What Enterprise Risk Management Means for Your Organization

Over the past decade, enterprise risk management (ERM) has become an established practice in virtually all large business organizations, including a majority of banks and other financial institutions. Regulatory expectations and the harsh realities of the recession combined to encourage financial services organizations to devote significant time and resources to implementing structured processes for assessing and mitigating risks as well as identifying and seizing opportunities.

According to the Committee of Sponsoring Organizations of the Treadway Commission (COSO), “Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

Today, commercial and academic surveys typically show that a majority of financial institutions either have a mature ERM program in place or are well on the way toward implementing one. For most bank directors and executives, the question no longer is whether they should implement ERM but rather how they should go about doing so and what they can do to make the effort worthwhile.

For many organizations, that means it’s time to move up to the next level of ERM maturity. At this new level, ERM is not merely accepted and established as an essential corporate function. Rather, it is actively embraced and deeply embedded into every aspect of the organization’s management and operation.

This distinction is important because it highlights a common misconception about the innate nature of ERM. To be truly effective, ERM should not be treated as a distinct and separate entity within the organization. It must be incorporated as an integral part of everything the institution does.

Sustainability: The Ultimate ERM Objective
When ERM is actively embraced in an organization, it can become much more than a defensive measure for managing immediate risk. It can live up to its full potential as a strategic tool that supports long-term growth as well as the enterprise’s continued sustainability.

With more than 500 bank failures since 2007, sustainability is an area of obvious industry concern. Even though the crisis years of 2008 to 2010 are fading memories, bankers cannot afford to take the survival of their institutions for granted. Effective enterprise risk management can help organizations stay focused on sustainability.

Note, however, that “sustainability” is not synonymous with “survivability.” A sustainable enterprise does more than merely survive; it also successfully pursues its strategies and achieves its objectives.

It is also important to understand that sustainability does not equate to an absence of risk. In fact, bankers are in the business of taking risks; without risk, a bank ultimately ceases to operate. Enterprise risk management—and ultimately, sustainable risk management—must focus on identifying, appropriately assessing, reporting and mitigating those risks. That often can mean accepting certain risks or even capitalizing on them in order to seize an opportunity.

Known and Unknown Risks
A critical component of any ERM process is accurately identifying and assessing risk so that management can balance the risk against the potential reward correctly. Certain types of risks—recurring economic cycles, planned regulatory changes, shrinking margins, and fee restrictions, for example—can be foreseen with a fair degree of confidence. The risks themselves are fairly well-known; what is slightly less certain is their effect or intensity.

The more difficult challenge lies in identifying unknown risks—that is, categories of risk we may not even be aware of yet. Examples include demographic changes, new types of disruptive technology, the effects of global markets, emerging threats such as cybersecurity risks, catastrophic natural disasters, terrorist or criminal attacks, and vendor failures, to name a few.

Not only is it extremely difficult to assess the effects of such risks, it often is impossible to identify their coming existence. For example, few banks were prepared to mitigate the new types of fraud and security risks associated with Apple Pay and its competitors—because few in the industry anticipated their very existence. No one can know what will happen in the future. We only know that something will happen.

Warnings and Guardrails
Managing against unknown risk can be compared to driving down a mountain highway. The yellow lines that mark the lanes are comparable to a bank’s policies and procedures. They tell a bank how to operate to reach its objective.

A driver who veers outside those yellow lines typically will encounter a warning track or “rumble strips.” For a bank, those rumble strips are the key process indicators that management and boards monitor to detect if they are veering out of compliance or taking on unacceptable risk.

Beyond the rumble strips there are guardrails. Hitting the rails will cause some damage, but they are the last safety measure that keeps a car from going over the edge. These are comparable to regulatory penalties or enforcement actions: They can be costly and damaging, but often they are the last protection against failure.

These guides are like the major components of an ERM program. Monitoring and managing in response to them not only will help avoid failure but will minimize the risk of costly penalties while also helping to keep the bank moving toward achieving its goals.

Note, though, that there are still unknown risks and hazards, such as unexpected weather and blind corners. It is important to manage the predictable risks effectively in order to be ready to respond quickly to the unexpected hazards. If the bank already is veering outside its safety zone, even a small unforeseen hazard can have catastrophic results.

Sustainable Risk Management: A Cultural View
The highway analogy is illustrative, but it has an important limitation: It addresses only the systems, processes, and technical aspects of ERM. As crucial as these tools are, they are secondary in importance to the vital cultural foundation that must be present in order for ERM—and ultimately sustainable risk management—to be effective.

