“It’s A Process”
You’ve Identified your risk. You’ve Analyzed and Financed it. You’ve Controlled it. So now you’re done, right? Wrong. Now you’ve got to Administer it.
Administering a Risk Management Program doesn’t mean you create a nice manual, stick it on a shelf and go about your business. Risk Management is a process, and an ongoing one at that. The process consists of five (5) steps: Establish, Review, Test, Correct, and Update. A sixth step following this process is REPEAT.
After identifying, analyzing, financing, and controlling your risk, you need to establish a formal system to implement your program. Basically, this is just a written document stating what decisions have been made through the process and how they will be addressed in your organization. You have one of these, right? (If not, contact us and we will help you write one.)
Next, you need to REVIEW your program to be sure it has been implemented correctly. Did you get the endorsements, coverage, limits, etc., you wanted in your insurance program? Too many times mistakes are made from the insurance proposal to the actual policy that is delivered. Make sure you’re getting what you paid for. How about your contract changes? Have they been returned from legal correctly written? Have the physical risk controls on your branches been done? Have all the cyber security controls been put into place.
The next step following the REVIEW is TESTING. One bank I’m familiar with has a Disaster Weekend. Here some invented disaster occurs either at the bank or in the community. The bank’s staff is then required to respond to the disaster using the plan. This exercise poses questions such as: How to file an insurance loss? Who determines IF it is an insurance loss? Who calls the cleanup crew to get the mess out of the bank lobby after a flood? Trying to determine these answers in the middle of the disaster could be a real nightmare. Testing will help management find solutions ahead of time.
TESTING reveals gaps and problems in the Risk Management Process, which means it’s now time to CORRECT and UPDATE. It is better to learn from a test than from the real thing. New risks must be evaluated as they arise and the program updated as need.
Finally, the most neglected part of the process is REPEATING it. Remember, this is a PROCESS. It is ongoing and never-ending. Part of the duties of a Board of Directors is to review the bank’s insurance program at least once a year. Given the regulators interest in all aspects of bank risk, a complete review of the bank’s Risk Management Program might be more useful. I often have clients tell me that they don’t need another insurance review, as they just had one the year before. So much is changing in the financial institution insurance area that this is a hazardous statement and belief. The changes in the Directors and Officers Liability policies and Cyber Liability policies alone dictate annual reviews.
Make the Risk Management Process part of your bank’s DNA. It should be supported and emphasized by top management. The term Risk Management is now being used more by regulators, and they are looking to bank management for proper implementation.