Getting started right in Enterprise Risk Management

What makes Enterprise Risk Management work, what does it look like when it does, and who plays what role to make it happen?

The answers to these questions, as usual, reflect multiple approaches. But ultimately they are a direct function of what management wants from its investment in ERM.

What should ERM look like?

One approach to the ERM function is to view it as the rule enforcer in the organization, similar to the internal audit function, regarding both regulatory mandates and bank-adopted policies and procedures.

In this approach, the core priority of ERM is to communicate regulatory requirements, assist in adopting them, and play a significant role in the adoption of internal policies and procedures.

Another expectation of ERM, in combination with the first role, is to monitor and report on activities in the bank, so that risk events and risk positions are known by management and can be responded to effectively.

A heavy investment in timely reporting mechanisms is necessary to make this work. Accompanying this investment is a mandate for both formal and informal sets of communication expectations throughout the organization, along with formal escalation guidelines.

An ERM unit also is critical in maintaining positive relations with the regulatory community.  In today’s environment, ERM has become a regulatory necessity, as supervisors across the country mandate enhanced processes regarding risk assessments and the setting of risk tolerance levels.

What should ERM do for your bank?

Thus, any CEO and members of the board of a bank will need to invest in an ERM program to maintain an acceptable relationship with regulators.

More broadly, though, and probably more effectively, the ERM function can and should be viewed as an integral part of a bank’s value creation process.

The simple fact is that banks are highly leveraged entities, and in modern times always have been. Although less leveraged than in some of the preceding decades, the banking industry today holds, on average, approximately $11 in assets for every $1 of capital on its balance sheet—and that gives no effect to the multiple risks posed by off-balance sheet activities.

This leverage is necessary to provide stockholders with a satisfactory return on equity, which implies that risk must be actively managed to reduce the likelihood of significant threats to solvency. Because we operate in a cyclical economy and a cyclical business, it is particularly important to avoid substantial dilution of stockholders when a capital raise is necessary during bad times, when the industry is out of favor.

Hence, risk management plays a natural, necessary role as an arbiter in the process of creating stockholder value.

Viewed in this way, ERM is an integral part of the value creation process in a banking organization. Also, its status as a regulatory necessity means banks must incur the operating costs to run a viable ERM program in any event; leveraging that expense therefore has even more appeal.  

Making this value creation process work is the role most pointedly of the Chief Risk Officer. However, achieving the best results takes a forward-thinking senior management team and an educated board if an ERM program can be expected to succeed.

What should your CRO do for your bank?

An effective CRO speaks clearly, in language the CEO, other senior managers, and members of the board understand.

But mostly, he or she builds collegial trust.  That means using well honed listening skills, understanding the goals and objectives of the bank and its managers, and communicating that understanding clearly.

Identifying acceptable risk levels in light of the potential rewards and building consensus within the management team is mandatory for ERM to meet its value -creation expectation.

No shortcut will achieve this. So a successful CRO will likely spend significant effort building consensus within the management team.

CROs are also often challenged by having too much data and yet not enough information across the enterprise. Even within risk silos, such as credit, obtaining consistent data, coordinating it, and capturing sufficiently accurate historical data is an expensive, time-consuming undertaking. This is especially true of banks of $10 billion in assets or more, as they are subject to ERM standards mandated by the Dodd-Frank Act.

The banking industry itself suffers from a paucity of data regarding correlations among the risk categories. This is true primarily because the riskiest assets on the balance sheet typically are loans to private companies, often operating in regional or local markets. When building an ERM program, assumptions and judgment are necessary, along with an ongoing, consistent measurement program.

How is “risk appetite” established?

After much initial work, the bank will adopt a risk appetite statement, which sets forth acceptable risk levels in all lines of business and significant activities.

The CEO and the CRO often may be the only members of senior management whose job it is to manage to enterprise level results, and to be held accountable for them. It is the CRO who is charged with depicting a comprehensive, horizontal view of risk and weighing that view against the expected rewards.  Broadly, this is where the executive team and the board will direct much of their energy, analysis, discussion, and debate.

Reaching consensus at this level is not only critical to the success of an ERM program, but also critical to the success of the bank itself.

The outcome of this process will depict an appropriate balance of risk and reward across the enterprise. It is inherently tied to the strategic plan of the bank, and can only be done well when it is integral to the formulation of that plan. 

Warning: When risk issues are tacked onto a plan that is developed in other ways, it is more likely that the ERM program will be the subject of conflict within the management ranks, if for no other reason than consensus building was not done up front.

How does a CRO succeed for your bank?

To achieve these outcomes, a CRO needs to be candid and realistic.

Listening, communicating, and behaving as a valued business partner with colleagues are behaviors calculated to achieve quality results and to build sustainability.  Lack of repercussions for concerns raised in good faith needs to be part of the CRO’s and other management members’ behavior patterns.

But a CRO, no matter how fully she or he demonstrates these behaviors, cannot run a successful program without a committed CEO, who should allow the CRO to function in a reasonable, independent, but collaborative manner. 

That often requires a sense of self assurance grounded in reality, and even a touch of bravery.  No matter how well a CRO does the job, the leadership necessary to make an enterprise-wide program work can only come with active commitment on the part of the CEO.

Part 2: Where should ERM live?