We are often asked the question, “What do you consider good risk management?” The answer is complex, because what works well in one organization may not work well in another. As community bank examiners, we see a wide variety of risk management practices.
For many small community banks, risk management is highly informal and so ingrained in daily business that most bankers don’t even think of it as “risk management.” Larger firms, however, have increasingly formal and sophisticated risk management programs. Most of the time, a bank’s risk management practices are highly effective. In many ways, implementing risk management practices is the most critical aspect of successful risk management (see sidebar: Elements of a Sound Risk Management System). In this article, we highlight the key aspects of risk management and provide examples of best practices for effectively implementing risk management.
An effective risk management function starts with the board of directors. The board is tasked with identifying the bank’s opportunities and risks, setting the risk tolerance for the institution, and guiding the risk management process. Banking is a business of assuming and managing risks; a robust risk management program mitigates most risks. As we all know, risks can change over time. It is important for the board and management to regularly assess the risks and respond effectively to any changes.
We offer three examples of best practices for effectively implementing risk management programs. The most successful risk management programs reflect a proactive implementation. For example, banks in farming areas are naturally exposed to risks associated with agriculture and usually have a heavy concentration of agricultural loans. Most banks effectively manage the risks inherent in this concentration, following practices consistent with SR Letter 11-14, “Supervisory Expectations for Risk Management of Agricultural Credit Risk.”
One bank adopted a highly proactive approach by obtaining Farm Service Agency guarantees on many agricultural credits—not just those with perceived increased risk. This was done well before the downturn in commodity prices. When other banks were struggling to get guarantees in place because the FSA was overwhelmed, this bank’s portfolio was already protected.
Another best practice is breaking down the silos. What does this mean? When bank management talks about risk management and how to structure a successful program, the discussion should involve the whole organization. Credit, finance, operations, information technology, compliance, and other departments should all be a part of the process and thoughtfully contribute.
Valuable insights are gained when sharing experience and expertise. This team approach has helped identify and mitigate many previously unknown risks in proposed new products and programs. Banks that internally share ideas and best practices are typically more successful in the long run.
A best practice recently identified at a community bank was an annual self-assessment of management information systems (MIS) for reporting to management and the board. The amount of detailed information required varies based on roles within the institution.
For example, management needs more detailed information to conduct daily operations. Conversely, the board needs fewer details and a broader overview to ensure management has adopted prudent controls and is operating within the risk appetite outlined by the board. A periodic self-assessment of MIS is helpful because it allows management and the board to step back and ask what type, quality, volume, and detail of MIS are needed. Taking the time to critically self-assess your procedures and processes helps identify potential improvements in risk management.
In conclusion, every bank is different. What works well in your organization may not work in another. The examples are intended to further the conversation about risk management practices and effective implementation across an individual bank. The bank’s board and management need to work together to find what serves their institution well. An effective risk management program for your institution need not be elaborate; it just needs to be well implemented and work for you.
Elements of a Sound Risk Management System
A formal discussion on risk management is available in SR Letter 16-11, “Supervisory Guidance for Assessing Risk Management at Supervised Institutions with Total Consolidated Assets Less than $50 Billion.” This guidance focuses on the following elements of a sound risk management system:
- Board and senior management oversight
- Policies, procedures, and limits
- Risk monitoring and management information systems
- Internal controls