By Harvey Johnson, CPA, CGMA, Senior Manager
As Published in Inside Business
Financial institutions – for right or wrong – have been directly tied to the systemic problems of the economic crash and the Great Recession that followed. As a result, banks have had a renewed focus on effective risk management.
In the wake of all this, financial institutions have turned to a concept called Enterprise Risk Management, or ERM, to help provide a holistic view of the risk that affects their organizations. The concept of ERM actually started in the mid ’90s, but outside of Fortune 500 companies it never really took off, mainly because there wasn’t much guidance on how to build an ERM program. The same holds true today. There is no regulatory guidance on ERM, so many banks are turning to consultants to help them.
As ERM consultants are keen to note, putting an ERM program in place may not be as hard as you think. After all, banks and credit unions have been tracking various risks for years in some form, even if it’s with a fragmented, silo-bound sort of method. Getting an ERM program started may be as easy as taking those risk processes you already have in place and tying them all together into a cohesive system.
Here are some of the most common pitfalls, followed by five strategies for building a successful ERM program.
- Lack of cultural change. It’s a journey, not a destination. ERM has to be ingrained into the culture of the institution.
- No backing from senior-level management. If the CEO thinks it’s important, then it becomes important to everyone else.
- ERM is only seen as a compliance requirement. Product/service risk assessments are generally viewed as a compliance requirement, so they only get updated once a year and there is little value placed on what the actual assessment means. Asking a financial institution to do “another” risk assessment isn’t exactly at the top of their list of favorite things to do.
- Lack of board involvement. Many boards are already overwhelmed with regulatory requirements and reporting. As a result, the last thing on their minds is asking for more information.
- Risk is viewed in silos. Most risks are inter-related, meaning they affect many different aspects of the organization, crossing over operational, compliance and strategic risk initiatives. The current risk assessments being done by banks are usually viewed in silos versus an integrated approach.
- Complexity – too many risks and threats to manage. You can come up with an infinite number of risks and threats if you think long enough about it. Given there is little to no guidance on how to implement effective ERM programs, the key is to focus on significant risks that affect the institution.
- Unrealistic project deadlines. Don’t think an ERM program can be built from the ground up by the end of the next quarter. Establishing an effective ERM program can take anywhere from 18 to 36 months.
- ERM is outsourced. Unfortunately, there is no turn-key, ready-made solution to simply pull off the shelf and implement. But using automated tools can help reduce the time and effort spent on risk management, especially if the tool is integrated across the institution.
Now that we’ve addressed the pitfalls, let’s shift attention to some best practices for an effective risk management program.
- Define (and understand) your board’s risk appetite. While this sounds pretty simple, it’s not as straightforward as you think, especially given that risk appetites change. Most board members, when asked, will probably tell you their risk appetite has changed a bit since the current economic downturn. Most board members are a little more risk-averse and conservative than they were five years ago.
- Define an assessment methodology that utilizes a common language to assess risk. As stated earlier, banks and credit unions have been assessing risk for years. The challenge is that it has been done in a fragmented, siloed way. Many risk assessments are done with completely different approaches and do not consider the impact they have on other areas of operations, governance and compliance, making it difficult to provide a holistic view for management. The key is to use a common methodology and language to assess risk. A consultant typically asks that you measure the inherent risk (what could go wrong) against the control risk (the procedures you have put in place to make sure things don’t go wrong). This yields a residual risk rating that can be applied across all areas to begin integrating the risk assessments.
- Build the program from the bottom up to ensure all threats and risks are considered. Think of your bank as a house. Your risk management program is like the roof on your house – it protects your institution much like a roof protects a house from the elements and other negative outside forces. But you didn’t build a roof and then build the foundation of your house. Rather, you built the foundation from the bottom up. The same goes with your risk management program. You want to build it from the bottom up to ensure all threats and weaknesses have been identified.
- Centralize an inventory of people, business processes, and technologies. Every product or service a bank offers is either provided by or supported by people and technologies. There is just an inherent correlation between the three. Have a central inventory that allows the organization to better understand the risks and controls related to them.
- Automate and integrate. Eliminate the “silos” and manual processes you have been accustomed to and automate the process in order to gain efficiency and leverage on the natural integration between operational areas. This allows management to focus on “running” the bank versus wasting time on a manual process that will most certainly be viewed as a compliance requirement (see pitfalls above).
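As an added example (not from the article or from PBMares), the following Python risk register shows how a common assessment language, a residual risk rating, a central inventory and a board-set risk appetite fit together. The 1–5 likelihood and impact scale, the 0–1 control-strength scale, the formula residual = inherent × (1 − control strength), the low/medium/high bands, the appetite thresholds and the sample risks are all assumptions made for the illustration, not a standard the article prescribes.

```python
"""Added example: a minimal ERM-style risk register (illustrative, not from the article).

Every silo (operational, compliance, strategic) rates its risks on the same
scale, each risk is tied to the inventory items (people, processes,
technologies) it touches, a residual rating is derived from inherent risk
and control strength, and anything above the board's appetite is flagged.
"""
from dataclasses import dataclass

# Assumed common language: likelihood and impact on 1..5, control strength on 0..1
# (0 = no control, 1 = fully mitigated). Assumed formula:
#   residual = inherent * (1 - control_strength), where inherent = likelihood * impact.


@dataclass(frozen=True)
class Risk:
    name: str
    silo: str                 # "operational" | "compliance" | "strategic"
    likelihood: int           # 1..5
    impact: int               # 1..5
    control_strength: float   # 0.0..1.0
    inventory: tuple = ()     # people / processes / technologies this risk touches

    def __post_init__(self):
        # Enforce the shared scale so every silo's numbers mean the same thing.
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.name}: likelihood and impact must be 1..5")
        if not 0.0 <= self.control_strength <= 1.0:
            raise ValueError(f"{self.name}: control_strength must be 0..1")


def inherent_risk(r: Risk) -> int:
    """What could go wrong, before controls: 1..25 on the assumed scale."""
    return r.likelihood * r.impact


def residual_risk(r: Risk) -> float:
    """Inherent risk after the controls in place (assumed formula)."""
    return round(inherent_risk(r) * (1 - r.control_strength), 2)


def rating(score: float) -> str:
    """Assumed bands on the 0..25 residual scale."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def assess(risks, appetite):
    """Return (records, breaches). `appetite` maps silo -> max acceptable residual."""
    records = []
    for r in risks:
        res = residual_risk(r)
        records.append({"name": r.name, "silo": r.silo, "inherent": inherent_risk(r),
                        "residual": res, "rating": rating(res), "inventory": r.inventory})
    breaches = [rec for rec in records if rec["residual"] > appetite[rec["silo"]]]
    return records, breaches


def inventory_exposure(risks):
    """Roll residual risk up by inventory item, so a system or team that several
    silos depend on shows its combined exposure instead of one slice per silo."""
    exposure = {}
    for r in risks:
        for item in r.inventory:
            exposure[item] = round(exposure.get(item, 0.0) + residual_risk(r), 2)
    return exposure


# Constructed sample register: illustrative values only, not real data.
SAMPLE_RISKS = [
    Risk("Wire transfer fraud", "operational", 4, 5, 0.5, ("Wire desk", "Core banking system")),
    Risk("BSA/AML filing lapse", "compliance", 3, 4, 0.75, ("Compliance team", "Core banking system")),
    Risk("Core system outage", "operational", 2, 5, 0.5, ("Core banking system", "IT operations")),
    Risk("Loan concentration in CRE", "strategic", 3, 5, 0.2, ("Lending team",)),
]
# Assumed board appetite: maximum acceptable residual score per silo.
SAMPLE_APPETITE = {"operational": 8.0, "compliance": 5.0, "strategic": 10.0}

if __name__ == "__main__":
    records, breaches = assess(SAMPLE_RISKS, SAMPLE_APPETITE)
    for rec in records:
        print(f"{rec['name']:<28} {rec['silo']:<12} inherent={rec['inherent']:>2} "
              f"residual={rec['residual']:>5} {rec['rating']}")
    print("Above appetite:", [b["name"] for b in breaches])
    print("Exposure by inventory item:", inventory_exposure(SAMPLE_RISKS))
```

Because the operational, compliance and strategic entries share one scale, the breach list and the per-item exposure can be read side by side; the Core banking system row in the exposure output is the kind of cross-silo view a fragmented set of assessments never produces.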
If done properly, an effective risk management program can provide banks with a real strategic advantage over their competitors. Major benefits of an effective risk management program include: (1) identifying areas for potential operational losses; (2) identifying and reducing the cost of compliance; and (3) the ability to link strategic goals to business practices. All of these help ensure the financial stability and the safety and soundness of the institution.
Harvey Johnson is a senior audit manager and is an active member of the Financial Institution Services Team at PBMares, LLP, a regional accounting and consulting firm serving clients throughout the mid-Atlantic. Contact him at email@example.com or visit www.pbmares.com.