Enterprise Risk Management: Implementation Is Just the Beginning

 By Keith Monson


Q: I’m hearing a lot about Enterprise Risk Management (ERM), and it’s something we’d like to pursue at our institution — particularly with the additional risk oversight coming from regulators. Can you offer tips on how to begin?

A: You’re right: Regulators are looking for this approach, and view favorably anything banks can do to be proactive toward risk.

As most of us now know, the Office of the Comptroller of the Currency (OCC) established eight risk categories: credit, interest rate, liquidity, price, operational, compliance, reputation and strategic. To truly manage risk, banks must meet regulators’ and examiners’ expectations of viewing these categories collectively as interactive parts that affect each other — the benchmark of the ERM approach.

Keep in mind that when it comes to managing risk, there is no one-size-fits-all model — your program should depend on your institution’s size, resources and level of complexity.

And before you implement ERM, plan out the critical parties that must be involved in the process.

Who Has a Seat at the Table?
You can’t properly launch a risk assessment before first identifying who should hold a seat at the table and determining their roles. And you might as well start with the party on whose shoulders the responsibility rests: your board of directors. The board ultimately carries the burden for a bank’s actions — to the point they could be found personally liable for exceptionally poor results — so they must be aware of the institution’s risks and any major changes to them. To that end, it’s important to get the board’s buy-in on an ERM approach at the outset. They will review and approve risk assessment results and ensure management takes action to remedy matters requiring attention.

Another group that’s integral to the ERM process is senior management, who will develop and implement the ERM process through policies and procedures, and hold employees and business units accountable for their respective actions.

It’s vital to the organization for senior management to set the tone for the risk philosophy and champion the ERM program. In fact, according to the Committee of Sponsoring Organizations of the Treadway Commission (COSO), a private organization dedicated to providing guidance and frameworks on ERM programs, an institution’s chief executive officer “is ultimately responsible and should assume ownership over the implementation of ERM.” Though the regulators place ultimate responsibility with the board, it is essential that the CEO and senior management undertake a leadership role in ERM. While banks and their directors must maintain compliance with regulations, they should be familiar with COSO’s valuable guidelines as they move toward ERM.

Next, your CEO should designate a management-level individual, or committee, to take the lead in the overall collection of risk data, as not all institutions can or will appoint a chief risk officer. Also, while some banks or credit unions appoint their auditor to this role, sound judgment dictates that the audit function remain independent from this role in order to maintain objectivity toward risk. Risk is a management function and should be used to supplement the audit schedule.

Then, the employees who are most experienced with your institution’s day-to-day operations should have a seat at the table. This should be limited to critical staff representing business unit managers or individuals holding knowledgeable positions in lending, deposits, investments, accounting and other key business units. It is critical that these employees feel comfortable identifying risks within their business units by engaging in open and honest conversations with management regarding their responsibilities. If they feel their jobs are in danger because of the risks identified, they may refrain from divulging all of their unit’s problems. And ERM is meant to be a proactive management tool designed to identify weaknesses in advance.

Implementing Your Risk Assessment
Once you have identified your risk team, start obtaining past exam reports conducted by your prudential regulator. These are must-have documents, including results from safety and soundness, compliance, information technology, CRA, BSA and other regulatory exams — copies of which your board secretary should have retained. The takeaway is, gather any and all examination reports you can get your hands on.

In addition, collect external audit reports performed by such third parties as financial or IT auditors, as well as any internal audits or monitoring reports. Then, search within these reports for any identified weaknesses or recommended corrective actions, which gives your institution a factual, black-and-white starting point as to where your risks lie today. You can use this information to establish the criteria of each OCC risk category by developing Key Risk Indicators (KRIs), which identify changes in the probability of adverse incidents soon enough to proactively prevent them. Automated, third-party ERM software can significantly augment this process.

KRIs should be specific and measurable in order to provide management with the necessary tools to dictate action. After all, you can’t manage what you can’t monitor. Also, try to limit KRIs within each risk category to a set number that is meaningful to your organization: five to 10 usually will suffice. Having too many KRIs in one category can dilute the effectiveness of your ERM program.

After determining your KRIs, the board should set the institution’s risk appetite for each category, establishing the amount of risk — high, medium or low — that your institution is willing to accept in pursuit of value. Then, the individual responsible for risk, or the risk committee, should create a quantitative threshold for each KRI, commensurate with the appetite. Think of your threshold in terms of a fuel gauge: You can establish a quarter of a tank as your threshold, which alerts you to fill up your tank well before you reach your ultimate risk — an empty tank. For example, supervisory guidance calls for heightened risk management practices when loans for construction, land development, and other land are 100 percent or more of total capital (your empty tank). Therefore, you might set your threshold for construction, land development, and other land loans at 90 percent. This specific and measurable KRI would alert you when the threshold is reached, which allows adequate time to take proactive, corrective action.

Finally, it’s time to track trends and pinpoint changes in your risk levels. You can accomplish this task by comparing your exam reports and identifying repeat violations — which would signal a negative, increasing trend. Or, if all your KRIs in a particular category are going up, that would also indicate a negative trend. Providing your directors with a trend analysis gives them the information needed to make informed ongoing decisions that benefit the overall organization.
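The threshold-and-trend procedure above, as an added illustration that is not from the original column: KRIs carry a limit (the empty tank) and an early-warning threshold (the quarter tank), the latest observation is checked against both, a category whose KRIs all rise period over period is flagged as a negative trend, and a linear projection estimates how many periods remain before the limit. The KRI names other than the construction, land development and other land ratio, and every observed value, are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class KRI:
    name: str
    category: str     # one of the OCC risk categories
    limit: float      # the "empty tank": the level supervisory guidance flags
    threshold: float  # the "quarter tank": where management acts early

# Constructed sample KRIs; only the first ratio and its 100%/90% figures come from the text.
KRIS = [
    KRI("CLD loans / total capital", "credit", limit=1.00, threshold=0.90),
    KRI("Past-due loans / total loans", "credit", limit=0.05, threshold=0.04),   # hypothetical
    KRI("Non-core funding / total assets", "liquidity", limit=0.30, threshold=0.25),  # hypothetical
]

# Constructed quarterly observations, oldest first.
OBSERVATIONS = {
    "CLD loans / total capital": [0.72, 0.81, 0.88, 0.93],
    "Past-due loans / total loans": [0.020, 0.025, 0.031, 0.036],
    "Non-core funding / total assets": [0.28, 0.22, 0.20, 0.19],
}

def threshold_alerts(kris, observations):
    """KRIs whose latest value has reached the early-warning threshold or the limit itself."""
    alerts = []
    for k in kris:
        latest = observations[k.name][-1]
        if latest >= k.limit:
            alerts.append((k.name, "LIMIT"))
        elif latest >= k.threshold:
            alerts.append((k.name, "THRESHOLD"))
    return alerts

def rising(series):
    """True when every period is higher than the one before it."""
    return all(later > earlier for earlier, later in zip(series, series[1:]))

def negative_trend_categories(kris, observations):
    """Categories in which all KRIs are going up: the negative trend the column describes."""
    by_category = {}
    for k in kris:
        by_category.setdefault(k.category, []).append(rising(observations[k.name]))
    return sorted(c for c, flags in by_category.items() if all(flags))

def periods_to_limit(kri, series):
    """Linear projection of periods until the limit at the latest rate of change; None if not rising."""
    delta = series[-1] - series[-2]
    if delta <= 0:
        return None
    return (kri.limit - series[-1]) / delta
```

With the sample data the construction lending KRI has crossed its 90 percent threshold with roughly 1.4 quarters of headroom, and the credit category as a whole is trending negative.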

Remember, an effective ERM program is an ongoing process in which you continually monitor the results and trending analyses of your KRIs, and take action when needed. An effective ERM approach will help limit liability to your board, satisfy regulatory expectations, and build and protect shareholder value. After all, banking is the business of managing risks while maximizing profits.

Keith Monson is vice president of application compliance for Computer Services, Inc. (CSI). In this role, Keith maintains focus on CSI’s compliance initiatives to establish and build out an enterprise-wide compliance framework for risk assessment and reporting, issue management and other key components of CSI’s corporate compliance program.