Assessing and managing enterprise risk is crucial for the success of today’s financial institutions, and whenever new ventures are considered, this involves weighing the benefits of the new ventures, such as new programs, vendors, and initiatives, against the strategic, reputational, operational and regulatory risks that might be involved in taking on that venture.
As an example, many community banks and credit unions may have already implemented (or are looking to implement) mobile banking and mobile capture to remain competitive with larger financial institutions. Before moving forward with the initiative however, the bank must go through several stages to ensure it truly understands the enterprise risks involved. At the conceptual stage, the bank wrestles with the question of whether or not to move forward with the initiative. If the bank chooses not to do it, it may lose business to a competitor who offers this service. If it elects to move forward with the initiative, what then are the assumed risks and what are the next steps in mitigating these?
Four Enterprise Risks
Before implementing a new initiative at the bank, financial institutions should evaluate four main categories of enterprise risk:
- Reputation risk – The risk that negative publicity regarding an institution’s business practices can adversely affect the financial institution’s ability to establish new relationships or services, as well as affect its ability to continue servicing its existing relationships.
- Strategic risk – The importance that this process holds in the context of the overall enterprise. In other words, how important is the execution of the process to achieving the goals and objectives of the institution’s overall strategic plan.
- Regulatory/Legal risk – The risk arising from potential violations of, or nonconformance with, laws, rules, regulations, prescribed practices, or internal policies and procedures.
- Operational risk- Simply put, operational risk is the risk that the processes supporting the initiative fail. Practically speaking, this includes the extra overhead, or additional burden, that alternative procedures, practices and personnel required for manual or alternate methods (the work-arounds) of performing the processes add to the normal day-to-day operations. Operational risk should also consider the potential relocation of personnel from their primary job duties which could, in turn, result in reputational risk.
Of note is that adequate management of enterprise risk continues for as long as the initiative is in place at the institution.
What Can Banks Do To Improve Enterprise Risk Management?
Financial institutions can ensure that enterprise risks are addressed by building a culture that routinely evaluates and discusses enterprise risk and has incorporated it into day-to-day operations. Banks can do this by ensuring their employees understand the key risks to evaluate and how each one should be addressed.
This starts with the board and senior management understanding and supporting information security and providing appropriate resources for developing, implementing, and maintaining the information security program. The result is a program in which management and employees are all committed to integrating risk management best practices into the institution’s lines of business, support functions, and third-party management programs. In addition, management and employees should be held accountable for complying with the institution’s information security program.
The FFIEC Information Technology Examination Handbook explains that introducing new business initiatives, including new service offerings or applications, is the true test of the maturity of and degree to which information security and enterprise risk management are part of the institution’s culture. An institution with a strong security culture generally integrates information security into new initiatives from the onset and throughout the lifecycle of its services and applications.
Ensuring that strong security and compliance practices are deeply embedded in the institution’s culture contributes to the overall effectiveness of the information security program. When high compliance standards are established within a financial institution, all employees recognize that they have a personal responsibility to truly understand the risks their institution faces as well as ways to safeguard against them.