CROs Discuss Their Approaches to Evaluating Risk Program Maturity

When Kevin Slane became Sandy Spring Bank’s chief risk officer five years ago, he knew he needed to build a risk management framework for the growing Metro Washington, D.C., area bank. He also needed a way for the bank to evaluate itself against an aggregated set of risk management best practices. 

“While we were managing various elements of risk, we lacked a formalized and well- aligned risk management infrastructure” Slane said at a recent Risk Management Association (RMA) panel discussion. “There was really no clear roadmap to take us to the destination that would help drive priorities.” 

Slane turned to the Risk Maturity Framework from RMA and Strategic Risk Associates, which measures a bank’s overall risk management program effectiveness against industry standards and regulatory guidance. The tool provides a clear view of a bank’s risk management maturity and improvement opportunities—and enables risk managers to build a holistic, integrated risk management solution. 

Another panelist—Robby Harmon, CRO at TriStar Bank in Dickson, Tennessee—said he had the same need to establish a risk framework two years ago. TriStar, a $450 million bank, was growing rapidly as the federal government’s COVID stimulus spending turbocharged its loan business. Looking ahead, Harmon knew TriStar would have to implement new controls as its assets grew toward the $500 million threshold, where Federal Deposit Insurance Corporation Improvement Act reporting requirements covering audit, controls, and other areas kick in.   

“It is daunting to try to manage it all,” Harmon said. “I needed something to help me put all this together, instead of having to recreate the wheel.” Harmon said the Risk Maturity Framework software helped him “overcome a daunting task” and set the bank up for future growth. 

Strategic Risk Associates CEO and Co-Founder Michael Glotz, who has led risk management and capital planning efforts for national, regional, and community institutions, said the initial Risk Maturity Framework was created by mapping all available regulatory guidance and tapping the insights of industry CROs. He said the framework is a “growing and breathing” tool that gets updated as regulatory guidance evolves and as more CROs deploy it and offer feedback. More than half of the framework’s measurement points come from common and leading practices of experienced CROs.   

The framework has also been informed by feedback from regulatory exams and input from regulators at the Federal Reserve, the FDIC, and the Office of the Comptroller of the Currency. More than 80 banks now use the tool, Glotz said, with another 100 expected to adopt it in the next year. 

Glotz said the Risk Maturity Framework can be especially helpful for newer CROs who want to become more adept at evaluating risk from a big-picture perspective after specializing in, say, internal audit or compliance.  

In addition to helping CROs evaluate risk, the Risk Maturity Framework helps them communicate that evaluation to their boards of directors and executive teams, Glotz said.  

“You need to find a way to get a big-picture view of what you’re doing, and to be able to articulate it” to the board of directors, Glotz said, which has a fiduciary obligation to ensure that an appropriate risk framework is established, given the size and complexity of the bank. 

“There’s a lot of value to having that assessment and having it all pulled together into one place for the board to understand where the gaps are, what the plan is, and what the priorities are,” Slane said.  

A common risk management “gap” is staffing. From community institutions to those with over $100 billion in assets, SRA has found many have risk staffs that are not large enough or optimally organized. The framework tool can help CROs emphasize staffing needs to the management team and the board, Glotz said.   

Risk leaders also need to communicate how the relative risk of an organization is linked to its strategic and capital plans. 

“Banks have a strategic plan for a reason. It’s a way to give a roadmap and educate not only the board and the management team, but all the employees to get them aligned,” Glotz said. Linking a three-year risk management plan to the company’s three-year strategic plan can make it easier for risk managers to provide forecasts to the board and executive team, achieve risk management goals, and seek resources for risk management. 

Through benchmarking, the Risk Maturity Framework can also show a bank’s management team and board how their risk program compares with institutions of the same size. As banks grow in size and complexity, the maturity level of their risk program needs to grow as well, Glotz said. The Risk Maturity Framework will help answer the question: “Do I have the right structure in place, given the size and complexity of my organization?” 

Want to learn more about the Risk Maturity Framework? Contact Shea Scarpa Gardner, RMA Associate Product Manager, at sscarpa@rmahq.org.