Dos and Don’ts of Risk: 10 Ways to Handle Risk on a Bank Board

Lots of banks say they have enterprise risk management programs in place, but many do not actually have a full program. Others are just getting started.

“You hear the regulators want it, but that’s not the reason to do it,” said Ed Burke, who is on the board of Beacon Federal Bancorp in East Syracuse, New York, a $1 billion-asset institution that is getting started creating a program. “It will cut down on risk and we’re in the risk business.”

Here are 10 tips for getting started on or enhancing an enterprise risk program. Much of this list is owed to Christina Speh, director of new markets, enterprise risk management, at Wolters Kluwer Financial Services in Washington, D.C., as well as other speakers at Bank Director’s Bank Audit Committee conference in Chicago in June.

  1. Do get started. If you don’t have a complete enterprise risk management program in place, have a plan on how you’ll get there.
  2. Do set an appetite for risk inside your organization. A risk matrix is advisable.
  3. Do ask questions about future or emerging risks. What is not on the agenda that might happen? What hasn’t happened in the past but might in the future?
  4. Don’t let management set the agenda. The board sets the agenda for risk appetite and asks the hard questions about the organization’s potential risks.
  5. Do make sure that managers from different departments are getting together and creating a unified approach to measuring risk.
  6. Do make sure the organization’s appetite for risk is ingrained in the strategic planning process.
  7. Do make sure your executive compensation structure takes into account the organization’s appetite for risk.
  8. Don’t let management pile too much paperwork on the board. Insist on periodic, easy-to-understand executive summaries of the organization’s risks. Each executive summary should address what the risks are, what their potential impacts are and what assumptions underlie the assessment.
  9. Don’t let the person who created the risk management framework be the one who audits it. Review of the framework should be independent of its design.
  10. Do ask how the organization’s appetite for risk is being conveyed and monitored throughout the organization.

Enterprise risk management: what it is and what to do about it

When the Federal Deposit Insurance Corp. sued Washington Mutual’s executives in March over the bank’s failure, the government’s lawyers said they “took on enormous risk without proper risk management,” marginalized the chief risk officer, and pursued an aggressive lending policy despite being warned against it.

In part because of the financial meltdown at banks such as WaMu, regulators and bank boards are more interested in how risk is handled throughout an organization.

About 78 percent of financial institutions have adopted some kind of enterprise risk management program, according to the 2011 Deloitte Global Risk Management Survey, up from 36 percent who said so in the 2009 survey.

Regulators are asking more questions about what bankers are doing about risk, and more banks are starting the process of implementing an enterprise-wide program, according to speakers at Bank Director’s Bank Audit Committee conference in Chicago June 13-15.

Enterprise risk management is about more than just insuring against known risks. It’s about what could happen in the future that you don’t even know about, said Pat Langiotti, chairman of National Penn Bancshares’ enterprise-wide risk committee in Boyertown, Pennsylvania.

“What are you not monitoring? What is not on the agenda that could happen and what would the impact be, and what are we doing about that?” she said. “What risk are you taking and is there a reward for taking on that risk that’s adequate to the risk?”

Enterprise risk is about assessing all the risks of the institution, from operational to information technology to reputational risk, on an ongoing basis; establishing an appetite for risk; and making sure conformity to that risk appetite is monitored and pervades the institution.

Some banks, such as National Penn Bancshares, a $9.4 billion-asset publicly traded bank in Boyertown, Pennsylvania, have a separate risk committee of the board that takes responsibility for the enterprise risk management program, while others handle it through the audit committee.

“I don’t think a risk committee is operating to make sure there’s no risk,” said Tony LeVecchio, the audit committee chairman of ViewPoint Financial Group, a $2.8 billion publicly traded bank in Dallas, Texas. “It’s more of an understanding of what risk you’ve agreed to take. What you don’t want is to find out ‘oh my goodness, I didn’t know we had a risk here?’”

The risk appetite has to be factored into the bank’s strategic planning, said Christina Speh, director of new markets, enterprise risk management at Wolters Kluwer Financial Services in Washington, D.C.

“There is nothing more frustrating than having a process and spending energy and time on something that doesn’t do anything,” she said. “If you have no idea how this fits into your strategic plan, it’s possible you’re just doing paperwork for regulatory agencies.”

“At the end of the day, the reason you’re doing this is because you want to ensure your bank is successful and meets your strategic plan,” she said. “You have a plan and you want your bank to reach this in five or 10 years. But how do you get there? And how do you put processes in place to make sure that if risks are realized, you’re able to handle that?”