Making Risk Management Work in Financial Services

Never before has the financial services industry faced such intense pressure. While Washington lawmakers and regulators debate the need for additional regulations on the industry, financial services firms must themselves remain focused on improving how they manage risk.

Managing risk has always been a core concern of the financial services industry, but far too few firms have done it successfully. Perhaps this is because many managers have treated risk management as an inevitable balancing act between keeping risk under control on one hand, and keeping costs down on the other. The conventional wisdom has been that some trade-off was necessary. Most have believed that any effort to reduce costs would pose new or higher risks, while adding steps to increase risk monitoring would add unwelcome costs in a highly competitive environment.

SSA & Company, drawing on in-depth work with financial services clients, approaches the risk dilemma in a different way. We believe that focusing on internal processes in the right way can overcome the risk versus cost trade-off. By embedding risk analysis into everyday decision-making processes, we have helped financial services managers institute cost-effective risk-control mechanisms that address the concerns of both regulators and investors. Managers who have worked with us quickly recognize that, contrary to conventional wisdom, improved risk management and cost reduction can be pursued simultaneously.

The High Cost of Inadequate Controls

Weak risk management in the financial services industry eventually generates enormous costs, possibly even risking the viability of a firm. But why has smart, balanced internal risk management been so hard to accomplish?

When we began working with financial services leaders, we quickly noticed a common structural defect: Historically, financial services firms have been tightly organized, often into functional silos that acted virtually independently of one another. As a result, firms generally had difficulty identifying where risk in their business was actually borne. Indeed, most managers had little knowledge of the firm’s business outside their own department. This situation proved even more dangerous with the spread of complex financial products; while the risk involved in individual components may be measured relatively easily, the risk level in a product composed of multiple components may be much harder to assess.

Clouding the picture even further, the risk management function in financial services firms is itself often siloed into its own department, isolated from the day-to-day decisions made by other parts of the business. Some risk departments are so focused on formal internal control mechanisms that they ignore the performance of the firm’s actual activities for its clients. Risk assessment is either a rushed, last-minute activity to confirm compliance, or an ad hoc process established only when problems emerge. As mentioned, inadequate control mechanisms can actually raise costs over time, and the costs of risk management failures – in money, time, and reputation – can be huge. One major financial provider has estimated to us that the cost of high-pressure, late-stage, manual risk controls may be as high as 30% of revenue.

At SSA & Company, we have learned that the most effective approach to risk management is to integrate it throughout the business, rather than managing it as a separate activity. By using this approach, companies are able to better protect themselves against potential risk issues and, perhaps equally important, do so at a reduced cost.

Three Steps to Embedding Risk Management

We believe the principal risk management challenge that most financial firms face is that risk assessment and control is separate from the other functions of the business. In response, SSA & Company has developed three steps that companies can use to establish an alternative culture in which risk management and efficiency are integrated into the business:

  1. Examine and understand the siloed structure of the business
  2. Map cross-functional risk and value
  3. Embed risk management across all processes


1. Unlocking The Silos

Because financial services firms have traditionally been organized around functions or products such as commercial banking, trading, or mortgages, the system of identifying and measuring risk has often been relegated to a separate department. Sometimes risk managers will establish a set of controls or compliance measures – such as for compliance with Sarbanes-Oxley legislation – but these systems simply place a layer of bureaucracy over a system that may already be inefficient, with much duplication and little cross-functional communication. We believe that unlocking the silos so that managers in every division have a richer, cross-functional view of the company’s work permits them to see where the same risks occur in every product category. By breaking down the traditional product silos, managers discover that basic risk indicators such as creditworthiness cut across product lines.

2. Mapping Risk and Value

To understand a financial services organization’s core processes and evaluate both their effectiveness and risk sensitivity, we develop a “Business Relationship Map” (BRM). The BRM provides a high-level understanding of the core processes a firm uses to deliver a product or service. This simple process, so often overlooked, provides a fact-based roadmap for both process and risk that everyone in the organization can see and execute against. The result is not a theory about efficiency and risk management, but a guidebook through the actual processes a company uses every day. The goal is to reduce the number of steps in the existing process where possible, and then align each step with common risk indicators.

With this broader view inside the business, managers can create systemic, early-warning controls at the outset of every transaction rather than intensive and costly manual checks downstream.

3. Embedding Risk Management

Changing attitudes toward risk management inside financial services doesn’t happen overnight, but demonstrating that efficient process can work in concert with risk management is a compelling driver of change. When we work with financial services teams, we ensure that each level of management understands its role in risk management, control, and measurement. To avoid functional silos, one manager is formally assigned to be responsible for revenue, cost, and risk; similarly, teams working together on a product must ensure that all types of managers – risk, operations, and marketing – evaluate risk together throughout the product development process.

What does this focus on process achieve? We have consistently found that less complex and better developed processes are generally faster, easier to manage, require fewer people, and cost less. Identifying risk up front provides measurements that enhance the overall risk management effort. Simplifying the product development process frees managers to focus on essentials.

Case Study: Stronger Processes Combat Fraud

SSA & Company worked closely with a significant U.S. regional bank with $148 billion in assets. For many years the bank had been losing millions of dollars to fraud. Although the bank had established some internal fraud detection teams, the problem persisted. Soon after our engagement began, we noticed that too many people spread across many functions were tasked with fraud detection. Moreover, the bank’s fraud losses were tracked by two different systems. Because each system had its own methodology for tracking losses, no common baseline to determine missing funds could be established. Different departments even defined “fraud” in different ways.

The bank needed a common roadmap to make its processes for detecting and preventing fraud clear and transparent to the internal teams. From this common understanding grew a series of small, rapid improvements that established a standard definition of fraud and a clearer, uniform reporting system so that fraud could be clearly tracked. The bank’s business relationship map also allowed us to standardize all decision and hand-off points that, in turn, made it possible to consolidate responsibility. Soon, a new fraud review and management process was in place, supported by standardized metrics and review systems.

The results were dramatic: The bank saw an estimated 75% reduction in check fraud losses. Eighty percent of the previously existing fraud detection systems were rationalized, improving reporting and timely processing. These changes, in turn, resulted in 96% faster investigation of suspected internal fraud and the elimination of many of the bank’s previous vulnerabilities.

Financially, these process reforms helped the bank achieve improvements of $2.5 million in a single year, including fraud recovery, more efficient fraud controls, and better check and ATM fraud detection.

The entire engagement offered another benefit: The improved monitoring system and consolidated view of activities reduced vulnerability to future internal fraud. The bank became not only more process efficient, but also more secure as it reduced its risk profile.
