Earlier this month, regulators levied a $400 million fine on Citibank for a “longstanding failure to establish effective risk management”. The Office of the Comptroller of the Currency (OCC), which sits within the Department of the Treasury, cited “deficiencies in [Citibank’s] data governance, risk management, and internal controls.”
This regulatory inquiry came in response to violations of the Fair Housing Act and the Flood Disaster Protection Act this year, along with an accidental wire transfer of $900 million by Citibank in August to a group of lenders to Revlon, a beauty products company. With a number of the lenders refusing to return the erroneously sent funds, the bank is now pursuing legal avenues for recovery.
Citibank is not alone in being cited for inadequate risk management. Earlier this year, the OCC fined Capital One $80 million, Morgan Stanley $60 million, and USAA Federal Savings Bank $85 million for shortcomings in their compliance and risk management practices. With governance, risk management, and compliance requirements growing increasingly complicated, particularly in the financial sector, lapses of this kind and the resulting fines are likely to continue.
Establishing a Foundation
Today’s compliance landscapes are massively complex. For organizations to successfully manage the multitude of risks, ranging from financial and operational to data governance and cybersecurity, they must embed a strong risk management and compliance culture. Effectively doing so requires Board and executive commitment, aligned compensation and performance management practices, and technology investment and support.
Foremost, support at the highest levels of leadership and an integrated top-down approach are key to embedding a risk culture. A robust firmwide governance strategy integrates risk assessment, measurement, and management into decision-making and resource allocation, and employs a consistent communication strategy that recognizes the value of effective risk management.
Acknowledging the importance of leadership buy-in for effective risk management, the OCC, in their consent order with Citibank, stated that “Board and senior management oversight is inadequate to ensure timely, appropriate actions to correct the serious and longstanding deficiencies and unsafe or unsound practices in the areas of risk management, internal controls, and data governance.” Particularly for banks, their size, complexity, and risk profile require an overarching risk governance framework to ensure risk management and compliance are not just a departmental responsibility, but an organizational commitment.
Building a Culture of Risk
To start, risk culture must be championed in the boardroom, with GRC strategy, reporting, and training sponsored by executive management and supported by independent directors. This independent perspective is critical for effective oversight and to hold senior management accountable for robust risk governance. In Citibank’s case, the OCC is requiring they “create a new committee, composed mostly of nonexecutive board members, to preside over a risk management revamp inside the bank.”
Second, migrating risk management and compliance from back-office functions into organizational culture also requires compensation policies and performance management that reflect that mindset. Risk identification, assessment, and measurement should be integrated into decision-making and resource allocation. Management support and cross-divisional partnership in addressing audit concerns, identifying control issues, and reporting incidents will ensure commitment to, and consistency of, the approach to risk oversight. Compensation plans should similarly reflect that commitment by incorporating risk management issues and the timeliness of mitigation efforts into business unit performance measures.
Third, risk management technology is a must to help organizations identify, track, and remediate issues as enterprise-wide risks grow in number and scale. Alongside financial risks, organizations are juggling a multitude of other risks, including regulatory, IT, cybersecurity, data governance, and third-party vendor risks. Technology can help measure, manage, and report both specific and aggregate risk exposure, so that an organization can confirm it is maintaining the appropriate risk posture and staying within its risk appetite. Given the shifting landscape of risk management, technology can also help organizations become more effective through the automation and digitization of operations. Furthermore, a robust risk management governance structure supports operational resilience by providing a framework that can capture and accurately report dynamic risks, enabling holistic decision-making. Adopting technology and transforming legacy systems to be more accurate and less prone to human error can also help address newer challenges such as industry disruption, increased regulatory scrutiny, and the shift to remote work. See EY’s How banks can elevate risk management over the next decade for more information.
This year, Citibank will spend over $1 billion to address the issues highlighted by the OCC and transform its risk and control environment. In addition to hiring key personnel, management has committed to “achieving operational excellence and creating a best-in-class risk and control environment.” Leadership commitment is only the first step in creating a strong risk culture. An organization also needs to embed the value of risk management into its hiring practices, work responsibilities, performance and compensation policies, and internal and external communications. Technology can further this mission by providing the tools and support needed to automate risk management and strengthen operational resilience. A robust risk culture helps organizations respond more nimbly to changing industry and regulatory expectations, while protecting the firm from headline incidents.