It’s no wonder that enterprise risk management functions in banking sometimes are reactive, backward looking and often entrenched in performing, after the fact, checklist activities that do little to help identify, assess and manage evolving risks.

After all, the increased emphasis on risk management over the past 15 years was itself a reaction to several crises like Enron and WorldCom.  Then, with the economic downturn starting in 2007 and the subsequent failure of hundreds of banks, we experienced regulatory reaction which emphasized enterprise risk programs as a defensive, safety and soundness functions charged with ensuring that boards received sufficient reports on risks across the organization.  Add to this several international organizations committed to standardizing and promoting the practice of enterprise risk management that gave us the concept of “three lines of defense” and we sometimes end up with risk programs that add little or no value, often existing merely to satisfy regulatory requirements.

One bank CEO I know used to refer to risk management as “blood sucking overhead.”  It doesn’t have to be.

So directors, are you getting risk related reports in your board packages?  If so, do those reports ever talk about potential or evolving risks that your bank may face in coming months, or do they contain only metrics and data telling you about things that have already occurred?  Does your CEO know how to use the risk management function as an “offensive” tool?  Does your risk management organization help to build effective mitigation and risk management controls so the bank can make better risk decisions?  Are you getting forward looking risk analysis that transparently discusses the potential risks associated with a new product or initiative you bank is undertaking?

The answers to these questions, which I encourage you to ask, are likely going to be directly related to the culture and mindset that you, your CEO and other leaders drive in the organization.  If your CEO thinks of the risk management function as a necessary evil, another costly regulatory burden, or perhaps just those people who tell us what we can’t do, then that’s pretty much what your risk management process will be.

I am excited that the AABD has established a committee focused on risk management and even more pleased that it will be called the Risk-Reward Committee.  As the name implies, the AABD recognizes that risk management needs to be balanced and the organization is committed to assisting bank directors in better understanding enterprise risk management and how it can add value at your bank.

We need to start thinking differently about risk management – not as a separate exercise but as an integrated part of strategic planning and decision-making.  Risk personnel need to shift focus from checking to see if someone followed procedures to helping identify, assess and manage risks, even risks that may occur in the future.  As we discuss more specific risk management topics in future columns, my goal is to provide you with actionable information, usually in the form of specific questions or discussion topics that you can use to facilitate meaningful dialogue with your management team.

Joseph O’Donnell
AABD Risk Management Issues Advisor
Director, Enterprise Risk Management, Fannie Mae