How to Raise Risk Awareness
In an exclusive interview, Foster discusses:
- The role of risk awareness in risk management;
- The challenges of raising awareness among senior managers, employees and customers;
- How to measure the success of a risk management program.
Foster, CRCM, is the Risk Manager and Compliance Officer at Cambridge Trust Company; a nine branch community bank and trust company with its main office in Harvard Square, Cambridge, Massachusetts. She coordinates the Bank's risk management and compliance programs. She is a member of the Bank's Community Reinvestment Act Team and presents financial education training under the FDIC Money Smart Program. She is a former co-chair of the American Bankers Association [ABA] Regulatory Compliance Conference Planning Committee, ABA ERM Peer Group and the Eastern Massachusetts Compliance Network, and a member of the Massachusetts Banker's Association Legal and Regulatory Committee, and the Metavante Compliance Advisory Council and Compliance User Group. She has managed risk, compliance and/or security in various community banks for the past 20 years.
TOM FIELD: Risk awareness and risk management - where are the two connected? Hi, this is Tom Field, Editorial Director with Information Security Media Group. We're talking about risk awareness and risk management today, and we're talking with Ana Foster, the Risk Manager and Compliance Officer at Cambridge Trust Company in Massachusetts. Ana, thank you so much for joining me.
ANA FOSTER: You're welcome.
FIELD: Just to get us started, maybe you can tell us a little bit about yourself and your role with Cambridge Trust.
FOSTER: Well, I've been in banking for about 35 years, on and off. I was a lender and a teller, not necessarily in that order; a translator; and ended up morphing to compliance, which was my first love. So I have functioned in the role of Compliance and/or Security Officer in banking. I joined Cambridge Trust Company as a Compliance Officer, and then we realized that we needed to manage operational risk, so I took on the role of Compliance Officer and Risk Manager, and that also includes anti-money laundering or Bank Secrecy Act Compliance, Office of Foreign Assets Control, and helping to institute processes relating to records management, vendor management, etc.
FIELD: So, really, you get to talk about all the exciting topics that we deal with these days.
FOSTER: Yes. The topics that, really, people don't like to pay too much attention to, but that really become important when something happens. So, we are generally preparing for something that we hope will never happen.
FIELD: Ana, of all these areas you have touched upon, which risks are of the greatest concern to you these days?
FOSTER: I would say if we establish the fact, for example, at Cambridge Trust Company, we have traditionally managed what I call a traditional risk discipline, such as credit risk, market risk and fiduciary risk. We have traditionally managed those very well, and have coordinated processes in place. The area that is of most concern to us is operational risk, and I would include in that compliance risk, especially on the credit side, and money laundering, and also it's foreign assets control risk, fraud and identity theft, automated clearing house, and basically people risk. People are so busy, and required to learn so much, that it can be difficult to keep them focused and to give them enough information timely that they need to do their jobs.
FIELD: Well, that leads directly to my next question, which is what is the role of risk awareness in your risk management program? I would love it if you would give us an example of what you do to help those people who need to be aware.
FOSTER: One of the advantages that we have is that the President of our bank really buys into the concept of managing operational risk, and he has for quite a few years. We are into about our sixth year of risk management, or I should say, operational risk management. So, we have had the expectation that people will be aware of risk from the top down. And we expect that there will be risk, but that it will not stop us from taking advantage of opportunities. We constantly seek to weave risk awareness into people's daily activities. People in banking have been managing risk for years. The key is to keep them aware, especially in an environment that is ever changing and becomes very risky -- the information security related threats. So, it is important that we keep people aware. We may have to take risk to meet our customer's needs, but we want to do it in a manner that is informed, with eyes wide open, if you will, which basically would be defining our risk appetite. We also include training, actively, as a participant in our initiative, so that training can weave risk awareness into communications. A couple of examples where we feel we have been able to provide great service to our customers in risky areas are, for example, in international wires, and wires in general. About 40% of our wire business, as a community bank, is foreign wires, and they could be consumer or commercial, to just about anywhere in the world. We also have enhanced identification processes for our wires. And even though wires are a risky business, we feel that we assess our controls to make sure that we stay current. So, it's been a good service that we can offer our customers.
FIELD: Very good, and very timely. Now, Ana, how do you instill risk management in the jobs of people who aren't necessarily used to that role?
FOSTER: Well, we believe that people in banking have always been risk managers; they just haven't been aware of it. If you look on the lending side, it's about managing credit risk in wealth management, fiduciary risk. And if you think on the finance side, you're talking about balance sheet-related risk. So, people are managing risk; it's just different than what they are used to doing. What we seek to do is demonstrate that the traditional risk disciplines converge or bleed into operational risk. For example, if we don't manage data correctly, then the information they need for reporting or for analysis will not be accurate. So, it is communicating that this isn't something new. We're now, rather than functioning in silos, we communicate that managing risk is horizontal, it's across business lines, because risks do bleed into one another. And we require risk management to have a seat at the table, with regular meetings with senior management, regular meetings with audit committee, with the board. Every opportunity, whether it's 15 minutes or longer, is an opportunity to educate and increase the awareness. One of my goals is to understand where people are coming from, in the sense that if we look at the traditional risk disciplines, when people came into banking, they didn't know that they were going to have to understand other risks, such as vendor risk or compliance risk, or Bank Secrecy Act risk or ACH risk. Now they need to know those things, so we need to communicate them. We need to develop user-friendly tools, user-friendly processes, use simple language, don't change what works, and when we are communicating, use real, live examples, and do lots of hand-holding. And we expect that each business line will have at least one, what we call "risk management" guru, to help spread the message.
