Over the past few months, I have had experiences with several catastrophic natural disasters. My grown children and grandson were in the path of tornados in Nebraska. My father, sisters, and friends were in the path of flash floods in Minnesota, Iowa, and South Dakota. As a Floridian, I had to execute my own risk management strategies to prepare for the impact of hurricanes Helene and Milton and plans for recovery in the aftermath. In the face of such threats, knowing what is needed to take care of our families, homes, communities, and ourselves—especially when it comes to basic needs like food, water, and shelter—becomes an immediate priority.
The same view can be applied to a financial institution's risk management strategy. Over the last 20 years, risks have increased significantly for the financial industry. Data breaches, cyberattacks, and financial crimes are familiar occurrences, unfortunately. At the same time, we're reading more about the importance of risk management. For example, regulators are issuing formal agreements and consent orders more frequently. They're also emphasizing well-developed risk management strategies with board of director oversight.
Risk management can sometimes feel overwhelming and—given the steady emergence of new risks—like a moving target. An effective risk management strategy includes regular internal communications that identify which new risks could affect specific areas within the financial institution. Newly identified risks should be assessed right away. A risk assessment will provide a critical roadmap for setting a program to control and mitigate risks.
Similar to the aforementioned basic food, water, and shelter needs, below are what I consider to be the core components of a risk management program.
- Board-approved policies that identify risks and actions to reduce them
- Procedures that explain how the institution will put board policies into action
- Periodic audits to test if the components of the risk management program are operating as intended
- Regular reporting to keep the board informed and to understand the board's risk appetite
- Routine updates to the risk management strategy and program, in response to emerging risks and when new systems and processes are implemented
- Staff training (Employees are vital to risk management!)
Additional guidance on risk management programs is available to financial institutions. This includes resources offered by the Federal Financial Institutions Examination Council and Federal Reserve Board of Governors. Previous Take On Payments posts have also explored effective risk management programs. We will continue to keep you informed of actions that can help you maintain solid risk management strategies.
If you haven't already, it's time to prepare for the risks your financial institution could face. That is, before the disaster happens, before your regulator finds inadequate risk management, and before your financial institution ends up in the news.