ERM cannot succeed without complete support from the board and C-suite. The board must be active in asking strategic questions to validate management’s focus on risk management, identify gaps in the system, and establish and support a formal structure for identifying, assessing, and addressing risks and opportunities.

Clear ownership of the effort is important, and the bank must appoint a high-level executive responsible for the ERM process and program. At the same time, though, all members of the organization must recognize their own particular responsibilities.

For example, managers in all areas should be encouraged to participate in identifying and discussing risk and should understand the bank’s tolerance for opportunity and related risk. In addition, employees at all levels and in all functions should understand what risks the organization will and will not accept as well as their own specific responsibilities for helping to manage and mitigate risks.

These responsibilities can range from simple and obvious roles such as protecting cash in teller drawers to more complex responsibilities such as maintaining customer satisfaction and competitive position. In short, ERM and long-term sustainability must become embedded in the bank’s culture at all levels and in all positions.

By moving to this next level of ERM maturity—a level where ERM is embraced actively and embedded deeply in the organization—it is possible to advance beyond compliance alone and begin to add genuine value to the organization through better allocation of resources, improved decision-making, greater transparency, a stronger reputation among all stakeholders, and, ultimately, long-term sustainability.

Does Your Bank Need a Risk Committee?

The focus on the board’s role in managing risk has certainly been in the spotlight in the years following the financial crisis, with the regulatory bar raised regarding risk governance. While publicly traded institutions with more than $10 billion in assets are specifically required to establish separate risk committees of the board, many smaller banks are doing so as well. In March, Bank Director’s 2014 Risk Practices Survey found that more than half of institutions with between $1 billion and $5 billion in assets and 76 percent of those with between $5 billion and $10 billion in assets now govern risk within a separate committee. Data for institutions with less than $1 billion in assets was not collected.

When does a bank need a separate board-level risk committee? Despite the rising popularity of risk committees, many community banks have not taken this approach, but instead govern risk in the audit committee or as an entire board.

Regardless of size, banks with a more complex risk profile have a greater need to govern risk within a separate board-level committee. Not only does a more complex organization intrinsically have a more complex risk profile, its audit committee will be more heavily tasked, leaving less time to devote to risk management matters. In that situation, “the best case scenario is to have two separate committees,” says Jennifer Burke, partner at accounting and consulting firm Crowe Horwath LLP.

Jim McAlpin, partner at Bryan Cave LLP, believes it best to separate risk and audit responsibilities if the bank has qualified directors for both committees. “Not all boards have qualified directors for this,” he says. “Unless you have adequate capability on the board, it’s not helpful to have both committees.”

The ability of the board to place appropriate members on a risk committee is important, and having those skills mirror that of the bank’s audit committee may not be the best approach. The risk analysis process focuses on more than just financial risk and requires directors who can anticipate a variety of problems that could be faced by the institution. “It’s good to have directors with a compliance or risk background that are used to thinking outside of the box. The most beneficial aspect of the risk committee is anticipation,” he says. “The board can charge management to focus on areas where risks appear to be developing.”

He sees more banks bringing in new directors with these skills, and there is no shortage of qualified candidates. That said, larger institutions can better attract directors from outside the community and recruit for these skills, so risk and compliance expertise may not be found on the boards of smaller, less complex banks. “So far, the regulators understand this,” says McAlpin.

Generally, the more complex an organization is, the more likely the regulators will be to urge the establishment of a stand-alone risk committee. McAlpin recommends that a board look at how many different business lines the bank has, particularly in consumer-facing areas like mortgage lending. Over the past two years, scrutiny by the regulators on consumer compliance has grown significantly, he says, resulting in greater risk to the bank regarding these issues. Further risk analysis may also be required if the bank is involved in business lines that regulators deem to be unique or cutting edge.

The maturity of the bank’s risk management program could also dictate whether the bank is ready to establish a separate risk committee.

Crowe Horwath Partner Mike Percy says that a more mature and developed enterprise risk management (ERM) program will allow the board to better assess and monitor risk. Without the robust set of information provided through a mature ERM program, a risk committee won’t have much to contribute. “If you lead with [the risk committee] before the processes are mature, I think it just frustrates” board members, he says.

But McAlpin can see how a risk committee could precede development of an ERM program or the hiring of a chief risk officer. “The risk committee could be the body to take the steps of driving the hire of risk personnel or implementation of ERM,” he says.

A bigger bank is, typically, a more complex one, so banks with plans to grow, whether through organic means or by acquisition, may consider beefing up their approach to risk governance. Percy says that some regulators, notably the Office of the Comptroller of the Currency, consider risk committees to be a best practice for institutions approaching $10 billion in assets.

