Growing Your Organization to Think Differently About Enterprise Risk

Meeting the Demands of Regulatory Expectations and Satisfying the Shareholder 

Introduction

The recent Federal Reserve request for comment on January 6th, 2012 [enhanced prudential standards and early remediation requirements for covered companies], greater examiner focus on risk management, and seminars on Enterprise Risk Management [ERM] all mean that the balancing act between risk and reward is a critical factor for every financial institution.

We must rethink and strengthen our corporate governance, incentives, and internal control structures, with a new emphasis on measuring and monitoring risk elements and on creating an infrastructure for identifying and addressing emerging trends in risk.

Enterprise Risk Management Defined (It is still risk management by another name.)

What is Enterprise Risk Management? Enterprise Risk Management (“ERM”) is a process that enables management to deal effectively with uncertainty and the associated risk and opportunity, enhancing the capacity to build shareholder value. At the heart of the ERM program is the Board’s oversight responsibility for assessing and monitoring risk exposures. The Board is required to provide directives clearly stating the institution’s risk-bearing appetite and the evolving nature of that appetite as economic and industry conditions change and as the institution embarks on new ventures and adjusts the appetite over time. Surveys confirm that 83% of today’s institutions have increased Board oversight. The Board appoints a risk management committee to: monitor and analyze its risk appetite; make changes as the business model changes; and communicate the risk appetite to the Board and ultimately throughout the organization. Strong and effective oversight of the organization is one of the most fundamental requirements of prudent risk management and is essential

Risk Governance (The new and improved version.)

“The bank believes that it is in the best interest of the Board, management, shareholders, depositors and the banking community to establish clear and meaningful risk limits to serve our customers and generate a reasonable rate of return. The reasonable risk limits ensure the bank will operate in a safe and sound manner. The Board has set forth policies and measures {the Program} in order to effectively guide management to meet strategic objectives. The Program will be periodically reviewed and adjusted for changes in economic, competitive, and regulatory conditions. The intended purpose of this statement is to affirm the Board’s commitment to: providing appropriate oversight and governance; establishing risk limits and tolerances; implementing adequate monitoring methods; and creating a risk awareness environment to serve our shareholders, customers, and communities.”

Risk Appetite Statement (How much risk do we want to take on?)

The risk appetite is the collective measure of the Board’s willingness to take risks in the pursuit of strategic objectives, and the Board must ask the question “How much risk are we willing to accept?” After answering this question, the next step in the ERM process is for the bank to declare what the risk appetite is by making a “risk appetite statement.” We have included a sample risk appetite statement, which may be modified to reflect the risks and complexity of your bank.

“The bank believes that it is in the best interest of the Board, management, shareholders, depositors and the banking community to establish clear and meaningful risk limits to serve our customers and generate a reasonable rate of return. The reasonable risk limits ensure the bank will operate in a safe and sound manner. The Board has set forth policies and measures {the Program} in order to effectively guide management to meet strategic objectives. The Program will be periodically reviewed and adjusted for changes in economic, competitive, and regulatory conditions. The intended purpose of this statement is to affirm the Board’s commitment to: providing appropriate oversight and governance; establishing risk limits and tolerances; implementing adequate monitoring methods; and creating a risk awareness environment to serve our shareholders, customers, and communities.”

Risk Components (What do we measure and how?)

The components of the risk appetite are not one size fits all. The Office of the Comptroller of the Currency (“OCC”) handbook highlights the risk areas of: credit; price; interest rate; liquidity; reputational; operational; compliance; and strategic. The syntax will need to be a common language for discussion. You will be required to define different levels of impact, and each one could have a unique risk profile. For example, the OCC handbook identifies specific indicators for assessing the quantity of credit risk. This is a good starting point from which to assess your credit risk: low; moderate; or high. Another important area of credit risk management addressed in the OCC handbook is “Loan Portfolio Management”. The OCC provides the quality indicators: strong; satisfactory; or weak. The review of all the risks and the appropriate qualitative and quantitative measurements is generally summarized in an institutional risk matrix. Our sample matrix provides a risk profile for the organization.

Risk Assessment (How we measured and judged the risk.)

[Figure: Risk Assessment (sample only), Institutional Risk Matrix]

Risk Monitoring (It is dynamic, not static - be interactive.)

We have discussed governance, a risk appetite statement, and the components of a risk assessment, and provided samples of a risk assessment matrix that measures the overall organizational risk profile. The identification of the qualitative and quantitative measurement tools is unique for each organization and is intended to be consistent with the strategic plan. Once this framework is created, the monitoring and updating is often overlooked and is frequently an area of regulatory comment. The frequent engagement of the Board and CRO to monitor risk through the assessment of performance against risk tolerances and limits creates the link between the overall strategic goals. Enterprise risk management software generally guides the organization’s participants through these processes for effective monitoring and measurement. This makes the Board aware of different scenarios and events through a risk dashboard and can explain the implications on risk.

Risk monitoring processes take a variety of forms, but all require strong assessments, mitigation strategies, and an understanding of the numbers that are being presented and how they make sense in light of the company’s strategy and mission. In particular, the central role of the Board is to determine whether the risk appetite needs to be adjusted in light of the current environment and the stress case scenarios. A sample of a risk response quarterly update provides a guide for quarterly reporting and is an effective tool for discussion and direction.

[Figure: Quarterly Risk Response]

Your update to a quarterly risk review by the Board’s risk committee will require documentation, and our sample captures the needed information. What is the risk? Who is responsible? How do we rate the risk? What is the trend of the risk (emerging/declining/stable)? How do we respond to the risk?

How effective are the risk mitigation strategies? Do we need to provide an explanation of strategy to mitigate risks which may be outside the bank’s tolerance? What is our objective over the next time horizon (quarterly)?

Conclusions (There are many- it is governance that matters most.)

The financial crisis has changed how we view risk and how we choose to approach and control enterprise risk management (ERM). Boards must determine the risk appetite, document it, quantify it, and then act on it. Management must be accountable for ensuring compliance with the organization’s risk appetite. The Enterprise Risk Management internal environment involves objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring. We will cover additional aspects of Enterprise Risk Management (ERM) in future publications.

