Improving Risk Culture is a “Necessity.”
Regulators are clear. Banking institutions must have strong risk management policies. In fact, at a recent conference, the President of the Federal Reserve Bank of New York said improving risk culture is a “necessity.” What exactly are those regulators looking for and why aren’t procedures and policies enough?
1. Policy and Procedure form the framework.
According to the Fed, some of the key metrics that regulators want to see are compliance programs directly dealing with hot buttons like consumer lending, BSA and FATCA; dual or triple monitoring; a specific statement illustrating the institution’s risk appetite; and e-risk systems. Having these policies in writing and accompanying them with written procedures ensures the first step in tackling the establishment of a strong risk culture.
2. Management Needs to Step up the Game.
Management must ensure that employees are carrying out risk culture. Regulators not only want to see policies, they want proof that someone is paying attention to those policies. Pay careful attention to employee work habits. Establish monitoring systems. Do spot checks. Promote positive attitudes about risk culture. Track successes and train on failures—but have consequences for failures. At the end of the day, regulators want to see that risk culture is effectively communicated from top down.
3. What about the Board?
It is clear that the Board is an integral piece of the risk culture puzzle. Boards should set the tone, and ensure metrics are in place to track the progress of management. While at times the regulations may be over broad as to the duties placed upon members of a Board, the Fed has indicated that there is light at the end of the tunnel. Clarity and focus are coming.
Establishing a risk culture is non-negotiable, but the real key to success is to communicate effectively and positively about abiding by that culture. Consistent messages and positive direction will make or break employee perceptions about buying into the program.