Wikipedia defines enterprise risk management (ERM) as “something that is used in business that includes the methods and processes used by organizations to manage risk and seize opportunities related to the achievement of their business objectives.”
The banking regulatory community used to give a “pass” on having a formalized and documented ERM program, but the tide has changed. In today’s banking environment, the larger institutions (defined here as institutions with greater than one billion dollars in total assets) are often asked by the regulators to provide copies of their ERM program documentation—not only the output, but also the input and documentation on how conclusions were reached.
Simply stated, a traditional ERM program is a holistic process in which an organization evaluates and manages risks. An ERM program helps an organization perform an in-depth look at internal controls, prior-year findings and current regulatory pronouncements to determine depth of exposure.
Most regional and community banking organizations don’t have access to the human capital and organizational structure to build an effective ERM program. These organizations should not rely on the recent regulatory reform as an excuse to not implement ERM practices. Developing an ERM program is considered a best practice and can help an organization not only identify and manage risks but also achieve its goals.
Having an ERM program is a necessity from a risk management and compliance perspective, as it can help an organization control costs, avoid duplication of effort and ultimately help leadership recognize true risk levels.
Many smaller regional and community banks spend too much time and energy developing their ERM programs, building programs that are predicated on regulations that have not yet taken effect or investing in programs that don’t align with their business goals and organizational structures. Needless to say, programs developed in this manner aren’t cost effective or efficient in risk identification and measurement.
Not having an ERM program or dedicated ERM practices can lead to poor examination results regardless of the institution’s size. The larger the institution, the higher the scrutiny and risk of potential fines. Therefore, using ERM practices (formal or informal) can increase an institution’s profitability and help the institution deal with risk, control and governance issues as seen by its customers and regulators. Before embarking on a new initiative, institution leadership should consult the bank’s ERM program to assess how the new initiative will affect banking operations and the risk profile. In this way, institution leadership can shift its view of ERM from a cost center to a value-added program.
A great way community and regional banks can start to identify elements of an ERM program is to first assess how they handle the following:
- Third parties used in the conduct of day-to-day bank operations. For example, technology providers that handle the core system or other vendors providing critical functions.
- Bank Secrecy Act and anti-money laundering (AML) procedures. For example, has the AML system been validated to ensure it’s providing accurate data?
- The regulatory “alphabet soup.” For example, who’s responsible within the organization for understanding and maintaining compliance with the various regulations, and are they appropriately trained, with adequate resources?
- The disaster recovery plan. For example, has the plan been tested sufficiently for several types of disasters?
Waiting until regulators force you to implement an ERM program is not the ideal strategy. Instead, recognizing the benefits of an ERM program and implementing it with appropriate resources and “buy-in” from leadership will help you identify risks, the organization’s appetite for those risks and how to achieve strategic initiatives. Even employing certain ERM best practices—rather than a full implementation—can provide many benefits and increase your credibility with regulators.
A little effort goes a long way!