The recent string of bank failures and associated financial crises has brought the importance of risk management in banking into sharp focus. As banks facilitate the creation and management of money, unnecessary risk-taking on their part can lead to significant financial losses that can slow down or even stall economies—both local and global.
So what is risk management in a bank? What does it look like, and what kinds of threats is it designed to handle? Additionally, what can banks do to optimize their risk management programs? This guide has the answers.
We’ll start by discussing the role of risk management in a bank.
Banking risk management is the process of a bank identifying, evaluating, and taking steps to mitigate the chance of something bad happening from its operational or investment decisions. This is especially important in banking, as banks are responsible for creating and managing money for others.
Typically, risk teams separate fraud and compliance operations, resulting in separate teams for fraud risk management, responsible for managing risk associated with fraud operations, and compliance risk management, responsible for managing risk associated with compliance operations.
The Importance of Risk Management in Banking
Banks are cornerstone institutions of national and global financial systems. So while they are allowed to have some degree of risk, they are typically afforded much less risk than other industries. This is because if they fail, it slows or halts the creation and exchange of money, which has far-reaching impacts on the rest of the economy.
Some specific reasons for the importance of risk management in the banking sector are that it helps banks to:
- Avoid wasting or needlessly losing the money they need to stay in business
- Avoid disruptions to their operations
- Maintain confidence from investors and customers to continue doing business with them
- Comply with laws and regulations to avoid paying non-compliance fines
The risk management process in banking typically involves six components:
- Identification: Defining the nature of risks, including where they originate from and why they pose a threat to the bank.
- Assessment and Analysis: Evaluating how likely a risk will pose a threat to the bank, and how grave that threat will likely be. This helps a bank prioritize which risks deserve the most attention.
- Mitigation: Designing and implementing bank policies and processes that limit the chance that risks will become threats, and that minimize the damage threats may cause.
- Monitoring: Gathering data on threat prevention and incident response to determine how well a bank risk management strategy is working. This also involves researching emerging risk trends to determine if a bank’s risk management framework needs (or will need) updating.
- Cooperation: Establishing relationships between risks and mitigation strategies across different areas of the bank’s operations to create a more centralized and coordinated threat response system.
- Reporting: Documenting and reviewing information related to the bank’s risk management efforts to gauge their effectiveness. This is also used to track how the bank’s overall risk profile changes over time.
These components need to be carried out together—and repeated regularly—in order to give banks as much protection against risk as possible.
Bank risk management has a number of different threat areas to cover. The challenge isn’t just how many different types of risk there are though, it’s also about how much control an organization actually has over these factors.
To help organizations navigate the different types of risk management areas to analyze, we’ll explore each in detail below.
1. Credit Risk
Credit risk is one of the most common types of risk for banks. Put simply, it’s the risk of a bank lending money to a customer and not having it paid back. This can decrease the amount of assets a bank has available to meet its financial obligations. It can also cost the bank extra money if it deploys methods of trying to recoup the money it’s owed.
How to Mitigate Credit Risk
Mitigating credit risk boils down to knowing two things. First is the bank’s overall financial position, in terms of how much in losses it can take while still being able to operate effectively. Second is knowing a specific customer—understanding their financial history and situation, as well as their general financial behavior, to evaluate the amount of risk they pose of defaulting on a loan. A bank can then tailor a customer’s lending agreement to have tighter or looser terms, depending on their level of risk.
2. Market Risk
Also known as systematic risk, market risk is the chance that an adverse event outside the banking industry itself will negatively affect a bank’s investments. This could be from an issue in a single industry—such as the US housing market collapse in 2008—or from a general national or international economic downturn. Other types of crises, such as political instability or natural disasters, can also increase market risk.
How to Mitigate Market Risk
In some cases, market risk can be mitigated by diversifying a bank’s investment portfolio. However, there are other times where this strategy won’t work because a crisis will affect multiple interdependent industries. Some other tactics that can work include investing in staple industries (such as utilities or consumer packaged goods), employing a long-term investing strategy, or keeping more of a bank’s assets in liquid form.
3. Operational Risk
Operational risk refers to risks incurred based on how a bank is run from day to day. For example, if employees are poorly trained, they may make more errors that cost the bank time and money to correct. Or if the bank has an inadequate IT infrastructure, its systems may break down, disrupting services to customers.
A component of operational risk is cybersecurity risk. This is how likely cybercriminals are to successfully attack a bank’s digital systems. The resulting theft or destruction of digital money or sensitive information can significantly hinder a bank’s ability to operate effectively. It can also put customers and stakeholders at risk.