Burke says that a bank’s growth strategy should be considered when a board makes a decision to have a risk committee, and for those with a more aggressive growth plan a risk committee is a best practice. “You’re making changes, you’re growing [and] your strategy is different from what it’s been in the past,” says Burke.

Growth typically results in additional personnel, business lines and assets, particularly as the result of a merger, which could lessen the certainty that the board knows everything it needs to know, says McAlpin.

“An acquisition strategy is just an additional complexity,” adds Percy. Banks with an eye to grow, particularly those above $1 billion in assets, need the infrastructure in place to support a larger organization, which could include a chief risk officer, an ERM program and a board-level risk committee.

“This side of the banking crisis, the attention to risk is greater than it was,” says Percy. Whether governed within a separate risk committee, combined with audit responsibilities or addressed as a full board, the board, along with senior management, is responsible for setting the tone for risk governance.

The Financial Stability Board, an international regulatory agency based in Basel, Switzerland, released guidance in April (“Guidance on Supervisory Interaction with Financial Institutions on Risk Culture”) that details the elements of a sound risk culture within a financial institution. Though primarily intended for an audience of large, systemically important institutions, this report provides some basic tenets that can be applied to institutions of all sizes. A key element of a sound risk culture that is perhaps the most applicable to bank directors is the establishment of an “effective system of controls commensurate with the scale and complexity of the financial institution.”

In addition to a mature ERM program, this system of controls would include proper oversight by the board. McAlpin recommends that boards work with senior management to determine what areas of risk require the board’s focus. Independent analysis should play a role in these decisions. “If the board relies only on senior management, that’s a big mistake,” he says.

Can a Financial Institution Be Too Small for Enterprise Risk Management?

Historically, enterprise risk management (ERM) has been considered an endeavor for large financial institutions because these institutions represent a greater risk to the banking industry. Today, however, financial institutions of various asset sizes are being pressured or required to implement ERM.

Financial institutions that offer complex products and services, process large volumes of transactions, have extensive delivery channels, or have a high concentration of customers in one area warrant stronger ERM practices due to the higher level of risk posed. However, smaller institutions with a less complex business structure also face risks that might affect their ability to meet their strategic objectives.

Each financial institution is unique. An institution’s ERM program should be based on its risk profile, structure, products, risks and needs. An ERM program does not require extensive documentation or systems if the risk profile does not warrant it.

Financial institutions with less risky profiles can implement effective and efficient ERM practices by following four practical guidelines.

  1. Implement a corporate governance structure by establishing an ERM committee and developing a charter and policy. Institutions typically assemble an ERM committee comprising the president, CEO, CFO, chief operating officer, chief lending officer, compliance officer, and internal auditor. Others may be members as needed to provide specialized knowledge. The objectives of the committee are to centralize oversight of risk management activities; review effectiveness of risk management systems, practices, and procedures; and provide recommendations for improvement.

    The committee should meet regularly. In smaller financial institutions, this committee generally provides risk reporting to the board. The committee should develop a charter that addresses committee membership, authority, goals and responsibilities.

    Management should develop an ERM policy that identifies the institution’s risk management philosophy, its risk identification and assessment methods, and how it addresses and incorporates changes such as new or evolving regulations and new products or services. The policy should formalize the institution’s risk appetite and identify significant risk and performance indicators and their respective limits or acceptable ranges.

  2. Clearly define measurable strategic objectives aligned with the institution’s risk appetite. Management should align its strategic, financial, compliance and operations objectives with the institution’s risk appetite. When determining the institution’s risk appetite, management should consider events that have negative effects on the institution, such as underperforming customer service, as well as events that have positive effects, like offering new products or services. Often, there is a disconnect between an institution’s stated strategy and its risk appetite. If management’s strategy and objectives do not fit within the institution’s risk appetite parameters, the objectives should be revisited.
  3. Identify and monitor important risk and profitability indicators. The management team should identify 10 to 12 significant risk indicators to monitor the progress and successful mitigation of significant risk events that affect its ability to meet its objectives. This allows management to focus on the most significant risks. New and evolving risks also should be considered. The indicators should be specific to major risk events and strategic objectives, and they should be forward-looking. At the same time, management should identify 10 to 12 key performance indicators to monitor the successful achievement of the institution’s objectives. The performance indicators often are historic measures and should be monitored, updated and reported frequently.
  4. Foster an ERM culture. An institution’s culture is critical in achieving true risk management across the organization. Executive leadership should foster an enterprise-wide risk management environment in which the institution’s risk management philosophy is understood and supported, its risk methodology is adhered to, individuals are accountable for managing and addressing risks, and business is transacted within the institution’s risk appetite.

