Where should ERM live?

In the first part of this series, “Getting started right in Enterprise Risk Management,” we discussed the various expectations of an ERM program, and how a CRO might approach fulfilling them. Now we will consider governance of the ERM program within the organization.

Plainly, appropriate governance ultimately varies directly with what management and the board expect of the ERM program.

Previously, we expressed the view that ERM should be made an integral part of strategic value creation.

We came to this conclusion because of the inherent leverage in the banking industry. Simply stated, staying sufficiently solvent during bad times to avoid the necessity of raising capital when stock values are depressed is essential in a leveraged—and regulated—company.

Working from that overall premise, what does good ERM governance look like?

ERM in the boardroom

Starting at the board level, it is accepted that risk oversight is an essential responsibility of the board. This is derived most directly from the governance of risk expected by regulators, and may be associated with the fiduciary obligations of the board under state corporate law.

Like many of its other responsibilities, the board can—and should—rely on committees of its members to assist in carrying out the board’s responsibilities. The first practical issue, then, is whether there should be a separate risk committee, and where does it best fit in an existing committee structure.

Banks have made various choices along the way, but there is a clear trend to establish a Risk Committee of the board. To avoid simply adding one more committee, the board may consider expanding the responsibilities of an existing committee so that it can function to oversee the ERM program. The usual candidates for this expanded role are the Audit Committee, the Loan or Credit Committee, and ALCO. Let’s look at each one in turn.

The Audit Committee is primarily charged with overseeing the financial reporting of the bank, including oversight of external or other required audits. It also prominently oversees the internal audit function, and very often compliance activities.

Its view of risk is therefore concentrated on internal controls over financial reporting and operational controls. It is also a workhorse of a committee to serve on, with many significant legal and regulatory responsibilities within its existing mandate.

The Loan or Credit Committee has several responsibilities, depending upon the size and complexity of the bank. In many community banks, this committee considers individual loans for approval. It also is the working committee to authorize or recommend loan policies.

Finally, as banks begin to look more at diversification and other risk limits within the loan portfolios, the committee is the natural place to report and discuss such issues. This process tends to focus on the loan portfolio by itself, perhaps considering funding from loan customers, but does not typically look at the overall balance sheet structure of the bank.

That role typically falls to ALCO—the Asset/Liability Committee, which oversees market risk.

In most community banks market risk is composed of interest rate risk and liquidity risk wherever it may arise. ALCO will therefore take a comprehensive view of the balance sheet, including earning and non-earning assets of all types, along with deposits, borrowings, and other funding mechanisms.

It must also understand the dynamics of the income statement of the bank to carry out its responsibilities. As a result, it is likely to be the existing committee with the most comprehensive view. Further, if the bank has already begun capital stress-testing, as most banks have, it is typically under the oversight of ALCO.

Working on the idea that ERM should be an integral part of enterprise strategy and value creation, it is natural to view ALCO, with its existing enterprise-wide view, as the most logical place to oversee an ERM program. Selecting ALCO as the Risk Committee does not alter the responsibilities of any of the other committees. So the Audit Committee will continue to focus on operational risk and the Loan Committee on credit risk in the loan portfolio.

ALCO will take that, together with its view of market risk, and functioning as the Risk Committee, integrate it into an overall view of enterprise risk.

Outside the lines

Included in an enterprise-wide risk management program are several elements that typically fall out of the scope of any of the existing committees.

One of them is reputation risk, which may arise from any of the bank’s activities. Another is strategic risk, which cuts across all risk categories. Finally, there is the correlation among and between the risk categories, which by its nature can only be viewed on a comprehensive basis.

For a Risk Committee to function well, it is worth considering selecting at least one board member from each of the Audit Committee and Loan/Credit Committee to also serve on the Risk Committee. The view those board members bring from the more in-depth views of risk within each category will enhance the effectiveness and efficiency of the ERM governance and oversight process.

Who runs the meetings?

The CRO is typically the most suitable member of management to lead the Risk Committee. Due to the ALCO oversight responsibilities, though, the CFO is typically a joint leader during a committee meeting.

Management will also likely want its Chief Credit Officer, Chief Operating Officer (or senior operations officer in charge operations), and perhaps the Chief Internal Auditor, to partake in these meetings.

And perhaps better than any other board committee, the CEO will find these meetings as a great platform to discuss strategic initiatives.

In the conclusion next week Dan Rothstein will look at what management and the board should be hearing from the Chief Risk Officer.