As the credit crisis slowly recedes, additional and more complex risks pose a significant governance challenge for banks and other financial institutions. A competitive global marketplace, stricter legal requirements, shorter product cycles, complicated business transactions, and the explosion of technology have fueled the exponential growth of banks’ risk exposure.
One simple, undeniable reality confronts financial institutions: The future is inherently unpredictable. And unanticipated events will occur. Thus risk can never be reduced to zero. The collapse of several high-profile organizations during the crisis served as a wake-up call.
In response, U.S. and international regulators are expanding their oversight of risk management practices, and it has become more important than ever for a bank to have an effective program in place.
But organizations can achieve more than compliance alone. Properly implemented, an enterprise risk management (ERM) program can become a strategy rather than merely a defense. The competitive advantage lies with organizations that fully develop and implement efficient and effective ERM programs that allow them to anticipate, confront, and ultimately exploit risks to their advantage.
Getting all the juice from the orange
Every financial institution faces the need to balance its investment in compliance with investments that contribute to performance. This is particularly true in today’s environment of compressed margins and increased competition. To enhance return on designing and implementing ERM, boards and executives must focus on essential questions about risk, including:
• What are the most critical risks facing our institution today?
• What are the emerging factors that will drive our financial institution’s risks going forward?
• What level of resources should we allocate to managing our risks? And are our resources allocated to the highest risks that our company faces?
• What is the potential financial impact of our most significant risks?
• What is our risk appetite and our risk tolerance? (Further on, we will demonstrate why these are not the same thing.) And do these factors parallel our business strategy?
• Is risk a consistent element in the decision-making process for senior leadership and the board of directors?
• How can we take advantage of risk to enhance our performance?
A top-down integrated view of risk
Bankers are in the business of taking risks. Senior leadership in financial institutions often focuses on specific areas of risk, or silos. Thus, these risks are evaluated using a bottom-up approach and are not considered from an enterprise perspective.
This bottom-up approach often leads organizations to underestimate the effects of certain risks. For example, when banks think about credit risk, they often think of credit risk in the lending portfolio. As the credit crisis demonstrated, many investment portfolios contained significant credit risk as well. Thus, some organizations underestimated the effect on their institutions of the decline in home values and the increase in delinquencies.
Using an effective ERM assessment process, banks can aggregate their risks across business units from the top down, from a point of view that leads to an understanding of the risks throughout the organization. This more accurate and comprehensive information can be used to reduce surprises and make better strategic decisions. In turn, this perspective can enhance profit and return on investment.
Communicating the ERM message
Despite the industry’s heavy regulation, each financial institution is unique.
To effectively provide an understanding of the risks of a particular financial institution, then, the ERM program must be integrated with the institution’s particular strategy, culture, and objectives, and this message must come from the top. Leaders must convey why ERM is valuable to the institution. A key message: ERM improves management’s ability to deal effectively with uncertainty.
Assessing and mitigating risks uniformly and continuously can help to insulate the bank from risks that rob stakeholder and shareholder value and limit the achievement of essential performance objectives.
The organization also benefits from an improved capability to make strategic choices by anticipating and planning for the impact of risks on decisions, and to manage and mitigate those risks in a manner calculated to gain the greatest benefit for the organization.
Enhancing and clarifying ERM
Those attempting to implement ERM in their institution often have done so without clear guidance on how to build a successful program.
A review of ERM initiatives reveals common ambiguities, including:
• No standard ERM road map for organization-specific implementation
• Multiple definitions of ERM
• Inconsistent terminology, concepts, program components, and levels of executive commitment
• No standard tools, technology, or applications
• Difficulty in demonstrating the value of ERM to the organization
To enhance return on ERM, it is important that the ERM function include:
• A formal, documented risk management process
• A documented risk universe
• An understanding by the board and senior management of the institution’s most significant risks
• An accounting of risks during decision-making processes
• Clearly defined risk ownership that is commonly understood across the organization
Accelerating ERM performance for increased return
With an ERM foundation in place, how can management create additional return on its ERM investment? The following actions can help institutions to advance their ERM agendas:
1. Establish an enterprise risk governance policy
An enterprise risk governance policy articulates the underlying value of the ERM initiative and communicates the essential elements of ERM to everyone in the bank.