The Early Bird Gets the Worm
ERM is not a turnkey system or a one-size-fits-all program. It is a discipline that elevates risk management to a strategic level, using collective enterprise-wide processes and practices that manage risk and maximize opportunities to achieve objectives. No financial institution is too small to implement a practical ERM program. Those that proactively identify and respond to risks and opportunities will have a competitive advantage over their peers in responding to the ever-changing business environment, and will be more likely to develop a nimble, adaptable and sustainable long-term strategy for success.

Expert Panel: What Mistakes Do Banks Commonly Make?

Bank Director’s Western Peer Exchange October 24-25 in San Francisco is an inaugural event to get bank leaders west of the Mississippi to engage with each other on the issues that matter most to them, hopefully solving problems at their banks and making connections that can help them well into the future. As Bank Director gets ready for the peer exchange, we asked the experts who plan to attend what advice they could offer on mistakes they see banks make.

If you could correct one mistake you see banks commonly make, what would it be?

Denial. It’s one of the biggest mistakes banks commonly make. Leading up to the recent financial crisis, many banks were in denial about their commercial real estate concentration risks, and then during the financial crisis many banks continued to be in denial about the ever-decreasing value of their other-real-estate-owned (OREO) and real estate loan portfolios. It is true that the lessons from the financial crisis have made banks cautious. But caution is different from denial. Many banks remain in denial about weaknesses in their Bank Secrecy Act policies (a hot issue for their bank regulators) or about the need to bolster noninterest income (a hot issue for their successful competitors) or about their president’s excessive compensation (a hot issue for their activist shareholders). The devil isn’t in the details; the devil is in the denial.

—Barbara S. Polsky, Manatt, Phelps & Phillips, LLP

Conversations about compensation often begin with the question, “What are other banks doing?” rather than, “Given our specific strategy and goals, how can we best structure our programs to motivate the right behaviors and drive performance?” Our firm encourages clients to look to their compensation strategy first. High-performing banks are often characterized by clear, straightforward compensation programs based on a strong compensation philosophy that drives business results. Knowing what other banks are doing through competitive data then helps to generate ideas, establish pay levels and provide a reference point for ensuring your pay designs are within the bounds of market practices.

—Laura Hay, Pearl Meyer & Partners

A common mistake among community banks is assuming the implementation of an enterprise risk management (ERM) process is an expensive proposition that lacks the benefits to warrant the cost. Certainly there are a number of expensive software solutions that provide the sticker shock to warrant this concern; but, the reality is most community banks are embarking on the ERM implementation path without using purchased software. We estimate that 80 percent of what is needed for an ERM program already exists at your institution. So banks are supplementing existing processes and procedures with a risk committee comprised of members across the organization, considering all potential risks—not just those in traditional risk assessments—and developing reporting for the board that is easily understood, timely and responsive to the bank’s significant and emerging risks.

—B. Gabe Nachand, Moss Adams LLP

Bankers are conservative by nature, and the credit crisis served as a stark reminder why they should be. Still, many banks—particularly smaller, community banks—are reluctant to take advantage of strategic opportunities that could significantly enhance shareholder value. FDIC-assisted transactions have been one of the most sure-fire ways to boost size, income, and franchise value during the downturn, yet we generally see the same large, serial acquirers taking advantage of these deals. In addition, there is no better time to be an acquirer than right now, when valuations are near all-time lows. Undoubtedly, larger banks command significant valuation premiums today, so growing the balance sheet and broadening a bank’s footprint through strategic acquisitions or effecting a strategic merger should be discussed seriously between management and the board. Too many healthy banks are content to sit on the sidelines without taking advantage of this unique period in banking.

—Steven D. Hovde, Hovde Group, LLC

Postcard from the 2013 Bank Chairman/CEO Peer Exchange

It was cold and rainy in Chicago in early April when a group of bank chairmen, directors and CEOs gathered to compare strategies, share problems and swap stories—fitting weather for an industry that is feeling the deep chill of margin compression and rising capital requirements.

This was the fifth year Bank Director has held the Bank Chairman/CEO Peer Exchange, which is built around a small number of presentations and three peer exchange sessions where the participants (representing 43 institutions) were able to share their thoughts in a private, off-the-record setting. And if I came away with one overriding impression, it’s that the attendees are determined to run successful organizations regardless of the challenging business climate they must operate in.

And the operating environment for banks is very challenging, to be sure. In a comprehensive review of the state of the industry, Stifel Vice Chairman Ben Plotkin laid out a good-news bad-news scenario. The good news: Improved profitability (due to under-provisioning for loan loss reserves, so this might be bad news for the future), a strong revenue flow from home mortgage lending, capital levels that are at a 70-year high and a significant improvement in bank valuations. The bad news: Slow economic growth and slow loan growth (which typically go hand-in-hand), increased regulation and net interest margin compression.

