What Enterprise Risk Management Means for Your Organization


Over the past decade, enterprise risk management (ERM) has become an established practice in virtually all large business organizations, including a majority of banks and other financial institutions. Regulatory expectations coupled with the harsh realities of the recession combined to encourage financial services organizations to devote significant time and resources to implementing structured processes for assessing and mitigating risks as well as identifying and seizing opportunities.

According to the Committee of Sponsoring Organizations of the Treadway Commission (COSO), “Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

Today, commercial and academic surveys typically show that a majority of financial institutions either have a mature ERM program in place or are well on the way toward implementing one. For most bank directors and executives, the question no longer is whether they should implement ERM but rather how they should go about doing so and what they can do to make the effort worthwhile.

For many organizations, that means it’s time to move up to the next level of ERM maturity. At this new level, ERM is not merely accepted and established as an essential corporate function. Rather, it is actively embraced and deeply embedded into every aspect of the organization’s management and operation.

This distinction is important because it highlights a common misconception about the innate nature of ERM. To be truly effective, ERM should not be treated as a distinct and separate entity within the organization. It must be incorporated as an integral part of everything the institution does.

Sustainability: The Ultimate ERM Objective
When ERM is actively embraced in an organization, it can become much more than a defensive measure for managing immediate risk. It can live up to its full potential as a strategic tool that supports long-term growth as well as the enterprise’s continued sustainability.

With more than 500 bank failures since 2007, sustainability is an area of obvious industry concern. Even though the crisis years of 2008 to 2010 are fading memories, bankers cannot afford to take the survival of their institutions for granted. Effective enterprise risk management can help organizations stay focused on sustainability.

Note, however, that “sustainability” is not synonymous with “survivability.” A sustainable enterprise does more than merely survive; it also successfully pursues its strategies and achieves its objectives.

It is also important to understand that sustainability does not equate to an absence of risk. In fact, bankers are in the business of taking risks; without risk, a bank ultimately ceases to operate. Enterprise risk management—and ultimately, sustainable risk management—must focus on identifying, appropriately assessing, reporting and mitigating those risks. That often can mean accepting certain risks or even capitalizing on them in order to seize an opportunity.

Known and Unknown Risks
A critical component of any ERM process is accurately identifying and assessing risk so that management can balance the risk against the potential reward correctly. Certain types of risks—recurring economic cycles, planned regulatory changes, shrinking margins, and fee restrictions, for example—can be foreseen with a fair degree of confidence. The risks themselves are fairly well-known; what is slightly less certain is their effect or intensity.

The more difficult challenge lies in identifying unknown risks—that is, categories of risk we may not even be aware of yet. Examples include demographic changes, new types of disruptive technology, the effects of global markets, emerging threats such as cybersecurity risks, catastrophic natural disasters, terrorist or criminal attacks, and vendor failures, to name a few.

Not only is it extremely difficult to assess the effects of such risks, it often is impossible to identify their coming existence. For example, few banks were prepared to mitigate the new types of fraud and security risks associated with Apple Pay and its competitors—because few in the industry anticipated their very existence. No one can know what will happen in the future. We only know that something will happen.

Warnings and Guardrails
Managing against unknown risk can be compared to driving down a mountain highway. The yellow lines that mark the lanes are comparable to a bank’s policies and procedures. They tell a bank how to operate to reach its objective.

A driver who veers outside those yellow lines typically will encounter a warning track or “rumble strips.” For a bank, those rumble strips are the key process indicators that management and boards monitor to detect if they are veering out of compliance or taking on unacceptable risk.

Beyond the rumble strips there are guardrails. Hitting the rails will cause some damage, but they are the last safety measure that keeps a car from going over the edge. These are comparable to regulatory penalties or enforcement actions: They can be costly and damaging, but often they are the last protection against failure.

These guides are like the major components of an ERM program. Monitoring and managing in response to them not only will help avoid failure but will minimize the risk of costly penalties while also helping to keep the bank moving toward achieving its goals.

Note, though, that there are still unknown risks and hazards, such as unexpected weather and blind corners. It is important to manage the predictable risks effectively in order to be ready to respond quickly to the unexpected hazards. If the bank already is veering outside its safety zone, even a small unforeseen hazard can have catastrophic results.

Sustainable Risk Management: A Cultural View
The highway analogy is illustrative, but it has an important limitation: It addresses only the systems, processes, and technical aspects of ERM. As crucial as these tools are, they are secondary in importance to the vital cultural foundation that must be present in order for ERM—and ultimately sustainable risk management—to be effective.

ERM cannot succeed without complete support from the board and C-suite. The board must be active in asking strategic questions to validate management’s focus on risk management, identify gaps in the system, and establish and support a formal structure for identifying, assessing, and addressing risks and opportunities.

