
July/August 2009
Focus: Risk Management

 

Third-Party Systems Can Help When Implementing Your Enterprise Risk Management Program

By Michael D. Cohn

Enterprise Risk Management (ERM) has the attention of financial institutions now more than ever. Developing a risk management process that incorporates and integrates the various elements of risk across the enterprise is both an opportunity and a challenge for financial institutions big and small. Stakeholders must understand how risk management practices tie into the bank’s overall strategy, affect costs and profitability across each operating unit, and provide the information needed to make quick, informed decisions in response to unexpected changes, in order to keep the bank safe, secure customer confidence, and satisfy regulators. Implementing a third-party ERM system that automates risk management processes, integrates all elements of risk across the enterprise, and provides secure access to centralized data can help you get there.

Choose Wisely: Due diligence to ensure success

When making the decision to turn to a third party for assistance, it is important to remember that you can outsource systems to help facilitate and manage the risk assessment process, but not the risk assessment itself. The system you implement must enable the bank to perform its own assessment of risk and to develop appropriate controls to mitigate those risks. Consider the following elements during the due diligence process to help ensure that the system you select aligns with the bank’s goals, increases operational efficiencies and arms bank executives with the tools necessary to make informed business decisions with speed and accuracy.

Credibility – The third-party system provider must be credible, tenured and experienced not only in the services it provides, but also in the appropriate regulatory requirements across each functional area and business unit where risk is present.

Regulatory Guidance – The ERM system must align with appropriate regulatory guidance and provide automatic system updates to reflect changes in the regulatory environment to ensure that the risk assessment is current and that adequate controls are in place.

Accurate Representation of Risk – Nothing stirs the ire of regulators more than a bank that cannot articulate the methodology and process used in assessing risk and controls.  The system selected must allow the bank to provide its own assessment of risk. 

Security – Appropriate security features must be built into the ERM solution, such as multi-factor authentication, which protects the identity of a bank and its customers and ensures safety and soundness.

Current Information – Risk managers need immediate access to accurate and up-to-date information that affects each department, process and function throughout the enterprise.

Centralized Data – Stakeholders responsible for risk management must be able to measure each business unit and function across the enterprise to identify potential threats and the subsequent controls in place to mitigate risks. 

Continuous Methodology – The process of risk assessment begins but never ends. It must be a continuous, systematic process.  It is important that the ERM system have functionality that allows the bank to update appropriate risk assessment and control practices on a continuous basis in order to make informed decisions.

Robust Reporting – Stakeholders need to make informed business decisions, while also ensuring appropriate controls are in place. Built-in reporting capabilities are important for internal control documentation, for review by governance committees and the Board of Directors, and as due diligence packages for regulators, and they are paramount to the ongoing safety and operational efficiencies of the institution.

Financial institutions that are able to align their ERM program with their strategic goals can maximize operational efficiencies, ensure compliance with regulatory requirements, instill customer confidence and make more informed decisions.  

By utilizing a credible and capable ERM system provider, you can achieve success with your internal risk assessment and control program. Implementing a secure, automated system that provides a centralized view of risk and control across the entire enterprise allows stakeholders to recognize the challenges they face so they can react quickly and develop appropriate controls to mitigate potential risks. Bank managers can deal with the day-to-day risk-related issues while executives maintain a level of knowledge that enables them to fulfill their oversight responsibilities. The result is better decision making not only in one area or business function, but across the entire enterprise.

Michael D. Cohn, CPA, CISA, CGEIT, currently serves as the director of the WolfPAC Solutions group for Wolf & Company, P.C., a certified accounting and business consulting firm headquartered in Boston.  He can be reached at 617-428-5488 or mcohn@wolfandco.com. Cohn will speak on Leveling the Playing Field: Emerging Technologies for Community Banks at the WIB Bank Technology & Security Summit October 14-16 in San Diego.