While the sessions were confidential, I think I can share a couple of things that came out of the three peer exchange sessions that I sat in on.

  • The directors and CEOs embraced the concept of enterprise risk management (ERM) as a risk mitigation tool rather than because regulators are forcing them to adopt it (although the bank regulatory agencies are big ERM proponents). Many of the attendees have also hired chief risk officers and set up risk committees. One CEO described ERM as a profit enhancement tool since every dollar saved through risk mitigation falls pretty much to the bottom line.
  • Many of the banks have responded to the margin pressure by expanding their lending activities into (for them) new areas. Examples include municipalities, mortgage warehouse funding, auto loans (including something that sounded very much like subprime), hotels (so-called non-destination hotels rather than resorts) and franchise companies. The point is that they are experimenting with new loan categories in an effort to protect their net interest margins, particularly since C&I lending has become extremely competitive. One participant commented that C&I loan pricing has become so irrational (both in terms of loan rates and duration) that he wondered if some bankers learned anything from the financial crisis.
  • Most of the participants seemed to have adopted a stoic attitude toward regulation. Many of them feel that they are overregulated, but they don’t waste a lot of time complaining about it because compliance is not optional. It is better to focus on something they can have a positive impact on, like margin compression.

The most poignant session was unquestionably a joint presentation by Citizens Republic Bancorp CEO Cathy Nash and Chairman Jim Wolohan. Citizens was acquired by FirstMerit Corp. last fall—in fact, the deal closed on April 12—after a long, tough fight by Nash, Wolohan and Citizens’ executive management team and board to recover from wounds inflicted by the recession. The bank had regained profitability and was making good progress on its long-range strategic plan, but the FirstMerit deal gave Citizens’ shareholders a quicker payoff than the board and management would have been able to deliver. That’s a difficult position for any board of any target company. Whose interests do you put first, those of your shareholders, or management and the board?

“You do what’s best for the shareholders,” said Nash.

While Nash and Wolohan are not staying on with FirstMerit, I think they are two very talented and highly principled individuals who will resurface in major roles very soon. Cream always rises to the top, as the old saying goes.

Enterprise Risk Management: What it Is and How to Do It

Enterprise Risk Management (ERM) is a hot news item. Everyone is writing about it—from the Harvard Business Review, to regulatory examiners’ guidance, to consulting firms, to The New York Times. ERM seems to be the newest panacea created to protect the financial markets from themselves. However, it isn’t a magic pill. Nor is it as simple as implementing a policy or assigning responsibilities to one individual and yielding immediate success and benefits. It is an all-encompassing cultural shift—where an institution’s management and employees embrace the concept that the institution has risks and that the internal identification of those risks, by everyone at every level of the institution, is key to the proactive management of the institution’s risks.

A recent Deloitte study defined a successful ERM program as follows:

[A]n ERM program is meant to set the overall framework and methodology for how a company manages risks. ERM provides an institution with the tools to clarify its risk appetite and risk profile, and to evaluate risks across the organization. By adopting a comprehensive approach to risk identification and assessment, ERM can help identify many dependencies or interrelationships among risks that might otherwise go unnoticed. 

When building an ERM program, the focus should be on providing executive management and the board of directors the information they will need to guide their institution towards longer-term strategic goals.

Benefits of an Effective ERM Program

As the familiar saying goes, “knowledge is power.” The board has a responsibility to safely guide and provide the necessary oversight to ensure that the strategic plan of the institution is successfully achieved. A comprehensive ERM program should provide the board and executive management with necessary and timely information on the institution’s risks, so that they can make decisions and provide proactive supervision.

It should also provide a singular focus on the institution’s risk profile and strategic plan, forging a common direction for the institution’s management team. 

Tying ERM to the Institution’s Strategic Direction

To quote a less familiar saying, “[P]ast performance is not indicative of future performance.” Just because examiners have not found a problem does not mean one does not exist, or that the environment is not right for something to go wrong in the future. Indeed, Nassim Taleb, Daniel Goldstein and Mark Spitznagel, authors of the Harvard Business Review article “The six mistakes executives make in risk management,” identify reliance on past performance as one of the six mistakes executives make in risk management. In our ERM programs, we need to focus on the future likelihood and impact of a risk.

