Enterprise Risk Management (ERM) has been in different stages of evolution. The financial crisis of 2008/2009 changed ERM from a function pressed by the regulators to a strategic attribute for all community banks. ERM should be the risk “pulse” that contributes to the board and management team’s understanding of risk, the setting of risk parameters, the tactical solutions to control risk, and a more effective method of monitoring risk.
Get Out Your Umbrella
Different risks in community banking are interconnected. Yet community bankers often focus on different risks separately. This often happens because it’s the nature of a policy-driven process. However, effective ERM views all the components of risk under a single umbrella.
When community banks were faced with the implosion of Lehman and the earthquake affecting large banks, many risks came into play at once. Reputation risk was at the forefront, with liquidity risk occurring simultaneously. Capital risk was questioned. Credit risk was rising. One could argue that there was also operational/transaction risk as bankers grappled to explain FDIC insurance maximums to customers.
Effective ERM is Proactive
While most banks dealt with this situation reactively, an effective ERM umbrella would have foreseen and dealt with these heightened risks in a more global fashion. This proactive approach would have put the board, the management team, the employees, the customers, and the public more at ease in a very tense environment.
The same could be true of the most recent credit cycle. The fact that so many banks have failed or have been critically weakened during this cycle is proof that there was not effective risk management. The history of this period solidifies the need for strategic ERM.
What Should ERM Do?
An effective ERM program should:
- Assess risk, set risk parameters, monitor risk trends, and create action plans.
- Actively engage the board and entire management team through annual meetings to:
  - Review list of potential risks
  - Add and assess any new risks
- Actively educate the board and the management team on each risk and its interconnection under the entire ERM umbrella.
What is the CEO’s Role in ERM?
The CEO should be responsible for ERM. The CEO can delegate duties of ERM, but the financial crisis has underlined the need for leadership and total understanding of ERM by the CEO.
The CEO should lead the management team in monitoring risk trends and understanding risk. Every management team member should have a working knowledge of ERM and the components of risk, even if the risk is not the direct responsibility of the individual. In fact, management team members should be encouraged to identify risks outside of their direct responsibilities.
The CEO should also be responsible for educating, reporting ERM trends, and presenting the ERM action plan to the board. This should be done on a regular basis, per the board’s desire. The reporting should be concise and easy to follow.
The CEO should consider a dashboard of risk trends displayed on one page. This should be created and maintained in light of the ERM action plan, including relevant strategic documentation.
Where Should the Work of ERM be Placed?
Before the financial crisis, many banks placed ERM under the audit committee. Early versions of ERM had audit-type functions. Post financial crisis, ERM must go beyond audit and function strategically, with active participation between the board and management team promoting risk awareness. Some banks have placed ERM under the asset-liability committee and redubbed it the risk committee. Because of its strategic nature, some banks have ERM under the entire board.
Invite Outside Evaluations
The ERM program should include as much independent outside evaluation as possible. The regulators, auditors, external loan functions, and consulting services ensure against an isolated ERM perspective. Community bank boards should encourage expending resources to provide education and independent points of view.
For instance, we handle the subject matter through a concise ranking system that monitors trends, maintains established risk parameters set by the board and management, and provides an ongoing independent risk evaluation comparing the individual bank to all community banks in the nation in the areas of capital risk, credit risk, interest rate risk, and liquidity risk.
Do Not Limit ERM to Procedures
Many banks have adopted an ERM policy. The policy should not only document risk parameters and procedures, but also the risk philosophy of the board and how ERM will achieve the board’s desire to control risk.
Remember, It’s an All-New Banking Environment
Recent events have forever changed banking as we know it. In that same vein, ERM can no longer be slotted as a regulatory burden or cost. In this all-new environment, it should be considered a strategic initiative to protect the value of each community bank.