By Yvonne I. Pytlik and Carlo di Florio, Part-Time Lecturers in the Enterprise Risk Management Program, School of Professional Studies
A recent panel discussion held by the New York chapter of the Risk Management Association (RMA) provided an opportunity for risk and compliance practitioners to interact directly with leadership from major regulatory agencies in the U.S. on a number of regulatory priorities.
This year’s regulatory program was moderated by Yvonne I. Pytlik and Carlo di Florio, part-time lecturers in the Enterprise Risk Management (ERM) program at Columbia University’s School of Professional Studies (SPS), members of the NYC RMA Board of Governors, and regulatory industry leaders from ACA Global Consulting Firm. Our discussions with regulators revolved around key risks in the financial services industry, including deployment of artificial intelligence, asset-liability management, cybersecurity, and operational resilience.
Proper Risk Management and Compliance
The U.S. regulatory agencies expect financial institutions to have effective risk and compliance programs to assess and manage the challenges of the day. “We expect banks of all sizes to be able to say how they manage compliance and manage risk right,” said Beth Dugan, deputy comptroller for large bank supervision at the Office of the Comptroller of the Currency (OCC). “Without a good chief risk officer [CRO], chief compliance officer [CCO], and framework you are not going to find issues.” Regulators emphasized that to be effective and empowered, risk professionals need seniority and authority in the organization to help mitigate the highest risks.
Reflecting on the regulatory priorities, Pytlik and di Florio discussed how the partnerships between the CCOs and CROs with senior leaders are critically important to all firms. Compliance and risk professionals advise leadership teams on important compliance and risk decisions to mitigate the firm’s regulatory risks. Culture, high ethical standards, conduct, and compliance are critical to a broader risk-governance and regulatory risk management framework empowering CCOs/CROs to provide a great value to the firms mitigating their regulatory risks. Regulatory expectations are high; to that end, said Pytlik, compliance and risk professionals constantly strive to understand how regulators are thinking about top risks and to anticipate what’s next. Regulatory priorities typically reflect those risks that could have the biggest impact on safety and soundness, investor protection and market integrity.
Artificial Intelligence Risks
The financial services industry continues to experience rapid growth in technological innovations, such as artificial intelligence, which may present risks to investors, and regulatory technology evolution increases certain risks. To mitigate regulatory risks, the firms should have an adequate governance process, and policies and procedures that support their use of AI, and proper, fair and balanced disclosures to investors.
AI “will change dynamically what we do day in day out,” the regulators said. It requires strong governance by firms on its usage. They emphasized that it’s important to ensure that the firms have the right AI skill sets for all lines of defense and to manage the different types of risks differently. “CCOs\CROs help to navigate complexity of AI and advise senior management on AI pre-implementation risk assessments and risk mitigation strategies,” Pytlik said.
Di Florio noted that the SEC recently conducted a sweep exam evaluating how investment managers are considering using AI and what governance, risk management, and regulatory compliance controls firms are putting in place. Both legislators and regulators are considering new rule books to govern AI use in the industry. Enforcement authorities are also very focused on how AI may present greater risks to the financial system, cyber security, privacy and customer protection.
Asset-Liability Management and Liquidity Risks
The current interest-rate environment is frequently referred to as “higher for longer.” But considering this era followed a period of unusually low rates, it is often considered a more normalized structure. Even though the era of low rates was in response to a global financial crisis and then a pandemic, a sense that low rates would continue created “complacency,” catching some off guard when rates rose quickly.
Resilience and Cybersecurity Risks
Cybersecurity will continue to evolve and be important for every organization as cybersecurity attacks are becoming more technologically sophisticated, which continuously increases the risk to the firms. The firms should be constantly alerted to these risks and build in resilience and ability to quickly respond to them to properly mitigate these risks to their organizations.
Uncertainty
Regulatory agencies are operating and pursuing priorities this year against a backdrop of increasing challenges to their policies and guidance by courts. “The reality now is that courts are playing a bigger role in regulatory rulemaking than they did before,” said di Florio. “Every rule coming out of the SEC now is going to be challenged.”
The election this year could also shake-up agency leadership and priorities. While political changes might affect regulation—and, in turn, bank strategies—Dugan said that “as regulators, we are independent agencies and will focus on the work required to fulfill our mission. […] Regardless of the politics at the top, as appointees come and go, the professional regulators are the ballast of the organization and keep it on its mission.”
Views and opinions expressed here are those of the authors and do not necessarily reflect the official position of Columbia School of Professional Studies or Columbia University. Beth Dugan, Deputy Comptroller for Large Bank Supervision at the Office of the Comptroller of the Currency is a frequent speaker at our Strategic Risk Management sessions at Columbia University, SPS.
About the Strategic Risk Management Course
Enterprise Risk Management lecturers Yvonne I. Pytlik and Carlo di Florio’s Strategic Risk Management course offers a review of the types of strategic risks, such as a flawed strategy, inability to execute the strategy, competitor risk, supply chain risk, governance risk, regulatory risk, M&A risk, international risk, etc. The course includes case studies, research, and common mitigation techniques, such as strategic planning practices, management techniques, governance practices, supply-chain management, etc.
About the Program
The Master of Science in Enterprise Risk Management (ERM) program at Columbia University prepares graduates to inform better risk-reward decisions by providing a complete, robust, and integrated picture of both upside and downside volatility across an entire enterprise.
Fall 2025 application deadlines for the M.S. in Enterprise Risk Management program are March 15, 2025 for applicants with international documents, and May 1, 2025 for the final deadline. Learn more here.
