Federal regulators recently slapped Citigroup, the nation’s third largest bank, with a $400 million fine for its “longstanding failure” to fix problems with its risk management systems. The decision sends a clear message that the entire financial services industry needs to up its game when it comes to risk management.
The fed report didn’t pull any punches. “For several years, the bank has failed to implement and maintain an enterprise-wide risk management and compliance risk management program, internal controls, or a data governance program commensurate with the bank’s size, complexity and risk profile.” And blame was laid squarely on the shoulders of senior leadership at Citigroup.
Even though Citigroup was aware that federal regulators were breathing down their neck, getting a handle on the problem can be exceedingly difficult and incredibly expensive. In some cases, the cost of remediation dwarfs the cost of fines, which can create an environment of complacency within executive and risk management teams.
And Citigroup is no outlier. Failure to meet risk management requirements is a widespread problem throughout the banking industry.
The Roots of the Problem
Banks have always performed risk management, but a number of factors are coming together to make it increasingly difficult for them to comply with ever-evolving regulations. As banks grow, systems become siloed, which makes it difficult to integrate data sources to get a complete picture of what’s happening.
In addition, the risk ecosystem has expanded beyond the four walls of the bank to include the entire supply chain. Data is now located in the cloud, on mobile devices and in edge computing scenarios. From a technology perspective, banks might still be operating legacy mainframe computers and running outdated software that no longer complies with current regulatory standards.
Another problem is that the culture of the banking industry is extremely change averse, which creates a drag on efforts to modernize processes, which is many cases is the core of the problem. Companies might have solid policies on paper, but they don’t have the processes in place or the tools to verify whether those processes are being implemented.
And they simply might not be able to move fast enough. For example, a bank might have a remediation solution that they’re trying to implement, but they’re rolling it out one division at a time in a protracted 18-month process, and they end up getting fined two more times along the way.
5 Things Companies Can Do
- Board incentivizes the CEO: The solution starts at the top. Boards of Directors need to make risk management a top priority and they need to authorize the necessary funding. One important step that Boards can take is to tie CEO compensation to regulatory compliance. The Board should also require that CEO develop specific strategic plans and they should demand timely progress reports.
- CEO takes the lead: Once CEO compensation is tied to regulatory compliance, everything changes. The CEO then has a clear directive to drive that mandate down the chain of command, and to tie raises and promotions of other employees to risk management. The CEO needs to develop that strategic plan and make sure it is followed.
- Create a common data source: Communication is always a problem area. Risk management teams, auditors, lawyers and the IT teams that are charged with implementing risk management need to be on the same page, using the same data sources. Ultimately, it’s up to the CISO/CSO to develop accurate and comprehensive reports that highlight the organizational risk against the current regulatory landscape to ensure that the true cost of both remediation and fines can be assessed by executive management.
- Prioritize investment based on risk: There are specific steps that companies can take to improve their risk management posture, starting with the most obvious, acknowledging that you have a problem and then identifying specific gaps or shortcomings. A comprehensive risk assessment entails identifying strategic and tactical risks, then measuring the operational impact and business impact of organizational inefficiency. Investments need to be prioritized based on addressing the most serious risk.
- Take advantage of new technology tools: One problem facing companies like Citigroup is that, up until now, there simply haven’t been technology tools with the ability to drill down and analyze risk management systems across business units. However, there are new software tools on the market that use machine learning and artificial intelligence to quickly and efficiently uncover problems and provide actionable intelligence so that policies can be enforced across the organization. Embedding these new tools into the risk management ecosystem can help companies automate and improve processes, alleviating some of the pain associated with regulatory compliance and hopefully avoiding the types of fines that Citigroup was hit with.