Enterprise Risk Management for Your Bank

The successful practice of bottom-up enterprise risk management occurs when all of the efforts above are integrated into a cohesive program that is managed with a comprehensive strategy.

The key to this bottom-up risk management approach is that results of the assessments must be reorganized by product and service to provide information not previously known or understood. Knowing exactly which threats are most significant for each product is key.

The execution of a bottom-up enterprise risk assessment will not only highlight the high and moderate risks and threats, it will change the questions your management team asks, make them better informed about present risks, and more invested in managing them. Moreover, executive management will be able to articulate and describe to auditors, regulators, and the board, the process and elements of a sustainable management program.

Measuring the Cost of ERM
If an institution can measure the cost of risk management then it can take steps to make it cost less. Institutions are wondering how much they should spend on risk management and how much will it cost as new, increased regulatory requirements come into play. There is no hard and fast rule because there are no formal guidelines or benchmarking data. The first exercise should measure the sufficiency of current spending so the chief risk officer can assure the board and others that risks are being managed and mitigated to the best of the institution’s ability.  In other words, resources must be committed to areas of high risk, and resources must be rationed or curtailed from areas of low risk.

The second exercise should evaluate the total resource allocation from one year to the next to ensure the level of risk management resources is commensurate with changes to business strategy and external events. Level spending from one year to the next may be appropriate for many institutions, but aligning the threats and costs of risk management allows the chief risk officer (CRO) to pose questions and develop strategies not easily identified when using an ERM approach based on the COSO model or CAMEL ratings.

To effectively maintain an ERM program, the interaction of the CRO and others such as the internal auditor and the compliance officer must be re-examined to ensure that they are operating together to the benefit of the institution.

In many cases, the executive suite and board will incorrectly equate ERM and threat management with internal audit and control testing and look solely to the internal auditor for guidance. For an ERM program to be effective, the CRO must persuade the executive suite to own the risk and be responsible for controlling it. The CRO should guide management to document controls and classify them as key or secondary. The internal auditor then independently validates management’s identification and rating of risks and classification of controls.  Control testing is performed to ensure controls are designed to mitigate the related risks and operating effectively.

Moving an ERM Program Forward
To begin an effective ERM program, an institution must first take stock in its current activities and organize them along the areas of the functional risks. The institution should evaluate each risk assessment and control testing result and convert or append the analysis to create a consistent residual risk measure that is used at all levels. When a common measure and language is created to communicate risk, the reporting out by the various products and services becomes much clearer and more effective.

The second step is for the institution to take an honest look at its practices. There will be major threats within the institution that are not being sufficiently mitigated. These must be brought to the surface and placed into view for the entire organization to see. The good news is that once transparent they can be mitigated.

If expertise is required that is not present in the institution, such as information technology and security, the expertise must be acquired. If the volume of data and the time to produce comprehensive reports and analysis is overwhelming, automated tools and support must be deployed. If a financial institution is understaffed and overwhelmed, it should consider measuring what it is spending now, which threats current resources are addressing, and then realign the resources based on the clearer picture of the level of threats in each area. The larger the management team the more important it is to let the analysis derived from the ERM program guide the decisions on how to allocate resources.

Because an ERM program must cover the enterprise, governance cannot be ignored. To successfully implement an ERM program it is essential to create a risk committee or further empower an existing committee. When operating optimally, the risk committee will hold an enterprise-wide view of risk assessment and management and provide guidance, oversight, and approve funding requests to allow the ERM program to operate optimally.

As for compliance issues, a bottom-up approach to ERM will complement and continue to support the regulatory requirements of each functional risk assessment. Implementing a COSO version of ERM is a top down approach. If a financial institution believes it must implement this version, and it has the resources to do so, a bottom-up and top-down ERM approach can be deployed. The results from each approach should be complimentary but the institution should recognize that the results are used for different objectives.

Emerging Benefits of ERM Program
Three major benefits will emerge from the institution’s early efforts. The first benefit is that the very nature and behavior of the financial institution will change as enterprise-wide awareness of major threats and the purpose of controls become evident. Line management will be more involved in threat assessment, hands-on with risk assessment issues, and assume ownership for the rating of threats and designation of key controls. Day-to-day decision making will likely change as risk across the institution is more frequently considered before actions and projects are started, not after implementation or kickoff begins.

When this happens, risk management then becomes everyone’s job, not just the risk officer’s. Even for a small financial institution it is difficult for any executive to maintain comprehensive knowledge of all operational and transaction activities. But when more risk-oriented decision making is allowed and empowered in the lower parts of the organization, it results in greater speed, agility, and safety for the institution.

The second benefit is the productive alignment of internal activities such as risk management, internal audit, regulatory compliance, information security, vendor management, business continuity, credit administration, and asset-liability management. This alignment will eliminate silos and reveal gaps in threat identification through integrated, bottom-up risk assessment.

Lastly, and most important, ERM will reduce costs. When there is overlap, extra resources are spent unnecessarily and when there are gaps, losses occur and extra resources are subsequently required to fill it. Both situations are expensive and unnecessary. When the institution takes an integrated bottom-up ERM approach and measures the costs of risk management, it will plug any holes from which the institution is leaking resources.

Avoiding ERM is No Longer an Option
The current state of the economy and the increasingly complex regulatory climate requires that smaller institutions must find cost savings to compete in the marketplace. The cost saving opportunities become evident when aligning high and moderate level risks to current year budget amounts, and analyzing emerging and receding risks to year-over-year resource commitments. Practicing enterprise risk management, especially when structured in a bottom-up approach, will change the DNA of an institution in a positive way and make it more successful today and into the future.

Michael D. Cohn serves as Director of WolfPAC Solutions group and is a Principal at Wolf & Company, P.C. He provides risk management advisory services and board training to community based financial institutions. He can be contacted at mcohn@wolfandco.com or (617) 439-9700.

Visit the WolfPAC website to learn more about our services.
Print a pdf of this article, as it appeared in Massachusetts Banker.

This publication is distributed with the understanding that the author, publisher and distributor are not rendering legal, accounting, tax or other professional advice or opinions on specific facts or matters and, accordingly, assume no liability whatsoever in connection with its use. The information in this publication is not intended or written to be used, and cannot be used, by a taxpayer for the purpose of (i) avoiding penalties that may be imposed under the Internal Revenue Code or applicable state or local tax law provisions or (ii) promoting, marketing or recommending to another party any transaction or matter addressed in this publication. Copyright 2012.