We know intuitively that a person crossing a road blindfolded 10 times without being hit by a car does not mean this success will continue. Many factors besides past performance will play into future performance. Just for a moment, think about what would happen to this person if he or she continued to cross that road blindfolded because there had been no issues in the past. How complicit would you be in the ultimate result if you failed to point out that in the past this person was crossing the road at midnight, and he or she was now getting ready to cross at rush hour? The blindfolded person did not have the necessary information to make an informed decision. Effective ERM can provide the information from which informed decisions can be made about future risks and strategic impact.

There are many situations like crossing a road blindfolded that we instinctively know are risky. However, there are many circumstances where the impact of risks is not immediately apparent, making them harder to tease out. As a board member, you must be provided with the necessary information and data to holistically understand the interconnectivity of risks and the impact of individual risks on the overall risk picture. Sponsoring an ERM program that is built around a singular framework tied to the strategic plan and risk appetite, as opposed to reviewing risk reports individually by risk discipline, will provide you with the information in a way that can be easily and systematically included in the strategic planning process. It may be a data challenge at first, but one that will reap huge rewards when you have consistent information to serve as a foundation for decision-making.    

The success of an ERM program is driven in large part by board support. When board members expect ERM efforts to focus on longer-term strategic plans and the success of the institution, they foster a coalition of support for building an effective ERM program. Employees and management participate more readily in efforts to collect complete, reliable, current data that will ultimately allow the board to provide the necessary guidance and oversight for the institution. 

If you take this strategic approach to ERM, risk management can provide that long-term check on potential short-term operational decisions and shift the culture so that meeting long-term strategic objectives while staying within the risk appetite is intuitive. This approach will make ERM an integral part of the success of the business, and more importantly, may provide that “panacea” that people are looking for. 

What ERM Is Not

It is equally important to understand what an ERM program is NOT. If the following are in place at your institution, you should NOT mistake them for a comprehensive, proactive ERM program similar to the one identified by the Deloitte definition:

  • Risk-based audit plan
  • Compliance testing program
  • Disaster planning program
  • ALCO (asset-liability) committee
  • SOX (Sarbanes-Oxley) compliance program
  • Checks and procedures in place solely to meet regulatory requirements with no connection to strategic planning
  • Individual risk assessments for requirements such as BSA (Bank Secrecy Act), fair lending, security, etc.

Individually, none of these represent an ERM program. However, when aggregated in a common framework across all risk disciplines with a singular goal, they become the basis for a solid ERM program. 

Singular Framework

It is not enough to just identify your risks. You also need a way to understand the impact of these risks on the organization, consistently across risk disciplines and across business lines. To understand impact, you need to be able to measure, compare and prioritize individual risks regardless of whether they are an IT risk or a liquidity risk. 

If every risk discipline had its own processes, definitions and best practices, it would be almost impossible to understand the true risk of an activity, decision or product. Different reporting structures, definitions and even color indicators can make it difficult for the board to compare a highlighted risk from the ALCO committee to another raised by the audit committee, for example.

It will likely be difficult to create a framework that is consistent yet flexible enough to apply to multiple unique risk disciplines. However, support from the board and a tie-in to the strategic plan and risk appetite will help push this forward.

While it may be difficult to create a consistent framework for uniformly tracking risks across disciplines, what has been consistent is regulators’ expectation that such a framework be in place. Regulators are now regularly asking questions to determine whether an ERM program is a “true” ERM program. They want to know whether an ERM program spans all risk disciplines and accounts for the interconnectivity between the different risk disciplines and individual risks. Creating this type of program does not happen overnight. There are many issues that need to be dealt with to be able to operate within a singular framework. The board should require risk discipline owners to develop and report through a singular framework. This framework needs:

  • Consistent definitions and language
  • Unvarying scoring/rating definitions (i.e., a $10,000 impact and a $1,000,000 impact should probably not have the same coding in reports just because one comes from finance and the other from compliance)
  • Common formats for assessing risk to make it easier for the business owners
  • Ability to know if an information technology risk is also a compliance, strategic and operational risk, to better understand the true impact to the institution.

The Deloitte study found that the biggest impediments to thoroughly implementing an ERM program are gathering and managing data across the institution through the use of a consistent framework and embedding the processes, data and framework into the everyday workings of an organization.

The essence of the culture shift is this: embedding risk-reduction processes into day-to-day business activities, as opposed to merely thinking about potential risks. Enhanced reporting on risk-related data supports this goal and is imperative for decision making and supporting strategic planning. To get to this data, and for it to make any sense, it is important that all risk disciplines are utilizing the same risk management framework. If different frameworks are used, several things can happen. First, individuals can spend days, or their whole job, just transforming data and creating reports. Second, decisions could be made based on data that appear to be comparable but, due to definitional and scoring issues, are not. Neither is effective or efficient.

