Bank risk chiefs aim to shake ‘Department of No’ reputation

As banks work to combat emerging risks at a breakneck pace, risk chiefs of various-sized banks last week said they’re closely tracking developments related to artificial intelligence, fraud, regulation and third parties in the coming years.

“Three to five years out, the disruption that we're going to see in technology, financial crimes and fraud are almost immeasurable relative to where we sit today,” Brad Bender, Truist’s risk chief, said Oct. 20 during the American Bankers Association’s annual convention in Charlotte, North Carolina.

The $544 billion-asset bank is spending “a tremendous amount of our time in the nonfinancial risk domains,” Bender said.

That shift has taken place across the industry, as bank risk departments have gone from focusing mainly on financial risk, to incorporating operational risks, to increasingly facing more digitized, complex risks. Along the way, the CRO role has become more strategic and taken on greater prominence within organizations, risk experts have said.

Financial crimes are “ramping up dramatically,” particularly in the fraud domain, because threat actors have AI at their disposal, Bender said.

Bender was part of a panel that discussed the enterprise risk management mindset and how specific banks have built risk-minded cultures. Risk is often viewed as “the Department of No,” given its reputation as a control function, Dacotah Bank’s Kristina Schaefer noted.

“You're not the Department of No, you're the Department of How,” said Schaefer, the Aberdeen, South Dakota-based community bank’s associate general counsel and director of government relations.

When bank employees come up with ideas for new products and services, they need to consider how the bank will execute and implement those, and what the risks may be.

“One of the challenges is making sure that somebody in risk is one of the first phone calls,” Schaefer said. “Because if you have those conversations up front and you start incorporating risk into your strategic plan, it's going to be a lot quicker” than if the risk department isn’t looped in on an idea until later, she said.

Western Alliance

Emily Nachlas, Western Alliance’s risk chief, detailed the philosophical shift related to risk that’s taken place at her company. As $91 billion-asset Western Alliance has grown – the Phoenix, Arizona-based lender has tripled in size in the six years she’s been there – risk management has “become a more mature process,” Nachlas said.

The origination of new products or services “used to be on the side of your desk, the conversation in the hallway, ‘Hey, this is a great idea. Let's run with it,’” she said. “As the bank gets larger and larger, obviously that's not enough of an answer to your regulators, or to your board, or to your customers of, why did you make the decisions that you made?”

Now, “people do start to call on risk first,” Nachlas said. “We're part of the discussion as these things are happening, as they're coming up with new ideas, and there's a bit more of a formalized process. There's a lot of documentation around how we do things. It's built into the culture a little bit more.”

Regulators want to see how a new business, product or service fits into a banks’ risk appetite, she said.

“And how does risk management come in and circle around all of that and say, ‘This is how I'm proving to you that it actually does fit in a risk appetite,’” Nachlas said. “Or if it doesn't, what are we doing to put some control mitigations in place in order to feel more comfortable and make it fit into our risk appetite?”

She advocated for policies and procedures to establish a risk culture within an organization. “Sometimes you have to embed that into the framework of what you do day in and day out, so you don't have to think about it,” she said. “You have a place to look for information, and it's consistent across the lines.”

Nachlas also sought to elevate the CRO’s prominence.

“The CRO actually knows more than what the CEO thinks we know,” she said. “We touch every part of the organization, and we can bring a viewpoint to the company that they wouldn't otherwise get.”

Dacotah Bank

Community banks have always done well managing risk vertically – credit, information technology, etc., Schaefer said. But often, risk can live “in those gaps between those various risk management siloes,” she said.

Enterprise risk management’s goal is to get everybody thinking about risk horizontally, and make sure information is flowing to all areas of the bank, said Schaefer, who has been working to stand up a new enterprise risk management program at the $4.6 billion-asset lender.

Considerations around new products and services should involve cross-department communication, with risk employees talking to first-line staffers, she said.

“It's not just the risk management department’s job to be thinking about risk. It's really everybody's job,” Schaefer said.

Ultimately, “you’re not trying to eliminate all the risk,” she said. “The goal is … for us to have an idea of what the risks are, so that we’re making the best decision that we can.”

Truist

At Charlotte-based Truist, risk conversations start at the board level, followed by talks with CEO Bill Rogers and the board related to what the bank is trying to achieve, and how the risk department enables that, Bender said.

“A lot of what we spend our time talking about is, how does this strategy fit within our risk appetite, within our guardrails, and then how do we demonstrate that effective challenge?” he said.

The bank devotes time to “ensuring that throughline, top to bottom, so that every teammate can see the role they play and how they drive innovation, but then within our risk tolerance,” he said.

Bender reports directly to the bank board’s risk committee and meets with that group with and without Rogers. Being able to provide independent insights to the board “enables us to kind of shortcut any back and forth, because that alignment just naturally flows,” Bender said.

Since he took the CRO role about a year ago, Bender has intentionally sought more direct reports from the first line of defense – operational roles – “so that when we have these conversations now with the CEO and the board, they understand it's with the business intent in mind, and it fits within our risk appetite,” he said, adding that it gives risk leaders “a defensible position.”

The super-regional also holds monthly sessions that delve into a specific risk domain and a risk summit annually, aimed at helping employees understand “everyone is a risk manager,” Bender said.