Recent high-profile instances of misconduct have brought the issue of enterprise risk for financial institutions front and center. These events make it clear that institutions must widen their focus and look at enterprise risk governance more broadly than before. And it's no longer a large bank issue – enterprise risk governance and culture affect all financial services organizations, regardless of asset size.
Regulators are conducting reviews of large bank “Conduct and Culture” programs and examining sales practices, employee sales goals, and executive compensation practices, along with the effectiveness of banks’ risk governance across the organization. Continued interest in these areas particularly at smaller institutions will likely be supported by the current administration, which has voiced concerns over sales practices that could be harmful to consumers.
This new focus increases the potential for emphasis on and action to enhance corporate governance and pushes financial institutions to strengthen their enterprise-wide approach to the assessment of enterprise risk and governance.
Although most financial institutions, regardless of asset size, have established processes to collect data from various parts of the organization, few have the mechanisms in place to connect these disparate processes and data sets. But this is a critical step to be able to fully and holistically analyze key risk indicators and key performance indicators to inform senior management and the board.
Examples of the items that should be connected include:
- an organization’s code of conduct
- complaints
- whistleblower hotlines
- issues management
- employee, customer, and vendor surveys
- third party management
- performance management
- compensation
- internal investigations
- sales practices
- business strategies
- key internal and external communications
- management and board reporting.
Three lines of defense and an enterprise-wide risk governance framework
The three lines of defense model is a common practice today. It's designed to form a system of checks and balances among first-line ownership of controls design and execution, second-line independent monitoring and oversight of controls effectiveness, and third-line independent review by internal audit of how first- and second-line control functions are performing.
Financial institutions are now considering adding an enterprise-wide risk governance framework that links risk strategy and appetite, risk governance, assessments, monitoring and reporting, control testing, and data and technology. They're also now starting to embed their values, goals, expectations, and priorities into their three lines of defense, while making enhancements to the transparency, independence, and oversight within this structure.
Regulators are providing further specific guidance in this area. Notably, the OCC’s Enhanced Risk Management Standards outline “heightened expectations” for enterprise-wide risk governance and changes to the Federal Reserve Board’s SR 08-8 Compliance Risk Management Programs and Oversight at Large Banking Organizations with Complex Compliance Profiles will focus on conduct and culture in addition to testing and monitoring.
Continuing risk governance and conduct and culture expectations
The tenets of risk governance and conduct and culture are likely to continue to dominate the expectations of regulators and consumers across the financial services industry. In addition, cybersecurity, the protection of consumer data, and competitive pressures from financial technology (FinTech) firms will only grow in importance. This all points to enterprise risk governance and culture as key to setting the tone for proper risk mitigation.
All indications suggest financial institutions of all sizes should stay focused on their current path, recognizing that, for now, the scope of anticipated change is speculative and will take time to enact. In the meantime, building a strong customer-oriented corporate culture, developing a holistic approach to enterprise risk governance, embracing technological changes, and streamlining regulatory change capabilities will help prepare and position institutions for new regulatory requirements.