What to Do Next

Currently the “accepted” theory on risk management is that it needs to be a “top-down” approach. The board and executive management must discuss and agree on a business strategy and a risk appetite. Then this information is “pushed down” into the organization through “control groups” like ERM, compliance, EM, etc. While ERM needs to start at the top, it cannot be “pushed down” until there is a cultural shift within the organization that alters the mindset of the entire organization regarding the role of risk management.   

This is most successful when implemented as a circular process, where each individual is important and responsible for understanding and managing risks. The board and executive management need to say that risk management is important, define the risk appetite, provide investment where necessary to reduce risks, and make it apparent that they view ERM as everyone’s job, not just the job of the chief risk officer. The risk discipline leaders need to translate this risk appetite, create a process to identify and assess risks and work directly with the various operating divisions to evaluate how their businesses and decisions compare to that risk strategy. Decisions are made continually based on this information. The risk staff report back to the board and executive management on the program and overall institutional risk, which rounds out the process.

Step 1:  Review, update, and approve strategic plan

Step 2:  Work with executive management and risk leaders to ensure the strategic plan is translated into a risk appetite statement that the board approves.

Step 3:  Ensure the risk discipline leaders, not just executive management, understand both the strategic plan and the risk appetite. 

Step 4:  Ask the risk discipline leaders and ERM (if you have a designated individual) to demonstrate that the ERM and individual risk programs have incorporated your strategic plan and risk appetite into their programs.

Step 5:  Risk discipline leaders should present a singular framework for future ERM reporting to the board.

Step 6:  Conduct a brainstorming session that identifies emerging or major risks that could keep the institution from meeting strategic objectives. ERM incorporates this into the risk assessment program.

Step 7:  Reporting is updated and augmented to ensure that the board understands the highest profile risks, how they interconnect between the different risk types, their potential impact on the institution, and mitigation plans and responsibilities, etc.

“New Language” and Your Questions to Ask

  1. Key Risk Indicators (KRIs): Ratios or data points that alert you to potential problems/risks that should be investigated.
  2. Key Performance Indicators (KPIs): Ratios or data points that help you measure the success of the institution’s ERM program and/or strategic plan implementation.
  3. Inherent Risk: The base risk that exists by being in business, without your institution’s programs or controls in place. It is beneficial for the board to understand which risks have very high inherent risk so that they can ensure the proper resources are allocated to control those risks.
  4. Residual Risk: The controlled risk that exists after taking into account your ERM and other management programs. In most cases this is the most important “score” for the board to review and understand.
  5. Risk Disciplines: A generic term for IT, audit, compliance, operational, PR, finance/treasury and other operational areas that actively manage the institution’s risk profile.
  6. Risk Assessment: The process to identify and score the impact of a risk happening and the likelihood that it will.  
  7. Risk-Based Audit: An overall understanding of the risks of an institution so that an audit calendar can be created that focuses audit resources on the highest areas of risk for the institution.
  8. Compliance Risk Assessments (BSA, Fair Lending, etc.): Detailed risk assessments that are required by regulation and/or law on a specific topic defined by a regulation.  
Program Questions

  • We have a risk management program in place. How does the board know if the program is providing timely, valuable information upon which informed decisions can be made?
  • Are your bank’s strategic plan and risk appetite statements driving your ERM program, or does it seem to be an exercise in regulatory paperwork? 
  • Are your auditors auditing your ERM program or performing your risk management function? If they are performing it, who is auditing it?
  • Have you correlated any of the risks and do you understand the overall impact of a singular risk to your institution, regardless of whether it is IT, compliance, finance, etc.?

Risk Scoring/Reporting Questions

  • What does “red,” “4,” “high risk” really mean?
  • How does your program remove “high risks” from the reports?
  • Are people/divisions penalized for noting a “high risk”?
  • Do we have any key risk indicators that tell us we may need to become more concerned with these risks?
  • How do these ratings translate into “impact” to the institution (i.e., not achieving our strategic plan or going outside of our risk appetite)?
  • Who manages the medium or low risks to ensure they don’t become high risks?
  • How often do you update your risk scoring? (Annually is typically good for community banks.)
  • Who participated in the scoring of the risks? (More than the person responsible for the risk should be involved in scoring.)

Day-to-Day Management Questions

  • Is the business leader held responsible for the risks in their business?
  • Do your risk discipline leaders work together to identify, assess and manage risk across the institution?
  • Does all management take the risk assessment and management process seriously and consider it part of their job?
  • If issues (surrounding key risks) are identified and action plans put in place, do we hit our dates and have involvement by the entire team necessary to act?
  • Are the proper resources allocated to ensure the institution can manage ERM and provide relevant data to the appropriate individuals for decision making?

