Banking institutions occupy a unique and vital place in the U.S. economy. They remain principal suppliers and allocators of credit, continue to be vehicles for transmitting monetary policy, and are the core institutions in which deposits and savings of individuals, partnerships, and corporations are held. They are imbued with a high degree of public trust and consequently are closely supervised. In recent conversations with bankers, several have expressed concern about the rising regulatory burden, in light of new legislation (such as the USA PATRIOT Act, the Sarbanes-Oxley Act, and the Fair and Accurate Credit Transactions Act) and their implementing regulations. This is to be expected, since increased rulemaking typically follows excesses emanating from prolonged economic expansions or periods of rapid growth. Throughout history, bubbles have been followed by significant contractions, which have in turn been followed by new laws, new rules, and new regulations designed to curb the excesses of the era just ended. While the current economic cycle has been somewhat atypical for financial institutions, characterized by relatively sound credit quality throughout the economic slowdown, weaknesses in other areas have prompted significant legislative activity. In this article, I will address two issues: why many consider regulations to be so-called "necessary evils" and how institutions can better ensure compliance in a changing regulatory environment.
A regulation is defined as a principle, rule, or law for controlling behavior. Prudential regulation is designed to ensure an efficient and competitive banking system, protect the banking system from a crisis, protect the public, increase institution solvency, and place certainty around transactions. It has historically consisted of a mixture of individual transaction monitoring, risk management processes, conflicts of interest, capital requirements, entry regulations, and compliance with law. Bankers must have a detailed understanding of banking regulations to successfully complete everyday operations, while bank customers need regulatory information to evaluate alternative financial services and the extent of regulatory protection provided.
The industry has traditionally adapted well to new regulation. Appropriate regulatory restraints are embedded in the core assumptions of most firms and are calculated in the cost of doing business. Management understands business parameters such as the kinds of products and services it can offer, restraints on market share, and what types of markets it can enter. However, financial crises can spur top-down regulatory change, which can alter the balance and level of costs. Regulators are challenged to balance these increased regulatory costs, or regulatory burden, against the need to ensure integrity in financial markets and public confidence.
The shifting profile of the banking sector reflects rising customer demands, new products, the growth of firms in scale and scope, increasingly rigorous stakeholder demands, and a global business environment. As a consequence, rising complexity and the need to effectively manage routine processes while adapting to change become key. Much of this is not new. Banking organizations have historically had their business defined by competition, customer preferences, regulations, and the ability to respond to the environment. However, advances in technology and global markets appear to have accelerated these trends, prompting uncertainty and rapid obsolescence of business models, while also spurring pockets of business failure. Confidence and innovation are critical to our economic system, and these business failures have shown us that competition can undermine prudent business behavior and that unbalanced entrepreneurial cultures, when left unchecked, can create often-fatal problems.
Banks will continue to face uncertainty, which will lead to both risks and opportunities, with the related potential to either erode or enhance value. The challenge for management will be to determine how much uncertainty to accept as it works to increase shareholder value. As always, management will need to ensure that it has adequate resources (people, technology, information), sound processes (hiring, training, resource allocation), and the right values (ethics and criteria by which priorities are established). But management will also need to ensure that it has effective risk management and compliance programs.
Enterprise Wide Risk Management
So, what can help ensure effective regulatory compliance and the health of financial institutions? The costs and benefits of applying both existing and new regulations in this environment are the subject of constant debate as technology, market forces, and globalization continually affect the industry. Recently, the shift from banking to broader financial services-type products has increased both reputational and operational risk. As banking institutions transform, violations and noncompliance with laws can significantly impair a bank's reputation, value, earnings ability, and business opportunity.
This rapid pace of change makes market discipline and enterprise wide risk management core elements of an effective organization. While market discipline comes from outside the organization, through changes in stock valuation and shareholder-led initiatives, enterprise risk management must come from within. I believe that the most effective banking organizations of the future will be those that practice enterprise wide risk management and institute enterprise wide compliance programs.
