Banks’ Risk Exposure Boils Down to Better Management and Better Data

CCG Catalyst Commentary

By: Tyler Brown

May 7, 2024

To stay in compliance and avoid punitive, public regulatory enforcement, bankers have a lot of work to do beyond the financial safety and soundness of their institution. Broad risks that bankers grapple with, which we’ve covered before, tie back to several fundamental issues: disciplined management and oversight, the structure of the organization, and the systems, software, and data they depend on to monitor and evaluate risk.

It’s crucial that they set appropriate cultural norms, build the right talent pool, set governance rules, and manage the organization to systematically anticipate and respond to all risks to the bank or its customers.

“Many banks have a tough time understanding, measuring and managing the interconnected factors that contribute to operational risk, including human behavior, organizational processes and IT systems.” — Bain & Co.

Risk mitigation as part of the ordinary course of business is a linchpin for a bank’s long-term health. Disorganized or incomplete processes, poor governance, siloed or dated technical infrastructure, and a shallow talent pool all contribute to risk from within the organization. As recent enforcement actions show, compliance failures can be wide-ranging, and it’s very likely that banks cited for one failure will be cited for others. Issues banks have been cited for recently include:

  • Financial management lapses, such as poor controls related to liquidity and interest rate risk, capital planning, and stress testing; highly concentrated assets or liabilities; and unplanned growth.
  • Governance failures, including a lax board of directors or ineffective, inadequate rule-based oversight; incomplete or absent strategic planning; or deficient systems and tools for monitoring risks across the organization.
  • Sloppy third-party risk management, including shortcomings in documentation, reporting, and compliance requirements for vendors; poor due diligence developing products for partners; and insufficient independence of bank leadership.
  • Scant IT controls, threatening the ongoing performance and compliance of the software and systems the bank relies on day-to-day for business-critical functions. (As we’ve noted, many banks struggle with their technology.)
  • Weak fraud management, including insufficient board oversight, policies, procedures, technology, and staffing to support legal obligations related to anti-money laundering and counter-terrorism financing.

Clear, specific technology and data strategies are critical, according to Deloitte. Effective risk management depends on high-quality and complete data, clear ownership over the data, and knowledge about which systems it resides in. Correct and complete formatting, aggregation, and reporting follow.

Information governance is the umbrella concept bankers should grasp: the procedures, systems, and metrics that emphasize data as an asset and help an organization control its data, gain visibility into it, and set compliance processes. Up-to-date IT and data management systems are fundamental. Banks with legacy or siloed IT systems face immediate problems related to managing risk because effective risk management requires usable data from the bank’s core.

To succeed, bankers need to invest in technical frontiers for compliance, particularly automation and artificial intelligence. Broad technical solutions for risk management include enterprise content management (ECM) solutions and governance, risk, and compliance (GRC) platforms, which help banks manage risk policies, internal controls, cyber security issues, and third-party risk. Bankers also need organizational solutions. Risk needs specific ownership and board oversight within the organization, and leadership needs to focus on breaking down organizational silos and addressing coordination between different parts of the business.