Establishing Risk Management Principles for Responsible Innovation in Financial Services Companies
Author: Mike Dempsey, Senior Manager, Risk & Accounting Advisory Services
The term “responsible innovation” has taken on new meaning as the financial services industry has transformed with rising adoption of digital technology solutions and assets by banking customers. These innovations can provide flexibility and accessibility, but also have the potential to bring risks to the financial institutions offering these products and services.
Unpacking What Responsible Innovation Means
The Office of Comptroller and Currency’s (OCC) issuance of Bulletin 2017-43 provided guiding principles for ensuring all new, expanded or modified existing products or services are developed and approved in accordance with sound business and risk management practices. A robust Products and Services Risk Assessment process should be used to evaluate products, services or strategies that could alter the risk profile of the institution. Conducting a detailed risk assessment early in the planning process allows leadership to fully consider the risk associated with their initiatives, as well as controls and monitoring tools needed to mitigate these risks.
While most institutions consider new product risks before a launch, many do not think about all the many facets involved; the approach is informal and lacks the thoroughness that a more formalized process can provide. Cherry Bekaert’s Risk Advisory practice has introduced risk management consulting services to help financial services institutions establish a robust and sustainable process that allows for informed decision-making to responsibly introduce a new, expanded or modified product or service. The product’s risk assessment process affords an opportunity to ensure that the product or service is a permitted activity for the entity and that an adequate support and control infrastructure is in place before go-live.
Establishing Governance and Oversight To Enable Success
The OCC guidance emphasizes the role of the board for providing appropriate oversight to ensure that the institution operates safely and soundly, while in compliance with applicable laws and regulations. The board should hold management accountable for due diligence and risk assessment processes for all new, expanded or modified activities. There is also a responsibility for management to inform the board of all new material activities, including due diligence findings and plans that clearly articulate and appropriately manage risks and returns. The board or a delegated board committee should also consider whether new activities are consistent with its strategic goals and risk appetite.
Impacts of Responsible Innovation on Businesses
Potential impacts to the business from an innovation or new initiative can typically be categorized in the following manner:
- Financial Impact: Contribution to earnings or capital
- Legal Impact: Exposure to litigation
- Regulatory Impact: Effect on laws and regulations that require compliance
- Reputation Impact: Perception of customers, investors and the public
- Strategic Impact: Fit with overall business plan and direction of the company
Key Risk Areas When Developing and Introducing New Activities
Examination of products and services initiative decisions that could affect the institution’s risk profile should be required and must consider the following key risk areas:
- Compliance Risk focuses on violations or nonconformance with regulations and governance.
- Credit Risk encompasses the likelihood of an inability or unwillingness to repay as agreed.
- Legal Risk focuses on violations or nonconformance with current laws.
- Liquidity and Market Risk involves the ability to liquidate/securitize assets or obtain funding at a reasonable cost and the susceptibility to adverse changes in market interest rates and valuations.
- Operational Risk is primarily associated with internal processes, people, systems and external events, as well as consideration of impact to operations and technological processes, systems and information security.
- Regulatory Risk relates to any problems arising from new or existing regulations and/or laws.
- Reputational Risk focuses on the risk of negative public opinion and potential effects such as loss of market share and consideration of how the initiative will fit into their overall business strategy.
- Strategic Risk relates to the risk to current or projected financial condition and resilience arising from adverse business decisions, poor implementation of those decisions or lack of responsiveness to changes in the financial services industry or operating environment.
4 Main Components for Effective and Principle-Based Risk Management
How well you manage risk, whether it is strategic, reputational, operational, legal or any of the above risk categories, will determine the degree of success with the initiative. According to the OCC Bulletin 2017-43, the OCC’s regulatory guidance emphasizes the following components for effective and principles-based risk management oversight:
- Adequate due diligence and approvals before introducing a new activity
- Policies and procedures to properly identify, measure, monitor, report and control risks
- Effective change management for new activities or affected processes and technologies
- Ongoing performance monitoring and reviewing systems
Keys To Successful Integration
Cherry Bekaert views the following as key messages to ensure an effective and sustainable product development and risk assessment framework for responsible innovation:
- Involve Risk Management Early: Get risk management involved early in the product development process and avoid using risk management as a “back-end” check.
- Training and Education: Train all stakeholders in the value proposition of having a disciplined and rigorous framework for assessing risk of new, modified or expanded products and services. Consistent messaging embedded in the organization’s culture is key to long-term success.
- Expand Risk Categories: Continually broaden the span of risks included in your due diligence and risk assessment process (e.g., conflicts of interest, conduct risk, etc.).
- Consult With Subject Matter Experts: Risk management should be responsible for conducting feasibility assessments on all proposed initiatives and ensuring subject matter experts and any other appropriate parties are consulted on all new and expanded or modified products and services.
- Identify and Escalate Risks & Issues: Risk managers should monitor and coordinate implementation of new products and services initiatives with the business units ensuring that all relevant issues are addressed by the sponsoring area and all relevant information is distributed to the support departments that are involved.
- Establishing the “Tone from the Top”: Members of the board and management team should set the core values and expectations for introducing new activities.
- Accountability: All stakeholders should know and understand the core values and expectations as well as how the consequences for failure to uphold them will be enforced. Failure to comply with the Products and Services Policy and framework should result in disciplinary action (including, in a severe case, dismissal).
- Effective Challenge: All levels must perform a review and assessment on the viability of a new product or service and should consider a range of views with encouraged open discussion. Initiatives should be fully vetted to determine inherent and residual risks, ensuring that mitigating controls are appropriate and that the business sponsor has a good understanding of its risk profile. Post-implementation reviews effectively ensure that all assumptions made, parameters given and conditions imposed (where appropriate) at sign-off remain valid once the business is implemented.
Cherry Bekaert is Here to Help Establish Risk Management Framework for Your Financial Organization
Responsible innovation entails consideration of the increasing expectations of management and the board to fully understand and assess the impact of new and modified or expanded products and services on the organization’s risk profile.
It is critical that management establishes appropriate risk management processes at the earliest stages in the product development planning processes to effectively measure, monitor and control the risks associated with new activities. Strategic plans should properly address the costs associated with new activities. It is critical for management to integrate risk management into the strategic planning process so that there is early line of sight on key risks and gaps in mitigating controls. The risk of failure from launching a new, expanded or modified product or service can be catastrophic from an operational and reputational risk perspective, so it is critical to ensure that the appropriate control framework is in place as part of the product introduction or launch.
To learn more about responsible innovation and your company’s risk framework, contact Mike Dempsey, the firm’s leader in our Financial Services Risk Advisory practice, or speak to your Cherry Bekaert advisor.