A Community Bank Directors Advisor

Issue #28 - October 2009  


What Directors Should Know About Enterprise Risk Management

By Lyn Farrell, Sheshunoff Consulting + Solutions

Federal bank regulators are increasingly emphasizing the importance of “Enterprise Risk Management” for the management and directors of community banks. Enterprise Risk Management, or “ERM”, is more comprehensive than the banking risks that typically comprise risk management programs, such as regulatory compliance, loan review, fraud risk management, internal controls, etc. While traditional risk management continues to be important, if an institution wants to grow in a safe and sound manner, a more holistic view of risk management is necessary.

By identifying and quantifying these high-level risks, an institution can establish a mitigation program that will enable it to predict, monitor and contain future risks. This process will help the bank reduce uncertainty and loss in its future performance.

An ERM strategy includes a plan for financial, operational and environmental risks. A bank’s management should take all of these risks into consideration, establish the bank’s risk tolerance in each category and establish a governance and information reporting mechanism that will allow active monitoring of these risks on an ongoing basis.

There are several types of risks to consider in a bank’s ERM program, including financial risks (such as balance sheet, income statement, capital and liquidity risks), operational risks (including fraud, damage to physical assets, and business disruption) and environmental risks (such as the legal and regulatory environment).

As an example, balance sheet risks specifically include:

  • Credit risks, including the probability of default and the loss as the result of default
  • Maturity risks
  • Deposit risks, including deposit runoff and hot money
  • Structural change risk
  • Off-balance-sheet risks

Once the enterprise risks are identified, each of them should be incorporated into the overall ERM plan with action steps, goals, reports, and assigned responsibility and accountability. In some cases control systems will need to be put in place or strengthened to cover a risk that was previously not addressed. It is best if successful risk mitigation can be incorporated into job performance objectives.

What process can a bank’s management take to begin to develop an ERM program?

1. Inventory the bank’s risks
This process should be conducted over an extended time and incorporate people from all areas of the bank so that all potential risks will be identified. All identified risks will need to be managed, so each area should be fully defined.

2. Consider different scenarios
In the development of the ERM program, management should consider various stress scenarios to determine how the identified risks will change – increase, decrease or remain stable. For example, if interest rates rise, credit risk may increase and interest rate risk may also increase. The scenarios should be analyzed to develop risk controls and mitigation strategies. Ask the questions: What will change in two years? What is likely to remain the same in two years?

3. Identify key risk indicators
These are measurable statistics that management can use to track risk over time. They provide feedback on business processes and controls. By identifying these indicators, management can determine whether the risks are being effectively managed over time.

4. Determine how to make decisions from the information
No ERM program will be effective unless robust reports are provided to management in a timely manner. The final step in establishing an ERM program is to develop the reporting process. The bank’s management and board of directors all need to monitor the ERM progress periodically so that adjustments can be made to continue to mitigate the risks. Existing reports may be usable, or new ones may need to be created. In any event, the ERM program will be no better than the information that is used to monitor its progress.


Kathlyn L. (Lyn) Farrell is the national director of risk management services for Sheshunoff Consulting + Solutions. She is the author of numerous publications, including the ABA’s Reference Guide to Regulatory Compliance and the Law and Banking AIB course textbook. She can be reached at lfarrell@smslp.com or 800-477-1772.