CRO Outlook

Risk Management Lessons from the Wells Fargo Report

The bank's self-analysis of its critical risk deficiencies should serve as a cautionary tale, emphasizing the importance of risk culture, reputation, expert boards, proper compensation programs and strong management support.

Friday, February 15, 2019

By Clifford Rossi


In response to a string of high-profile risk management incidents experienced over the last several years, Wells Fargo recently released its Business Standards Report, summarizing its findings and recommendations for remediating a number of deficient business and risk practices responsible for its risk management missteps.

The report should be mandatory reading for every bank board and management team to assess their own practices, ultimately leading to the pivotal question: are there any deficiencies in culture, governance, incentive compensation and risk management processes that could put our firm in jeopardy?

Lesson 1: Credibility is hard to earn once your bank's reputation is lost.

Wells Fargo's fall from grace is a genuine case study of enterprise risk management gone awry. While problems for Wells Fargo may have first surfaced in 2016 - with revelations that millions of retail customer accounts had been opened without their authorization - practices in several other business areas (including mortgage and auto lending) suggest that the control breakdowns in the retail bank were not an isolated event.

Lesson number one from this experience is that the long-term effect of reputation risk far outweighs any short-term business objectives. Wells Fargo currently faces an immense credibility problem, since anything it says can only be measured against its actions, which in this case speak volumes about an environment that undermined the company's stated risk philosophy of only taking “prudent risks.”

Lesson 2: Avoid a culture clash between business, risk and audit functions.

The root of any risk management event lies in poor risk culture. The phrase “poor risk culture” itself has become overused, only because there have been so many bank risk incidents over the years where culture has played a role in excessive risk-taking.

Two issues identified in the Wells Fargo report should be troubling to any bank. One is the special deference that control functions, such as corporate risk management and internal audit, may exhibit under certain circumstances toward business functions. Finding the right balance between being a watchdog and a lap dog for the second and third lines of defense is an essential ingredient in ensuring the three-lines-of-defense model works effectively.

Likewise, business areas that limit the flow of risk information to control functions - or otherwise stymie their oversight - erode the necessary enterprise checks and balances that keep a bank from veering off course.

One way of telling how progressive boards and management are in cultivating a strong risk culture is how the bank views and leverages the CRO. A balanced focus on risk and return can only come with parity in the stature of the CFO and CRO positions.

Don't wait until a risk event happens at your firm to change the culture. By then, the damage has been done and moral high ground has been lost.

Lesson 3: Banks with complex risks cannot have too many risk experts on their boards.

One of the most important responsibilities of a board is to provide effective challenge to management. Those two words have enormous implications for who serves on a board. To be effective and to ask the proper questions, a board risk committee member must possess a requisite understanding of risks.

Bank risks - particularly those of a firm as complex as Wells Fargo - cannot be overseen by boards lacking experience in bank risk management. While having diverse professional backgrounds can be useful for some board committees, the ideal candidates for board risk committees at large banks should have direct risk management expertise working at such institutions. Only one of the seven current Wells Fargo board risk committee members appears to have that expertise.

The other essential attribute of an effective board member is the ability to challenge management. Over time this can become difficult, as boards can become complacent as they gain familiarity and comfort with management.

Fundamentally, the buck stops with the board when serious problems arise. Under those circumstances, board shakeups are the bank's way of upgrading its board talent to ensure credible challenge.

Wells Fargo touts several personnel changes to its board as part of its response efforts, but it still has more work ahead. Nearly half of its current risk committee were on the board during the years preceding the retail account incident.

Lesson 4: Business outcomes are a direct reflection of incentive compensation.

Poorly designed incentive compensation plans destroy efforts to enhance culture and strengthen governance and risk controls. In the end, such plans become the catalyst for forging a wedge between the first, second and third lines of defense.

Consistent with what recent Nobel laureates in economics have found, bank management behavior is greatly affected by financial incentives. Compensation plans heavy on business objectives will invariably drive behavior in the first line that tends to be more short-term and riskier.

Moreover, stretch goals are fine, so long as they are balanced with long-term risk-based targets. Along with board risk committees, CROs need to be heavily involved in overseeing the firm's incentive compensation plans.

Lesson 5: Risk management processes are real safety nets and not just words on a page.

The Wells Fargo report highlights several of the bank's risk management practices that are consistent with the OCC's Heightened Expectations standards for large banks. For instance, the report goes into some detail describing how the three lines of defense doctrine works at Wells Fargo.

The problem is that the final rules for Heightened Expectations were released by the OCC in 2014, before the scandals that rocked the bank. Given the breakdowns that the report cites between all three lines of defense, there seem to have been some deficiencies - at both Wells Fargo and the OCC - in implementing critical risk processes.

Sometimes the essence of an effective standard or policy can be lost without strong management support and implementation. It is not easy to turn a policy or control document into a process that is not just implemented but also executed and embraced across the enterprise. This all circles back to strong risk culture.

Parting Thoughts

Wells Fargo's problems could happen to any bank - small or large. Their report should be on the required reading list of all boards and management teams as a cautionary tale.

Understanding the ingredients of their risk demise - e.g., poor culture, insufficient governance, risk-amplifying incentive compensation plans and deficient risk processes - could keep your bank from becoming the next Wells Fargo.

Clifford Rossi (PhD) is Professor-of-the-Practice and Executive-in-Residence at the Robert H. Smith School of Business, University of Maryland, and a Principal of Chesapeake Risk Advisors, LLC. He has nearly 25 years of experience in financial risk management, having held a number of C-level positions at major banking institutions. Prior to his current posts he was the chief risk officer for Citigroup's North America Consumer Lending Division.

