A Blueprint for Implementing a Risk Governance Program

Eric Bonnell, SVP, Risk Management

Another “implementing this and that…” article? Well, yes. Implementing any program or project well requires a predictive work cycle that adds structure, due diligence, tracking, adjusting, and producing. 99% of it is following the process. But how do you apply the process to the risk discipline to produce a value-added result?

What is so special about this dissertation? Well, risk managers are great at pointing out areas of concern, but how many understand how to implement a program from scratch? How does the Program/Project Management discipline apply to risk programs?

Can we get past the PMBOK gobbledygook and simplify the implementation framework for increased understanding?

Yes, we can! In the words of John Maeda, Vice President of Design and Artificial Intelligence at Microsoft, “Simplicity is about subtracting the obvious and adding the meaningful.” Let’s pull from the discipline of program/project management the key elemental phases of implementation and build a plan for success!

Deliverables for Success

I can’t provide you with everything here in this article, but I can help you build a fundamental structure and the basic tools you will need to provide a baseline for a new program. From here, you will build more useful tools/training, add emerging risk types, and mature processes and reporting.

To build a successful inaugural risk management program from scratch, here are key “must haves” you need to have in your pocket (corollary: if your current program is missing these items, consider building them):

Secure Executive Support

Without secure and transparent executive support, at best, you will be fighting other priorities. If the executives do not understand your program, its purpose, and their part in supporting it, others will not take it as seriously. To gain executive support, you will need to educate at all levels. You will need to demonstrate what value the program adds to the business. You will need to formalize time for a regular executive steering committee to keep the program front of mind and fresh.

Build Simple Frameworks and Guidance

Education on the strategy is important to gain program support. But if the “what” doesn’t follow the “why”, no first steps will be taken. Your teammates need to understand the scope and reporting structure to be able to interact with the program. For a risk program:

• Build a layered risk framework and taxonomy that codifies the inventory of risk types that will drive discussions and reporting at different levels and provides definitions of terms to non-risk professionals and regulators. I recommend a three-level risk framework to allow you to aggregate risks in meaningful ways and effectively drill down when required.
• Cover at least the key risk types at the top level: Strategic Risk, Financial Risk, Legal Risk, Regulatory Risk, Operational Risk (many companies break out Technology Risk into a separate top-level category), Third-Party and Fourth-Party Risk, and Reputational Risk.
• For example, a Level down from Financial Risk would be Capital Risk, Liquidity Risk, Interest Rate Risk, Market Risk, Price Risk, and Foreign Exchange Risk. Another example, Operational Risk, would include Human Capital Risk, Transactional Risk, Process Risk, Business Resilience, Change Management Risk, Technology Risk, etc.
• Finally, the third level for Technology Risk would follow the domains of the framework you use (for example, I’ve simplified the NIST 800–53 framework here): Technology Governance and Architecture Risk, Awareness, and Training Risk, Authorization and Authentication Risk, Networking Risk, Audit Risk, Design and Development Risk, Third Party Technical Services Risk, Disaster Recovery Risk, Incident Response Risk, System Configuration and Management Risk, Information Security and Privacy Risk, Physical and Environmental Technology Risk, Project Management Risk, and Teammate Security Risk.

Use this leveled framework to drive the development of meaningful metrics, build reporting for different audiences, and provide scope and structure around risk and mitigation conversations.

• Establish a risk steering committee of executives and peers to gather information and provide feedback on risk types, appetite, scoring levels, and improvement plans. Establish working groups for specialized risk types to give it focus with a smaller team of relevant subject matter experts.
• Build a Risk Management Policy structure to drive expectations and operations. Start with a principle-based policy statement to describe the program strategy, operational components, and deliverables, a risk committee charter with roles and responsibilities and reporting/escalation expectations, and a risk appetite statement to drive sound assessment against established business tolerance of risk. From there, build standards that describe the risk framework discussed above, and produce operational processes to gather risk information, perform assessments, manage issues in a risk-based manner, and produce reporting for the different audiences (departments, executives, board, regulators, investors, third-party partners, customers, and other stakeholders.

