First of a 3-part series.
Risk. In today’s world, there is no escaping it. Not so long ago it was considered part of the fuzzy territory of doing business as a financial institution. Today, the principle of risk and risk management has become one of the hot topics for financial institutions and has given rise to the burgeoning field of Enterprise Risk Management or ERM. When viewed positively, Enterprise Risk Management can be as much about pursuing opportunity as it is about disaster.
But what is Enterprise Risk Management and its principal tool, the Enterprise Risk Assessment? There is little question that even the smallest financial institution (FI) must coordinate a series of complex operations involving numerous disciplines. Given these complexities, ask yourself how long it would take for an examination team to truly understand the full degree of risk factors affecting one FI if they had to completely generate the data for risk analysis from scratch.
From a purely pragmatic standpoint, the regulatory agencies have a fundamental need to aggressively promote the use of risk assessments among financial institutions. Throw into the mix the diversity of risk elements within each financial institution and it becomes clear that the regulatory agencies simply do not have the resources to develop a comprehensive analysis of enterprise risk for every financial institution out there. These complexities, and the risk of failing to approach them in a strategic setting, would seem to be the genesis of the effort to define ERM.
We can appreciate the definition given by the trailblazers of ERM, the Committee of Sponsoring Organizations of the Treadway Commission, more often known as COSO. COSO provided the following guidance on what constitutes effective ERM processes:
Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
This definition is central to the focus of building risk management functions that align with the FI’s strategies. In other words, ERM is about where the FI is today, where it wants to go in the future and what elements stand in its way. As a result, we can recognize the fundamental factors needed to implement an effective ERM program.
In Part II of this 3-part series, we’ll talk about three key ERM factors and their importance, which will lead to Part III, the Enterprise Risk Assessment.