The goal of banks is to create financial stability and profit while building strong relationships with customers, employees and the community. What’s standing between your bank and that goal? Asking that question is the first step to finding out.
Banks measure performance in financial terms: they compare loan rates, customer growth and other key performance indicators (KPIs). But looking at performance in this way only shows how things are going, not why they are going that way or how performance could change in the coming weeks, months or years.
Understanding the “why” requires deeper analysis — an analysis that comes from enterprise risk management, or ERM. ERM is a system for managing risk holistically throughout a financial institution to create value. It’s about identifying, assessing, measuring, monitoring, mitigating and communicating risk — and using that information to build a stronger, more resilient institution.
Why should bank boards care about ERM?
1. Compliance Management. Compliance management is a huge concern for any bank. From federal and state consumer protection and privacy regulations to Bank Secrecy Act/anti-money laundering (BSA/AML) regulation, the number of regulations and the speed of regulatory change can be overwhelming.
Not only can non-compliance hurt individual consumers, it can damage a bank’s ability to offer the best-possible pricing, products and services. Failing to comply can result in costly enforcement actions, fines and lawsuits. It can also lead to limitations on growth.
Banks need to have a strong compliance management system, or CMS. This allows them to identify, measure, monitor and mitigate compliance risk. A CMS can also help banks respond more efficiently to regulatory changes by ensuring they implement changes while minimizing the cost of compliance.
2. Vendor Management. Third-party partners, including vendors, fintech partners and consultants, can easily increase the potential risk to a bank or its customers. Data breaches can expose customer data. Outages can prevent customers from accessing the products and services they need. Mistakes can result in compliance violations and consumer harm. Automatic contract renewals can cause the bank to sign long-term contracts with unfavorable pricing.
Managing third-party risk requires a good vendor management program. It’s not just a regulatory requirement; it’s also a best practice. Not only can vendor management help a bank secure lower pricing, this required due diligence and monitoring helps banks identify vendor partners that could help the bank grow and thrive.
3. Findings Management. A bank needs to correct identified problems quickly. But it can be easy to lose track of these problems — whether they are self-identified, examiner or audit findings — with the demands of day-to-day responsibilities.
Every bank should have a findings management program that logs every finding, assigns it to someone responsible for remediation and tracks its remediation. This creates accountability that ensures that no finding is overlooked, whether it’s a consumer complaint, a weakness in a control, a vendor issue or a compliance violation.
Risk Performance Management for High-Performing Banks
Each of these three areas of ERM has the potential to hurt or enhance a bank’s performance. Done well, they can better control costs, strengthen the bank’s resilience and more quickly achieve the board’s strategic goals. One of the most effective ways for a bank to gauge its risk and performance is by leveraging expert solutions that provide the frameworks, tools and knowledge that executives and the board need to maximize the efficiency of the process. These solutions can also serve as an educational primer, showing banks what needs to be done and the best ways to do it efficiently, so the bank can follow a clear, well-informed path forward.
These solutions also make it easy to understand where the threats and opportunities are for an institution. This is especially important as banks try to keep pace with evolving technology and consumer expectations. Having the right risk management tools in place directs the executives and employees to quickly ask the right questions when evaluating new technologies, partners and strategies, and understand what those answers mean.
Whether it’s knowing how regulations impact a new product or service, or assessing the maturity of a vendor’s cybersecurity controls, good risk management means having more information sooner to make better decisions — and that leads to better performance.