Over the past decade, enterprise risk management (ERM) has become an established practice in virtually all large business organizations, including a majority of banks and other financial institutions. Regulatory expectations coupled with the harsh realities of the recession combined to encourage financial services organizations to devote significant time and resources to implementing structured processes for assessing and mitigating risks as well as identifying and seizing opportunities.
According to the Committee of Sponsoring Organizations of the Treadway Commission (COSO) “Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
Today, commercial and academic surveys typically show that a majority of financial institutions either have a mature ERM program in place or are well on the way toward implementing one. For most bank directors and executives, the question no longer is whether they should implement ERM but rather how they should go about doing so and what they can do to make the effort worthwhile.
For many organizations, that means it’s time to move up to the next level of ERM maturity. At this new level, ERM is not merely accepted and established as an essential corporate function. Rather, it is actively embraced and deeply embedded into every aspect of the organization’s management and operation.
This distinction is important because it highlights a common misconception about the innate nature of ERM. To be truly effective, ERM should not be treated as a distinct and separate entity within the organization. It must be incorporated as an integral part of everything the institution does.
Sustainability: The Ultimate ERM Objective
When ERM is actively embraced in an organization, it can become much more than a defensive measure for managing immediate risk. It can live up to its full potential as a strategic tool that supports long-term growth as well as the enterprise’s continued sustainability.
With more than 500 bank failures since 2007, sustainability is an area of obvious industry concern. Even though the crisis years of 2008 to 2010 are fading memories, bankers cannot afford to take the survival of their institutions for granted. Effective enterprise risk management can help organizations stay focused on sustainability.
Note, however, that “sustainability” is not synonymous with “survivability.” A sustainable enterprise does more than merely survive; it also successfully pursues its strategies and achieves its objectives.
It is also important to understand that sustainability does not equate to an absence of risk. In fact, bankers are in the business of taking risks; without risk, a bank ultimately ceases to operate. Enterprise risk management—and ultimately, sustainable risk management—must focus on identifying, appropriately assessing, reporting and mitigating those risks. That often can mean accepting certain risks or even capitalizing on them in order to seize an opportunity.
Known and Unknown Risks
A critical component of any ERM process is accurately identifying and assessing risk so that management can balance the risk against the potential reward correctly. Certain types of risks—recurring economic cycles, planned regulatory changes, shrinking margins, and fee restrictions, for example—can be foreseen with a fair degree of confidence. The risks themselves are fairly well-known; what is slightly less certain is their effect or intensity.
The more difficult challenge lies in identifying unknown risks—that is, categories of risk we may not even be aware of yet. Examples include demographic changes, new types of disruptive technology, the effects of global markets, emerging threats such as cybersecurity risks, catastrophic natural disasters, terrorist or criminal attacks, and vendor failures, to name a few.
Not only is it extremely difficult to assess the effects of such risks, it often is impossible to foresee that they will arise at all. For example, few banks were prepared to mitigate the new types of fraud and security risks associated with Apple Pay and its competitors, because few in the industry anticipated that such services would exist. No one can know what will happen in the future. We only know that something will happen.
Warnings and Guardrails
Managing against unknown risk can be compared to driving down a mountain highway. The yellow lines that mark the lanes are comparable to a bank’s policies and procedures. They tell a bank how to operate to reach its objective.
A driver who veers outside those yellow lines typically will encounter a warning track or “rumble strips.” For a bank, those rumble strips are the key process indicators that management and boards monitor to detect if they are veering out of compliance or taking on unacceptable risk.
Beyond the rumble strips there are guardrails. Hitting the rails will cause some damage, but they are the last safety measure that keeps a car from going over the edge. These are comparable to regulatory penalties or enforcement actions: They can be costly and damaging, but often they are the last protection against failure.
These three guides correspond to the major components of an ERM program. Monitoring and managing in response to them not only will help avoid failure but will minimize the risk of costly penalties while also helping to keep the bank moving toward achieving its goals.
Note, though, that there are still unknown risks and hazards, such as unexpected weather and blind corners. It is important to manage the predictable risks effectively in order to be ready to respond quickly to the unexpected hazards. If the bank already is veering outside its safety zone, even a small unforeseen hazard can have catastrophic results.
Sustainable Risk Management: A Cultural View
The highway analogy is illustrative, but it has an important limitation: It addresses only the systems, processes, and technical aspects of ERM. As crucial as these tools are, they are secondary in importance to the vital cultural foundation that must be present in order for ERM—and ultimately sustainable risk management—to be effective.
ERM cannot succeed without complete support from the board and C-suite. The board must be active in asking strategic questions to validate management’s focus on risk management, identify gaps in the system, and establish and support a formal structure for identifying, assessing, and addressing risks and opportunities.
Clear ownership of the effort is important, and the bank must appoint a high-level executive responsible for the ERM process and program. At the same time, though, all members of the organization must recognize their own particular responsibilities.
For example, managers in all areas should be encouraged to participate in identifying and discussing risk and should understand the bank’s tolerance for opportunity and related risk. In addition, employees at all levels and in all functions should understand what risks the organization will and will not accept as well as their own specific responsibilities for helping to manage and mitigate risks.
These responsibilities can range from simple and obvious roles such as protecting cash in teller drawers to more complex responsibilities such as maintaining customer satisfaction and competitive position. In short, ERM and long-term sustainability must become embedded in the bank’s culture at all levels and in all positions.
By moving to this next level of ERM maturity—a level where ERM is embraced actively and embedded deeply in the organization—it is possible to advance beyond compliance alone and begin to add genuine value to the organization through better allocation of resources, improved decision-making, greater transparency, a stronger reputation among all stakeholders, and, ultimately, long-term sustainability.