Building a resilient organization through sound governance has never been more important for a financial institution’s board and management. Regulators are keenly focused on resilience, demanding that FIs demonstrate their ability to withstand any shocks or disruptions.
In a period of heightened regulatory scrutiny and increased external challenges, banking leaders must embrace stronger governance with better risk management to achieve the resiliency regulators seek.
Not sure where to start? Here’s a seven-step action plan for boards and management looking to bolster resilience and effectively govern risk.
1. Make risk management central to strategic planning
Sound governance begins and ends with strategic planning, and the core elements of a financial institution’s strategic plans involve risk assessments. The board and management must first define the institution’s risk appetite and tolerance, aligning these with growth objectives.
Embedding risk management considerations and policies into strategic plans ensures financial institutions can pursue opportunities while staying within their defined risk tolerance. This helps them identify risks that may undermine goals and threaten institutional resiliency.
Banking leaders should account for the following in their strategic plans:
- Risk monitoring and reporting policies
- Compliance controls and review processes
- Contingency plans for unexpected events
- Stakeholder involvement in risk management
- SWOT analysis (Strengths, Weaknesses, Opportunities, and Threats)
In devising strategic plans, the board and management must strengthen risk management, implementing policies and processes to achieve their goals under ever-evolving conditions.
Related: How to Build a Strategic Plan that Evolves with Your Financial Institution
2. Require comprehensive and consistent risk assessments
Well-executed risk assessments uncover the potential risks of an activity and the controls required to mitigate them, ultimately empowering the board and management to make more insightful decisions.
Robust risk assessments strengthen a financial institution's resilience by building a strong foundation for creating and updating strategic plans.
The steps in the risk assessment process include:
Establishing the context. Decide what you’re evaluating, determine your objectives, and identify stakeholders as you gather the necessary information.
Risk identification. Leverage existing risk reports and checklists and engage in discussions and brainstorming sessions to identify all potential risks. Think beyond market risks. Are you prepared for a natural disaster that brings down core systems? What would you do in the case of an extended power outage?
Risk analysis. Assess the probability and impact of a risk, assigning a risk rating to each. Prioritize those with the highest likelihood of occurrence and greatest impact.
Treat the risk. How will you manage and respond to a risk? Assign risk owners, plan mitigation efforts, and establish remediation timelines.
Communication. Communicate with stakeholders to ensure they understand their role in risk management. Establish training for your employees, and make sure that risk policies and procedures are current and well-understood.
Monitor and review risks. After you know and understand your risks, they must be monitored. What are your thresholds for acting on new information? Should you act immediately to mitigate a risk or wait until you know more?
Consistency is key for risk assessments. Managers receive a mountain of reports from across your institution, making consistent assessments vital for meaningful year-over-year comparisons and evaluating whether pursuing specific goals is worth the risk.
Related: Risk Management 101: Risk Assessments for Financial Institutions
3. Establish the right relationship between the board and management
The board sets the tone at the top, encouraging proactive risk management, promoting accountability, and fostering a culture of open communication and transparency. They are responsible for setting the proverbial fenceposts, establishing strategic objectives and boundaries of risk-taking appropriate to the institution.
Fundamentally, the board tells management what it can and can’t do to achieve its objectives.
Management is responsible for executing the board’s plans within these boundaries. They are the doers in your organization, hiring and training employees, ensuring regulatory compliance, and meeting performance targets.
Interactions between the board and management should be guided by the principle that the board offers a credible challenge to management (asking questions and eliciting necessary facts to make informed decisions) but resists managing daily operations.
Concentrating control in the hands of a few decision-makers is a terrible practice. Regulators want to ensure that one domineering official isn’t exerting excessive influence without adequate oversight, which can lead to a lack of transparency and accountability.
When the board and management understand their respective roles and responsibilities, it prevents imprudent risk-taking and mismanagement that compromise an FI’s resiliency.
4. Focus on talent management
Regulators are especially focused on assessing the board and management’s ability to manage talent. Weaknesses in employee recruitment, training, and retention can lead to compliance breakdowns and institutional fragility.