Establish Cadence of Risk Assessments, Deliverables, Reporting, and Formal Engagement

To be successful, teammates need to understand how and when to interact with Risk Management. Setting regular meetings with department heads and their management teams, executives, and board committees will drive evergreen discussions.

Prioritizing risk assessments and their renewals on a schedule based on the level of business impact will help set expectations early to stay on schedule. Having set expectations for delivering metrics and issue remediation status reports will help to ease the burden of report production.

Building expressive and simple reporting to meet audience needs with visuals, values, and transparent key concerns is needed to support the comprehension of business impact and the need for calls to action to address emerging and impending risk concerns.

Set Expectations for Strategy and Continuous Improvement

Once an initial program is in place, listen for feedback to understand how to make things easier. Look to simplify and automate processes wherever possible while not compromising quality. Look for new and emerging risk types to integrate into the program. Discuss key industry concerns with external resources, including thought leadership, regulators, and peer banks.

Use this intelligence to build a 3-year strategy proposal, including budget, organizational, and resource needs. Provide additional detail as to the expected activities of the upcoming year and refresh the plan every quarter with forecasted next steps. Make sure your strategy aligns with business strategy, especially around support of new products, services, and M&A activities. Leverage your Project Management Office to align with their expectations and company tactical needs.

Turning the Wheel — The Key Phases of Risk Program Management

With a general description of the key deliverables above, you are ready to build these needed components and establish a risk management lifecycle for continual operations.

Risk Management is Change Management. The process is cyclical, as is the case with any governance and change management function. The process wheel spins through these phases: Governance, Identification, Assessment, Testing and Metric Gathering, and Reporting and Presentation. I have laid out a blueprint of key deliverables, operational strategies, and tips for success in each of these areas below.

Governance

Governance drives the soundness, profitability, and growth of the company, in that order (something that my former CEO constantly reminded us).

To describe Governance, I need data. I get the data on this wheel from the Reporting and Presentation phase at the end of the last turn of the life cycle (or “wheel”, in my analogy above).

Governance in a Risk Management program has several purposes:

1. Set program strategy to align with company strategy and prioritize areas of risk concern to escalate or otherwise act upon.
2. Maintain policy, standards, and procedures that drive the operations of the program, as well as provide counseling on those which are risk-sensitive.
3. Orient and document risk appetite and tolerance levels that the company accepts.
4. Assess risk domains and the well-being of strategy and operations against risk appetite.
5. Identify emerging risks and specific areas of concern and drive mitigation of risk with company operations.
6. Escalate emerging risks, late mitigation activities, vulnerabilities due to missing or non-performing controls, program resource needs, decisions on the priority of mitigation against other initiatives, and other concerns to executive management and the board as necessary.
7. Maintain committee minutes, work papers, results, and ongoing program strategic plans to company stakeholders in the manner that is appropriate (e.g., regulators, investors, third-party partners, and customers).
8. Continual monitoring of company risk culture, program performance, and emerging concerns to address within the program life cycle.

Governance sets the stage for program operations and manages its performance throughout the company at all levels. Governance provides “effective challenge” of concerns that need attention, partners with business areas to provide sound action plans on risk mitigation, and reports on the progress and well-being of the risk program and the risks that are measured within.

Identification

Risk identification processes may differ with the nature of the risk types, some quantitative, some qualitative, and some a hybrid of both.

