Is Enterprise Risk Management Achievable at a Community Bank?
By S. Scott MacDonald, Ph.D., Southwestern Graduate School of Banking
I often hear from community bankers that Enterprise Risk Management (ERM) is a “big bank” concept. In his March 2006 speech to the Independent Community Bankers of America, Federal Reserve Chairman Ben Bernanke said:
Although I learned a long time ago not to try and interpret what a Fed Chairman is trying to say, one might assume he is talking to the average community bank, which has increased its total portfolio risk. As we discussed last time, the average bank has grown rapidly, increased its concentrations in commercial real estate and funded more and more of this growth with borrowed funds. At the same time, compliance risk, technology risks and payment system risk have all increased. The average bank, then, is due for an overhaul in how it measures and monitors aggregate risk.
Most banks today are good at evaluating individual risks and exposures, but not as diligent in measuring and managing how our various business units interact and affect other areas of the business. Chairman Bernanke clearly indicated in his speech that ERM is for the community banker. If ERM really is for the community banker, how do you implement an enterprise-wide risk management program in a community bank? Unfortunately, ERM is not a piece of software or a new program; it is a new way of looking at our business. The good news is that an effective ERM system can actually improve the bank’s bottom line performance. ERM will not be accomplished overnight, so we need to get started today.
First, make enterprise-wide risk management everyone’s responsibility. This means making ERM a part of the bank’s culture. Although this can be accomplished in a multitude of ways, education and training are fundamental. Establish a top-to-bottom ERM culture that is well communicated throughout the organization by senior management such that all staff members understand their roles and responsibilities in the ERM process.
Next, create a risk management committee which meets regularly and is staffed by senior management from the various areas of risk in the bank such as lending, operations, technology, compliance and asset-liability management, to name a few. This committee’s primary charge is creating a risk “footprint” for your organization. A risk footprint identifies and assesses internal and external events (risks) that could negatively affect the bank’s ability to achieve its objectives. This committee should also focus on the organization’s methods and systems for responding to risk, that is, avoiding, accepting, reducing, or sharing risk. Events with high probability of occurrence and high financial impact should be avoided. Events with low probability and low impact are generally accepted and managed. Events with a low probability but high impact are candidates for risk sharing through insurance or outsourcing. Finally, those events with a high probability and low impact must be carefully monitored and controlled.
Finally, consider creating the position of chief risk officer (CRO). In smaller banks, this position is often filled by the CEO or credit risk officer, but it is critical not to continue to focus just on lending and single credits. Stepping back and evaluating the bank’s aggregate risk position and the interactions between individual risk events is fundamental to the success of an enterprise risk management system.
Next time we will begin to examine today’s hot aggregate risk topics within the various risk areas of the bank, such as credit risk, liquidity risk, operational risk, strategic risk, market risk, and reputational risk to name a few.