An enterprise wide risk management framework is an approach to managing risk that is integral to an organization's strategic planning and tactical execution. The Committee of Sponsoring Organizations of the Treadway Commission, or COSO, which brought us Internal Control - Integrated Framework, is finalizing its enterprise wide risk management framework and expects to publish it early this year. The purpose of this framework will be to imbed a consistent "risk and control consciousness" throughout an organization and to create a commonly accepted model for discussing and evaluating an organization's risk management processes. 1
The underlying premise of enterprise risk management revolves around the creation of stakeholder value, since effective risk management practices can help insulate an organization from costly legal and reputational risk that can adversely affect the bottom line. In a nutshell, an enterprise wide risk management framework will help management identify potential events that may affect the organization and set parameters around the company's appetite for risk. This will require that business line management perform regular evaluations of risks, given current and anticipated market conditions, and the effectiveness of controls, with individual business lines' assessments aggregated for the entire organization by a chief risk officer or an individual with similar perspectives. This enterprise wide perspective will allow senior management to more readily identify intracompany conflicts in risk management policies or philosophies as well as practices that in aggregate actually serve to increase, rather than mitigate, risk.
Enterprise Wide Compliance
An enterprise wide compliance program is an integral part of the broader enterprise risk management framework. Enterprise wide compliance programs focus on two emerging areas of risk: legal and reputational risk. Given the recent publicity related to financial institutions' involvement with companies such as Enron and Parmalat, legal and reputational risks appear to be two of the more significant risks facing financial institutions today. Compliance risk management must address more than traditional "consumer compliance." Rather, an effective enterprise wide compliance risk management program must actively assess how compliance with all laws and regulations, as well as internal policies, procedures, and controls, could be enhanced across the organization as a whole. This requires constant reassessment of risks and controls, as well as frequent communication with business lines, to minimize the likelihood that the compliance program operates on autopilot and does not proactively respond to change in the organization. Enterprise wide compliance programs and processes do not supplant business line specific compliance processes, which are more transaction- or operationally-oriented but remain equally valuable. Rather, enterprise wide compliance programs supplement business line compliance programs by providing management and the board with a big-picture view of the organization's risks. 2
Risk taking, execution, and innovation can still create competitive advantage, but competitive success depends primarily on management choices. I believe that an effective enterprise wide risk management framework will be characterized by four levers of control, all reflecting management choices: control systems, belief systems, boundary systems, and performance measurement systems.
Interactive control systems, such as a system of strong internal controls and corporate governance, complete with continual risk assessments, are generally recognized as the core of an enterprise risk management system. The output from these systems is communicated through the balanced scorecard and other dashboard indicators that assess performance across multiple spectrums, further ensuring that an enterprise perspective is embraced throughout the organization. However, the control system will not be effective without a strong belief system. The belief system is the underlying culture of the organization, and is a sum of its core values. The tone of the belief system must come from the top, and must be imbued throughout all levels of the organization. Boundary systems establish both cultural and control boundaries, setting behavioral and physical boundaries on what behavior is acceptable, what will be tolerated, and what will not. Finally, performance measurement systems must be established to ensure that performance consistent with enterprise risk management principles is rewarded by appropriate compensation and incentives.
The challenge for financial services stakeholders (regulators, bankers, and the general public, alike) is to establish a regulatory framework that is resilient and responsive to rapid change. As in the past, future regulatory developments will be aligned with financial developments and innovation. As stakeholders, we must balance the organic and mechanistic aspects of regulations and operations, ensuring that financial institutions can operate effectively along the continuum between innovation and strong fundamentals, adding value to their shareholders and the national economy. You can contribute to this policy formulation process by providing comments to the Board of Governors and the other state and federal banking regulators on their notices of proposed rulemaking.3 You can also contribute to this process by sharing your concerns with SRC officers at Bankers' Forums, Field Meetings, and other appropriate venues.
We look forward to hearing from you!
The views expressed in this article are those of the author and are not necessarily those of this Reserve Bank or the Federal Reserve System.