Clear ownership of the effort is important, and the bank must appoint a high-level executive responsible for the ERM process and program. At the same time, though, all members of the organization must recognize their own particular responsibilities.

For example, managers in all areas should be encouraged to participate in identifying and discussing risk and should understand the bank’s tolerance for opportunity and related risk. In addition, employees at all levels and in all functions should understand what risks the organization will and will not accept as well as their own specific responsibilities for helping to manage and mitigate risks.

These responsibilities can range from simple and obvious roles such as protecting cash in teller drawers to more complex responsibilities such as maintaining customer satisfaction and competitive position. In short, ERM and long-term sustainability must become embedded in the bank’s culture at all levels and in all positions.

By moving to this next level of ERM maturity—a level where ERM is embraced actively and embedded deeply in the organization—it is possible to advance beyond compliance alone and begin to add genuine value to the organization through better allocation of resources, improved decision-making, greater transparency, a stronger reputation among all stakeholders, and, ultimately, long-term sustainability.

There’s a New Framework for Internal Controls: What Boards Need to Know


The COSO framework (COSO is the Committee of Sponsoring Organizations of the Treadway Commission) is used by most public companies when reporting on the effectiveness of their internal control over financial reporting in compliance with the Sarbanes-Oxley Act.

The organization, whose sponsoring members include the American Institute of CPAs and the Institute of Internal Auditors, released an updated version of its major guidance document in May of 2013, called Internal Control—Integrated Framework.

As a member of a bank board or audit committee, it is important to have an understanding of how these changes might impact your bank.

Banking regulators are putting more pressure on banks to diversify lending while simultaneously improving credit risk management and reporting, and they are also pressing banks to focus on IT security. The 2013 framework creates a more formal structure for designing and evaluating the effectiveness of internal controls by codifying the fundamental concepts associated with them. A set of 17 broad principles relating to internal controls, which were present but deeply buried in the earlier framework, now supplements the five components held over from the 1992 framework. These components and associated principles are:

  • Control environment
    • Demonstrates commitment to integrity and ethical values
    • Exercises oversight responsibility
    • Establishes structure, authority and responsibility
    • Demonstrates commitment to competence
    • Enforces accountability
  • Risk assessment
    • Specifies suitable objectives
    • Identifies and analyzes risk
    • Assesses fraud risk
    • Identifies and analyzes significant change
  • Control activities
    • Selects and develops control activities
    • Selects and develops general controls over technology
    • Deploys through policies and procedures
  • Information and communication
    • Uses relevant information
    • Communicates internally
    • Communicates externally
  • Monitoring activities
    • Conducts ongoing or separate evaluations
    • Evaluates and communicates deficiencies

Entities must demonstrate compliance with the principles associated with each component above to conclude that the component is present and functioning.

Also new to the 2013 framework are 75 points of focus that relate to external financial reporting. These specific considerations relate to each principle above (principles such as “assesses fraud risk”) and are important characteristics to consider in determining whether the corresponding principle is, in COSO’s terms, “present and functioning.” Not all points of focus need be met to conclude that a principle is present and functioning.

A key first step is determining how the 2013 framework will affect your internal controls’ design, documentation and evaluation. While many businesses have an abundance of transaction controls but gaps in other areas, banks—which operate in a regulated environment with frequent examinations—are more likely to have implemented many of the entity-level and monitoring controls that other companies lack. Still, since some of these controls may not have previously been identified as key SOX controls, additional documentation may be necessary.

Your staff should begin by matching existing documented controls with the new principles and associated points of focus. Next, they should compare each principle and point of focus to your existing controls to assess whether the controls are sufficient to conclude that each principle is present and functioning. A fair amount of judgment is involved in determining which controls address a specific principle or point of focus, and undoubtedly there will be many relationships between your existing controls and the COSO principles and points of focus.

If you can conclude that the principles are covered, no further analysis is necessary. But if it appears a principle isn’t covered, your staff should determine whether the unmet principle or point of focus is due to an entirely missing control—an activity the institution doesn’t perform—or an undocumented control. Many apparent gaps are often the result of missing documentation, not necessarily missing controls.

At this point, staff should determine whether undocumented controls should be formally documented as part of your bank’s SOX program or whether new controls are necessary to fill the gaps left by missing controls. This is an important point and should be considered carefully. Although your SOX program may be based on the 2013 framework, not all points of focus need to be covered by a key SOX control.

The process of mapping your internal control documentation to the principles and points of focus and mapping each principle and point of focus to your documented controls will help you evaluate your mix of control activities, the levels at which activities are applied, and segregation of duties. This exercise will determine how close you are to complying with the COSO 2013 framework—and put you on the path to full compliance.