks as a result of Dodd-Frank? When you look at it, Dodd-Frank applies up and down throughout an institution, and so that requires an enormous training burden. You're not just training a discrete group of people on particular aspects, but you really have to think comprehensively. How do I have to train people for the new regulatory environment that they're going to be operating in?
At the end of the day, when you look at 2011 and the volatility we're in, I don't think it's any great secret but banks have to improve their earnings and their risk-management capacities. They're going to have to adopt risk appetites to drive sustainable, less-volatile results that are capital efficient. You've got to have product lines that you understand and that make sense from how the bank is capitalized and that you can generate a return on investment that's really commensurate with the risk that the institution is willing to take.
Top Trends and Challenges for 2012
CHABROW: Besides Dodd-Frank and the start-up of the Consumer Protection Bureau, what do you see as other top trends or challenges for 2012?
DEMARCO: That's an interesting question. Given where we are at in the calendar year now, probably the top challenges will continue to be dealing with the fallout of the European debt crisis and implementation of Dodd-Frank, but there are other specific things that I think are going to be top-of-mind to risk-management people. One of them is FSOC, the Financial Stability Oversight Council. That and the Office of Financial Research are really designed as data warehouses for reporting and what you've got now is yet another two groups that banks have to report to. You're really talking about enormously complex data requirements that require large expenditures for system development and so forth. Again, regulatory burden associated with FSOC and the Office of Financial Research I think will be important.
Regardless of bank size, earning an appropriate return on investment to attract new capital and remain independent - if you're a smaller bank - is going to be a huge challenge. Developing new strategies or new products to serve customers and offset the revenue growth constraints that we're seeing through Dodd-Frank is going to become important. We saw some of that happen earlier in the fall in certain banks, when asked if they were going to be charging a fee if you used a debit card. That was an example of developing a new strategy to offset slower revenue growth elsewhere in the bank, and you see what the public reaction to that was. Thinking those strategies through, the emphasis here is how do you better serve customers? Not just offsetting revenue, but better serving customers has to be the emphasis and that's a real challenge.
Flowing from that, we've had the crisis starting in 2008. We are at the end of 2011 now. It's not a great secret that the banking industry has taken a reputational hit, and I think it's going to be an important challenge for the industry to understand this and to operate in a way to restore trust in the marketplace, and if you do that you restore the trust. You're going to attract and retain profitable customer relationships, the kinds of relationships that a bank wants to have and is its target market.
From our standpoint at RMA, I think one key lesson learned as a result of the crisis - and it's always going to be a challenge for the banks - is that you constantly have to look at your risk-management practices, make sure that they make sense for your institution, you're your institution in a static way, but as it grows. It may be in a new business line or through acquisitions in the new geographies, new products, etc. Really, does the bank have the kind of robust risk-management practices that will help keep it out of the kind of trouble that the banks saw themselves get into as a result of this current financial crisis?
CHABROW: Where is the skills gap? What areas do risk-management professionals need to develop?
DEMARCO: It's really a two-fold question. First you've got to think about risk management and embedding it in the very fabric of the organization and attracting and retaining qualified risk-management professionals. On the first issue, you can see in banking and other industries that where you develop really disciplined, reliable and comprehensive risk-management systems, and good corporate governance practices, you can really enhance a company's reputation and increase shareholder value. If you think about it for a minute - the goal of the risk-management practitioner - it's not to avoid taking risks, and often you talk about the crisis, well if they didn't take this risk they wouldn't have had this issue. It's not about not taking risks. If a company doesn't take risk, then it won't generate profits.
So instead of prudent risk management, it really means that a firm should be compensated for the risk that it takes, so it's sort of the eyes-wide-open approach. This is something that RMA is really promoting a lot the last couple of years - firms should really develop risk-appetite policy statements at the board level which guides risks taken by the enterprise. Certainly, the financial crisis demonstrated that banks really got into trouble when they offered products or services that they didn't really understand, and not only didn't they understand them, but they didn't have the proper framework in place to really manage the risk coming from those products or services.
