Six Key Questions Related to Risk Management Agility & Resilience - Maryann Bruce
It was a pleasure to be a panelist at the NACD Carolinas Chapter Event to discuss the Board’s role in oversight of risk management agility and resilience. Moderated by Mark Hodak, Partner, Farient Advisors, my esteemed panelists were Bob James, independent director of HomeTrust Bancshares, and Michelle Taylor, independent director of Griffon Corporation.
As the Chair of Amalgamated Financial Corporation and Amalgamated Bank’s Enterprise Risk Oversight Committee, I want to share a summary of my thoughts on this critical topic, including highlights from my contribution to the discussion.
Who manages and oversees enterprise risk from a leadership team and board perspective?
From a leadership perspective, Amalgamated Bank has a Chief Risk Officer (CRO) responsible for facilitating the bank’s day-to-day management and mitigation of its risks. The CRO chairs the Bank’s Risk Management Committee, which comprises leaders from all essential functions within the bank. They created an overall risk framework, including establishing a risk appetite and risk tolerance level for each of the bank’s top seven risks.
Those seven risks are:
- Credit Risk
- Compliance & Legal Risk (including regulatory and trust compliance)
- Liquidity Risk
- Market Risk
- Operational & Technology Risk (including cybersecurity and trust operations)
- Reputational Risk
- Strategic & Competitive Risk
The Risk Management Committee also monitors emerging risks.
From the board perspective, we have two Risk Committees — A Credit Risk Committee and an Enterprise Risk Oversight Committee, EROC for short. EROC is responsible for overseeing all risks except Credit.
What are EROC’s primary responsibilities?
The purpose of EROC is to assist in overseeing the bank’s overall risk framework, risk appetite, and the CEO’s, CRO’s, and Senior Management’s identification, measurement, monitoring, and control of the company’s key risks.
These include:
- Reviewing, approving, and overseeing the implementation of an enterprise-wide risk management framework
- Monitoring critical risks to the organization through analysis of reported Key Risk Indicators
- Periodically reassessing the list of the company’s top risks and emerging risks
- Monitoring the company’s compliance with laws and regulations
- Monitoring inherent and residual risks of the company’s processes
- Approving all company policies, procedures, and programs related to the Bank’s compliance and operational risk,
- Ensuring management addresses findings raised by regulators and internal and external auditors
How has the pandemic and the shift towards remote work changed the Board’s role in assessing and managing risk?
Working remotely is a risk and should be handled like all other risks. Directors should satisfy themselves that the risk management policies and procedures designed and implemented by the bank’s senior executives
and risk managers:
- Are consistent with the bank’s strategy and risk appetite
- Are functioning as directed and,
- The necessary steps are taken to foster an enterprise-wide culture that supports appropriate risk awareness, behavior, and judgments.
Remote work also required Boards to increase their focus on cybersecurity and human capital risk. Cyber because of the increased exposures in a remote working environment and human capital because of increased risk of inefficiencies and lost opportunities for personnel education and development and real-time performance management.
What types of risks have emerged or accelerated over the last three years, are likely to persist for the decade ahead and therefore need sustainable risk management strategies?
An example of a risk that has emerged and accelerated over the last three years that could impact several industries is neo-nationalism and anti-democracy. Many scholars are concerned about the rise of authoritarian regimes. It’s no longer happening solely in China and Russia. Anti-democratic regimes are spreading worldwide in Brazil, Hungary, India, Italy, Turkey, etc., and the trend shows little sign of abating.
Another example is ESG. Boards should ask the leadership team if they’ve determined those ESG risks and opportunities that could materially impact the company’s strategy, operations, or financial performance. Boards should also ask if those ESG risks and opportunities have been incorporated into the enterprise risk management plan.
Regarding the banking industry, four emerging/accelerated risks come to mind.
Regulatory: Bank regulators are extending their reach to implement greater expectations regarding how banks should treat the consumer — everything from eliminating overdraft fees to overhauling the concept of fair lending. This focus increases the risk of regulatory criticism for those institutions that aren’t prepared and may result in costly actions to meet such expectations.
Growth of Fintech Companies: The rise of Fintechs has created interesting bedfellows where many are now partnering with the big banks to improve the customer experience. As Fintechs continue to grow in their utility to the industry, regulators have heightened expectations of banks’ responsibility to ensure Fintech controls operate effectively and don’t negatively impact clients, operations, or financial results. For example, fraud scams have increased dramatically with peer-to-peer payment service providers such as Zelle. Regulators are discussing how to better protect customers from these losses, which could result in banks having to compensate them.
The Workforce of the Future: The pandemic accelerated the shift in the workforce environment from largely in-office to entirely virtual and now to a still-evolving hybrid environment. The future workforce is a critical risk for companies that don’t invest in a timely and fulsome solution based on readily available data. Why? Staffing issues will likely abound, and the related expenses associated with high employee turnover, empty offices, and operating inefficiencies could significantly impact an entity’s bottom line.
Financial Impact Risk: As operating costs continue to rise from workforce salary and benefit demands, digitization and other technology adoption, and regulatory pressure, banks will find it increasingly difficult to meet financial goals using a traditional operating model. They must identify new products and efficiencies that meet the changing ecosystem, otherwise, the risk of not achieving financial objectives and continuing as a going concern will rise.
How are we looking at systems, policies, and procedures to manage it?
An investment must be made in automating GRC (Governance, Risk, and Compliance) systems, policies, and procedures. Manual systems will no longer be sufficient. The best systems will meet the needs of multiple stakeholders within the organization and will house policies, procedures, risks, and controls that are intelligent and dynamic and highlight changes to be made as they occur in real time.
What questions should the board ask management as they evaluate the effectiveness of a company’s risk management program?
When the board evaluates the effectiveness of the company’s enterprise risk management program, I recommend you ask the leadership team questions such as:
- Are we considering the relationship between strategy and risk?
- What potential internal or external risks or threats could prevent the company from achieving its strategy?
- Have you assigned owners with accountability for each of the identified risks?
- Have you thought about how the company’s compensation program may encourage an inappropriate focus on short-term financial performance?
- Are the audit and compensation committees aligned on such risks?
Key Takeaways
The management and mitigation of risk is different depending upon your industry and is specific to each organization. There will always be risks the company is willing to accept and those the company can’t predict.
In the current uncertain economic environment, an effective risk management program has become essential to strengthen resilience and create sustainable long-term value. One of the most effective ways for you as a board director to help strengthen the company’s risk management program is to ensure that it adopts a data- and technology-driven approach and reports on the threats, risks, and vulnerabilities that matter most to your company and board.