The red flags that regulators look for include insufficient staffing and diminished expertise. Banking leaders might invest in tools that enhance employee effectiveness and engagement to combat high turnover and preserve institutional knowledge.
They must also create a culture that encourages employees to report issues, promoting greater transparency. When staff is afraid to speak up, this jeopardizes a financial institution’s resiliency. Risks are not acknowledged, leaving the board and management in the dark. It is essential that management listens to employees' concerns and always protects whistleblowers.
Download: Employee Retention, Engagement, and Productivity in the Era of Quiet Quitting
5. Implement the Three Lines Model
Sound governance requires a structured way of delegating risk management responsibilities. The Three Lines Model enables the board and management to delineate risk management duties for more effective oversight.
Let’s break down the three lines:
- The first line refers to those delivering products and services or operationally serving consumers (think of your loan officers, tellers, and customer service staff). They are responsible for applying internal controls and responding to risks in interactions with clients.
- The second line consists of employees delivering expertise and support to the first line. These are your financial institution’s risk and compliance roles, responsible for testing and monitoring high-risk activities and ensuring policies and processes work as intended.
- The third line is your internal audit function, providing an independent and objective evaluation of risks and control effectiveness. The third line reports audit findings to the board and typically works closely with management.
The Three Lines Model supports sound governance by enabling banking leaders to identify where a breakdown occurred. It also increases stability by involving everyone in risk management.
Related: What Are the Three Lines of Defense in a Compliance Management System?
6. Develop robust change management
Banking leaders must focus on change management with the avalanche of new regulations from 1071 to CRA modernization. The process begins with the board and management identifying the change.
If you’re forced to deal with a regulatory or external change, how will you manage the costs? Do you have the necessary resources, with the people, processes, and systems, to ensure compliance?
Is it an internal change such as introducing a new banking product? If so, how will it affect your consumers?
Once the board and management have identified the change, they must assess its impact, designate the parties responsible for dealing with it, and create an action plan. Without a change management process, the board and management may struggle to understand what is causing the change. Is it external or internal? What policies and procedures need updating?
Effective change management is not simply about identifying internal or external changes. It’s about ensuring a financial institution possesses the risk management processes to adapt to evolving conditions. It’s about guaranteeing that an FI can meet its goals in a safe and sound manner.
Related: What Is Regulatory Change Management at Financial Institutions?
7. Leverage reporting
Reporting and communication are essential to sound governance, breaking down your broader strategy into more measurable goals and objectives. There’s a distinct difference between formal reports to the board and management and communicating goals to the relevant stakeholders. Ongoing communication creates a continuous dialogue for aligning goals and training. Many assume that communication and reporting are the same thing, but ongoing communication is less formal than reporting.
Reporting is a subset of communication, enabling the board and management to evaluate their direction, slowing down or speeding up as necessary.
Both communication and reporting oblige stakeholders to answer for their decisions and actions, cultivating a culture of accountability. Accountability is the cornerstone of effective governance. Regular communication and reporting reinforce the goal of greater accountability. Visibility into an institution’s operations and decision-making processes lays the foundation for building a risk-aware financial institution poised to reach its objectives and confront challenges.
Institutional resilience with integrity
With these governance strategies, leadership can strengthen its institution’s resiliency and be better equipped to meet performance benchmarks safely and soundly.
As financial institutions prepare for heightened regulatory expectations, it’s incumbent upon them to exceed baseline compliance requirements. Leadership is more than satisfying regulators. True leadership is about operating with integrity and demonstrating to your people that you have their best interests at heart. It’s understanding and appreciating your institution’s impact on consumers and the community you serve.
Want to know more about how regulators evaluate governance? Check out our webinar: “The ‘M’ in CAMELS: The Role of Risk Management.”
Subscribe to the Nsight Blog
Share this
Third-Party Vendors & Compliance Risk: 10 High-Risk Compliance Situations
What Examiners are Looking for: Board Oversight
