The term “risk management” can mean different things to different people. I prefer the way one of my clients sees it. He feels that the auditors who help with risk management “are the good guys.” This is a great attitude because the real purpose of risk management is to help. Yes, help. Have you ever wondered if your institution was doing what it should to manage risk? Have you taken the time to identify what risks you face? If you answered, “I think so,” “to some extent,” “I’m sure we do enough,” or just flat out “No,” then you are probably not, or definitely not, getting the most out of your risk management function.
What is risk management? The purpose of risk management is to help financial institutions understand where their risks are, the severity of those risks, how those risks are being mitigated through the use of internal controls and whether the internal controls used to mitigate risks are operating effectively. Many will identify a risk and say “yes, we have an internal control for that.” But all too often, the control established really doesn’t mitigate the risk the way they think it does. A common issue is having an individual review a report to ensure nothing on the report is unusual and it agrees to support, but that individual performing the review can also make entries appearing on the report, even if they are not supposed to make changes. Many financial institutions do this thinking they’ve addressed the risk, and while they have addressed some of the risk, they have not addressed all of it. So while a control is in place, it may not be operating effectively. This is the benefit of having a risk management team or utilizing outside consultants, it helps you even if you don’t think you need it.
This benefit was made clear to me when I took a college course related to risk management and got some real-world experience. Our professor assigned us a local business to work with to evaluate its risks and determine whether the risks were being mitigated. This allowed the business a chance to get some outside perspective. As we walked through the local business’s processes to determine control weaknesses and mitigations, we did identify a few areas where controls could be improved to help prevent errors or theft. While our results were not earth shattering, the owner was ecstatic with the work we performed and to hear about all of the risks we identified and how they were being mitigated or could be further mitigated. This business was fortunate to get our services for free, but after getting the results, it seemed like they would have been happy to pay to know they had sound internal controls in place to mitigate the operational risks of running their business. Because the financial institution industry is filled with inherent risks, having a quality risk management function would, at the least, give your institution similar peace of mind knowing you have addressed the risks associated with operating the institution, but it could also identify other issues and remediations.
So, who can help you with your risk management function? This all depends on your size, available resources and how often you expect to have audits performed. Larger financial institutions opt to hire someone internally or a team of individuals to assist with the function. This works as long as the individuals can maintain their independence from management.
A common issue with hiring people internally is that they may find themselves with frequent downtime, and because savvy management teams always want to leverage available resources where they can, we have seen the individuals used to review reports or perform other responsibilities normally assigned to management. The problem with this is that the risk management function is no longer independent of these controls, and in fact, it has now become the control. Therefore, many institutions will opt to outsource the risk management function. Outsourcing can save you money, time, and resources, while getting highly experienced and efficient individuals to do the work. In addition to this, an outsourced risk management team will generally have a multitude of available resources within their firm to help with other issues that may arise within your institution.
Another option is having someone internally and hiring a third party, or co-sourcing as it is called. Co-sourcing allows you to have someone year-round while also getting the high level of expertise a consulting firm can provide without having to pay multiple salaries or worry about having to keep multiple individuals busy all year. The third party can either be the busy bee who you leverage to get the work done or the one in charge of overseeing your staff to ensure they stay busy throughout the year.
The bottom line is that there is no one size fits all or one best solution. The solution is, and always will be, whatever makes the most sense for your financial institution—but without a quality risk management function, you’ll never really know what you don’t know.