Enterprise risk management poses different challenges for every institution, but achieving consistent results is the universal goal
By Brian O’Connell
Enterprise risk management, or ERM for short, is a popular buzzword bandied around banking industry water coolers, in industry publications and, increasingly, in bank examinations. Lots of banking industry professionals use the term loosely. From a loan portfolio manager to a compliance consultant to an IT network security firm, the term can mean different things to different people.
“ERM has traditionally been like that sign at the pool that warns you that there is no lifeguard,” says Chris Nichols, chief strategy officer at CenterState Bank, a $2.4 billion-asset community bank in Winter Haven, Fla. “It states the obvious, covers the owner for liability, is important to be reminded of, but it really has not been that useful.”
Generally, enterprise risk management is the process of planning, identifying and controlling a bank’s activities to minimize any potential risk that could affect a bank’s capital and earnings, according to several regulatory consultants. In a few words, it identifies and evaluates risk across and throughout a financial institution—but not in a compartmentalized fashion. The concept involves financial, strategic, operational and other risks. It also encompasses the methods and processes used.
“ERM for banks is different from other industries, mostly because they are so heavily regulated,” offers Maria Corde, senior managing director of Crystal & Co., a risk management services firm in New York City. Many community banks, she says, use a section from the Community Bank Supervision Comptroller’s Handbook from the Office of the Comptroller of the Currency as a template.
Regulators and risk management experts generally divide ERM risks into seven broad categories:
- credit risk,
- interest rate risk,
- liquidity risk,
- operational risk,
- compliance risk,
- strategic risk and
- reputational risk.
Of course, some community bank operational risks are more of a priority than others. However, the three most pressing risks that every financial institution today is monitoring and taking action to avoid involve interest rate, compliance and operational risks. As community bankers know, interest rate risk is heightened with the expectation that historically low market rates will begin rising soon, Corde says. Compliance risk is increasing given emerging consumer regulations and increasing regulatory enforcement, and operational risk is generally growing given the increase in cyberattacks.
The fundamental process behind every ERM strategy and program should involve three steps, Corde notes: identifying risks, checking whether risks exist and managing risks. “Community banks do not consider ERM as a strategy to run the bank, but instead as a process that consolidates all of these risks and enables management to assess them,” she says. “Based on the assessment, management can determine whether the risk is acceptable and then make any changes that are needed.”
Community banks of all sizes and operations have adopted the risk management basics, Nichols says. However, risk management is starting to move beyond addressing basic risks while still addressing practical matters. “Community banks in the last two years have grown to have better definitions of risk, more concrete charters, enhanced monitoring and improved management,” he says. “The next evolution is for community banks to make better use of their data and become predictive on risk so that a more forward view can be achieved.”
Covering all bases
Defining what ERM should involve, however, is usually easier than implementing such a strategy or program effectively. By and large, any ERM efforts, which inherently attempt to be broad and all-encompassing for continually changing operations, are bound to have both strengths and weaknesses.
So do many community banks do a good job of identifying and managing ERM? Not always, consultants say.
Community banks looking to harness ERM strategies and “cover all the bases” in doing so may have an uphill climb, but it’s not an impossible one. Successful ERM involves developing the right mindset, taking careful steps, watching the dollars and getting complete buy-in from the entire bank.
“If banks are going to start thinking about ERM and implementing ERM resources, they should take a deep breath and make sure they understand what needs to be done—without rushing into it,” advises Amit Govil, a managing partner at P&G Associates, a risk management services company in East Brunswick, N.J.
But once community banks take that “deep breath” and commit to an ERM campaign, where do they start, and how do they hit the sweet spot that industry consultants keep talking about? To get the ball rolling and cover all of a community bank’s ERM bases, several risk management experts suggest taking six steps.
1. Start small, and aim for steady progress. Don’t be overly ambitious in rooting out risk, as tempting as that might be, cautions Rohit Arora, co-founder of Biz2Credit Inc., a lending services company in New York. Start small with pilot programs to see what works, and then do more of that.
2. Identify key areas of risk. Community banks shouldn’t try to address every potential risk scenario at once. Instead, identify areas where the biggest potential impact lies (compliance and lending are usually at the top of the expert’s list), Corde says. Then monitor, assess and manage those risks from a bottom-up approach, and mitigate them across the entire institution.
3. Measure key indicators. The best community bank ERM programs have a “dynamic model and framework” that doesn’t necessarily focus solely on risk assessment, Govil says. Risk assessments are only a part of ERM, not the whole, and they work best when they are linked operationally to key performance indicators.
4. Build a three-year plan. Implement an ERM program tailored to your bank’s size and complexity, advises Paul Koziarz, chief development officer at Computer Services Inc., a core software and technology services provider in Paducah, Ky. “Start with a strong business plan for the coming three years and apply all the specific risk measurements to that plan,” he says. “It all starts with the road map the bank is using and branches out from there.”
5. Give decision makers access to ERM. Trouble arises if community banks don’t use a strategic planning process coupled with ERM when looking at new products, suggests Walt Mix, head of the financial services group at the consulting firm Berkeley Research Group LLC in Emeryville, Calif., and a former banking executive. When that doesn’t happen, as is often the case, key risk issues don’t bubble up to the surface.
In addition, Mix says it’s not enough for a CEO or the IT director to have a full grasp of enterprise-wide risks—every staffer should understand the issue of risk and how to manage it. In short, everyone in the bank needs to be able to assess and manage risk in relation to their jobs, and the best ERM programs make that a priority.
6. Keep it real—and in perspective. Community banks have managed a variety of risks well for a long time, Govil points out. But what is new in risk management is the speed of change (such as in technology, regulations, and customer and market conditions). “This speed now mandates timing for strategic decisions, which in turn are also accelerated,” he says. “So a good ERM model is one that helps deliver that.”
The main goal of any ERM initiative is to identify key risk areas before trouble occurs, consultants say. So they agree that community banks should identify their own particular areas of risk—whether credit, interest rate or compliance risk—and then monitor and test for those risks again and again, using myriad risk assumptions and under multiple scenarios.
Ideally, ERM is an ongoing process, but community banks should aim to present their board of directors with a quarterly update, risk consultants say. A bank’s chief risk officer should manage the ERM program, but if such a position doesn’t exist the CEO should run the program, with tight cooperation from the information technology director.
Above all, community banks shouldn’t take the ERM process for granted, consultants advise. In an era of tighter credit, tougher competition and stricter regulatory standards, an effective enterprise-wide ERM strategy and process is now a necessity.
Brian O’Connell is a writer in New York.