Enterprise Risk Management: A Holistic Approach to Managing Risk

By Keith Monson

Q: How can my financial institution stay ahead of the game when it comes to managing risk? It seems like, just when I think we’re good in one risk area, something occurs out of nowhere in another. It’s getting hard to keep up.

A: That feeling of being overwhelmed is understandable, but you can save yourself a lot of time and headaches by changing the way you view risk.

Take a cue from regulators and examiners, who are of the general opinion that if bankers aren’t collectively considering all the risks they face, they are not really managing risk at all. Rather, a bank’s risk areas should be viewed as interactive parts of a solid whole, each affecting the other. This approach, called Enterprise Risk Management (ERM), helps both managers and the board of directors gain a complete picture — a real-time snapshot — of all risk areas and how they work together to ultimately affect a bank’s overall performance.

The Office of the Comptroller of the Currency (OCC) has defined the eight risk areas that should remain a top priority for all banks: credit, interest rate, liquidity, price, operational, compliance, reputation and strategic. An essential factor of ERM is the ability to establish key risk indicators (KRIs) — a set of markers that help identify changes in the probability of adverse incidents soon enough to proactively prevent them — that take subjectivity out of the risk rating. In other words, when a red flag pops up in a particular risk area, management will no longer rely on educated opinion alone to decide how to move forward.

Financial institutions can develop — or work with a trusted third party to customize — a database or library of KRIs, which establish the direction of risk within those eight main risk categories. Consider the compliance risk category, for example. An institution can consult the database and find out which KRIs it should track in order to remain compliant with fair lending or consumer protection rules, since the related risks will likely rise as the number of real estate loans increases. By tracking those indicators and using them as a guide, a bank can take any underlying opinions — or subjectivity — out of the equation and establish a threshold for the level of risk it is willing to accept, known as its risk appetite.

Overcome the Obstacles to Establishing ERM

Financial institutions must ensure they are implementing an ERM program that is tailored to the size and complexity of their bank. Start with a strong business plan for the coming three years and apply all the specific risk measurements to it, then branch out from there.

The biggest obstacle with implementing an ERM program is the change of culture for banks and bankers — because nobody really likes change. Bank managers currently take a “siloed” approach to managing the risks for their institution. They must challenge their thought processes by taking a more proactive, holistic — rather than reactive — approach to risk management. ERM is meant to serve as a proactive tool for them to assess the risk their institution faces by monitoring specific KRIs.

Banks that welcome the change in culture will find that it can enhance their relationship with regulators and possibly improve their exam cycle. And while there’s no guarantee that an exam will go better, they will definitely see a change in how examiners view the bank. This proactive approach can enhance, or further bolster, a bank’s management rating. Further, if a bank’s compliance rating is outstanding, its exam cycle likely could occur every three years. If rated poorly, however, compliance exams could take place annually, or on a more frequent basis.

Remember, regulators are looking for this approach, and from their view, anything banks can do to be proactive is good. And examiners also are applying the ERM approach to banks. For example, if a bank has a high level of loan concentration, guess where they’ll focus when they come in? They’ll be in the loan area and stay there until that risk is mitigated.

Evaluate Your ERM Needs

Start by taking a look at your most recent exam results and identifying areas that concerned the examiners. Then determine what steps will take you out of a reactive mode and into a proactive mode for managing risk.

Further, review your internal and external audits. The hope is that your auditors will catch issues, report them to the board and get them corrected before the examiners come in. Also, make sure you have no repeat findings — those risks identified over more than one exam or audit cycle — or address them immediately if found.

Execute Your ERM Plan

Once you’ve taken a hard look at your audit and exam findings, it’s time to address the policies, procedures and guidelines that have already been approved by the board — what we refer to as residual risk. To execute an ERM program, first identify your KRIs within the OCC’s top eight categories and start tracking them. Then take a look at the policies and procedures to ensure you’re mitigating any risks that were identified.

Effective ERM third-party software can identify risks earlier by automatically applying KRIs to bank data and alerting management when risks are elevated. The most advanced software solutions also create the ability to efficiently collect, store, analyze, score and report on risk data, direction and activities. This allows bank management to focus more on their day-to-day functions: taking care of customers’ needs.

The time is now for banks to abandon the siloed approach to risk management. Use ERM to gain holistic transparency, visibility and data aggregation — and provide your institution with a clear view of historic, current and future risk.

Keith Monson is vice president of application compliance for Computer Services, Inc. (CSI). In this role, Keith maintains focus on CSI’s compliance initiatives to establish and build out an enterprise-wide compliance framework for risk assessment and reporting, issue management and other key components of CSI’s corporate compliance program. He also works closely with CSI’s Board of Directors Audit Committee as well as other compliance teams across the organization to promote a culture of engagement and connectivity while implementing and advising on practices and related standards.