CRO Outlook
Friday, July 19, 2024
By Clifford Rossi
Over the past 15 years, we’ve learned the common ingredients for bank defaults: fast, unchecked growth, increased operational and product complexity, and heightened risk taking. Combine these factors with management and board complacency regarding investment in risk management infrastructure, and, voila, you’ve got a recipe for disaster.
This holds true whether we’re talking about this year’s Republic First Bank fiasco, the regional bank failures of 2023, or even the global financial crisis (GFC) of 2008.
There is a simple regulatory refrain that we often hear early on in our risk management careers: make sure to build risk management ahead of growth. However, while that simple approach seems so obvious, it often goes unfulfilled – particularly when banks are at an inflection point where their growth starts to take off and their products and operations become more complex.
For the long-term survival of fast-growing, increasingly complex banks, risk governance must be strengthened. Leadership teams, moreover, must acknowledge and overcome management and board complacency regarding investment in risk management infrastructure.
We’ll soon get to the steps a bank can take to avoid repeating previous failures, but let’s first take a minute to review how we arrived at this critical risk culture moment.
Interestingly, even though the GFC and last year’s bank fiascoes were separated by roughly a decade-and-a-half, the regulatory response was surprisingly similar.
Following the failures of regional banks in 2023, the Federal Deposit Insurance Corporation (FDIC) proposed a set of guidelines for corporate governance and risk management for state nonmember banks. Those were reminiscent of the “Heightened Standards” the Office of the Comptroller of the Currency (OCC) imposed on the largest national banks in the aftermath of the GFC.
Both the OCC’s standards and the FDIC’s proposed guidelines call on banks to take a three-lines-of-defense approach, with independent risk management (the second line) responsible for building a risk framework and developing a comprehensive risk appetite statement. The second line is, moreover, expected to raise concerns about potential threats with the CEO and the board.
Under both sets of guidelines, covered banks’ CROs must report either to a risk committee or to an active board, which must review all key written policies. The big difference is that while the OCC’s standards were created for the largest U.S. financial institutions (with assets of more than $50 billion), the FDIC’s proposed rules apply to much smaller banks, starting at $10 billion in assets.
The FDIC’s proposed guidelines are also more prescriptive. For example, they would require covered banks to have a majority of independent directors (the OCC required only two), while mandating them to document all law violations and report them to the proper authorities.
Both sets of rules, of course, require risk management “tone from the top.”
Why did the FDIC propose standards for much smaller institutions? An important reason is to avoid the risk management “metal fatigue” issue.
As banks reach a certain asset size, their complexity changes. If those changes are coupled with unchecked fast growth, a bank is very likely to experience an existential event that could even threaten its survivability. Consequently, a bank’s governance and risk management capabilities must mature commensurately with its growth, complexity and risk taking.
Bank failure is akin to a piece of metal reaching its breaking point under stress.
In science, the study of metal fatigue refers to the causes associated with the failure of various materials under stress. Factors that play a role in determining the point of failure of a metal component (such as a bolt on an aircraft’s engine) are the molecular composition of the material, the load to which it is exposed and the stress cycle over which it is tested.
At some point, over enough stresses, tiny cracks will appear; this will repeat over stress cycles and the component will become overloaded, potentially leading to catastrophic failure of the aircraft.
For a bank, fast growth and risk taking are analogous to the load imposed on a material that is under stress. But in the bank’s case, rather than a stressed and overloaded component causing the disaster, a macroeconomic or idiosyncratic event may lead to failure.
This concept is depicted in the figure below.
As a bank increases in size, complexity and risk-taking, those factors will manifest as small cracks in its risk exposure; eventually, these cracks widen under stress, which could ultimately lead to the bank failing. Banks that lack effective risk governance, practices and controls are at the greatest risk.
Effective governance and risk management are therefore prerequisites for ensuring long-term firm viability. I first realized this 20 years ago, when I was working at a large community bank. This bank had just over $10 billion in assets in 2004 – but that figure ballooned to over $100 billion within three years.
Per regulatory requirements for institutions of that size, the bank had to make significant investments in risk management. It therefore developed a robust risk management capability – with all the trappings of three lines of defense, a capable second-line ERM function, and sophisticated risk measurement, analytics, reporting and escalation processes. But the problem was that the bank ignored the governance side in building its risk management process.
The bank’s risk profile increased significantly during its period of tremendous growth from 2004-07, when it also saw a spike in the complexity of its products and its operational processes. The bank’s second line of defense (ERM) repeatedly called out its growing risks, both to management and to the board – but to no avail.
The bank’s board lacked the independence to effectively challenge management on the firm's fast growth, high-risk strategy. Moreover, they didn’t feel empowered to ask the right questions about the level of risk taking.
The board exhibited a collective mindset tilted much more toward return than risk, and the bank wound up as one of the casualties of the subprime mortgage crisis in 2008. But it may very well have avoided this fate, if it had heeded the guidance of the second line of defense and bolstered both its risk governance and infrastructure.
The moral of this risk management story is that as a bank’s complexity, scale and risk taking evolve, its governance and risk infrastructure must mature commensurately.
The FDIC’s 2023 corporate governance and risk management guidelines highlight the importance of avoiding excessive risk-taking as a bank’s scale and structure grows. Regulation alone, however, will not lead to the level of governance and risk management required to manage a fast-growing, increasingly risky bank.
Bank management teams that are reluctant to follow the FDIC’s guidance may be influenced by the threat of potential regulatory enforcement actions. In the end, though, the underlying risk DNA of the bank management team and the board must provide the molecular structure necessary to prevent metal fatigue and failure at 30,000 feet.
Clifford Rossi (PhD) is the Director of the Smith Enterprise Risk Consortium at the University of Maryland (UMD) and a Professor-of-the-Practice and Executive-in-Residence at UMD’s Robert H. Smith School of Business. Before joining academia, he spent 25-plus years in the financial sector, as both a C-level risk executive at several top financial institutions and a federal banking regulator. He is the former managing director and CRO of Citigroup’s Consumer Lending Group.