How to Mitigate Operational Risk
Operational risk can be limited in a few ways. One is to hire the right people and properly train them on both the bank’s processes and its ethical culture. Another is to secure the bank’s tech stack, including thoroughly vetting third-party service providers, as well as staying up-to-date with cybersecurity threats and trends.
Automating processes with technology—such as customer onboarding—can help reduce human error. Implementing feedback and data collection programs can help address any updates needed as the bank’s risk profile changes over time.
4. Reputational Risk
Reputational risk refers to the risk that a bank will lose confidence from its investors and customers, and thus lose funding or business (respectively). It’s basically a side effect of any other risk a bank encounters, but that doesn’t mean it’s any less threatening. It can be caused directly by the bank’s business practices or employee conduct, or indirectly by the bank being associated with a person or group that has a negative reputation.
For example, reputational risk might result from a client receiving poor customer service from the bank and then telling others about it—either through word of mouth or on social media. Or a news outlet may publish a story revealing corruption among some of a bank’s management staff.
How to Mitigate Reputational Risk
Minimizing reputational risk starts with defining the bank’s core ethical values. Develop these in concert with stakeholders, and conduct proper training on them so employees understand how they are expected to conduct themselves. A bank should also research its reputation in news outlets and on social media, addressing concerns and taking responsibility for mistakes whenever appropriate. Reputation management software can help with this.
The bank should also develop a contingency plan in case a reputation-affecting incident occurs. It should focus on quick and transparent communication, outlining what controls are being used to help minimize the damage, as well as how the bank will determine what it will do differently in the future to avoid the same mistake happening again. A bank may want to hire a public relations firm, or use specialized reputation management software, to assist with this and other reputational risk management processes.
5. Liquidity Risk
Liquidity risk refers to the chance that a bank will run out of physical money, including if it can’t convert its other assets into cash fast enough. Thus, it becomes unable to meet its short-term obligations to creditors or customers.
A recent trend that threatens to elevate banks’ liquidity risk is an increase in the number of bank runs. A bank run happens when rumors that a bank may fail in the near future cause its customers to panic. They then try to withdraw as much cash as possible from the bank before they potentially lose access to their money.
Bank runs rapidly decrease the amount of liquid assets a bank has available to meet its short-term debts. So while rumors of the bank failing may not have been completely accurate, the bank run still causes a spike in the bank’s liquidity risk. This makes it much more likely that the bank actually will fail.
Especially if they result in bank failures in this way, bank runs can also damage overall consumer confidence in the entire financial system. This can lead to a domino effect of further bank runs, and potentially more bank failures as a consequence.
To make matters worse, with the advent of the internet, bank runs are becoming more threatening than ever. Rumors of a bank’s financial troubles can spread very quickly over online communications, especially social networks. And the ability to make electronic funds transfers means that customers can withdraw money almost instantaneously without actually setting foot in a bank, making it difficult for the bank to control how fast it’s drained of available cash.
How to Mitigate Liquidity Risk
Banks can manage their liquidity risk by more regularly forecasting their cash flow—that is, how fast liquid assets are coming into a bank versus leaving it. Part of this is understanding the potential risks associated with the different ways a bank is funded, from investing to customers. A bank should also have a contingency funding plan (CFP) in place to address liquidity shortfalls.
Banks can also conduct stress tests—creating hypothetical risk scenarios that would cause a loss of liquidity, and estimating how much liquidity would be lost in each instance. This can allow a bank to create baseline liquidity rates, helping to ensure it has enough working capital in the event of a crisis.
6. Compliance Risk
Bank compliance risk involves the risks a bank takes by not fully complying with applicable government laws or industry regulations. These can include punitive fines, civil lawsuits, criminal charges, and even economic sanctioning.
Compliance risk includes a component of reputational risk, as well. Banks exposed as being non-compliant often lose the trust of their investors and customers, which hurts their ability to make money. They can also cause a downturn in overall consumer and investor trust in the entire banking industry or financial system.
How to Mitigate Compliance Risk
A bank can manage compliance risk by having employees on staff familiar with applicable laws and regulations—for most organizations, this is an AML compliance officer. It’s also essential to equip them with the right tools to automate processes where possible, quantify and analyze activity patterns, and keep on top of any other obligations.
One of these obligations should be to understand the other types of risks that a bank faces, as well as assess how likely they are and how impactful they would be. This allows a bank to identify areas of residual risk where it may not entirely be meeting compliance requirements, and strengthen controls there.
