Regulators and risk managers have made great strides in controlling the forces that sparked the financial crisis more than a decade ago. But their success in fighting the last war could be feeding a false sense of security now as new threats appear on the horizon.

The softening economy is only one potential storm banks face today. In an era of rapid technological innovation, new threats are emerging almost daily in cyber security, artificial intelligence, blockchain and other areas.

Economic confrontations between major powers and erosion of multilateral trading rules are among the top global risks for 2019, according to the World Economic Forum's Global Risks Report.
Image: Oliver Wyman/World Economic Forum Global Risks Report 2019

The trouble is some banks are so preoccupied with financial risks that they are missing the bigger picture. That’s where “enterprise risk management” can help.

As its name implies, enterprise risk management seeks to control the broadest possible set of risks, from purely financial ones such as market and credit risk—the drivers of doom during the last crisis—to nonfinancial threats such as reputation risk.

Enterprise risk management emerged as a discipline during the 1990s, when banks were expanding internationally and deregulation in the United States allowed for a much more robust set of products and services, requiring a far broader view of risk. The goal was to recognize and measure all forms of financial and nonfinancial risk, so the firm can safely maximize its risk-taking. But at many firms, the enterprise risk function became little more than a dumping ground for all the ancillary risks that didn’t fit neatly into the financial-risk category.

That needs to change.

A decade ago, the industry was walloped with a one-two punch of credit and market risk, which pushed several firms to the brink of collapse (and a few into the abyss). The next crisis, however, is likely to be different, sparked not by financial risk but by nontraditional risks that create exposures across the business silos of the organizational structure.

The growth of such risks in recent years, fueled by an explosion of technological innovation, is virtually unprecedented in the history of banking. This puts a premium on firms’ abilities to make connections and to recognize the complex whole is far more than the sum of its parts.

While banks have a sophisticated understanding of financial risk, some are less experienced with nontraditional threats such as cyber risk, strategic risk, operational risk, regulatory risk and legal risk. Such threats can have real impacts on financial performance across the enterprise.

Making matters trickier, these risks aren’t easily quantified. While a high-risk loan, for example, can result in a specific dollar loss attributable to the lending function, an embarrassing customer-service blunder can harm revenues across the enterprise—for years.

Technology risks can be just as vexing. How to quantify, for example, the risk of a bank’s smart speaker application unexpectedly spouting racist insults?

After the financial crisis, regulators placed stress testing at the center of enterprise-wide risk assessment activities. This amplified the importance of comprehensive risk identification. But useful stress test forecasts need to include all the various risks to which the enterprise is exposed—not just financial risks.

Implementing a comprehensive enterprise risk management program isn’t easy, of course—particularly among firms whose risk management functions have calcified along traditional lines. It requires an organizational mandate.

Fifteen years ago, enterprise risk management was little more than a backwater at many firms. The action all took place in the individual risk silos.

We now know better the importance of synthesizing these risks in a compelling and easy-to-understand way, and of considering the ways in which discrete risks can interact with one another. But practice hasn’t always caught up to theory. Enterprise risk management needs to help tell a coherent story. It cannot be viewed as the organizational unit of last resort for activities that don’t fit anywhere else.

Banks that embrace enterprise risk management today will be positioned to respond quickly to unforeseen troubles tomorrow. Those that do not run the risk of making a new set of mistakes during the next crisis that could cost shareholders and employees—and, perhaps, weaken the banking system itself.

Adapted from a forthcoming article in the Journal of Risk Management in Financial Institutions.