November 3, 2011
Financial institutions are adapting policies and practices to the “new normal” regulatory environment of: more proscriptive rules, less flexible policies, stressful economics and vulnerable balance sheets. These remedial actions result from a belief that prior practice failed to adequately assess the risks as well as demands from Boards and regulators for a best in class risk management system.
Critical to effective risk management in this environment must be an institutionalized mechanism to: a) identify regulatory-oriented risks, b) assess those risks and their potential impact and, c) manage the impact.
Three types of regulatory – oriented risks are compliance, internal control, and reputation. Addressing each requires in-depth understanding of the Company’s business and an ever-deepening grasp of the evolving regulatory environment. Typically, this means a team oriented approach with Board oversight of risk professionals, key operations and regulatory compliance personnel.
1. Regulatory Compliance Risks. Understanding the precise and ever changing regulatory requirements. The Company has to have personnel familiar with the applicable regulatory burden and monitoring developments in the requirements for their applicability to the business. A mechanism for passing along upcoming regulatory changes and working as a ‘team’ to assess the possible impact of these changes – while they are still in the proposal and not in the effective stage – is critical. These days the regulators are less willing to be creative in their views of new practices than previously. It’s not just how a particular practice hits the specific financial institution but also the regulator’s experience with that practice at other institutions.
A periodic audit of the performance of this function is needed to assure that changes to improve timely and effective effort are made. The institution should establish lines of reporting to smooth the flow of information running two ways – up (from the Team to management) and down (from management to the responsible parties). Throughout, Board oversight is essential.
2. Internal Control Risks. This stems from requirements of the organization’s governing documents and from legal and regulatory requirements impacting the organization, as well as the public and regulatory reporting. Awareness of the landscape of regulations and formal requirements began anew in the “post Enron” era of Sarbanes-Oxley compliance. Post SOX, and, as a direct result of the current financial crisis, we see even more attention being given to the roles of the Board and Management, their responsibilities to: their shareholders, customers, the public and, the regulators.
Critical are: the information flow – formal and informal – within the organization, the processes set up to assure timely identification and remediation of issues and, the periodic reporting required. Similarly, ongoing assessment of the qualifications, performance and compensation of management and Board, their attention to their roles – particularly as directors and board committee members – and their oversight of the Company compliance processes feed into this picture.
3. Reputation Risks. Financial institutions have become increasingly aware of the risk of public policy shifts which can leave the institution on the wrong side of an issue the institution thought was well settled. The current economic crisis and the regulators’ response to its perceived causes give eloquent examples of abrupt shifts dislocating ongoing business practices and fomenting public ire over an institution’s conduct. With the benefit of hindsight, the policy makers view a practice from the perspective of its aftermath and conclude that practices that led to an undesirable result should never have occurred in the first place, despite the universality of those practices and, the intervention of seriously adverse economic events distorting the outcomes.
The economic crisis points toward a new paradigm in which financial institutions are embroiled in public criticism and even litigation – official and private – challenging long held business practices. This requires deft handling by the institution facing these challenges. A team of legal, operational, compliance, public relations (shareholder relations as well) and liaison with management and Board are essential to manage the reputational aspects of such situation. Reputation risk is a central theme for regulatory focus. How the institution manages such risks – which directly impact business and revenues – is a line of inquiry in which regulators have a great deal of interest.
The possibility that a given institution needs to outsource some of these responsibilities, in whole or in part, is usual and expected. Personalization of the risk management process to fit the specific institution is critical. Of course, the regulators have check lists of what works for them and what they might expect to see. So, major departures from those norms will have to be justified as part of the examination process and as part of the crisis review, in the immediate aftermath of a problem.