Finally, a bank should make compliance part of its overall culture. This means educating employees outside of the compliance and risk management teams on what laws and regulations the bank has to comply with, and why they can play important roles in ensuring this happens. It can also mean proactively addressing reputational risk. A bank can do this by summarizing what it’s doing (in a practical sense) to remain compliant, and how that protects the interests of customers and other stakeholders.
In addition to the tips above for managing specific types of banking risks, there are certain things a bank can do to have an overall more effective risk management program. Here are some examples.
Establish an institution-wide risk governance framework
This is another way of saying that it’s important to involve everyone who works at the bank—not just risk and compliance team employees—in the bank’s risk management operations. Department leaders should brainstorm with their teams, and then collaborate with executives, to develop an overall risk profile for the bank. This should be shared among all bank stakeholders so they understand what risks a bank faces and why it’s important to control them.
The identified risks should then be delegated to the appropriate departments. Team leaders should work to develop risk management strategies, and ensure that they’re properly understood and implemented, within each department. Decentralizing risk management like this helps to make it an institution-wide priority while limiting confusion over risk management roles in banking.
Prioritize identity verification & authentication for everyone who interacts with the bank
People not dealing honestly with a bank can drastically increase the risks it faces. That’s why a bank should make a point of investing in identity verification and authentication techniques for both customers—whether individuals or businesses—and its own employees. These are especially important during onboarding (whether gaining new clients or hiring new staff), but they should be applied regularly afterwards to ensure everyone is acting in their own capacity.
Know Your Customer (KYC) helps to ensure individuals aren’t impersonating others to cheat the system, or acting unlawfully to another party’s benefit. Know Your Business (KYB) is essential for knowing who’s really in charge of a business, and making sure the business itself is legitimate (and not, say, a shell company used simply to hide illicit dealings). And Know Your Employee (KYE) is important for ensuring all bank employees are acting in the bank’s best interests, as many risks can be caused by employees misusing privileged information—including sharing it with illegitimate outside parties.
Automate tasks related to risk management, like transaction monitoring
Checking transactions to see if they pose a threat to a bank or its stakeholders is a tedious—if not impractical—process to do manually. Not only does this cost extra time and money, but it can also actually introduce more risk in the form of human error. The key is to balance between being able to catch transactions (or patterns of them) that are likely risky, and filtering out false positives that unnecessarily take up a risk management team’s time.
Unit21’s Transaction Monitoring solution helps with this in two ways. First, it looks beyond strictly monetary data streams to other activities that may be deemed suspicious. This allows banks to create more complete and accurate risk profiles for customers and transactions.
Second, it employs machine learning in banking risk management to create “alert scores”. These are ratings based on a customer’s transaction history, the bank’s case history, and other factors that indicate how likely a suspicious activity alert will be a true positive. This allows a bank’s risk management team to better prioritize which alerts actually warrant a manual investigation.
Keep up with both individual cases and overall risk reporting
When incidents happen that present heightened risk to the bank, it’s important to not try and deal with them as a single group. Compartmentalize them based on the relevant information, and then delegate them to separate teams or team members. This allows for handling more incidents at once, while still allowing each team to have greater focus on data analysis and pattern visualization for each incident. This is a strategy known as case management.
With that said, it’s also helpful to write and file reports regarding incidents on a fairly regular basis.
This serves two purposes. First, it reduces compliance risk by demonstrating what practical steps the bank is taking to address risk. Second, when taken together, these reports help paint a picture of a bank’s overall risk management profile—where it faces the most (and least) risk, and how effective its controls are in mitigating certain types of risk.
Continually assess, analyze, and act on risk metrics
Risk management in the banking sector—or anywhere else, for that matter—isn’t a static process. A bank’s staff or clientele can grow and change. New technological standards get developed, which can lead to both better security and new avenues for risk. And new regulatory requirements are put in place to address the evolving landscape of threats to banks.
That’s why the risk management process in the banking sector has to be dynamic. Banks need to assess how well their current controls are handling risk, and what areas of risk may need further attention. They also need to look at what risks they may face in the near future, and determine if their systems are capable of adapting to properly manage those risks.
Above all, though, a bank has to take action—creating and updating risk management plans based on its analysis and implementing governance structures to ensure all employees are on board and doing their part.
Manage Banking Risk Today and Tomorrow with Unit21’s Tools
The future of risk management in banking will likely shift more and more to digital spaces, as customers demand faster and more convenient ways to bank. The emergence of decentralized virtual currencies, neobanks, and banking as a service (BaaS) functions will likely prompt banking regulatory changes in an attempt to address the potential for such technologies to be exploited by cybercrime.
Be ready by leveraging Unit21’s suite of tools to make risk management and regulatory compliance easy. Contact us for a demo of what we can do for your bank.