Do Small Institutions Need Risk Management?
Risk management isn’t just for large institutions. The case can be made that it’s even more important for smaller financial institutions (FIs) to address risk management.
They are an attractive target for cyberattacks.
Large FIs may hold the most data, but hackers also know they are likely to have sophisticated cybersecurity. As a result, some hackers turn to smaller banks and credit unions, assuming they have fewer or simpler cyber safeguards in place. In fact, small businesses make up 58 percent of data breaches, according to the 2018 Verizon Data Breach Investigations Report.
Meanwhile, the technology for hacking and installing malware is advancing. You know all those IT buzzwords you keep hearing, like machine learning and Internet of Things (IoT)? It’s not just your institution that’s looking to take advantage of them. Hackers and cybercriminals are too.
Increasingly sophisticated cyberattacks, paired with the belief (right or wrong) of some cybercriminals that smaller FIs have less cybersecurity, mean that the inherent risk of a cyberattack is high. Based on the number of breaches each year (53,000 incidents and 2,216 confirmed data breaches according to the Verizon Report), the residual risk after accounting for controls remains high as well.
Having a system in place to identify and assess these risks and take action to mitigate them is absolutely essential.
They outsource more.
Smaller FIs have fewer resources than their largest counterparts. That means that functions that are developed in-house at the biggest banks and credit unions are outsourced at the smaller ones. This includes everything from core systems and mobile banking to general counsel and marketing.
While these third-party relationships provide convenience and enable smaller FIs to offer products and services and engage in activities that wouldn’t be feasible on their own, they also introduce risk. Many of these partners have access to sensitive GLBA-protected data. Others can put an FI at risk if they fail to comply with laws, regulations, and internal policies and procedures. If one of these vendors experiences a business disruption, it can cause operational issues at the FI, preventing customers or staff from accessing important data. And that’s just the beginning.
A small FI absolutely needs to manage the risks posed by third-party vendors. An FI needs to understand the potential risks a third- (or fourth-) party vendor could introduce and have a system in place to ensure it engages in due diligence and monitoring, adding controls as needed to mitigate risk. Failing to do so could expose the FI to potentially catastrophic operational, compliance, financial, cyber, and other risks.
They have less room for error.
When a large FI rolls out a major new product or service or makes a major business decision, chances are it can take the hit if it doesn’t work out as planned. It’s still a significant investment and shareholders will be miffed if it doesn’t take off, but the FI probably won’t go under. And if it’s a mega bank, it’s too big to fail anyway.
At a smaller FI, a poor business decision can lead to major losses that can erode the strength of the FI and put it at serious risk. Whether it’s bad loans, a series of ill-fated strategic decisions, or a large financial penalty from an enforcement action stemming from noncompliance, poor choices can lead to serious consequences.
Thoughtful enterprise risk management helps prevent these issues. When an FI is able to draw on ideas, data, and expertise from throughout the institution, it can uncover potential risks early on in the decision-making process, leading to better outcomes. It can also reveal opportunities, giving an FI a competitive advantage.
Risk Management & the Bottom Line
While many FIs think of risk management as an overhead cost that detracts from the bottom line, wise FIs know that risk management is an investment that reaps dividends in the form of smarter decisions and decreased risk exposure. Not only can risk management save an FI money by avoiding expensive mistakes, it can actually help add to the bottom line with insights into potential opportunities.
Just because an FI is small doesn’t mean it only faces small risks. Risk management is essential for everyone—even smaller FIs.