Risk management for all hands

When bankers talk about the continual need to find talent and to attract it to their industry, they are usually talking about the rainmakers, the people who bring in business relationships, or tech savants. Yet more than ever before, without appropriate risk management, compliance oversight, and other controls, banks may find themselves facing fines, sanctions, or other limitations in areas from consumer banking to BSA/AML practices when lack of those factors leads to missteps.

“The ideal would be to be proactive in linking business and regulatory strategy,” says Chris Spoth, executive director for the Center for Regulatory Strategies at Deloitte Advisory, part of Deloitte & Touche LLP. Pursuing a business strategy of improving efficiency and lowering costs, for instance, ought to be aligned with a goal to reduce regulatory criticism, he says.

For that to happen, Spoth continues, “everybody has to have a seat at the table” when decisions are made. Increasingly, he  says, “regulators are looking at the ability for risk and control functions to challenge.” At the same time, under the three lines of defense philosophy increasingly being adopted by regulators, the first line of defense resides in the business unit itself, followed by the second line, control functions like Compliance and Risk Management, and finally, the third line, Internal Audit.

For some organizations, this is still a new concept, with the front-line units still expected to concentrate on revenue. While “three lines” thinking has begun with large institutions, the practice is seeping into other parts of the industry.

Spoth says this emphasis on risk management from the front-line back puts an emphasis on adjusting bank culture to carry the tone from the top of the bank—at the board level—into the rest of the bank. A recent report from Spoth’s Center states that:

“A key to sustainable risk governance is developing, attracting, and retaining talent. Regulators are increasingly looking at staffing levels, training, compensation structures, and performance management programs to determine if they promote a sound risk culture. Also, proper messaging of risk considerations in compensation and training programs is important—including clear messaging about negative repercussions where warranted.”

Spoth spent 32 years at FDIC, concluding as senior deputy director of supervision, before joining Deloitte in 2012. In a recent interview about the Deloitte report, Forward Look: Top regulatory trends for 2016 in banking, he spoke about the need to consider talent and culture in the course of a broader discussion about risk management trends.

Tone, culture, and talent

Tone and culture can be nebulous terms. But Spoth says today a board’s attitudes about risk and compliance must be as much woven into their thinking as are business attitudes. He says regulators are looking at this combination from the board down.

Key elements of tone and culture are accountability and responsibility. Regulators aren’t satisfied only with how quickly a shortcoming is addressed by the board after an issue has been flagged. They want to see a proactive attitude.

Having the right mix of risk talent, he explains, begins with the board, not with hiring specialists. Evidence of his balance is seen, or not seen, in the design of the bank’s risk program, which the board should oversee.

However, as the report illustrates, a bank must make it clear to regulators that there is a depth to risk ownership throughout the bank. For example, if only the top executives in a business unit “get it,” then this is a weakness in the front line, seen as the first bastion against risk and noncompliance.

“In the business units,” the report states, “both executive leadership and rank-and-file employees need to clearly understand the relationship between the risk appetite statement, the system of limits, the risk framework, and the work they do everyday.”

Deloitte calls this the “echo from the bottom” of the tone from the top. If it isn’t clear that it is there, Deloitte recommends a formal assessment, potentially to discover gaps. Events of recent years—one that comes to mind is the “London whale” of JPMorgan Chase—illustrate a concern highlighted by the report. That is the risk of development of “inappropriate sub-cultures” where maverick attitudes develop within business units.

When banks combine

A corporate event that dictates a fresh look at culture is a merger or acquisition. When two organizations get together, even if one organization is acquiring another, the result may naturally be a melding of two cultures, rather than the dominance of one.

In some cases, a business combination may be the occasion for determining how to come up with a new overall culture. Cultural change is often a gradual process, and Spoth says a helpful tool to see where things stand is to survey employees to see how they view their organization’s culture and risk profile. Spoth says that legacy risk issues brought into the combination from both organizations must also be considered.

Once there’s a clear picture, a board can decide what the combined organization’s guideposts will be, and go about sending that message to the troops.

Where bank meets customer

The report sees attention to culture and ethics as an essential that can reduce regulatory issues, and worse.

“However, instilling an appropriate culture should not be viewed as a compliance exercise or a standalone work stream or project,” the report states. “Rather, it must be a fundamental firm-wide mindset. Firms should not just be asking, ‘Is it legal?’ They should be asking , ‘Is it consistent with our values for treating our customers and the community?’ Over time, good ethical behavior will enhance the firm’s reputation and trust.”

The report discusses the impact of the Consumer Financial Protection Bureau, “a force that is transforming the landscape for consumer financial products.” One effect of the bureau’s work has driven a change in the industry: a greater emphasis on tracking customer complaints, to remedy the immediate issues but also to find root causes, in order to address wider challenges.

“That’s become a data dive exercise that’s relatively new,” says Spoth, an effort that combines the lenses of customer relations improvement and compliance.

If staff response is “echo from the bottom,” in the report’s words, then complaints represent a strong message from the outside—perhaps you could call it “gripes from the outside.”

Spoth says banks will be receiving tons of fresh data that will tell them of their dealings with the outside world as the ripples of Dodd-Frank continue. Coming up are trends that will be seen as increased reporting under the expanded Home Mortgage Disclosure Act reporting requirements, now under CFPB jurisdiction, kicks in. The new requirements will generate entire new series of data points. Covered institutions will collect data under the new rules in 2018 and report in 2019.