For many fintechs and non-bank financial services providers, consent orders issued by banking regulators in 2024 are an intimidating compilation of heightened regulatory expectations and complex remediation requirements. While Bank Secrecy Act/AML, cybersecurity and third-party risk management (TPRM) issues remain in focus, risk governance and enterprise risk management (ERM) are increasingly cited as areas for improvement.
Although not directly subject to bank regulation, requirements such as the Interagency Guidance on Third-Party Relationships: Risk Management require their bank clients to assess providers’ risk management practices.
Building a Risk Management System (RMS) is challenging, but having an effective, resilient RMS will contribute directly to growth and profitability. The good news is many of the building blocks may already be in place, and developing them into an effective risk management framework is closer than you think.
Whether you’re a mobile payment company, software vendor or digital-asset service provider, rapid changes in financial services and technological advancements provide tremendous new revenue and cost-saving opportunities. However, these often come with new or increased risks.
Developing a risk inventory and assessment process is essential, and identifying risks is just the beginning – designing, documenting and implementing a governance framework and robust controls requires considerable effort in laying the foundation for responsible, sustainable growth.
Mark Sexton
For firms new to financial services regulation, this can be time-consuming, require new skills, and distract from running the business and managing top risks. Leveraging external support can streamline program buildout, but building internal expertise, fostering accountability and ensuring effective execution will define success.
Fortunately, there’s no shortage of regulatory guidance, expert opinion and peer forums to show what’s required and present organizational options. With analysis and thoughtful dialogue (internally with peers and directly with regulators), firms can define a first-generation RMS appropriately tailored to their business. Most firms are actively assessing and managing key risks already, even in the absence of formal policies and procedures.
Once the board and senior management have a high-level understanding of requirements, key questions include:
It’s helpful to start with a simple definition of what you’re trying to achieve and an understanding of what the future state looks like. Ultimately, the board and senior management want to create a risk governance framework that allows the business to execute its strategy and deliver sustainable, profitable growth in a responsible manner. From a risk management perspective, the goal is to identify, measure, monitor and control the risks in the business to achieve those goals.
The Office of the Comptroller of the Currency (OCC) provides a helpful example of a risk governance framework in the Corporate and Risk Governance section of the Comptroller’s Handbook.
Figure 1 – OCC Risk Governance Framework
Source: Comptroller’s Handbook
This graphic shows a traditional three-lines-of-defense model, with responsibility for risk management, oversight and assurance shared across the business, independent risk management and internal audit. The position of Risk Culture reflects the notion that it is part of the “tone from the top” set by the board and senior management, and will flow down through the organization.
Paul Feldman
While this graphic depicts a robust future state, different visuals may better represent the sequencing of your program build. Even without a formal risk management framework, several components likely exist and can be repositioned to create a solid foundation for effective risk management.
Some missing components can be created quickly (e.g., a preliminary risk appetite statement) or outsourced to experts (e.g., audit), while the design and implementation of other components will take longer.
At the outset, it’s important to focus on the objective, which is to identify, measure and manage the biggest risks. A lot can be achieved by enhancing processes within existing teams.
Regardless of what you have documented, think about everything that your team is currently doing. For example, even without a risk identification and assessment process, firms typically know their biggest risks.
Similarly, without escalation procedures, teams understand when their superiors should be involved in a decision. Many risk management practices, including controls and reporting, already exist. Consider the following items:
-- Strategy/Business Plan: When developing a strategy, management evaluates the competition and identifies barriers to entry. Assumptions about available technology or the ability of key experts inform timelines and hiring strategy. These are all strategic risks. Firms also know their available financial resources which define risk capacity. Assuming the firm can’t risk everything, appetite for losses will be lower, setting the financial limits of your risk appetite statement.
-- Risk Culture: All firms have a risk culture. Answering a few questions can help firms see it. What is the “tone from the top” about risk-taking and escalating identified risks? Are key risks analyzed? Does management consider potential adverse outcomes? Are employees comfortable seeking input from peers and management when they’re concerned? These answers provide valuable insights into risk culture and will suggest areas for improvement.
-- Strengths, Weaknesses, Opportunities and Threats (SWOT) Analysis. The weaknesses quadrant of SWOT is a great place to identify risks. For example, reliance on a third party for cloud services or offshore resources to manage costs creates third-party risk. Similarly, having few employees with command of the firm’s intellectual property is key person risk.
-- Decision-Making: Is risk considered in key decisions, and where appropriate, is risk tolerance calibrated to risk capacity? Consider software development: When are new releases ready for production – when all steps in the software development lifecycle (SDLC) are complete, or when the founder or relevant committee approves? What mechanisms are in place for bug fixes and user acceptance testing (UAT)? These are controls over IT risk and strategic risk with embedded escalation and approval hierarchies.
A well-designed process for reviewing proposed new products or services, with appropriate consideration of risk, can add value quickly.
Firms frequently adjust their strategies in response to customer demand, competition or new regulations. Taking time to assess risks can bridge the gap between strategic analysis and decision-making and help avoid costly starts and stops.
With a clearer understanding of culture, risks and controls, firms are better positioned to formalize the risk governance framework.
Having reviewed operations with risk management in mind, firms can design a more tailored risk governance framework. While the goal is to build a complete program over time, consider asking, “What can we do to feel comfortable executing our strategy with current resources, and who should be accountable?”
The practices, resources and artifacts identified above are a good place to start. With nonexistent or thinly staffed control functions, responsibility rests with the company’s founders, product developers and IT and operations staff; these are collectively the first line of defense. Figure 2 shows how repositioning components of the OCC Risk Management Framework can establish a strong foundation.
Figure 2 – Foundational Risk Management System Design
This framework relies on current staff using existing processes. It reinforces the mantra that everyone is a risk manager and contributes to risk culture. If there were no formal legal or regulatory requirements to create an independent risk management function or provide audit assurance, financial services businesses could still grow in a risk-responsible manner with the foundation alone.
In practice, numerous legal and regulatory requirements mandate independent oversight. As firms grow, they should add experienced risk professionals to build the second line of defense.
Figure 3 below highlights some of the priority initiatives for the independent risk management function. Additionally, the board and senior management should ensure that the audit function, the third line of defense, provides adequate coverage of risk management in annual and strategic audit plans.
Firms can take initial steps in the second and third lines of defense, focusing on top risks and perhaps outsourcing select third-line activities. Similarly, firms can use existing governance forums before establishing a formal executive committee.
Figure 3 – Evolved ERM Infrastructure with Three Lines of Defense
As the firm grows and independent risk management capabilities improve, the foundation stays the same. Risk-conscious revenue generators, guided by a healthy risk culture, are the key to effective risk management.
Fintechs and third-party providers need not be overwhelmed by the breadth and complexity of financial services regulatory expectations for risk management. Begin laying the foundation for effective risk management by completing a few simple tasks, including:
With these quick wins under their belt, firms will be well-positioned for responsible growth.
Mark Sexton is a Senior Managing Director in the Financial Services practice at FTI Consulting. He has 30 years of experience in sales & trading, regulatory compliance, and management consulting roles. He partners with board, C-suite and senior business leaders to solve risk management and regulatory compliance issues and support complex strategic growth and transformation initiatives.
Paul Feldman is a Senior Director at FTI Consulting. He has more than 20 years of experience in implementing and validating analytics-driven solutions to problems facing financial institutions involving risk, finance, capital, strategy and regulatory compliance.
The views expressed in the article above are those of the authors and not necessarily of FTI Consulting, Inc., its management, its subsidiaries, its affiliates or its other professionals. FTI is a consulting firm and is not a certified public accounting firm or a law firm.