Why Asset Size Does Not Matter To Regulators In ERM

January 21st, 2019

ERM-1-21-19.pngConventional wisdom in banking has been that asset size matters in terms of regulatory expectations around enterprise risk management (ERM).

But that traditional school of thought might be changing. A new question has emerged: is it the institution’s asset size that matters, or is the complexity of the risk profile more important?

A common question among peer roundtables: what is a bank expected to do for ERM as it approaches the $10 billion asset size threshold of a regional banking organization (RBO)? The Federal Reserve considers an RBO to have total consolidated between $10 billion and $50 billion.

The next question typically is if regulatory expectations have lessened around comprehensive capital analysis and review (CCAR) or Dodd-Frank Act Stress Test (DFAST) requirements because of recent reforms in Congress?

These are hot topics especially for banks below the $10 billion asset size bubble, known as community bank organizations (CBO) by the Fed, because the cost of ERM implementation remains high.

Specific to CBOs between $2 billion and $5 billion in assets, regulatory agencies have been providing more prescriptive guidance and recommendations to upgrade and enhance ERM and model risk management frameworks consistent with existing regulatory guidance aimed at RBOs.

Examinations are more detailed, covering policies and procedures, personnel, risk appetite, risk assessment activities and board reporting. Examiners are pushing smaller banks to recognize the ERM value proposition because a keen risk awareness will inspire more informed decisions.

An effective ERM program starts with the risk culture necessary for appropriate governance of policies and procedures, risk awareness training, tone from the top and credible challenge. The culture should start with the CEO and the board establishing a proactive risk strategy and aligning the risk appetite of the bank with strategic planning.

Implementing an effective risk management program is understanding your bank’s risk profile and addressing matters proactively, having the discipline to identify emerging risks and mitigating those risks before a risk event or loss.

As banks approach $10 billion in assets, they are expected to increase the rigor around risk identification and assess risks for their likelihood and impact before identifying risk-mitigating controls.

A CBO should have a champion to effect change strategically throughout the organization, rather than a regulatory or audit check-the-box exercise. The risk management champion can be compared to an orchestra conductor who does not need to do everyone else’s job but should be able to hear someone is out of tune. Breaking down silos is key because risk management should be a continuous, collaborative process involving all stakeholders.

Regulatory expectations are converging as examiners push smaller banks to show a safe and sound risk management framework. This should encompass a separate board risk committee, or, at a minimum, a subcommittee responsible for ERM.

All banks have traditionally been expected to maintain appropriate risk management processes commensurate with their size and complexity and operate in a safe and sound manner.

The formality and documentation required is a new, evolving trend. Board and senior management oversight is important, as is risk monitoring and information system reporting. Board support is critical to understand risk areas, develop training programs and establish accountability among leadership and risk management team members.

Regulatory scrutiny for banks below $10 billion of assets has increased for ERM sub-processes, including model risk management, new products and services and third-party risk management.

We live in a post-CCAR world trending toward deregulation; however, the regulatory burden of risk management expectations for the smaller CBOs is increasing. Essentially, asset size does not matter anymore.

mdempsey

Mike Dempsey is a senior manager for DHG Financial Services. He can be reached at mike.dempsey@dhg.com.