People come in all shapes and sizes. Clothing manufacturers know this, and generally have a wide array of different sizes available. However, if you want your clothes to fit well and be comfortable and stylish, and if (like most of us) your proportions aren’t the same as the generic person the clothing was designed to fit, clothes shopping can become very difficult. This is where the tailor comes in very handy.
Financial institutions, while not quite as abundant as people, also come in all shapes and sizes, and each one is affected by its own complex set of risk factors. Risk and its management have become increasingly hot topics over the past several years, giving rise to the burgeoning field of Enterprise Risk Management, or ERM.
Given the complexities and differences of each individual institution, regulatory agencies simply don’t have the resources to develop a comprehensive analysis of enterprise risk for every financial institution out there. This means that each financial institution is responsible for shouldering its own Enterprise Risk Management. In other words, each institution has to tailor its own ERM program to fit properly and be effective. While an ERM program should be tailored to fit, there are several elements that every effective ERM program has in common.
What Is ERM?
There seem to be countless definitions of ERM, but the definition given by the trailblazers of ERM, the Committee of Sponsoring Organizations of the Treadway Commission (more commonly known as COSO), gets to the heart of what constitutes effective ERM processes:
Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
This definition is central to building risk management functions that align with an institution’s strategies. In other words, ERM is about where a financial institution is today, where it wants to go in the future and what elements stand in its way. From this, we can recognize the fundamental factors needed to implement an effective ERM program. We have identified four such factors that ensure the ERM approach “fits” the credit union instead of trying to make the credit union fit ERM.
Strong ERM must be innately relevant to the financial institution and its “vision.” COSO notes, “Among the most critical challenges for management is determining how much risk the entity is prepared to and does accept as it strives to create credit value.” As such, ERM must establish where the financial institution is today and where it plans on going in its value-creation efforts. We generally know how “Risk” and “Management” are defined. Yet how do we define “Enterprise”? One definition states that an enterprise is “a project undertaken or to be undertaken, especially one that is important or difficult or that requires boldness or energy.” Keeping ERM relevant to the financial institution’s “Vision” requires that we know our Five Ws (who, what, why, where, when) today and in the future. Our collective assessment efforts must present that picture in a sound manner at given points in time, then seek to identify impediments to reaching those achievements and the corresponding risk mitigation.
Effective ERM cannot be achieved with a “silo mentality,” where each department declines to share key information with the other departments. It requires correlation throughout the enterprise. History has repeatedly shown that a failure to understand how the strategies an entity pursues affect all departments of the financial institution results in weakness and, in some cases, failure. Many institutions have recognized this factor and responded by designating a Chief Risk Officer. Establishing such a position is logical, but it cannot become a silo itself. Rather, the individual in that role must serve as a go-between for the various departments in an effort to establish and continually reestablish the Enterprise Risk Assessment.
3. Target Driven
Because ERM covers the full array of risks within the organization, it requires a unique approach to analysis. The framework for ERM is established in key categories:
An organization’s objectives fall into one or more of these categories. Those objectives will face a wide array of challenges to implementation, including both internal and external events. As the financial institution analyzes these events and the corresponding strategies, it establishes the framework for measuring ERM via the Enterprise Risk Assessment (ERA).
The Enterprise Risk Assessment provides an initial and ongoing tool for management. It addresses key elements such as:
- Internal environment (where we are today)
- Objectives (where we are going)
- Event identification
- Impact likelihood (on an inherent and residual basis)
- Risk Response and Control Activities
- Information capture, communication and monitoring
Following this format is a challenge, but it leads to a logical, quantitative and qualitative presentation that yields significant benefits and makes the process easier with each succeeding year.
Although there is no question that the ERA must address qualitative elements (such as risk factors, strategies, etc.), those elements are best presented when quantified (for example, as key ratios and risk scores that can be evaluated). The adage that we value what we measure is absolutely true of ERM, and the ERA gives us that capacity from both a static (level) and a dynamic (trend) perspective. No ERA can encompass every conceivable risk, but sound ERM provides a powerful tool that promotes internal and external confidence.
When properly tailored, the Enterprise Risk Assessment serves as a powerful document that:
- seeks to align the risk appetite and strategy of the financial institution;
- facilitates enhanced risk response and decisioning guidance;
- reduces operational surprises and losses by facilitating an effective, coordinated response to the myriad risks affecting different parts of the organization;
- promotes the ability to seize opportunities through proper management positioning and deployment of capital; and finally,
- helps ensure effective reporting and compliance with laws and regulations while guiding the financial institution away from the damage inherent in reputation risk and its associated consequences.
Ken Agle, President of AdvisX, AffirmX’s sister company, brings more than 29 years of experience covering almost all facets of financial institution risk management operations. He has conducted more than 500 compliance reviews and has assisted more than 300 financial institutions throughout the United States. He has developed and implemented systems and training programs on all phases of banking risk management, including, but not limited to BSA/AML, fair lending, loan review, HMDA, CRA, BSA, operational compliance, TILA, and RESPA. He has written numerous regulatory responses and appeals and has been instrumental in assisting institutions with challenging circumstances while facing regulatory enforcement orders. He has partnered with RSM/McGladrey, Promontory, Sheshunoff and Wipfli and other multi-region firms to provide support services to financial institutions. Mr. Agle specializes in strategic regulatory response and in developing and implementing both proactive and reactive tools and systems to preempt and resolve issues affecting today’s financial institution. Email Ken at firstname.lastname@example.org.