Flexible Risk Assessments and Effective Reporting in the Banking Industry at RMA's GCOR XIII

By Steven Minsky, CEO of LogicManager and author of the RIMS Risk Maturity Model

The banking industry is perceived as the most advanced in its understanding and implementation of risk management. Although banks have indeed made huge progress, there are two areas in which every bank can still improve: the structure used in conducting their risk assessments, and using that structure to enable actionable and insightful strategic reporting.


I’ve found that the understanding and implementation of risk management is driven not by industry or size of institution, but rather by its people: boards, executives, their teams, and front-line managers keeping their organization on track to achieve their goals and preventing missteps in this fast-paced age. Recently, I presented at the Risk Management Association’s GCOR XIII Conference in Cambridge, MA, which aimed to educate risk managers in the financial industry on new best practices and emerging trends, such as how to build flexible risk assessments and present effective board reports.

In this blog post, I’ll recap some of the highlights of these two important, intimately related topics. I’ll also pass along the tools I showed to attendees to give you a head start on implementing these tips for risk management in the banking industry.

Goals and Challenges in the Banking Industry

Attendees of GCOR XIII have similar goals and challenges. So first, what’s the goal? Protect your bank by identifying, mitigating, and monitoring risks before they manifest. 

What’s the challenge? Today, there’s a lot to protect your bank from―data breaches, reputational damage, non-compliance, and so much more. So the challenge, in a word, is complexity.

To paint a small picture of this complexity, think about the main regulatory body your bank has to align with and how many different risk categories they define. What I’ve seen time and time again is banks trying to put together different risk assessments to match up with all these different categories - the FFIEC’s 6 risk categories, the OCC’s 9 risk categories, etc.

The problem with this approach is if you take one of these categories, say reputation risk, and try to ask someone in IT to fill out a risk assessment on this category, they won’t know where to begin. They can only speak to what they know, and most IT professionals haven’t made the connection between what they know and reputation risk. 

A better approach is to attract as many people as you can with honey. The honey in this case is cross-functional risk assessments.

Get More Out of Cross-Functional Risk Assessments

With cross-functional risk assessments, you’ll be able to gather, re-aggregate, and report on all the information you need to protect your business from a myriad of risks.

First, my presentation is nicely summarized in our eBook 5 Steps for Better Risk Assessments: A Special Edition for the Financial Industry, so feel free to download a free copy for an in-depth recap.

For the purposes of this blog, however, I’d like to reiterate three things:

1) The key to cross-functional risk assessments is taking a risk-based approach. Risk management is in every employee’s job title, whether they know it or not. Having their engagement in the risk assessment process is crucial to achieving a more-flies-with-honey effect. Download the Risk-Based Approach Wheel I showed attendees here. Use it to connect with other professionals in your organization, like Audit or Compliance, by starting with their priorities and working your way around the risk management cycle from their preferred starting point.

2) Rethink your risk assessment categories. Instead of creating risk assessments with categories that align specifically with FFIEC or OCC categories, use standards in scoring, naming conventions, and risk libraries to organize them by key departments, key products and services, and key regulations. This way, you’re talking to people about what they know best and getting the most accurate information with the accountability for those risks attached.

3) Re-aggregate risk assessment information to align with big regulator risk categories and more. With a taxonomy in place, you can categorize one risk in multiple ways. Let’s say the Marketing Manager identifies someone hacking into the website as a risk. This would be simultaneously categorized as a marketing risk, an external risk, and a reputation risk (one of the OCC’s main categories).

The Why, How, and What of Effective Board Reports

Item number three above has everything to do with developing a flexible reporting structure―a topic I took a closer look at with GCOR XIII attendees. With such a structure, you can take any piece of information you’ve gathered from across the enterprise and dig into it in a multitude of ways.

Above we talked about how aligning with the main regulatory bodies adds complexity to managing risk in the financial industry. Another faction of this complexity is aligning with strategic goals set by the board. So, not only are risk managers juggling hundreds of regulations, but they also have the board calling on them for evidence that their ERM program is effectively supporting the goals they set for the company. 

At first, risk managers may not realize the massive amounts of information already on hand throughout their bank, covering all areas of the organization down to the front lines. Without standards and a taxonomy to link and relate all the connections across that information, it can be very challenging to portray how operational activities also align with the business’s greater strategic goals. Historically, boards of directors and senior leadership have struggled to engage with risk managers because, typically, information is not collected and distilled in the most effective way. The boards want to see the bottom line: how risk management is supporting their strategic objectives.

I’d like to give you a few tips on how you can overcome this challenge and paint the big picture for the board.

First, the taxonomy I describe above is a great tool for aggregating risk in many different ways. With a flexible categorization structure in place, you can pull reports on risks tied to different departments, products, regulations, or even strategic goals. The board wants concise deliverables providing evidence that the appropriate risk management controls are in place and that they are effective over the risks they are designed to mitigate. They also want to know that these risks are monitored, so that they won’t be the next name in the headlines.

Another tip to keep in mind is to collect information in a way that enables your reports to be flexible. Compiling enterprise-wide risk into strategic dashboards gives the board a comprehensive look at the “why” of an aggregated view of risk and its implications, and also provides the flexibility to drill into individual risks all the way out to the front-line business units where the risks are known. They are strategic in that the information in the dashboard can be dynamic while the presentation framework remains the same, so board members can quickly zoom in on the insights they need without having to interpret how the data was gathered or adjust to a changing presentation style. The board doesn’t need to be overwhelmed with all of the risks at the business activity level, but it is best to have the option to dig deeper and re-aggregate information within the report.
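As an added illustration that is not from the post or from any LogicManager product, a small Python risk register shows how the multi-category taxonomy in item 3 above and the drill-down reporting described here fit together: one front-line risk carries several category tags, is re-aggregated per regulator category for the board view, and is traced back to the department that owns it. The taxonomy, the 1-5 scoring scale and the register entries are constructed placeholders; only "Reputation" is an OCC category the post names.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed taxonomy: a department-level risk name maps to every regulator
# category it belongs to. "Reputation" is the OCC category named in the post;
# the other labels are illustrative placeholders, not the OCC's actual list.
OCC_TAXONOMY = {
    "website compromise": ["Reputation", "Operational"],
    "vendor outage": ["Operational", "Strategic"],
    "marketing claim error": ["Compliance", "Reputation"],
}

@dataclass
class Risk:
    name: str
    department: str   # the people who can actually speak to this risk
    source: str       # "internal" or "external"
    likelihood: int   # constructed 1-5 scale
    impact: int       # constructed 1-5 scale

    def score(self) -> int:
        return self.likelihood * self.impact

    def categories(self) -> dict:
        """One risk, several views: by department, by source, by regulator."""
        return {"department": [self.department], "source": [self.source],
                "regulator": OCC_TAXONOMY.get(self.name, ["Uncategorized"])}

def aggregate(risks, dimension):
    """Re-aggregate front-line risk scores into one taxonomy dimension."""
    totals = defaultdict(int)
    for r in risks:
        for cat in r.categories()[dimension]:
            totals[cat] += r.score()
    return dict(totals)

def drill_down(risks, dimension, category):
    """Drill from an aggregated category back to the owning front-line risks."""
    return sorted((r.name, r.department, r.score()) for r in risks
                  if category in r.categories()[dimension])

# Constructed register: the Marketing Manager's "someone hacking the website"
# risk from the post plus two further sample entries.
REGISTER = [
    Risk("website compromise", "Marketing", "external", 3, 5),
    Risk("vendor outage", "IT", "external", 2, 4),
    Risk("marketing claim error", "Marketing", "internal", 2, 3),
]

if __name__ == "__main__":
    print(aggregate(REGISTER, "regulator"))            # board view
    print(drill_down(REGISTER, "regulator", "Reputation"))  # front-line owners
```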

Once the board has a clear view of their organization’s risk, they can rest assured that your risk management program has their strategic organizational goals in mind. As a result, the board will continue to provide the necessary support for your program. 

It was an honor presenting at RMA’s GCOR XIII, where I got to share and learn from risk professionals in one of the most advanced industries in the risk management fields. I hope attendees, and new readers, found these tips and tools useful!

You can access a recording of Steve Minsky’s GCOR XIII session on The Why, How, and What of Effective Board Reports below.

