Man plans, God laughs, according to the Yiddish proverb. Bank regulators, not so much – at least not when it comes to risk management, which continues to be an ever-moving target for financial institutions. Providing stakeholders with assurance that the risk control frameworks financial institutions have adopted will hold fast in an actual emergency is an ongoing challenge, and banks test their plans annually. The tests are meant to be aggressive and realistic – in regulatory vernacular, they need to represent an “effective challenge.” Getting effective challenge right, however, is easier said than done.
The Federal Reserve and the OCC have published guidance outlining the characteristics of an effective challenge. I, and several of my colleagues, recently shared thoughts and advice on this as part of the Risk Management Association’s audio conference series.
As is often the case, there is a gap between present conditions and the desired future state. Risk management at many institutions is applied inconsistently across the three lines of defense and different risk types. The rules governing the control challenge process and the process for escalating risk management concerns to executive and board attention are often poorly defined, documentation is limited, and risk management often lacks the authority to effectively challenge operational managers, inhibiting mitigation efforts.
The best way for financial services providers to combat these challenges is by following leading practices – for example:
- Building effective challenge into risk management processes
- Clearly documenting policies and procedures
- Documenting challenges – for example, through detailed meeting minutes at management- and board-level meetings, and
- Requiring the appropriate escalation and resolution
Effective enterprisewide risk management requires the cooperation and alignment of all three lines of defense, plus effective oversight by top executives and the board of directors. The board of directors oversees all three lines of defense and, working closely with executive management, sets the risk appetite and the “tone at the top” of the organization to strengthen the company’s overall risk management process.
Each line of defense plays a specific role. The first line focuses on business, financial and operational risks. The second independently establishes protocols for risk and compliance decisions. The third line, which includes internal audit, assesses risk management and risk governance processes, and conducts its own tests to ensure that risk management policies are adequate and effective.
To have an impact, an effective challenge must do several things:
- Drive two-way communication on strategic business and risk decisions
- Provide transparency and direction to business and risk leadership before issues arise, and
- Enable the business to grow and pursue new opportunities according to its established risk appetite
These are common-sense steps, but common sense isn’t always common. The upshot is that robust risk management is a cultural process that depends on a strong tone at the top and an engaged middle and bottom. More than just planning, best practices call for extensive monitoring and effective challenges that pull no punches and seek to make the system stronger and more secure than before. Communication is key. So is continuous improvement.
How is your organization implementing effective challenge?