Authority, accountability, and oversight of credit risk need to move together. Once those elements are split across functions without clear alignment, the institution has a credit risk framework that looks disciplined but behaves otherwise.
At its simplest, credit risk is the possibility of loss when a borrower fails to repay a debt as agreed. Straightforward enough. Yet anyone who has spent time in banking knows the real challenge with credit risk lies not in the definition, but in the execution.
I am not an academic. I’m a retired country banker who watched his first bank fail early in his career—brought down by a toxic mix of ignorance, hubris, and poor judgment. Everything I did afterward was shaped by a single goal: don’t let that happen again.
We are now more than fifteen years removed from the Great Financial Crisis. The pandemic, while severe, was a different animal. At last, regulators appear to be unwinding some of the inevitable overreactions that followed 2008. The OCC’s recent proposal to raise the “heightened standards” threshold from $50 billion to $700 billion is one such example. I have no intention of formally responding to the OCC’s 32 questions in the proposal. It does, however, raise a broader issue worth discussing, and that is credit risk ownership.
The “three lines of defense” model for credit risk has become deeply embedded in regulatory and institutional thinking. Its premise is simple:
In theory, it’s neat and orderly. In practice, especially for credit risk, it creates confusion.
The line disclaims ownership because it didn’t approve the deal. Credit expects the line to perform monitoring functions it isn’t trained for. Loan Review can’t report to Credit without compromising “independence,” so it reports elsewhere, often to someone who doesn’t fully understand the function. Internal Audit is then expected to audit Loan Review, though few institutions have figured out how to do this effectively.
The result is a Kafkaesque loop where credit risk responsibility is diffused and accountability diluted. Everyone is involved, yet no one truly owns the risk.
Authority, accountability, and oversight need to move together. Once those elements are split across functions without clear alignment, the institution has a credit risk framework that looks disciplined but behaves otherwise.
Country banking thrives on simplicity, so let’s simplify.
One of the failures at my first bank was excessive individual lending authority. The industry responded by swinging the pendulum hard in the other direction, stripping authority from the line and pushing approvals almost entirely into Credit. Today, it’s not uncommon to see institutions with enormous legal lending limits and minuscule line authority.
That structure destroys accountability.
When the line is expected to own and manage credit risk, it must have meaningful authority and be held responsible for its decisions. That authority has to operate within guidance and within limits. In my career, I encountered only a handful of truly rogue lenders. Most people simply want to do their jobs well, provided they have clear guidance and appropriate tools.
Credit’s role is not to do the line’s work. It is to set clear, durable guardrails. Unfortunately, as authority has migrated inward, policy discipline has eroded. When the approach is that “everything goes to Credit anyway,” policy adequacy becomes an afterthought.
That approach no longer works. Fintech competitors are faster precisely because their frameworks are simpler and aligned with how risk actually manifests. Credit policies must be concise, sustainable, and clearly tied to the institution’s risk appetite, which, importantly, must actually exist.
Not all credits warrant the same level of scrutiny. Complexity matters. Exposure matters. A $5 million credit and a $500,000 credit should not move through identical credit decisioning processes. Treating them as such is inefficient and, frankly, irrational.
Loan Review’s role is to ensure those guardrails make sense and function as intended. That does not mean citing endless, immaterial exceptions. It means asking harder questions at the portfolio level:
Much of the angst around Loan Review centers on independence. The regulatory framework already provides a solution. The OCC’s standards allow for multiple Chief Risk Executives. A Chief Risk Officer is one, a Chief Credit Officer is another. A Chief Credit Review Officer, reporting directly to the board with a dotted line to the CEO, preserves independence while enabling full collaboration with Credit, Risk, and the business line.
Independent loan review does not require isolation. It requires clarity. It also depends on relevance. Loan Review should be able to inform Credit, challenge assumptions, and surface patterns that require action. Isolation makes that harder. Independence and collaboration can coexist when reporting line, authority, and purpose are clear.
Credit frameworks are often built like monuments—carefully constructed, then treated as immutable. That’s a mistake.
Credit risk behaves more like a wave than an edifice. It shifts with borrower behavior, economic conditions, portfolio composition, regulatory change, and people. A framework built for a moment in time inevitably develops blind spots.
My first employer’s failure was accelerated by an inability to adapt to legislative changes that reshaped commercial real estate lending. Rigid structures and ritualized processes all contributed.
Credit functions that focus on guardrails rather than micromanagement are better positioned to identify emerging risks and respond tactically and strategically. The same is true for Loan Review. When review becomes overly ritualistic, it misses trends that matter.
That is why ownership matters so much. A dynamic risk environment requires people with clear authority, clear responsibility, and a framework that can adjust. At a minimum, institutions should conduct a bipartisan review of credit policy, guidance, and review processes every two years, and more frequently when conditions warrant. “Bipartisan” means collaboration between those who own risk and those who oversee it, with Loan Review contributing insight without compromising independence.
Credit risk is exactly what we said at the outset: the possibility of loss when a borrower fails to repay. The challenge isn’t definition. The challenge is ownership.
By clinging to arbitrary constructs and reacting to long-past crises, we’ve blurred accountability to the point where everyone is responsible, and therefore no one is. The solution isn’t radical. It’s a reset: clarify roles, restore accountability, and adopt frameworks that are simple, dynamic, and fit for purpose.
The line needs meaningful authority and responsibility. Credit needs to establish guardrails and maintain discipline. Loan Review needs to determine whether the system is working and where it is not. Those roles differ, but they have to connect.
Institutions that fail to take these steps risk joining the thousands that didn’t fail spectacularly but instead faded into irrelevance.
Abrigo enables U.S. financial institutions to support their communities through technology that fights financial crime, grows loans and deposits, and optimizes risk. Abrigo's platform centralizes the institution's data, creates a digital user experience, ensures compliance, and delivers efficiency for scale and profitable growth.
Make Big Things Happen.
