Risk Management is Now in Style
To me, this news shows that the industry has turned a corner when it comes to addressing risk and security issues and is taking risk and security seriously.
All I'll add is this: It's about time. I've listened for years as banking industry executives have done much "supposing" and "what iffing" when it comes to whether security issues are important to their organizations. It is a fact - a risk management program will never stop all the bad things from happening to your institution, but considering the alternative? I'll take a risk management program and a chief risk officer, please.
The survey of audit committee members by audit and advisory company Grant Thornton shows enterprise risk management and "unknowns" are among their biggest fears. Hence, the trend of banks hiring chief risk officers picks up pace.
The survey shows 71 percent of the public institutions reporting they have a chief risk officer, compared to just 40 percent of institutions reporting they had a CRO three years ago. In contrast, the survey says only 32 percent of private banks have a chief risk officer.
Not surprising is the number of audit committee members (82 percent) who believe the recent credit crisis has increased their risk as audit committee members. It's also no surprise that 35 percent report they have a risk committee that is separate from the audit committee. The survey report shows 41 percent of respondents among large banks have a separate risk committee, as opposed to 17 percent among those representing small banks.
The biggest fear audit committee members say they are facing is monitoring enterprise risk management at 31 percent. (It's a bigger fear for large banks at 32 percent, small banks at 24 percent). Second to monitoring ERM is "fear of the unknown," with 25 percent of respondents reporting this as their biggest concern.
Information security professionals: What is your biggest fear? I know what mine would be -- that there's not a chief risk officer to measure and handle the risk in my institution.