What To Do About Risk Management When There Are No Clear Answers

For American Community Bank & Trust, a $590 million-asset institution located about 70 miles north of Chicago in McHenry County, Illinois, enterprise risk management (ERM) has steadily become a part of the culture and dialogue throughout the organization. Chief Executive Officer Charie Zanck admits that it will still require continual improvement over time, but she knew she had to start somewhere.

A common theme throughout this year’s Bank Chairman/CEO Peer Exchange event was the topic of enterprise risk management and what exactly that means to today’s financial institutions. While many bank leaders are finding the term difficult to define, it is clear that the Federal Deposit Insurance Corp. will be focusing heavily on risk management processes, and not just for the publicly traded and/or larger banks.

After much research and calls to the regulators, Zanck had come up empty in her quest to define what ERM was and what the industry standard best practices were for her to build upon at her institution. What she discovered was that it wasn’t easy, or simple, and there was no hallmark case or standard process. Now what?

Although it was hard to get started, Zanck knew that the old siloed or isolated approach to managing risk wasn’t going to work anymore. So she began to build out her own processes for assessing the risks in her organization, identifying the bank’s risk appetite in conjunction with the board, putting controls in place and determining how to best measure those risks.

American Community Bank & Trust ended up changing the way it looks at risk and has begun to apply those processes not only to specific areas such as IT or vendors, but also to its strategic and growth decisions. For example, when the management team wants to introduce a new product into the marketplace, it must first get the approval of the ERM committee, which looks at it from all different perspectives and asks the tough questions. That is the essence of enterprise risk management, and no one person can do it all, Zanck said. It requires a team of people from compliance, operations and senior management to fully assess the risk to the entire organization. Zanck then reports the findings to the board and audit committee.

Unfortunately, the regulators weren’t much help to Zanck despite their new mandate to monitor her organization’s risk. She sympathized with her fellow bankers, noting that this was why it was such a difficult process for her and her team. If the banks don’t figure ERM out for themselves, then it will surely get decided for them. The question is by whom?

What Today’s Bank Boards Are Worried About

Unknown regulatory impact, slow economic recovery and increased risk of liability have created a tough environment for even the most skilled director of a financial institution to navigate. This year’s Bank Chairman/CEO Peer Exchange hosted by Bank Director in Chicago this past week provided an opportunity for today’s banking leaders to gather for candid discussions on topics ranging from risk oversight to managing the CEO-board relationship.

Over the course of a day and a half attendees representing banks of all asset sizes from across the country met in small peer groups to challenge and support each other on the top issues keeping them up at night. The results of those sessions formulated a theme throughout the event that reflected the need for more skilled management, risk management processes, and a solid strategic plan.

Strong Management & Stronger Boards

During his industry overview presentation, John Duffy, Chairman & CEO of Keefe, Bruyette & Woods Inc., reminded the audience that the cause of many bank failures could be traced back to a dominant CEO and a compliant board, a correlation not lost on the majority of attendees as they shared their desires to cultivate a strong leadership team and board of directors.

With so many new regulations, directors fear that their management team doesn’t have the right skills, talent or vision to take their institutions through the fire. Where there is a lack of strong leadership, board members are struggling to find the discipline to ask the tough questions. As a fundamental role of the board, attendees expressed the need for processes and shared best practices for dealing with these sensitive personnel issues.

The Risks of Risk Management

In a peer exchange summary session, Paul Aguggia, partner of Kilpatrick Townsend & Stockton LLP, noted that many bank leaders are not insensitive to the importance of risk management. They have embraced the need to implement processes and procedures to better manage their institutions’ risks; however, several have expressed frustration with the lack of industry standard ERM best practices and instead have found themselves slaves to ratios and quantitatively driven requirements. Boards are looking for direction from the government and finding none that emphasizes process rather than a list of common risks.

In addition, bank executives are trying to determine the role of a risk manager, what qualities they should look for in a candidate and whom that person reports to in the organization. With regulatory and fraud risk top of mind for today’s directors, many community bankers are still worried that they won’t be able to compete in a marketplace impacted by this latest round of rigorous regulations.

Prove You Planned It

Financial institutions are not going to be as profitable as they once were, and as a result, their approach to business is going to have to change, noted Jim McAlpin, partner for Bryan Cave. A solid strategic plan is not only something today’s bank boards are reevaluating; regulators are, too. Today’s examiners are spending more time looking at strategic planning to determine what that institution will be doing over the next five years. Bert Otto, deputy comptroller, central district, for the Office of the Comptroller of the Currency, asked the group to look at their strengths, focus on what they do best, perform the proper due diligence, and document that plan thoroughly.