The ethos of Silicon Valley technology startups has long been, “Move fast and break things.”
But bad things can happen when banks break things. Instead, regulators want banks that are interested in adding new technology from third-party vendors to brush up on a familiar tool in the risk management playbook: change management.
Change management is the process, procedures and documentation a bank management team uses to consider, implement and govern changes. Change can elevate a bank’s risk exposure or introduce new risks. It includes everything from new products and services to new regulations to shifting economic conditions, says Bobby Bean, a managing director in Forvis’ financial services advisory group who spent 30 years at the Federal Deposit Insurance Corp. Regulators see how technology is changing banks, and have reservations that banks are truly managing that process. New technology firms may represent to an institution that they can manage a process from end to end, but banks still own the ultimate risk and responsibility.
“If you look at the latest third-party risk management guidance that came out, it made it clear that even though you may have a third party functioning on your behalf, you are still responsible for all of those risks as if it had been undertaken by the bank,” Bean says. “That’s why a change management team is really important in digital transformation, so the bank can have [its] own individuals looking at the process, looking at the new system to ensure that it actually does achieve all of the risk management goals that it represents that it does.”
To that end, the Office of the Comptroller of the Currency included change management as a priority objective for supervision in its 2024 supervision plan. It wrote that examiners should identify banks that are “implementing significant changes in their leadership, operations, risk management frameworks, and business activities, including the use of third-party service providers that support critical activities” and “determine the suitability of governance processes, including acquisition or retention of qualified staff, when the board or management undertakes significant changes.”
Bean says banks can take simple, straightforward steps to show that they’re thinking ahead. He recommends banks have a team of experts across the bank. That could include folks in audit, risk management and consumer compliance, who can consider the ways that various changes could impact their areas. He says consumer compliance and information technology are areas that should be included in change management discussions, since they are often cited in supervisory feedback, like matters requiring attention or MRAs. Banks should also document these discussions, including how they identify risks and mitigate them.
“Change management doesn’t have to be a huge undertaking … you don’t need a new office of change management and hire 16 new people,” he says. “It’s really bringing everybody together.”