For most banks and insurers, the financial crisis has been the catalyst that has forced them to rethink their approach to risk management. New reporting lines and structures have been introduced that give risk managers greater authority and responsibility. But not every organization has seen the need to make wholesale changes. For Wells Fargo, the second-largest lender in the United States, the changes have been more incremental and merely complement the solid foundation that was laid well before the crisis.
At the heart of this approach is an organizational culture that puts the emphasis on robust risk management. According to Caryl Athanasiu, head of operational risk at Wells Fargo, the bank has consistently tried to instill a risk-aware culture that relies much more on embedding principles across the business than it does on imposing a rigid set of rules. “Operational risk is largely embedded in our business processes throughout the company,” she explains. “And if you think of the many millions of decisions that are made that might be subject to operational risks, you can’t create rules or policies for everything. It has to start with principles.”
Business managers at Wells Fargo are fully accountable for the risks they run, and this feeds through into how they are measured and incentivized. New business opportunities are put through a rigorous process to ensure that there is an appropriate risk management structure underpinning them. “We tell people as they are growing the business that there is a very basic principle for how you manage growth—and that is control first, then profitability and then growth,” says Athanasiu. “If you mess with that order, there will be problems.”
But, although principles guide the majority of business activities, not every risk can be managed in this way. In some cases, it will be necessary to put in place hard and fast rules. For Athanasiu, the distinction is between those activities where the incentives of customers and the business are aligned and those where they are not. “If you take fraud as an example, that not only creates a problem for the customer, it also damages the business, so there is a clear alignment of incentives which can be managed using a principles-based approach,” she explains. “On the other hand, a business manager may be inclined to put off spending on business continuity because they don’t think an earthquake is likely, and spend that money on hiring salespeople instead. That’s an example where principles don’t work because there isn’t a natural alignment of incentives. In that instance, you need rules.”
In addition to a largely principles-driven approach, Athanasiu credits the organizational structure at Wells Fargo as a key factor driving the bank’s risk culture. Although there is a central risk function, which monitors issues such as regulation and capital modeling, much of the day-to-day risk management takes place close to the business. Each unit has its own dedicated risk managers who work alongside the business managers and have a dual reporting line into the head of the business and the central risk function. “We want risks managed as closely as possible to where they happen,” says Athanasiu. “If you can get the right business head and the right risk management head supporting them, then you have 70 percent to 80 percent of your risk culture problem solved.”