Why banks keep blowing up, and how to actually fix risk management.

Despite significant advancements in risk management regulations, such as Basel IV, and billions of dollars invested by financial institutions (FIs) in enhanced risk practices, FIs continue to face billions in financial losses, severe reputational damage, and even outright failure.

Look at recent cases: the collapse of Silicon Valley Bank (SVB), the downfall of Credit Suisse, billions lost in regulatory fines such as TD Bank’s AML penalties, and operational failures at Citigroup like the Revlon error that triggered regulatory enforcement action and reputational fallout. Across them all, a clear pattern emerges.

So, what is this pattern? It’s the ambiguity, inconsistencies, fragmentation, and incompleteness

in how institutions design or implement risk management —

• from identifying exposures to financial and reputational loss,

• to containing losses within an acceptable amount,

• to bouncing back quickly once losses occur, and

• to structuring accountability for carrying out the first three effectively and efficiently.

By the way, that’s all risk management really is: identifying exposures, containing potential losses, recovering fast, and structuring accountability. That’s it. We call these four components the Risk Management Framework (RMF).

If we want to cut down the frequency or severity of financial and reputational losses (and I say reduce, not eliminate — the only way to eliminate them is to stop doing the activity altogether), then we have to fix this pattern in how FIs design and implement their RMF. That means replacing ambiguity with clarity, inconsistency with consistency, fragmentation with integration, and incompleteness with comprehensiveness — across all risk types and across the whole organization, in both design and execution. We call this fix the Integrated and Comprehensive Risk Management Framework.

This Integrated and Comprehensive RMF has four parts:

• Exposure — identifying potential financial and reputational losses;

• Controls — containing those losses within a defined acceptable amount (your Risk Appetite);

• Resilience — bouncing back quickly once losses occur; and

• Governance — structuring accountability to make sure the first three are carried out effectively and efficiently.

In short: ECRG. And the whole thing has to be designed and implemented clearly, consistently, integrated, and complete.

We’ll dive into each of these components in detail later.

FAQ-RMF

What fundamental problem plagues risk management in financial institutions despite significant advancements and investments?

Despite advancements like Basel IV and billions invested by financial institutions (FIs) in risk practices, they continue to suffer massive financial losses, severe reputational damage, and even outright failures. The core issue isn't a lack of regulation or investment, but rather "ambiguity, inconsistencies, fragmentation, and incompleteness" in how FIs design and implement their risk management frameworks (RMF). This systemic flaw prevents them from effectively identifying, containing, recovering from, and being accountable for losses.

Can you explain what a Risk Management Framework (RMF) entails in its simplest form?

At its core, a Risk Management Framework (RMF) is about four key components:

1. Identifying Exposures: Recognizing potential financial and reputational losses.

2. Containing Potential Losses: Limiting these losses to an acceptable amount.

3. Recovering Fast: Quickly bouncing back once losses occur.

4. Structuring Accountability: Establishing clear responsibilities for the effective and efficient execution of the first three components.

What evidence suggests that current risk management approaches are failing?

Recent high-profile incidents clearly demonstrate the inadequacy of current risk management. Examples include the collapse of Silicon Valley Bank (SVB), the downfall of Credit Suisse, billions lost in regulatory fines such as TD Bank’s AML penalties, and significant operational failures like Citigroup’s Revlon error. These cases all point to a recurring pattern of flawed risk management design and implementation.

What is the proposed solution to fix the persistent failures in risk management?

The proposed solution is to implement an "Integrated and Comprehensive Risk Management Framework." This involves replacing the current "ambiguity with clarity, inconsistency with consistency, fragmentation with integration, and incompleteness with comprehensiveness." This comprehensive approach must be applied across all risk types and the entire organization, both in its design and execution.

What are the four core components of the Integrated and Comprehensive Risk Management Framework, and what do they stand for?

The Integrated and Comprehensive Risk Management Framework consists of four parts, collectively abbreviated as ECRG:

• Exposure: Identifying potential financial and reputational losses.

• Controls: Containing those losses within a defined acceptable amount, often referred to as an organization's Risk Appetite.

• Resilience: Bouncing back quickly once losses occur.

• Governance: Structuring accountability to ensure the first three components are carried out effectively and efficiently.

Why is it important for the ECRG framework to be "designed and implemented clearly, consistently, integrated, and complete"?

For the ECRG framework to be effective, it must replace the current deficiencies in risk management. Clarity eliminates ambiguity, consistency resolves inconsistencies, integration addresses fragmentation, and completeness tackles incompleteness. This holistic and coherent approach is essential to genuinely reduce the frequency and severity of financial and reputational losses across all organizational levels and risk types.

Does the new framework aim to eliminate all financial and reputational losses?

No, the goal of the new framework is to "reduce, not eliminate" the frequency or severity of financial and reputational losses. The only way to entirely eliminate losses is to cease all activity, which is not a practical solution for financial institutions. The focus is on significantly mitigating and managing these risks more effectively.

How does the concept of "Risk Appetite" fit into the new framework?

Within the Integrated and Comprehensive Risk Management Framework, "Controls" are specifically designed to contain potential losses "within a defined acceptable amount," which is explicitly referred to as an organization's "Risk Appetite." This means that organizations must clearly define how much risk they are willing to take on, and their controls must ensure that actual losses do not exceed this predefined threshold.