Risk Management and Strategic Planning

          – A Long Courtship

Submitted by Vince Van Nevel on March 10, 2016

Talk about risk management! Our neighborhood men’s group half-jokingly volunteered a friend, recently retired from the Air Force with combat “tours” in the Middle East, for a project some thought was a bit risky, declaring he was a risk taker. He quickly corrected us stating, in the military the whole idea is to identify risks in your mission and then make plans to minimize them while still accomplishing your goal with a highly trained and disciplined team. If the risk assessment presented too much risk they may scrap the mission and/or find alternative strategies to achieve their objective.

This approach should sound familiar to bankers right now! Why? Because this same approach is what the examiners will be looking for when they visit your institution.

The term “Risk Management” has been discussed in banking circles since the late 1980’s, and began to take root in the early 1990’s. As some of you may recall, the Comptroller of the Currency tested this examination approach in its Southeast District beginning in 1991.  The initial results were chaos and confusion, and gave rise to the OCC’s Ombudsman program.

Under the testing phase of this risk-based examination approach, Composite 2 rated banks were being placed under formal agreements! What was the problem? The problem was these test banks had poor risk management as evidenced by the following possible weaknesses:

  • weak loan underwriting practices;
  • poor file documentation;
  • inadequate polices and lack of controls to detect noncompliance;
  • inadequate information in board and management reports; and
  • inadequate ALLL methodology (the ALLL itself was adequate).

Today, add the lack of an effective strategic planning process to the list. Thinking about the lesson from our military friend above, an institution and its board operating with these weaknesses would be like a battalion going into battle without a firm grasp on what risks lie ahead, much less a solid plan for controlling them.

The evolution continued… In 1996, risk management terminology was firmly entrenched in the examination process of all regulatory agencies when the Federal Financial Institutions Examination Council (FFIEC) revised its Uniform Financial Institutions Rating System (“UFIRS”), AKA the then well-known CAMEL rating system. The revisions not only expanded the system to include a sixth component, “S” addressing sensitivity to market risk, but added explicit reference to the quality of risk management processes in the management component, and the identification of risk elements within the composite and each of the component rating guidelines.

The process has been refined and is being used by the FDIC and Federal Reserve, as well as state banking regulatory bodies. The focus of the examination is now preventative versus reactionary. Regulators then took the lessons of the 1980’s with record levels of bank failures seriously and learned that once deterioration in a bank’s condition was well underway, corrective measures often fell well short of desired results.

After this recent crisis, it’s Deja vu all over again!

Risk Management Defined

At the core of proper risk management is adherence to effective policies and procedures. The key words being “adherence” and “effective.” Policies aren’t meant to be totally risk averse, but rather to minimize and control risk in an institution’s operations. In order to control risks, you must first identify them – that is where risk assessments come in handy. Other key components in the risk management process include strategic planning, internal auditing, loan review, and external auditing. Over the top of all this must also be accountability.

The fact that regulators are going to be focusing on the strategic planning process at upcoming examinations has been clear since the FDIC’s Summer 2015 Supervisory Insights and the OCC’s Fiscal Year 2015 Mid-Cycle Operating Plan Status Report were published. This approach was further confirmed by the recent panel of regulators at this year’s Independent Community Bankers of America conference, according to an American Banker article March 9, 2016 by Jackie Stewart.

Strategic planning, while always important to successful institutions, has taken on a significant role in risk management. Strategic planning involves setting specific goals and objectives, which often include new products and/or services (or rapid growth in existing products) that contain some degree of risk.

Strategic planning practices require the Board and management to determine if the institution’s personnel have the expertise to offer and administer specific products and then establish risk appetites along with effective policies and processes.

As indicated in the graphic below, an effective planning process must consider whether the infrastructure (core processing, operations, reporting systems and staffing levels) have the capacity to support all products and services.  It should also examine competitor offerings and economic feasibility. Finally, does the institution have adequate expertise not only in the front (sales) office, but in the backroom and in the audit functions, to properly monitor activity and inform the Board of internal controls, compliance and risk issues in its products and services.



It is recognized that the banking business involves taking risks in order to earn profits and enhance shareholder value.  To be successful in achieving your stated goals and objectives, financial institutions must:

  • determine what products they desire to offer;
  • identify the key risks in each of those products (See Key Factors above);
  • determine what risks they are willing to take;
  • establish risk tolerance limits; and
  • develop a process to manage and control and monitor those risks.

These bullet points are required under both risk management and strategic planning processes. A Risk Management program helps to provide effective supervision of the institution by the Board of Directors and Senior Management.

Examiners are now looking closely at strategic plans and how they mesh with the institution’s risk profile, skills and culture. Having a strategic plan is one thing; having a well-conceived plan that is supported by effective risk management and consistent with the skill set, resources and culture required to implement it successfully, is another.

Professional Bank Services, Inc. offers risk management and strategic planning services to the financial services industry. We would be pleased to partner with you as you work to establish or improve these important functions.


To download or print this article, click here.

Professional Bank Services
(800) 523-4778