1. Operational Risk — With the three-level risk framework above, a list of current and expected controls to mitigate risks, and a process inventory, Risk and Control Assessments (RCSAs) can be conducted and cross-references with audit and compliance findings to rate inherent risk (risk levels if no controls are in place) and residual risk (risk levels with the current quality of controls in place). The risks within the RCSAs may cover multiple risk types and sub-types. Aggregating the risk inventory with this information allows us to predict expected risk levels by department or process for different risk types, or conversely, see the mitigation coverage of risk types within the framework for the entire bank or comparing departments. RCSA data tends to be qualitative. Reporting of this kind can be visualized on “heat maps”, numerically, or otherwise. For key risk areas, measuring the effectiveness of controls, the historical impact of events, or the upward/downward trends of risk using qualitative Key Risk Indicators is also helpful.
2. Financial Risk — Balance sheets, credit and liquidity models, transactional data, and economic forecasting data are used to provide quantitative analysis of financial risk. For example, understanding at different interest rate sensitivity levels (stress levels), the level of capital that is needed to cover financial assets that may default, devalue, or otherwise be withdrawn from the company can provide insight as to how much capital is needed to remain solvent and affect organic and/or growth strategies. Credit risk defaults can be qualitatively predicted in a worst-case scenario to inform the need to pass on specific loan type onboarding, sell or encourage specific loan types, or alter the credit tolerance in onboarding models. Such are examples of qualitative analysis and tell a story of how committed a company is to remaining solvent and profitable in a sound manner. Be aware that other risk types may affect strategic decisions as well, especially risks to customer fairness and inclusion.
3. Regulatory Risk — Demonstrating adherence to regulatory expectations is vital to be seen as a sound and secure company. A regulatory compliance function will interpret controls needed to meet compliance levels and test the effectiveness of these controls (along with internal and external audit testing, SOX testing, and regulatory examinations). The articulation of adherence should include a risk rationale (i.e., what risk does the adherence address). The results of control testing along with non-regulatory control testing inform the levels of control within RCSAs and can assist the company in understanding the residual risk that must be managed where controls are not as mature, or regulators are otherwise prioritizing scrutiny. Key Risk Indicators can be used to count process quality and concentration levels (e.g., in terms of transaction types and customer demographics for measuring compliance with the Community Reinvestment Act — CRA). Key Performance Indicators can measure the quality of control remediation activities and compliance program effectiveness.
4. Other Risk Types –

a. Reputational Risk may be measured through metrics (e.g., # of complaints of a particular type, # of legal actions required, etc.). Managing social media may provide qualitative and quantitative data to help assess this level of risk. Some companies report Reputational Risk as a separate category of risk or can localize it into each risk type that the company manages.

b. Environmental, Social, and Governance Risk is a newer risk type that touches on Reputational Risk, Regulatory Risk, and Financial Risk. ESG requires a separate reporting structure, transparent reporting, and external evaluations.

c. Model Risk is a function of both Financial Risk and Operational/Technology Risk and can affect other risk categories such as Regulatory Risk. Understanding how numerical, credit, underwriting, and “AI decisioning” models work (i.e., their assumptions, data quality, algorithms and calculations, and quality of results) is paramount in demonstrating sound business practices and fair customer treatment. Some models are specifically called out in regulatory requirements and others are either suggested or may be interpreted otherwise as significant to regulatory expectations.

d. Other risk types may emerge from social trends, new technologies, increased regulatory scrutiny, or the company’s need to understand them for strategic planning.

Assessment, Testing, and Metric Gathering

Based on the section above, you can see that assessments mean different things in different risk contexts.

Many assessment levels and types can take place, in some cases, especially in quantitative cases, you may be able to incorporate the data gathering into the operational process or be given access to reporting results that can be used to assign risk and control scores, validate findings, and articulate specific risk areas using trends or forecasts.

For example, if your process RCSA indicates that a specific control is well-managed, you can use data to inspect the transaction or processing to validate that the control is in place and working. If there are errors listed, you can work with the business area to understand if these are exceptions, outliers, or errors that need attention.

For gathering financial measurements, most if not all the calculations and metrics required will be measured quarterly and available in the financial system and/or models as part of quarter-end and year-end reporting. Partnering with your financial and treasury functions will be key to gathering this data, interpreting it correctly, and reporting it accurately.

Partner with the other lines of defense to coordinate testing controls. First line risk and quality control/assurance teams will monitor controls within their processes. The third line (Internal and External Audit) should have a forecasted plan as to what controls are being tested and in what scope. The second line should attempt to leverage the testing already completed by these areas and examiners to reduce duplication and disruption to operational teams. However, where controls are shown to be concerning or there is a reason to effectively challenge results, the second line should be proactive and perform independent testing. Results should be considered and reflected within operational RCSAs and reporting.

Where there are significant concerns or operational errors that caused a specific impact, these issues should be documented, and the first line and operational teams should respond with mitigation plans to be tracked through resolution.

