In banking, we tend to think of risk as transactional in form. We contemplate what would happen if a loan defaulted if a cyber-attack occurred, if a new product caused a liability or if interest rates spiked. This is to say that we think of risk in the context of a particular event – if X happens, then Y risk will occur. The problem is that this event-driven mentality limits our thinking on risk. Risk is present no matter if it is monetized or not. Rising interest rates does not create risk; it just monetizes it. Further, by just focusing on a transaction or event, we miss the biggest risk we have in banking – organizational risk. In this article, we look at how bankers can realign their chain of risk in order to reduce their individual, departmental and organizational risk spheres.
The Sphere of Risk Influence Concept
Every component in the production of a banking product has a certain risk attached to it. This risk starts at a single point and radiates out in all directions. This includes all assets, liabilities, fee services and capital each forming a potential “node.” Where a computer or small savings account has a small level of risk, a person or loan may have a high level of gross risk attached to it. Some people or assets have small spheres of risk, while others have large spheres.
Spheres of risk can potentially expand where assets, liabilities, and capital interact. Each interaction is a connection where risk can align in a reinforcing manner or can offset and mitigate a risk line in order to reduce the sphere. A banker has a certain level of risk as does a computer, combine the two and the sphere of risk can grow geometrically. The banker can leverage the computer to underwrite a loan, commit fraud or harm a bank’s reputation. The more nodes (assets, liabilities, etc.) an organization has, the more complexity is present and the more the sphere of risk could grow. These nodes can be combined in infinite ways to push out the sphere in all directions creating more kinetic interest rate, credit, liquidity, market, legal, reputational and other risks.
In-line vs. Mitigating
Some risk forms a locus of points where they line up. A loan, for example, has both credit and interest rate risk. These risks can not only be in-line but can be reinforcing. Higher interest rates may result in more credit stress for the borrower and a lower value of the loan for the bank. Conversely, risk can be in-line but can be mitigating to other risk. The Bank Secrecy Act may cause some customer service risk, but serve to offset fraud risk. Capital can be leveraged to create more loans and increase the sphere or it can be used for greater reserves to serve to mitigate risk and reduce the sphere. It is important to know if your risks are in-line and if, the risks are mitigating or self-reinforcing.
Putting This Into Action – Organizational Risk
The above concepts are important to keep in mind as you think about the risk in your organization. The biggest risk of all is a bank’s culture and collective set of processes. This is one risk that is rarely assessed.
Wells Fargo’s cross-sell debacle that resulted in a loss of public trust and a potential $110mm in legal liability is a classic example of a bank that never considered their organizational risk sphere. Misguided compensation policies, weak management, non-existent controls and a muddled culture all combined in a chain of risk to form a catastrophic sphere. The risk of one business development officer forcing an additional sale of a bank product on the customer was not that great in itself. However, when multiplied, the problem became systemic, and the sphere of risk grew from a product, department and organizational level.
Before you pat yourself on the back and feel confident that the type of reinforcing risk can never happen at your bank, consider two scenarios. One derivation on the above is that your bank may not be cross-selling needed products at all, and you risk underperformance as producing a return of less than your 11% cost of capital.
Alternatively, you may be cross-selling but not have the compensation programs in place to attract the high-level talent that can further take your sales program to the next level. Here, you may have a series of risk points, but they may not be connected. This also leads to suboptimal performance.
It is far better in the three examples above to figure out all your process points in the chain and then figure out how you can optimize each point to create a risk sphere that reduces the previous node’s sphere. Had Wells Fargo had a compensation program that was more aligned with the customer’s interest, had a better monitoring program and had a stronger culture; it might have had the best of all worlds – happy customers, greater profit, and a smaller collective risk sphere.
Probably the most common organizational risk that we see is a misuse of governance in a process chain. For example, put the board, CEO, and Chief Credit Officer (CCO) on loan committee, and you have just aligned your risk in a reinforcing fashion. Having all three nodes involved in credit approval does provide some diversification in views to help mitigate risk. However, managers with a common interest and shared experience usually offer little diversification in views. The little risk mitigation that comes from adding a board member or CEO to the credit approval process is dwarfed as valuable governance and oversight is compromised. You can’t manage objectively if you are involved in the process. If your board and CEO is involved in the process, who is left to conduct process evaluation, after action reviews, and provide dispassionate quality process improvement?
This is why the Safety Officer at NASA, in a military operation or at a fire is removed from the line process. Their job is to do nothing but observe and report directly to the top of the chain of command. Remove the CEO and Board from the credit process, and you now have less risk, not more. The Board and CEO are still involved, but instead of opining on credit (reinforcing risk), they are now opining on the process itself (mitigating risk).
A bank’s CCO should manage credit, while the CEO should manage the credit process. The board should then evaluate the credit approval process and the management of that process.
Putting This Into Action – Individual Spheres
Next, to organizational risk, many banks fall short on looking at the risk spheres at the individual level. Consider that a majority of banks allow their lending officers to negotiate loan terms with the borrower, conduct credit analysis, document the loan AND sign off on all the conditions precedent in order to close the loan. This is a crazy. The risk sphere is huge as each node in the process serves to reinforce the previous risk.
You don’t need a credit shock or fraud event to see the potential for this risk. Banks may get away with this type of reinforcing risk alignment in the short-term, but sooner or later, the process becomes too complex, and the smallest externality such as a nefarious customer, deterioration in culture or a credit shock pops the risk sphere so that the locus of risk nodes gets monetized.
A bank is a portfolio of risks composed of multiple risk spheres. Various risks can line up and serve to inflate the sphere. While banks excel at thinking about risk at the product level if a certain event occurs, our industry falls short of being able to observe a complete risk chain and recognize the risk before it is monetized. Take any major risk event such as the last economic crisis, the Challenger explosion, the Bay of Pigs, Enron, etc. and you will find a line of reinforcing risk creating a large risk sphere.
In today’s environment, risk is changing quickly like never before. Immigration, the potential termination of the interest expense deduction, tax reform, a change in regulations and many other issues all serve to shuffle our industry’s chain of risk like never before. Banks should not wait for a formalized event to manage these risks as the risks spheres exist for all these events now whether you know it or not. The key is to think about how your risks line up and add mitigating factors to help manage enterprise risk. Doing this one exercise will keep profits high, and your risk spheres small.
Submitted by Chris Nichols on March 29, 2017