It can be argued that the success of any organization boils down to how well it manages risk. Jason Painley, vice president and chief risk officer (CRO) of the Ohio-based Park National Bank, says his department must have its finger on the pulse of every aspect of the company’s operations to successfully identify, measure, monitor, and control risk for the organization. “In some way, any unfavorable performance is a result of risk management not working—as a CRO, you must know you are accountable for that,” Painley says.
That’s a lot of weight to carry, especially in a bank with $7 billion in assets like Park National. The company has 116 branches in its network, many of which are not under the Park National banner, but operate as locally managed affiliate banks. Risk management, Painley explains, is not just about crunching numbers and analyzing portfolio performance. “It’s what we don’t know that worries us the most,” he says. “The risks and threats in the banking industry today are numerous and complex.” Difficult-to-assess variables, such as cybersecurity, are near the top of the list, along with the ongoing risks related to the economic environment at a macro level, as well as the regulatory environment. But Painley points out that he must also develop protocols for geographically based risks, such as how to respond in the event of a natural disaster—threats can come at any moment from any direction, keeping him on his toes.
Enterprise risk management (ERM) was born out of the insurance industry, but has always been a part of business thinking, especially at financial institutions. However, formal ERM programs—and the rise of the role of the CRO in most large, capital-intensive organizations—are relatively recent phenomena that have unfolded over the last fifteen years or so and continue to expand at a rapid rate. “The recent recession drove home the fact that we not only need to manage the risks that we face at a given time, but also be proactive in managing for risks that we’ve never experienced before,” Painley says. “Regulators were really looking for financial institutions to expand their risk management programs during that time.”
Quantitative analysis plays a major role in ERM, for which Painley’s accounting background and previous experience with the Federal Reserve Bank of Cleveland prepared him well. Painley and Park National’s chief financial officer have regular conversations on “complex risks and their corresponding accounting treatment,” he says. Painley uses Wdesk, a cloud-based platform for risk reporting, and will soon integrate a new line of GRC (governance, risk management, and compliance) software to more fully automate Park National’s risk measuring, monitoring, and reporting systems. Periodic “capital stress test reviews” are a big part of his annual work cycle, he says.
But qualitative analysis also plays a surprisingly large role in the day-to-day work of a CRO, according to Painley. Strategizing for those less tangible, unpredictable risks is what keeps him up at night. And the key to managing those, he says, has to do with creating a culture of risk management. “It’s not just one department,” he says. “Risk needs to be understood by everyone in the organization, and everyone needs to understand what their roles are as far as identifying risk and reporting that risk to the right people.”
Painley’s job is to spearhead a risk-aware culture and turn it into a formal program for the bank. On a practical, day-to-day basis that means nurturing relationships with every department and business line in the company as well as with external stakeholders. Painley has a staff of four direct reports but is in constant contact with designated liaisons in every team within the company.
“We’re constantly in dialogue with the people that have the direct knowledge of potential risk exposure in order to document what they know and, to the extent that we can, develop a what-if scenario,” Painley says. “You can’t measure the number of cyber-attacks you are going to get tomorrow; you just don’t know what that number is. But you can put the right things in place and make sure that when they do happen, and if the volume does increase, that you’re able to protect your systems, your technology, and your information.”
The success of any ERM program rests on a healthy balance between its quantitative and qualitative components. Every bank has its methodologies for measuring risk relative to loan losses and other concrete figures. If certain trends develop on financial statements—and the numbers go past a predetermined benchmark for what company leadership has established as a prudent level of risk—red flags go up and risk management protocols are executed to preemptively curtail the damage. But when risks come out of left field, a different set of protocols is required. “We work a lot with numbers, but that’s balanced with the things you can’t necessarily measure but you know are out there,” he says. “For the things you can’t measure with any sort of quantitative precision, you still need to put down a qualitative plan.”
ERM strategy should always flow from corporate strategy, which is why integrating risk management at the executive level through the role of a CRO has become standard practice at financial institutions in recent years. Painley reports to an independent risk committee within the bank’s board of directors to ensure that his perspectives on the organization’s risk profile are completely objective, he says. The board of directors and senior management must be made aware of any risk that may cause the bank to deviate from its business strategies. By sharing that information in a timely and cohesive way, new assumptions can be formulated and the course of the ship adjusted accordingly.
Painley calls ERM a “contact sport” due to the fundamental importance of communication. “The relationships I have with all of those individuals must be sound,” he says. “A two-way exchange of information serves a common purpose—to maintain a successful and sound financial institution—a position that Park National Bank enjoys.”