Risk Management in Banking: How to Prevent Another Crisis

Risk management has played a critical role in banking crises that have made headlines. As new lessons from the recent banking panic emerge, financial institutions can take actions now to strengthen resiliency to lessen the occurrence of another financial contagion.  

Key takeaways

• Swift macroeconomic shifts may require risk managers to adjust how frequently they update their risk assessments and how far they look ahead

• Broader cultural changes, including the rise of mobile phones, social media, or even remote work, should influence how teams assess risk in banking

• Technology has changed the face of risk, but the right technology can enhance risk managers’ abilities to analyze, assess, and monitor risk as well as document and share their recommendations across an organization

• Full disclosures of risks and financial health are not enough to protect a financial institution if no one acts upon them

Banks need longer sight lines 

A key catalyst of the banking sector’s turbulence was short-sighted risk assessments and management of those risks. It’s easy to forecast threats that could transpire minutes from now, but planning for them over a multi-year period is more challenging. However, assessing and managing risks with extended horizons tend to foster more risk-conscious practices, which brace and sustain controls processes, reinforcements, and incentives. Otherwise, organizations that don’t adequately fortify themselves are more susceptible to get whipsawed by the market. A best-in-class scenario would be for the funding and liquidity, capital planning, and risk management teams to forecast on a basis of two, three, or five years ahead, factoring in key macroeconomic indicators such as interest rate risk, among others. 

Even so, planning with these long views is difficult because banks operate in a dynamic environment of evolving risks, which fluctuate in tandem with a shifting economy. A couple of years ago in a lower interest rate environment, the scare of interest rate risk retreated. Now, in an economy of swelling interest rates, interest rate and liquidity risks have unexpectedly become foreground concerns because banks haven’t adequately hedged against sagging market values of their held-to-maturity securities.  

The digital era in general is a new risk that should be factored in simultaneously, as mobile communications and banking accelerated flight risk from uninsured deposits at Silicon Valley Bank (SVB) and Signature Bank. With so much enforced transparency in the market, the banks were required to promptly issue disclosures. After they issued them, depositors withdrew funds at digital speed, sapping the banks faster than their historical responses to a run. However, if banks had heightened visibility into and control of their data and planned accordingly, they could better know when and where risks could occur to more deftly respond to a crisis. 

As proposals to new regulations increase in response, the role of compliance, management, capital planning, and liquidity functions will become much more critical. Banks are required to follow hundreds of regulations, but some can fall short in operationalizing best practices through alignment of controls processes, IT systems, and personnel management. If they’re disordered, errors could result, potentially leading to stiff regulatory fines that cast a long shadow in the marketplace. 

Overlooked risk bubbles up in unexpected places

Not only do compliance, management, capital planning, and liquidity functions need to operate in unison, but also the three lines of defense. Big banks often employ thousands of employees to work in risk specialization areas and coordinate with peers in operations. But if threats aren’t monitored holistically—regardless of a bank’s size—then impairment from one neglected risk control could destabilize other controls. 

The first line of defense frequently interfaces with regulators, who tend to focus their attention on causes of the most recent crisis or regulation, which can negatively impact banks’ abilities to control risks collectively. For example, they’ve zeroed in on credit risk management in banks since the global financial crisis of the late aughts, so organizations have reacted by doubling down on monitoring this vulnerability. However, over indexing on one type of risk results in under emphasizing others, causing them to resurface unpredictably in various areas, like squeezing a balloon. Thus, the second line’s broader, technical expertise is essential to rein in these threats. The third line should always operate as the contrarian that constantly identifies uncertainties. 

Together, the three lines lose their resiliency from a shortfall in talent, time, resources to address complex processes, and data. Sometimes banks lack the right talent to identify and bridge controls and think outside the box by using technology that can aid in their work. Time is limited because teams are racing to finalize month end close reporting, which takes days with outdated workflows. While buried in paper-bound work and without access to timely, accurate, and complete data, banks struggle to build in robust controls. 

Banking risk management software closes risk gaps because teams can access centralized data and collaborate in real time without the hassle of running multiple applications at once. It also provides a broad vantage into where risks exist and their probability of occurrence and impact on others. With this dashboard capability, management can identify systemic and isolated problems and take corrective actions.

Multiple systems invite vulnerabilities 

Monitoring risks with fragmented IT systems also weakens controls and exposes threats. As the Globally Systemically Important Banks (G-SIBs) grew through organic growth and acquisitions of other banks, they absorbed each firm’s infrastructures and databases. Using the SVB and First Citizens Bank merger as an example, if SVB’s architectures and platforms aren’t interoperable with First Citizens Bank's and teams from both business units can’t access and synthesize data fluidly, then something may fall through the cracks. 

The same vulnerabilities arise from data silos within various risk areas. One contingent may use a fit-for-purpose tool that’s customized to its needs, while another group may use a separate platform. In particular, an acquired bank may prefer a specific solution for credit risk, but it may not align with what the parent bank uses for liquidity risk. And forcing teams to adopt various technologies at once could cause change management resistance, further reversing proper risk oversight. 

Tone comes from the top

The quality of risk controls standards is driven by a bank’s risk culture. Set at the board level, it percolates throughout the entire organization, varying by the board’s experience, aptitude, and risk appetite. If the board has expertise in risk and compliance, then it may lean toward embracing more risk-oriented practices. Rather, if the board’s risk appetite is overly aggressive, then chief risk officers (CRO) face friction in gaining buy-in for new policies. This opposition could ultimately scuttle their efforts and, thereby, forestall timely risk management practices, leading to blind spots for banks down the road. 

Resistance can come from banks’ prioritization of booking metrics because business is measured by them, but risk management evaluates if a bank will lose money from new business accounts. Therefore, it should be a leading, not a lagging function. Also, these benchmarks can cause bureaucracies to form. Employee performance is measured against metrics, but if management resists broadening the scope of controls to accommodate the benchmarks, then CROs face considerable hurdles.

Regulators are pushing for companies to hire CROs with the requisite knowledge, qualifications, and pay structure to counterbalance the outsized credentials and compensation of their other functional first-line peers to further strengthen risk cultures. 

The future's uncertain

As the Fed and other bank regulators propose new rules to correct lurking troubles in the financial system, banks are expecting tighter capital and liquidity and stress-testing requirements in the near future.   

If new regulations will solve these issues or not is debatable. Nevertheless, risk is unpredictable because it’s a function of human behavior, so risk management in banking should ensure the enterprise thinks and operates prudently. As banks await the regulatory turnabouts, they can begin asking and facing difficult questions.   

Don’t wait! Register for a free Amplify account and stream select sessions until Oct. 31, 2023. Explore how financial reporting, ESG, and GRC intersect.