Bart Smith
Partner & Managing Director, Risk & Regulatory Insights

What are the basic concepts and guidelines for enterprise risk management?

In the first part of this series, we established that enterprise risk management, or ERM, is a proactive and holistic process that helps bank managers understand, evaluate and establish risk positions that benefit their organizations. ERM covers more than compliance; it’s an integral part of strategy setting and decision making that creates performance and value for organizations.

How might boards create and implement effective risk management systems? That can be complicated. Risk-management guidance is broad and complex, and no single system or process can be applied uniformly to all organizations. That said, regulators lay out basic guidelines that can help form the basis for fundamental risk management programs in most banks.

The most widely referenced regulatory guidance comes from Federal Reserve Supervisory Letter 16-11 (Supervisory Guidance for Assessing Risk Management at Supervised Institutions with Total Consolidated Assets Less than $100 Billion). While the policy is quite detailed and lays out various expectations for effective risk management, there are some basic concepts organizations can adopt.

What Does It Mean to Identify, Measure, Monitor and Control Risk?
In all supervisory guidance related to risk management, you will hear the phrase “identify, measure, monitor and control.” Regulators want to know whether your organization’s ERM process identifies, measures, monitors and controls a full spectrum of risks. While regulators largely focus on an organization’s viability risk, these same considerations apply to strategic and performance risk.

Identify Risk: This step involves considering all potential risks that may impact an organization. In banking, there are frameworks and guidance to establish primary risk categories. In the Fed guidance we outlined, those principal risks include six categories:

1. Credit risk or risk arising from a borrower or counterparty failing to perform on an obligation.
2. Market risk or risk resulting from adverse movements in market rates or prices, including interest rates.
3. Liquidity risk or risk that a financial organization will be unable to meet its obligations due to an inability to liquidate assets or obtain adequate funding.
4. Operational risk or risk resulting from inadequate or failed internal processes, people and systems or from external events.
5. Compliance risk or risk of regulatory sanctions, fines, penalties or losses resulting from failure to comply with laws, rules, regulations or other supervisory requirements.
6. Legal risk or risk that actions against the institution could result in unenforceable contracts, lawsuits, legal sanctions or adverse judgments that could disrupt an organization’s operations.

Measure Risk: Once you identify risks that could impact your organization, you must develop criteria to empirically measure those risks. ERM systems have two primary ways to measure risk, quantitatively and qualitatively.

  • Quantitative Measures consist of numerical positions that can be measured objectively from data. Capital ratios, loan performance and compliance statistics are quantitative indicators that can be used to objectively measure identified risks.
  • Qualitative Measures are based on subjective observations that relate to policies, systems and processes, management performance and control structures. Collectively, they can potentially mitigate quantitative positions. Administrative controls and management processes to mitigate risk may offset a higher-risk asset structure.

Monitor Risk: Monitoring risk involves the information systems and processes used to evaluate quantitative and qualitative measures. Does the board have access to sufficient information to understand how the measured risk positions relate to one another and change over time? Does that information include reporting structures that let the board determine whether management is complying with policies and the board’s prescribed risk appetite? Without systems to effectively monitor risk, identified and measured risk positions cannot effectively inform an organization’s actions.

Control Risk: While controlling risk may involve taking action to reduce the likelihood of adverse events, it also informs acceptable risk taking and provides operating management with the framework to take risk effectively. Risk is integral to pursuing value; the ERM process is not meant to minimize or eliminate risk. The goal is to manage exposures across an organization so that, at any given time, the organization can incur enough of the right kinds of risk to effectively pursue its strategic goals.

ERM is about effectively taking risk, not avoiding it. If you devote the time and energy to meet ERM’s basic guidelines and principles, statistics show that your company can perform more effectively and profitably.


Performance Trust has been advising community banks for thirty years and is a registered broker/dealer, member of FINRA/SIPC. This is intended for educational and informational purposes only and is not intended to be legal, tax, financial, or accounting advice or a recommended course of action in any given situation. This is not an offer or solicitation to purchase or sell securities. The Information is subject to change without notice.

WRITTEN BY

Bart Smith

Partner & Managing Director, Risk & Regulatory Insights

Bart Smith is a partner & managing director of risk & regulatory insights at Performance Trust Capital Partners, LLC. Drawing on 34 years of experience in banking, Mr. Smith serves as an expert resource in bank policy and regulatory matters and helps develop materials to educate customers. Prior to joining Performance Trust, Mr. Smith spent over 27 years at the FDIC, serving in various senior positions throughout the country. During his last 10 years there, he served as the territory manager for the FDIC’s Charlotte, NC office, which covers all supervisory activities in NC and SC.