The benefits of an enterprise risk management (ERM) program

Community banks might not be obliged to conduct regular enterprise risk management, but that doesn’t mean it’s not a good idea. The benefits of a solid ERM program can stretch far beyond compliance.

By Karen Epper Hoffman

At a time when community banks are fighting to reduce the regulatory mandates that are draining their resources, it would seem odd that many community banks are looking to embrace enterprise risk-management (ERM) programs. After all, regulators don’t require community banks to have formal ERM programs. However, even smaller banks are recognizing that successful risk-management initiatives can boost profitability, mitigate third-party risk and aid in meeting strategic goals.

But what exactly is ERM? According to Amber Goodrich, compliance strategist at full-service financial technology and regulatory compliance provider CSI, ERM is the tactical implementation of risk processes across all units of an institution. Developing an ERM program typically starts with identifying the risks and challenges a financial institution may face, as well as potential opportunities, Goodrich says. Once those factors are identified, the likelihood and impact of potential risk factors are assessed, and controls for risk mitigation established.

More than anything, Goodrich says, the ERM process is “cyclical and should consist of the ongoing monitoring of risk factors, as well as controls.”

“We often hear from regulators and examiners that while not all institutions are required to have an ERM program, every bank, regardless of size, needs to have a formalized risk-assessment process in place for various aspects of their operations,” she adds. “While institutions may not call what they are doing currently ‘ERM,’ the fact is that in order to successfully comply with all the requirements, guidelines, laws and regulations out there, institutions must implement an arsenal of risk-management activities across the entire institution.

“In a way, community banks and other non-covered institutions have the best of both worlds right now: the benefit of the guidance surrounding ERM without the regulatory mandate,” she adds.

The roots of ERM

The ramp-up of ERM came in the wake of the high-profile financial reporting scams and executive malfeasance at Enron, WorldCom, Tyco and other corporations in the early 2000s. While most of these scandals did not involve retail banks, the financial industry was swept up with the Sarbanes-Oxley Act of 2002, and bankers started to look at how they could institute broader enterprisewide risk processes and tools to amp up their existing risk postures and avoid the increasingly sharp gaze of regulators. Community banks, which fell under the asset threshold of many risk-related regulations, did not embrace ERM at first. They believed they already had a good handle on risk.

But things have changed since the subprime crisis and subsequent recession. Community banks were not at fault for virtually any of the issues there, but the whole tumult threw a bright spotlight on risk in banking as a whole.

Bankers like Robert G. Coradi, executive vice president and chief risk officer for $1.3 billion Orrstown Bank in Shippensburg, Pa. (see sidebar), and other industry experts note that specific line items in an ERM program may pay large dividends. However, Steve Sanders, vice president of internal audit for CSI, points out that “it is the broad benefit of helping develop a risk-aware culture that is most important. Risk aware shouldn’t be confused with risk averse. A keen awareness of risk allows management to make better decisions with more lucrative rewards.”

With that in mind, how can community banks effectively, and with limited resources, implement and maintain an ERM program? David Ruffin, director at Charlotte, N.C., accounting and advisory firm Dixon Hughes Goodman, says that ERM should have “a champion.” This should be someone high up enough in management to effect change throughout but not necessarily an executive rooted in the audit department, he says, since “ERM is more of a strategic exercise, not just about audit.”

Ruffin compares this risk-management champion at a community bank to an orchestra conductor. “They don’t need to be able to step into everyone else’s job, but they should be able to hear when someone is playing out of tune.”

Given the growing interest in ERM programs among community banks, Strunk, a software and consulting firm based in Atlanta, Ga., that helps banks manage risk, improve profitability and grow, launched an ERM software and consulting solution two years ago aimed directly at community banks. “Up until recently, the solutions to the problem have been really expensive,” says Strunk CEO Daniel J. Roderick Sr.

Two years on, Strunk has many community bank ERM clients and charges based on asset size in addition to an annual maintenance fee. Roderick says the average Strunk client pays about $7,000 per year for its ERM solution.

In the end, community institutions that welcome the change in culture toward an ERM-focused program “often find that it not only gives a better holistic view of their organization and the risk and opportunities that they are facing, but also it improves their relationship with their regulators,” says Goodrich.

“There is no guarantee that implementing an ERM program will improve on exam ratings as a whole, especially since the program still isn’t technically required for community institutions, but it definitely changes the conversation a bit,” she adds. “Regulators love to see institutions take a proactive approach.”

What are the benefits of ERM?

Robert G. Coradi, executive vice president and chief risk officer for Orrstown Bank in Shippensburg, Pa., says managing risks on an integrated basis through ERM brings a number of benefits to community banks like his.

For one, it promotes best practices in identifying, measuring, controlling and monitoring risk exposures, and it ensures a consistent, balanced and integrated approach to the identification and management of risk across the entire bank. It also allows the bank to monitor and oversee the risk analysis of all new, expanded or modified products or services and major strategic proposals. Finally, it ensures reporting of enterprise-wide risk exposures in all areas to senior management and the board of directors and provides for the periodic independent evaluation of risk-management systems and processes within the bank. 

Experts say it is important not to get too caught up in the process or the myriad descriptions of ERM. “Many of the ‘official’ definitions of ERM are so complex that the point is missed,” says CSI’s Steve Sanders. And going down too many rabbit holes can lead to an ineffective ERM program, which, Sanders says, “is nothing more than wasted resources, while an effective ERM program is much like forecasting the weather: You aren’t going to always get it right, but you have a lot better chance of surviving the storm if you know it is coming.”

Karen Epper Hoffman is a writer in Washington state.