Historically, enterprise risk management (ERM) has been considered an endeavor for large financial institutions because these institutions represent a greater risk to the banking industry. Today, however, financial institutions of various asset sizes are being pressured or required to implement ERM.
Financial institutions that offer complex products and services, process large volumes of transactions, have extensive delivery channels, or have a high concentration of customers in one area warrant stronger ERM practices due to the higher level of risk posed. However, smaller institutions with a less complex business structure also face risks that might affect their ability to meet their strategic objectives.
Each financial institution is unique. An institution’s ERM program should be based on its risk profile, structure, products, risks and needs. An ERM program does not require extensive documentation or systems if the risk profile does not warrant it.
Financial institutions with less risky profiles can implement effective and efficient ERM practices by following four practical guidelines.
Implement a corporate governance structure by establishing an ERM committee and developing a charter and policy. Institutions typically assemble an ERM committee comprising the president, CEO, CFO, chief operating officer, chief lending officer, compliance officer, and internal auditor. Others may be members as needed to provide specialized knowledge. The objectives of the committee are to centralize oversight of risk management activities; review effectiveness of risk management systems, practices, and procedures; and provide recommendations for improvement.
The committee should meet regularly. In smaller financial institutions, this committee generally provides risk reporting to the board. The committee should develop a charter that addresses committee membership, authority, goals and responsibilities.
Management should develop an ERM policy that identifies the institution’s risk management philosophy, its risk identification and assessment methods, and how it addresses and incorporates changes such as new or evolving regulations and new products or services. The policy should formalize the institution’s risk appetite and identify significant risk and performance indicators and their respective limits or acceptable ranges.
- Clearly define measurable strategic objectives aligned with the institution’s risk appetite. Management should align its strategic, financial, compliance and operations objectives with the institution’s risk appetite. When determining the institution’s risk appetite, management should consider events that have negative effects on the institution, such as underperforming customer service, as well as events that have positive effects, like offering new products or services. Often, there is a disconnect between an institution’s stated strategy and its risk appetite. If management’s strategy and objectives do not fit within the institution’s risk appetite parameters, the objectives should be revisited.
- Identify and monitor important risk and profitability indicators. The management team should identify 10 to 12 significant risk indicators to monitor the progress and successful mitigation of significant risk events that affect its ability to meet its objectives. This allows management to focus on the most significant risks. New and evolving risks also should be considered. The indicators should be specific to major risk events and strategic objectives, and they should be forward-looking. At the same time, management should identify 10 to 12 key performance indicators to monitor the successful achievement of the institution’s objectives. The performance indicators often are historic measures and should be monitored, updated and reported frequently.
- Foster an ERM culture. An institution’s culture is critical in achieving true risk management across the organization. Executive leadership should foster an enterprise-wide risk management environment whereby the institution’s risk management philosophy is understood and supported, risk method is adhered to, individuals are accountable for managing and addressing risks, and business is transacted within the institution’s risk appetite.
The Early Bird Gets the Worm
ERM is not a turnkey system or a one-size-fits-all program. It is a discipline that elevates risk management to a strategic level, using collective enterprise-wide processes and practices that manage risk and maximize opportunities to achieve objectives. No financial institution is too small to implement a practical ERM program. Those that proactively identify and respond to risks and opportunities will have a competitive advantage over their peers in responding to the ever-changing business environment, and will be more likely to develop a nimble, adaptable and sustainable long-term strategy for success.