The definitions, thresholds, ownership, scope, timelines, and process for pulling data for Key Risk Indicators and Key Performance Indicators should be kept current. Adhere to these parameters as you capture metrics for the month, quarter, and year. Maintain a historical inventory of values to search for trends and patterns. For example, you may see that the number of events for a particular type of fraud is cyclical (e.g., perhaps peaking after the holidays and again around tax preparation time). Communicating these trends can assist operational teams to establish readiness and more attention to certain types of fraud at specific times of the year. From a financial risk perspective, providing an analysis of current economic conditions and likely market adjustments will help prepare for the need to maintain capital at a higher level or be able to responsibly allocate capital in a limited fashion towards growth or new product launches and/or improvements.

Reporting and Presentation

With the data ready, you can generate reporting for different audiences. Reporting should maintain consistency of definitions and state scope while being flexible enough to pinpoint root case concerns and business impact. Here are some tips:

• The visuals you use on reports can affect comprehension and focus. Standardize your color palette to match your risk scale. Use arrows and charts to tell the story behind the numbers most effectively. See my article on KRI development for some examples.
• Where you have enterprise-level metrics, explain in a short narrative how the results affect strategic initiatives. Also, be prepared to highlight areas of concern under the surface (e.g., if enterprise-level metrics are favorable point out any departmental-level metrics that are out of tolerance or otherwise in jeopardy).
• Have a summary area that lists top concerns, achievements, and next steps. The discussion points here should drive your presentation. Bring the board member or executive to the areas of concern and explain what is being done or what you recommend happening to address the issue. If the concern is significant, be prepared to submit the mitigation as a formal project to be prioritized with the feedback you receive from management discussions.
• Break out reporting in such a way that you can quickly bring attention to all the items that apply to your audience, that is, enterprise-level at the top and program-level and/or department-level profiles below.
• When scheduling the presentation of the material, consider the order in which it will be seen. Try to stay on a cadence where key stakeholders weigh in before finalizing the reporting and then present to the committee, executives, and board in the same order to facilitate better feedback. Make sure to circle back with the management committee, board/executive feedback, and key concerns for follow-up.
• Company-level reporting is likely to be seen by external stakeholders, namely regulators, auditors, and possibly other third parties. Make sure the tone and content are correct, consistent, and focused for these audiences. Transparency is important but be sure to protect intellectual property, personal customer and teammate information, and anything that may be part of litigation. When in doubt, check with your legal and compliance teams for guidance.
• Lastly, maintain final copies of reports in a secure manner where they may be reviewed by authorized individuals and recovered easily if requested by regulators, etc.

Strategic Improvement Planning

The risk program should add value to the company in the following ways:

1. Support safe and sound strategic planning, operation execution, and decision-making.
2. Provide awareness and training for the company and its teammates that establishes and rewards a risk-aware culture.
3. Demonstrate to stakeholders of all types (i.e., investors and prospective investors, customers, business partners, board members, executive management, internal and external auditors, examiners, etc.) that the company takes risk seriously in its decision-making and quickly addresses areas of concern using a thoughtful and deliberate risk-based approach.

Networking with key decision-makers, subject matter experts, and operational staff is vital to working well within the company. Finding a cadence for formal and informal stakeholder engagement is necessary to promote understanding, gather quality intelligence, come to reasonable mitigation solutions, and, most of all, build trust.

Most of all, make sure that presented information and the resulting dialogue are part of the strategic planning process. This is where the value manifests beyond a “check-the-box for compliance” risk program. Good engagement and alliances with the board, executive management, and senior management will pay dividends when building trust in the risk program and securing support for maturity initiatives over time.

A Few Words about the Lines of Defense

The way I express the relationship among the three lines of defense is this:

“The third line gives the test. The first line takes the test. The second line prepares the first line for the test.”

