Sept./Oct. 2021 Edition

Eyes Wide Open: Lenders Must Understand Risk, Not Avoid It

The financial industry is full of risk. This is nothing new, yet organizations spend an incredible amount of time and resources avoiding it. According to Gartner, risk management spending will exceed $150 billion worldwide this year – a 12 percent increase from 2020 and double the growth rate from the previous year.

From cyber risk to regulatory risk to credit risk, properly managing risk can have a tangible impact on a lender’s bottom line. In fact, according to The Journal of Risk and Insurance, companies with mature enterprise risk management programs are valued 25 percent more than their peers. Financial institutions that embrace risk management are also more resilient, according to research from the Federal Reserve. This underscores the importance of having a strategic risk management framework in place.

Good risk management is not about avoiding risk but about being aware of it, empowering both lenders and their fintech partners to be prepared, protected and positioned for opportunities.

Though usually a daunting task, seeing not just the risks in a particular activity but how those risks intersect with others throughout the institution is critical.

But first, what is risk?

Risk is not just a four-letter word. It’s a natural and sometimes even a desirable by-product of business. All business decisions come with some degree of inherent risk. The key is to balance the potential for losses and gains while positioning the institution to withstand the shock of unexpected events.

The maxim of “no risk, no reward” rings true, but that doesn’t mean that risk can be entered into haphazardly. To the contrary, risk is only worth undertaking when it has been carefully identified, assessed, measured, mitigated and controlled as part of a deliberate overall strategy.

At its simplest, risk is the probability of a loss. Nearly every financial institution activity poses some kind of risk. A customer might fail to pay back a loan. Systems can be hacked. An oversight can result in a compliance violation.

But just because an activity holds inherent risk doesn’t mean it’s not worth pursuing. Risk management is the process of methodically addressing potential risks tied to a specific activity to maximize the benefit of the activity by working to reduce risk. Enterprise risk management (ERM) ties these activities together to look at risk broadly across the institution to ensure its overall strategic decisions fall within its risk tolerance. Effective governance balances strategic planning with risk management to ensure an institution enters into new businesses, products and systems with its eyes wide open.

When an institution carefully assesses risk, it understands where it has advantages over the competition that it can exploit, whether that is more market knowledge, greater flexibility or superior technology. It also knows where there are weaknesses that need to be mitigated.

What are the types of risk?

To properly manage risk, you must understand what it looks like. In simpler times, risk was mainly the purview of the chief financial officer. Financial and credit risk were top of mind and the two biggest concerns a financial institution faced.

Today, risk is a multi-faceted concept that touches every aspect of a financial institution. The most common types include:

  • Operational risk: the risk of financial loss when processes, people or systems fail, either because of external events such as flood or fire, or internal issues like fraud or software failure.
  • Transaction risk: the risk that products and services won’t be delivered as expected, adversely impacting the institution or its customers.
  • Compliance risk: the risk that an institution will violate state or federal regulations and laws or fail to follow its own internal policies, resulting in reputational, financial and regulatory consequences.
  • Credit risk: the risk that a borrower fails to repay a loan, resulting in a financial loss to the institution.
  • Strategic risk: the risk that a company doesn’t make decisions that support its long-term goals.
  • Reputation risk: the risk that lawsuits, fraud, service interruptions, data breaches and other headline-worthy mistakes can erode customer trust and diminish the appeal of a business.
  • Cyber risk: the risk of cyberattacks and data breaches.
  • Third-party risk: the risk that a vendor or other third party poses to the institution.
  • Concentration risk: the risk that an institution has taken on a significant amount of risk in a single facet of its business, such as lending to too many businesses in the same industry or making too many of the same type of loan.

With so many types of risk, how do lenders strategically mitigate them?

The answer is to periodically assess each business line, product, service or system against each risk category to identify key risk drivers. This sounds overwhelming, but the process becomes easier once a systematic approach is in place.

Additionally, financial institutions must identify how risks intersect with each other. Here are just a few risk-related questions an institution should be asking.

  • Do you have concentration issues?
  • What can go wrong in your processes?
  • How can fraud occur in your business?
  • What might interrupt your business processes? System outages? Phone outages?
  • What project and change risks are present in your business?
  • Do you have high-risk customers in your portfolio? If so, how are they managed?
  • What key regulations govern your business?
  • Are there other governing bodies to consider?
  • What are your revenue goals?
  • Have you been successful in reaching desired market share?
  • What other risk categories apply to your business?

This list of questions is by no means exhaustive, but it does illustrate that risk discussions must go way beyond a single risk manager or group. Answering these questions requires the expertise and input of managers and employees throughout the financial organization.

As regulatory guidance has expanded the scope of regulations over the past few years, the overlap between different areas of risk management has grown significantly. Enterprise risk management, business continuity planning, compliance, cybersecurity and vendor management can no longer be thought of as stand-alone elements of a financial institution’s operational risk management program because they are intertwined.

Everything points to Enterprise Risk Management.

The Institute of Risk Management describes risk management as “a central part of any organization’s strategic management. It is the process whereby organizations methodically address the risks attaching to their activities with the goal of achieving sustained benefit within each activity and across the portfolio of all activities.”

In a study of ERM in banks published by the ACCMAN Journal of Management, ERM is “the discipline, by which an organization in any industry assesses, controls, exploits, finances, and monitors risks from all sources for the purpose of increasing the organization’s short- and long-term value to stakeholders.”

At its simplest, ERM is a system to manage risk – and should be top of mind for lenders. This system examines risk holistically to understand how different areas of the institution interconnect. It’s about identifying, assessing, mitigating, measuring, monitoring and communicating risk. The goal of ERM isn’t just to identify risks to exploit or reduce them. It’s also to create value.

Risk matters, and this is not just in a hypothetical or philosophical way. Financial institutions must embrace a new way of thinking – shifting from risk avoidance to understanding it. With greater awareness of risk and an understanding of how different risks intersect with each other, lenders are empowered to not only protect themselves from it, but also uncover unique opportunities to increase their competitiveness and drive growth. Ultimately, risk management and strategic planning are inseparable.