At the end of the day, what you're really talking about is the strategic application of risk-management practices. Much like you would want to think strategically from a marketing perspective, you would think strategically from a risk-management perspective. If you develop a sound, clearly articulated risk-appetite statement, it's not the end of the game. You really have to communicate that broadly throughout the organization where it's understood, embraced and really used to manage the business. Then, from purely the individual's point-of-view, risk-management professionals need to be able to identify and assess risks and communicate those risks to business-line managers up the corporate ladder so that risks are managed across the enterprise. We don't want something in a particular silo where it could affect other areas of the bank, but the lack of communication keeps it siloed until there's a real problem. From an individual standpoint, this really requires training for younger practitioners, whether it is credit risk, market risk or operational-risk training.
For more experienced people, it's not so much a question of training really. It's about peer-sharing, learning what somebody in a similar institution is doing to cope with a particular issue. Here at RMA, we offer a full range of training courses, round tables, discussion groups, etc., and if you partake of those it's a way to keep learning outside of your organization what's going on in the industry. Maintaining the self-discipline to manage your career and keeping current if you will on risk-management techniques and issues is really going to help bridge the skills gap. Especially in my area in operational risk, you see a lot of people from op-risk come in from internal audit, compliance, credit, or just some other function of the bank that they rotate into an operational risk, so you really have to avail yourself of not just your internal training opportunities, but external training and peer-sharing to really get up to speed on things.
Gaining Influence within Organizations
CHABROW: As risk management becomes more a focal point in organizations, have risk-management professionals gained more influence within their organizations?
DEMARCO: They have and they can always obtain more influence. The way you do that is really by partnering with the business line. You've got to be able to engage in a dialog with the business-line people about current and anticipated risks. Again, here I'll speak from an operational-risk perspective. If I'm a business-line manager, I'm going to be visited by somebody from internal audit, someone from compliance and someone from op-risk, and a lot of the questions are going to sound kind of the same. I'm going to sit here scratching my head going, "Didn't I just have this conversation with this other guy last week? Why are we having it again now?" You really need the dialog and have a good, fair agenda when you have that conversation so that the business-line person thinks that they're partnering. You really want to talk about risk. That's why you are there.
We just had an operational risk forum in Washington last month and we took an informal poll of the people attending about what are the largest external risks that their banks are facing. We got 34 different risks. It's no secret that the most votes went to regulatory changes, but they were followed by the economy, interest rates, future housing prices and cybersecurity. Some of those are macro-economic; some I'm going to call it risk types, like cybersecurity. If you're a risk manager, you want to have a periodic dialog if you will with your business-line counterpart about risks like these and how they may affect the business on a go-forward basis. And operational risk being about the risks associated with people, processes and external offense, it's important to talk with your business-line counterpart about how these risks would affect you, the product that they're offering, the service that they're providing, etc. Really think it through. Have that dialog on a regular basis, but not just go in there in your hip pocket with sort of generic external risks, but really talk about risks that you're seeing now in the marketplace, that your colleagues at other institutions are seeing or talking about, and really maybe analogize to other industries.
Say you're in Philadelphia, where we're located. Healthcare and pharmaceuticals are really important industries in Philadelphia. What happens if you're a bank that does business in Philadelphia, from a risk standpoint, if those industries take a hit? You've got to think that kind of thing through constantly. Evolve your thinking from a risk standpoint.
The other thing that risk managers have to do is they really need to be able to engage senior management and the board on these current and emerging issues. But there are so many of them if you really think about it that you can't overwhelm the board with details because they get bogged down. At the end of the day, you've got to communicate in a clear, concise fashion with the board and make things easily understood and easy to operationalize, or for them to make decisions upon. I think if you do that, risk management will become more of a focal point. Its stature in the organization will be elevated, and it won't be viewed as a "compliance function," but it will be really viewed as something that drives demonstrable value for the organization.