Face it, human beings are not rational. We all tend to favor the status quo (which is why so few people ever change the amount of money they set aside in their 401(k) from their original settings); we tend to favor groupthink (we switch teams, stocks and political candidates based more on sentiment than extensive evaluation of the options); we favor immediate gains over those that take more time (which is why we will eat that piece of chocolate cake now, despite knowing it is not good for us later in life) and we are very forgetful (which is why our seat belt dings when we don't buckle up and an idiot light comes on to tell us to fill the oil in our car). Yup - human beings are nincompoops.
Perhaps that is why community bankers incorporate risk management into their daily lives. It is important to note, however, that not all risk management approaches and techniques are created the same. To be effective, a robust risk management platform must have a strong reporting framework. To do that, bankers need to capture data, measure risk and report it back to key constituents on a timely and flexible basis. While this is easier said than done, there are some things bankers can be doing in order to make headway and better control risks in the organization.
To begin, bankers should ensure the data that drives the risk analysis is of good quality. As the saying goes, "garbage in, garbage out," so care must be taken. Bankers should ensure missing or unusable data is collected; it reflects current practices; it is up to date; it is input into the core system; conflicting data is reconciled within/among systems; data conforms to bank standards for storage/GLBA and proper controls are in place to ensure its ongoing integrity. Banks should also regularly audit the data/systems to ensure controls remain in place and are not circumvented. Doing these things makes certain data on the system is clean and stored properly, while providing a strong comfort level that the information presented in reports that follow is accurate and complete.
Next, bankers should think long and hard about who will need risk management reports from the system before designing them. Reports will be needed by the board of directors, chief risk officer, CEO, business unit heads, auditors, regulators and others. The user perspective should be considered when designing reports, since each will have different requirements/needs. In short, a strong reporting structure should allow a bank to monitor all risks within the organization (credit, market, liquidity, legal, etc.) and to take action. The CRO and others need enough information to direct others within the bank on limitations of activities, course of action or risk exceptions on a near real-time basis. In so doing, bankers can control risk more fluidly, allowing a better response to changing conditions.
Drilling into more detail on the reporting and risk measurement, community bankers can start with policies. Having an easy, at-your-fingertips way to quickly measure, monitor and report exceptions to policy (as well as overall limits) allows decision makers time to react. Banks can then layer in regulatory capital requirements, risk sensitivities, hard limits and exposures by sector/type, internal risk ratings, etc. Finally, bankers interested in utilizing a more sophisticated approach can also incorporate correlations, volatility, RAROC, default data, value at risk and other concepts to refine risk measurements.
A few other quick tips bankers should consider with any risk management structure is to be sure reports include the source for any data, who created the report, historical references (to capture trends) and ensure change controls are in place to prevent unauthorized modifications.
In closing, the good news is that nearly all of this can be done in good old Excel, so bankers do not have to spend a lot of money or learn anything new. Simply getting started is the hardest thing to do.