FIELD: Well, it makes a lot of sense. What do you find to be your biggest risk management roadblocks in this scenario, and how do you best overcome them.
FOSTER: Well, I think the one that jumps right to the top is fear of change. As humans, we are all, to a greater or lesser extent, afraid of change. And then it's very difficult to get people out of their silos and to get people to think in a new way that is not silos, and it is not just about the traditional skill sets that they had. We have to work with them, to accept the change. They are used to possibly different languages they use and the different disciplines that are their traditional ones, and so we may need to bring new language to the table. And it's not just about changing for the sake of change. The goal is to educate, to be very hands-on, to spend a lot of time, and work one-on-one at every level, to listen, to use diplomacy, to be consistent. One of the keys that I've found is understanding people's different management and learning styles. Some people are morning people, and some are not. So, there may be a better or worse time of day to communicate with people. And again, user-friendly tools. And basically, these are the skills that many compliance officers bring to the table.
FIELD: Ana, I want to take you back to risk awareness and ask you about the challenges of building awareness with specific groups. And I'd like you to address board members and senior management, and then customers, whether they are consumer or commercial. What are some of the challenges you find when you're building risk awareness with those group?
FOSTER: It's an interesting question. When I think about it, I think that it may be easier to educate the board members because they are, on an ongoing basis, looking at the bank holistically. Whereas, if I think about the top level management, they tend to function, or try to function within the silos of their own risk disciplines. Because senior management is more involved in the day-to-day, it can be more difficult to focus on increased risk awareness in areas that they are not used to thinking about. And, to me, again, it's maintaining regular access and keeping it simple and clear, and not too detailed a message, because they don't want to get involved in the detail. The reporting, especially to the board, I have had to keep trying until I figure out what works for the board. In our bank, they receive so many quantitative reports that they like narrative about internal and external risk events. It works very well for them, and they like to talk about it, which means they are absorbing it. And then senior management is absorbing it. You know, if I look at senior management, their goals are to grow the bank, not to waste time and resources on what could go wrong. And that can be a real challenge, to make them understand that just because we are managing risk doesn't mean we don't want to do things. One of the challenges: They think, at times, that the questions that are being asked are "none of your business," because it's within their business line, again, going back to the silo. And, you know, the challenge is to build and maintain trust and constructive communication when things are going well, as well as when things are going not so well. As far as employees, again, the greater challenge is fear of change. "Will I lose my job?" If the bank is instituting a new process, another frustration for them can be, "How am I supposed to do my day job if I'm now supposed to be thinking about risk?" Again, they think of it as something new, not something that is already a part of their job. So, the challenge can be to get them to admit that they are already managing risk. There is also the perceived negative impact on customer service. You know, if you have controls in place, or if you ask customers for information, or if you put a control in place that may make it more difficult for the customer to acquire the service that he wants, will we lose customers? And turning the fact that managing risk can enhance customer service, turning that around can be a challenge. And then there's the fear of being blamed if someone makes a mistake, or there is a loss. And, of course, we focus on the solution, not on the blame game. From the customer perspective, consumers are pretty much protected by the consumer regulations, but we still feel that our staff needs to have the tools necessary to explain things to customers. We have more responsibility on the commercial side, and the challenge is that the staff needs to be educated well enough to effectively communicate and educate the customers. And that can be a drain on resources. Training takes time, and staff needs to spend the time to learn more in order to effectively educate customers. And it involves a lot of one-on-one communication with customers, which can be very time consuming. Letters or information on the website are good, but they're not as effective as the resources that are used to communicate face-to-face with customers.
FIELD: Well, Ana, that's a great overview. Given the outreach that you do and the efforts that you make, how, ultimately, do you evaluate the success of your risk management program?
FOSTER: I guess I'd start by saying we're not perfect, we're evolving. I expect that it will never be as successful as I would hope it would be, because I'm a perfectionist, but we feel that we can measure success in the fact that we can offer high risk services, such as wires, or products, such as an international student account, that we may not have been in as good a position to offer, or that we may have been taking more risk if we offered them. We feel that our program puts us in a good position. We have also had good exam results. I've noted more telephone calls from the bank staff, regarding risk or concerns that they may have. I see more teamwork, more involvement early in the process of change. And people are working toward getting out of their silos and communicating. People are working on efficiencies, and they are actually challenging the way that we do things. And we hope that the challenge makes us assess and improve the way we do things. I think one of the best testaments is that in a time when resources are strained, and the bank is growing, the risk-based approach has helped us to prioritize. We have been able to implement either regulatory changes, or technology or software implementations. We were able to implement those because we had established processes, and staff were used to the teamwork, sharing information, etc. So, I think that's the type of way that we feel that our program is becoming a success.
FIELD: One last question for you. For other institutions that are looking to improve risk awareness and risk management, what advice would you give to them?
FOSTER: Well, I'd say if I've learned anything, it's that one size does not fit all, that it's so important to listen and to get regular face time with people, and again, to learn management and learning styles, and to work with them. I'm not sure if I already said to be patient, to engage people early in assessment and decision-making, because they will feel that they have a bigger stake. And establish simple, user-friendly processes and tools, and to network. There are a lot of people to talk to out there, who are trying to, or who have been successful at implementing a risk management program, and they are excellent resources.
FIELD: Ana, very good. I appreciate your time and your insight today.
FOSTER: Well, I hope it's what you were expecting.
FIELD: Oh, very much so. I'm Tom Field. Thank you very much.