What’s it like to be a community bank or credit union chief risk officer? It’s a complex, time-consuming job—one that balances day-to-day management with big picture planning. And it may not even be that banker’s only responsibility or even her official title.
That’s according to a banker who manages operational risk at a $1 billion+ community bank, though she’s quick to tell you that her bank’s CEO is technically the CRO. Her job is to assist him with implementing the bank’s risk strategies while also playing a critical role in operations.
It’s a job that keeps her busy all month long as she cycles through the regular tasks of managing corporate processes, policies and issues while carving out time to further initiatives that will enhance her bank’s enterprise risk management (ERM) program.
It’s a large program with input from many committees and subcommittees. The bank has a committee to address each of the eight risk categories (credit, reputation, compliance, operational, interest rate, liquidity, and strategic) identified by its regulator. Each committee and subcommittee has a documented charter outlining its responsibilities for overseeing risk related to the business lines. Sometimes the internal auditor sits in on the meetings.
Though she isn’t on each of the committees, the risk manager is secretary of the board’s governance, risk and compliance (GRC) committee. That means she’s responsible for receiving all management committee minutes and organizing the key findings and charts in a presentation to the GRC committee each month.
The GRC committee is critical to the bank’s ERM success. It connects the work of all the committees and subcommittees to avoid risk management silos and create accountability.
The risk manager manages the flow of documents to business units, committees and the board, ensuring that everything that needs to be reviewed gets reviewed and that nothing falls through the cracks. The bank has done its best to simplify the process, using standardized templates with a special area calling out high-risk issues for board attention and reports. Even more helpful was implementing an ERM solution that lets the risk manager place a reminder on every document and easily email owners so that nothing is forgotten. The solution also has a dashboard that makes it easy to see outstanding items from each committee and keep the GRC committee informed.
The Big Picture
No matter how strong her bank’s program is, there is always room for improvement, the risk manager says, and special projects keep her busy. Over the past few years she has researched and implemented a new ERM solution, focusing mostly on financial risk. Management and the board agree it’s the most critical risk facing their institution and every other institution. Their regulators have lauded this choice and their comprehensive approach. Now the bank is looking to use the system to address nonfinancial risks. The risk manager also spearheaded the project to bring in an internal auditor and integrate that role into the ERM system once the bank hit the billion-dollar threshold, which triggered new regulatory requirements.
Another major project taking up her time is replacing the bank’s paper-based business continuity plan, based on a template purchased many years ago, with a software solution. While regulators have never criticized the bank’s efforts, the new system will allow the bank to more deeply define its plan and give it greater capabilities should a disaster hit. The project is currently in the training phase.
“We handled business and technology at the company level with our old plan,” she says. “Now we do BIA [business impact analysis] at the plan level.”
She also has her eye on Key Risk Indicators after hearing regulators talk about them at several conferences. She’s considering different ways to track leading and lagging indicators and Key Performance Indicators.
For any of these projects to be successful, the risk manager needs everyone at the bank to be on board. Read on to learn more about the life of an unofficial CRO and what she does to build buy-in.
Envious of the risk manager’s smooth risk management process? You don’t need to be. Ncontracts’ Nrisk is a dynamic risk management solution that measures potential impacts continuously, for the closest thing to real-time risk management you can get. With the provided libraries of thousands of risks and controls, Nrisk enables your organization to measure risk on everything from one neighborhood location’s social media page to the payroll vendor that your entire institution uses. Customizable and automated, Nrisk gives you the monitoring and reporting tools you need to be exam ready.