Lots of banks say they have enterprise risk management programs in place, but they really don’t have a full program. Others are just getting started.
“You hear the regulators want it, but that’s not the reason to do it,’’ said Ed Burke, who is on the board of Beacon Federal Bancorp in East Syracuse, New York, a $1 billion-asset institution that is getting started creating a program. “It will cut down on risk and we’re in the risk business.”
Here are 10 tips for getting started or enhancing enterprise risk programs. Heavy debt for this list is owed to Christina Speh, director of new markets, enterprise risk management, at Wolters Kluwer Financial Services in Washington, D.C., as well as other speakers at Bank Director’s Bank Audit Committee conference in Chicago in June.
- Do get started. If you don’t have a complete enterprise risk management program in place, have a plan on how you’ll get there.
- Do set an appetite for risk inside your organization. A risk matrix is advisable.
- Do ask questions about future or emerging risks. What is not on the agenda that might happen? What hasn’t happened in the past but might in the future?
- Don’t let management set the agenda. The board sets the agenda for risk appetite and asks the hard questions about the organization’s potential risks.
- Do make sure that managers are getting together in different departments and creating a unified approach to measure risks.
- Do make sure the organization’s appetite for risk is ingrained in the strategic planning process.
- Do make sure your executive compensation structure takes into account the organization’s appetite for risk.
- Don’t let management pile on too much paperwork for the board. Insist on easy-to-understand executive summaries of risk inside an organization periodically. The executive summary should address the organization’s risks, what the potential impacts are and what the underlying assumptions involve.
- Don’t let the person who created the risk management framework go back and audit it.
- Do ask how the organization’s appetite for risk is being conveyed and monitored throughout the organization.