ERM: Getting it, and getting it right

By Jeffrey Reynolds, Darling Consulting Group

Risk management at community banks has grown in leaps and bounds as regulations multiply and compliance issues evolve. We have witnessed the emergence of the Chief Risk Officer, formation of new risk committees, and a litany of new concepts that management teams need to address and boards need to understand.

ERM (Enterprise Risk Management) is a notable concept that has increasingly grabbed the attention of many directors. But there is much confusion over what ERM is, what it is not, and how to tackle it. A number of bankers and industry experts in the “ERM space” helped influence this article that I hope will serve the reader well as to what to expect if looking to move further down this avenue of risk management.

What Webster’s says versus reality

Before you start with ERM, you have to define it. If it were only that easy to nail down the definition of ERM—but it is not. A global definition that many initially come to is as follows:

“ERM is a holistic look at and the management of all potential risks that affect your financial institution.”

Sounds great in theory. What about in practice?

The definition above presents a daunting task if you take it in the literal sense. “All potential risks” is a broad topic base that immediately paralyzes bankers as they move down the ERM discovery road. And the further you peel the layers of the onion, the more you cry at the tedious nature of the work ahead in trying to measure and manage “all potential risks.”

Very quickly one finds a need to be a bit sharper with their definition of ERM.

“Happiness is…”

Defining ERM is like defining happiness, as many struggle with figuring out what happiness is.

People see advertisements for products that might make them happy, and perhaps spend the money … only to find themselves still unfulfilled. They envy friends that appear happy, seek answers from them as to how they found happiness, and find themselves dismayed when yoga or some other factor does not have the same life-changing impact on them as it did their friends.

So then they seek the counsel of experts and “gurus” who have guided many through a journey of enlightenment on a quest for happiness (or so they would have it).

They attend seminars, buy books, and hear testimonials.

Through all this, one thing becomes very clear: Happiness is not the same for me as it is for you. Nor is it the same for me today as it was 20 years ago. And what drives happiness today will likely not be what defines happiness in a year or two.

Because of this, happiness cannot be bought off the rack.

Much is the same with the process for defining ERM for your institution.

You never start ERM from scratch

Long ago realizing that trying to be everything for everyone is a losing proposition, most community banks have some sort of niche in the financial services space. This is good, because it allows you to filter what ends up in your “risk assessment net.”

Logically, you would not want to waste your time on dissecting the potential risks of the indirect auto lending business if you do not participate in it.

Conversely, if your bank carries a high percentage of total loans in investor property lending, you likely already have a fairly robust set of risk management practices established for it. I would say it is safe to assume that if you did not, you would already have been advised to “step it up” by your regulator.

Community bankers do not ignore risks. They understand that doing so could harm customers, investors, and the community in which they operate.

The reality is there are numerous risk management practices occurring continuously throughout all banks.

Another reality is that the nature, breadth, and depth of these practices vary greatly.

So what is the buzz on ERM all about if risk is already being measured, managed, and reviewed for the bank in general and the more critical risk areas in particular?

Interconnectivity of risk

Now, this will seem out of left field, but that’s my point:

Can interest rate risk result in employee fraud?

When asked, I scoffed at the question.

Yet a colleague made a compelling case that rate-risk could spur fraud. He made an interesting observation about the effect of flat yield curves (one flavor of interest rate risk) on bank safety and soundness.

When yield curves flatten, the return on the carry trade (buying money short and lending/investing long) that drives so much of a community bank’s profitability diminishes. The potential for increasing credit risk, taking on more interest rate risk, or outright fraud to meet earnings needs/share holder demands intensifies.

In this example, you can see how fibrous the interconnectivity of risk is. Interest-rate risk drives earnings lower. Lower earnings amplify investor displeasure, compelling management to take action they otherwise would not. Perhaps they drop underwriting standards or just fudge property appraisals to make the numbers work to get higher-risk deals done.

There is a good chance that the interest rate risk management directive of the asset/liability committee identified the flat yield curve as an issue. However, connecting the dots to a fraud scenario is not typically considered until after it happens.

Why? Risks are often viewed in their “silo” and with little regard to how one risk element can impact others.

This awareness of the interconnectivity of risk is where ERM comes into play.

Where do you begin?

Start with a large segment of your business and ask the questions: What could go wrong and how could it damage the organization? What is the probability of those scenarios unfolding? What are the road markers that might indicate that the scenarios are becoming more probable?

These are the building blocks of the ERM process—the assessment of event impact, the probability of occurrence, and the effective monitoring of telltale signs that a harmful risk event is increasingly probable.

Some banks have found it useful to start with exercises such as this:

Ask the management team to meet with their departments to ask a simple set of questions regarding the day-to-day operations for each major product, service, process, reporting activity, etc.

• What keeps you up at night?

• What worries you?

• Where could Mr. Murphy of Murphy’s Law fame be lurking?

Simple questions to get discussions and “thinking” in motion throughout the organization. What would you do differently? Cataloguing and organizing this feedback can be an insightful and highly useful starting point for framing a more formalized ERM process for your organization.

Very quickly you can break down risk drivers into two categories.

1. Financial risks: Specifically this includes credit, interest rate risk, and liquidity. Two formal committees (credit and asset/liability) manage them.

2. Operational risks: These are more management related. Examples include technology, legal, regulatory/compliance, strategic, and reputational. Management of these issues has tended to be addressed on an ad hoc basis over time, and responsibilities for administering them have tended to be dispersed throughout the organization.

One of the drivers behind the emergences of the Chief Risk Officer has been to centralize and bring accountability to this process.

Through the assessment and cataloguing process, the connectivity of risk becomes apparent. So too is the potential severity of impact and probability of scenarios that can present problems for the bank. Risk management priorities become clearer.

The Process vs. the Dashboard

When interviewing bankers to gain perspective on ERM, those with quality established programs conveyed similar stories about their own discovery process. There tended to be an initial focus on the communication tool for capturing risk (commonly a dashboard or heat map). Further in the discovery phase it became clear that while the way risk levels are monitored and communicated is important, the value in the exercise was in the process.

Said differently, ERM is not a risk management mousetrap. ERM, like happiness, is a mindset.

It is about the awareness of risk, and using that awareness to help drive strategic plans (e.g. capital allocation for different business lines and resource allocation). It requires organizational commitment. And for it to be truly useful, the end of the line impact of the falling risk dominos within the ERM process has to be on capital.

Purchasing tools to assist in the risk assessment and cataloguing process can make a daunting task easier. A colorful “dashboard” can help make trends and risk hot spots easier to identify. But don’t let technology and reporting fool you. The real value of ERM is in the process, and that process will evolve as your business grows and changes over time.

Accordingly, ERM is not something a CEO can “check off” as being done. Instead, ERM is a continual work in progress.

About the author

Jeff Reynolds is a managing director at Darling Consulting Group. After serving as an auditor in the insurance and banking industries, Jeff joined DCG in 1996. His analytical and managerial skills led him on a career path within DCG that culminated in his current role as Managing Director. In this capacity, Jeff’s primary responsibility is advising clients on ways to enhance earnings while more effectively managing their risk positions. He regularly assists clients with strategic and capital planning projects and has also served on numerous due diligence teams for client acquisitions. Jeff is a frequent author and speaker on a variety of balance sheet management topics and has served as a guest faculty member for the ABA’s Stonier Graduate School of Banking.