Let’s break that down:

• The third line gives the test. Internal and external audit functions essentially test operational processes and reporting to account for the quality and effectiveness of controls.
• The first line takes the test. Operational teams must present their work, much like they would when solving an algebra problem, to demonstrate that they have controls in place that work as documented and designed. Risk managers and quality assurance teams may report to first-line management to help gather the documentation and screen results to check their work, to continue the algebra problem metaphor.
• The second line prepares the first line for the test. Though effective challenge and a cursory dive into areas that are at risk of being concerning, for various reasons (e.g., regulatory focus, lack of historical quality, upcoming strategic expectations, etc.), the second line monitors how well the first line can answer the test questions. In many cases, the second line provides guidance and training in the form of standards and frameworks, much like a study guide for a book might assist a student in understanding the plot and main themes to articulate on a literature test.

Each of the lines of defense depends on the other. Working together can make them more effective and add value. For instance:

• The internal audit group that leverages second line risk reporting can help reduce repeating an already documented issue and can focus audit’s review efforts in a more focused manner that is less taxing on the first line with a better result.
• Second-line risk management can research trends and areas of concern that the third line has taken deep dives into to assist the first line in developing more effective remediation plans and updates to controls as advantageous.
• First line operational teams can gather the knowledge and recommendations from the second and third line functions to anticipate the need for more controls, resources, and attention in certain areas that result in more sound and effective operational processes.

Pulling It All Together — Organic Improvements vs. Formal Project Management

The blueprint above gives you the basic deliverables and some tips on how a basic risk program can run effectively. But how do you go about implementing it? I recommend a divide-and-conquer approach, balancing building your influence throughout your company and establishing formal avenues of change management.

Do the Prep Work!

Start drafting the deliverables above and create visuals that tell the story: what happened that causes us to need this program? What value is the program to the company, its customers and teammates, and other stakeholders?

Also, spend time understanding your company’s organization, who is a good ally to have that will help you champion the program? Who will need more convincing? What are the best ways to leverage culture to operate (e.g., expected meeting cadence, follow-up expectations, how does the company celebrate success and tackle failures, what escalation and/or reporting is expected, etc.). Understanding the culture and how teammates operate will allow you to better engage them personally and formally.

This type of preparation leads to success in team and personal engagement as you build the program.

Making it Personal

Networking with teammates at all levels of the organization is the best way to build trust and build an understanding of the program’s vision and value. Meeting individuals where they are will help you to tell the story in the best way that they need to hear it. This creates a free and safe space, enabling them to ask questions they might not ask in a public setting, allowing them to tell you what they already understand, and begin working together towards a collaborative and supportive relationship. Once the individuals have the baseline, they will be better prepared for the formal meetings and be more likely to support and contribute to the program’s needs.

Driving the Formal

Leverage existing processes as expected and available. For example, for larger and /or more complex deliverables, work through the formal Project Management Office to build a business case, have it prioritized with resources, and execute according to the project methodology. Formal projects get better support as they are more visible and transparent to management.

Whether you are assigned a formal project manager, or you must act as one yourself, stay in touch with the PMO and leverage their tools and guidance. Make sure to close the projects with feedback as to what went well and what could be improved and celebrate your successes publicly.

Balance Personal and Formal Approaches

Balancing your time between these two strategies and leveraging them in tandem will help you to engrain the discipline of risk management within the company culture. As Dr. Martin Luther King Jr. stated, “If you can’t fly, then run. If you can’t run, then walk. If you can’t walk, then crawl. But whatever you do, you have to keep moving forward.” Use both personal conversations and formal communications in your leadership style to solicit buy-in and build a team of change agents. Then, help the team to succeed by providing the formal project management structure to address the larger and more complicated change tasks.

First Steps and Beyond

Taking the first steps requires a good understanding of this blueprint, including the function and order of risk program deliverables, how to engage your audiences, and balancing formal and informal communications and execution.

Find a mentor and solicit feedback from others to provide assurance and uncover items to course correct along the way. Tell your story publicly and retell it regularly with new chapters as things unfold. Be sure to take care of yourself and recharge in between the storms.

Once you have something in place, pilot it, adjust it, celebrate it, scrutinize it, and grow it. Building maturity means keeping it fresh and interesting. And when you reach a plateau, add more value through simplification, automation, and consolidation.

Copyright 2023 Eric J.G. Bonnell