Taking and managing risk is fundamental to the business of banking. Managing risk effectively is critical to ensuring compliance with consumer protection laws and regulations and has become even more important as new technologies, product innovation, and the size and speed of financial transactions have changed the nature of financial services markets.
Failure to establish a risk-management structure that adequately identifies, measures, monitors, and controls the risks inherent in an institution’s various products and lines of business is considered unsafe and unsound conduct. Principles of sound management apply to the entire spectrum of compliance-related risks facing a banking institution, including, but not limited to, compliance, legal, reputational, and operational risk. These risks can be described as follows:
- Compliance risk is the risk of legal or regulatory sanctions, financial loss, or damage to reputation and franchise value for failure to comply with laws, regulations, or standards; or the organization’s own policies, procedures, codes of conduct and ethical standards; or an actual or perceived failure to adhere to principles of integrity and fair dealing applicable to the business activities and functions of the organization. Noncompliance may expose the organization to fines, civil money penalties, legal damages, voided or unenforceable contracts, reduced franchise value, or rejected mergers and acquisitions.
- Legal risk arises from the potential that unenforceable contracts, lawsuits, or adverse judgments can disrupt or otherwise negatively affect the operations or condition of a banking organization.
- Reputational risk is the potential that negative publicity regarding an institution’s business practices, whether true or not, will cause costly litigation, a decline in the customer base, or a reduction in revenue.
- Operational risk arises from the potential that inadequate information systems, operational problems, breaches in internal controls, fraud, or unforeseen catastrophes will result in unexpected losses.
A sound risk management program contains the following elements:
- Active board and senior management oversight
- Effective policies, procedures, and risk limits
- Effective risk measurement, monitoring, and management information systems
- Comprehensive internal controls
All banking organizations, regardless of size, should have a compliance risk-management program. If carefully devised, fully implemented, and regularly monitored, a compliance risk-management program will provide the foundation for ensuring compliance with consumer banking laws and regulations. The formality of the program will typically increase in direct proportion to an organization’s complexity, business strategy, activities, and structure.
Relatively basic risk-management systems may be adequate for smaller institutions engaged solely in traditional banking activities and those whose senior managers and directors are actively involved in the details of day-to-day operations. In such institutions, these systems may consist only of an informal compliance program that includes both written and unwritten policies addressing material areas of operations such as lending, basic internal control systems, on-the-job training, and a limited set of management and board reports that address the bank’s needs.
A large or regional organization that is more complex would require a more formal and comprehensive program to maintain a satisfactory level of compliance and to provide senior managers and directors with the information they need to monitor and direct day-to-day activities.
Boards of directors have ultimate responsibility for the level of risk taken by their institutions. Accordingly, board members should approve the overall business strategies and significant policies of their organizations, including those related to managing and taking risks, and should also ensure that senior management is fully capable of managing the activities that their institutions conduct. While all boards of directors are responsible for understanding the nature of the risks significant to their organizations and for ensuring that management is taking the steps necessary to identify, measure, monitor, and control these risks, the level of technical knowledge required of directors may vary depending on the particular circumstances at that institution.
Senior management is responsible for implementing strategies in a manner that limits the risk associated with each strategy and ensures compliance with laws and regulations on both a long-term and day-to-day basis. Management should be fully involved in the activities of their institutions and possess sufficient knowledge of all major business lines to ensure that appropriate policies, controls, and risk monitoring systems are in place and that accountability and lines of authority are clearly delineated.
For more information on director responsibilities, see Board of Directors — Profile and Core Characteristics.
Policies and procedures represent the documented guidelines and processes an organization has established to monitor and control compliance risks in areas such as the compliance function, audit, and business units. An effective compliance program will have compliance policies and procedures in place, the formality of which depends on the needs and complexity of the organization. Policies should provide the framework for procedures and may be used as a reference source or training material for personnel.
Ongoing education of personnel is essential to maintaining a sound compliance program. Banking personnel should understand the bank’s business lines. The organization should make all personnel aware of consumer protection laws and regulations that affect the bank’s business lines and should provide training regarding policies and procedures for these areas.
Effective risk monitoring requires institutions to identify and measure all material risk exposures. Consequently, risk-monitoring activities must be supported by information systems that provide senior managers and directors with timely reports on the financial condition, operating performance, and risk exposure of the organization.
The sophistication of risk-monitoring and management information systems should be consistent with the complexity and diversity of the institution’s operations. Smaller, less complicated banking organizations may require only a limited set of management and board reports to support risk-monitoring activities. These reports may include, for example, results and trends from compliance reviews and consumer complaints, details of lending patterns and approval/denial rates for key lending activities, details of new products or activities, and their resultant risk exposure. Larger, more complicated institutions would be expected to have much more comprehensive reporting and monitoring systems that allow, for example, more frequent reporting, tighter monitoring of complex compliance activities, and the aggregation of risks on a consolidated basis across all business lines and activities.
Management information systems (MIS) are the processes a banking organization has established to organize and report data to executive management. Compliance issues should be part of the MIS of the organization. The MIS should be designed to facilitate the escalation of relevant information from the business unit level to the compliance function and then on to senior management.
An institution’s internal control structure is critical to the effectiveness of its risk-management system. Establishing and maintaining an effective system of controls, including the enforcement of official lines of authority and the appropriate separation of duties, is one of management’s more important responsibilities.
When properly structured, a system of internal controls promotes effective operations and reliable financial and regulatory reporting, safeguards assets, and helps to ensure compliance with relevant laws, regulations, and institutional policies. Internal controls should be regularly tested by an independent internal auditor or, for smaller, less complex institutions, by personnel independent of the function they are assigned to review.
Given the importance of appropriate internal controls, the results of audits or reviews, whether conducted by an internal auditor or by other personnel, should be adequately documented, as should management’s response. In addition, communication channels should exist that allow negative or sensitive findings to be reported directly to the board of directors or to the relevant board committee.