How much is your financial services firm willing to risk?
Enterprise risk management has typically been reserved for large financial institutions. However, regulatory demands and the marketplace are forcing financial services providers of all sizes to adopt risk management practices. Organizations need to understand how internal and external factors affect their strategy.
Your firm must understand how internal and external factors could affect your business. And regulators want to see how the risks associated with your strategies are evaluated — before your firm follows a new strategic path.
The challenge is that many financial services firms typically don’t have a full-time risk professional, nor do they truly understand the risk of not having someone dedicated to evaluating risk in a holistic sense. Instead, risk is managed intuitively and typically siloed within a particular department. For example, the IT team evaluates the risks associated with a new vendor or tool, while the C-suite looks at the effects of bigger-picture economic changes, such as interest rates.
This siloed approach introduces enormous risk for the firm overall, so someone needs to consider all the potential risks facing the institution and how they interact. Deciding who that someone should be is the first step in mitigating risk.
Enterprise risk management in mid-sized financial services
An enterprise risk management framework can benefit financial services firms of all sizes.
An enterprisewide risk assessment seeks to aggregate risks across the enterprise, so leaders understand the full portfolio of risk that exists. Unlike an audit, a risk assessment is forward looking. It imagines what the impact of an event or change could be. That, in turn, informs the strategic direction and tactical planning. At the most basic level, risk management is asking: What stands in the way of our strategy?
Once risks are identified, leaders can address how to manage them and who should manage them. Leaders can also start to get a sense of their risk tolerance (i.e., how much risk is the organization willing to take?).
An organization’s risk appetite is often tracked through financial metrics, but it is also in large part about culture. Leaders set the tone for risk, and their attitudes should align with the strategies, decisions, policies and practices within the organization.
How to assess risk in a mid-sized financial services firm
In practice, a risk assessment starts with the creation of an inventory. Someone in the organization, or a risk management consultant, can document all the potential risks an organization could face, both internally and externally.
Risks are collected through organizationwide surveys, interviews with stakeholders across all levels and departments, research and observation. Each risk is evaluated based on its likelihood of occurrence and its projected impact. Once evaluated, each risk is assigned a score, so leaders can rank and tackle risks according to their severity.
It’s also important to note that not all risk is bad. Often this exercise allows leaders to take advantage of opportunities they may not have previously considered.
A risk assessment takes some imagination — but there’s no crystal ball. As the COVID-19 pandemic made clear, some events are beyond the foresight of this exercise. A risk assessment establishes a process for evaluating risk, even if it doesn’t capture every possibility.
Risk appetites also change over time. And new threats emerge, sometimes quickly. That means financial services firms need to constantly monitor, evaluate and address risk. Their strategies have the best chance of succeeding when risks are consciously evaluated and properly mitigated along the way.
Who is responsible for risk?
Ultimately, the board of directors is responsible for the risk taken by the firm. Each area of risk should have a risk owner who is overseen by a risk officer. That said, management of risk is the responsibility of three lines of defense:
1. The front line
2. Independent risk management
3. The audit
In short, everyone in the organization has a hand in risk management. And risk management can be an opportunity to see how high-potential employees think, collaborate and strategize.
When looking for a risk officer, consider someone who:
- Is familiar with the organization’s strategic initiatives and understands the direction the organization is looking to move in.
- Has the ability and desire to work across departments and functions.
- Possesses a forward-looking and curious mindset.
- Is comfortable asking tough questions and open to receiving constructive feedback.
Your risk officer can’t make risk go away — but they can make risks clearer to leaders, even if they’re uncomfortable topics to discuss, like succession planning.
Risk should be pervasive
Even with an all-hands-on-deck approach and mentality, risk will not disappear. Today’s business environment requires firms to take calculated risks. Financial services firms need to decide how much risk they’re willing to take and move forward, as a team, accordingly.
Remember, understanding your risk will allow you to be more successful in your chosen endeavors, and it will also garner favor with the regulators.
How Wipfli can help
Our enterprise risk management team can work closely with your firm to identify internal and external risks that get in the way of your goals. Work with Wipfli to understand your organization’s risk tolerance and uncover potential roadblocks, so you can protect your ambitions and plans.