The policy should define:
• Key roles and responsibilities related to implementing and maintaining ERM
• Reporting requirements
• Fundamental processes and methodologies such as risk assessment, risk definitions, and risk reporting
• Risk governance criteria
2. Establish risk governance practices and structure
Executives and board members must apply certain practices when prioritizing risks and allocating resources to ERM. Risk governance practices should take into account the individual characteristics of the institution, including its market, competition, culture, and regulations, as well as the pace of change in the operating environment.
A bank's risk governance practices stem from many factors, including the following:
• Risk culture. The attitudes, values, and beliefs of the bank that guide growth, risk, and desired returns. The culture influences how risks are assessed, how regulations are adhered to, and the ways the organization responds to risk.
• Risk appetite. The type and total amount of risk the institution is willing to take in pursuit of its business objectives.
• Risk tolerance. The level of variance the bank is willing to accept with regard to the impact of a specific risk on the achievement of business objectives. Risk tolerance defines the parameters within which a specific risk must be managed.
• Existing organization structure and management capabilities. The risk governance structure should take advantage of and enhance the bank’s existing risk management capabilities and tools.
3. Continually assess and verify enterprise risks
It is essential for a risk inventory and assessment to be completed and the results confirmed with executive team members, who must have a common understanding of, and agreement on, the definitions of each risk.
The assessment should include consideration of external threats that could give rise to previously unanticipated events. Management should continually update the risk inventory to incorporate environmental and internal changes. The process should rigorously explore the interrelationships among the institution’s risks and the compounding effect of multiple risk events.
4. Develop risk treatment plans
Bank management should develop an appropriate plan for treating each risk identified as high priority or significant to the institution. A risk treatment plan should include the following components:
• A strategy for managing the risk. In selecting a strategy for addressing a particular risk, management should consider how much of the risk the bank could absorb without impeding the achievement of its business objectives while also staying within regulatory guidelines. It is necessary to take into account the institution’s risk appetite and tolerance when allocating resources to the treatment strategy.
• Risk drivers and root causes. Risks do not exist in isolation from one another. For example, a bank’s reputation can be affected by customer service breakdowns that might be the result of inadequate skill levels due to insufficient training. The risks associated with reputation, service quality, human resources, and insufficient training are dynamic as well as interdependent. To treat and mitigate the risks effectively, there should be a complete view and understanding of the interactions and dependencies among the risks.
• An action plan. Once critical risks are identified, it is important to establish an action plan that can be applied consistently across the institution. The action plan should examine:
• Current risk management practices
• Risk treatment strategy
• Risk drivers and root-cause analysis results
• Risk performance measures and leading risk indicators
• Contingency steps for addressing the risk
• Responsible parties
5. Design and adopt an ERM framework
The ERM framework spells out how the bank intends to carry out its program, provides the structure necessary to support effective risk management, and enables the consistent application of ERM practices.
One ERM framework recognized by regulators is that of the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Any framework must be sustainable and supported by the five elements that constitute a framework’s foundation:
• Appropriate infrastructure (staffing, risk monitoring data, and leadership)
• Effective risk management culture
• Link to strategy
• Transparency to internal and external stakeholders
• Change management systems
6. Report ERM information
Communication is vital to an effective risk culture and an essential component of an institution’s risk resilience.
For example, the board and its committees should receive status information related to the risks that have been recognized as significant. Board members will then use the data for carrying out their risk management oversight responsibilities. They will accomplish their responsibilities through assessing the application of, and adherence to, the bank’s risk appetite and strategy.
Managers and process owners rely on risk information to carry out their specific risk monitoring and management responsibilities. Access to risk intelligence empowers every member of the institution to be a risk manager. The format and content of reporting should vary depending upon a financial institution’s governance structure and particular needs.
About the authors
Jennifer Burke is a partner with Crowe Horwath LLP in risk consulting and is based in Lexington, Ky.
Marc Dominus is with Crowe in risk consulting and is based in Dallas.