Creating Value Through Enterprise Risk Management

September 29, 2011

Co-authored with Nancy Schell

With so much attention focused on the economy, yield curve and the Dodd‐Frank Act, the subject of Enterprise Risk Management (ERM) has not received much attention. ERM has been a Federal Reserve requirement for the nation’s largest financial institutions for some time. Now it is finding its way into the community banking arena. So what is ERM and how might it enhance the management of your institution?

ERM as a methodology to understand and manage risk emerged in the early 2000s in the insurance industry. The financial crisis in 2008 paved the way for broader use of ERM in the banking industry. The Federal Reserve Bank of Cleveland developed a comprehensive ERM framework to provide guidance for banks implementing an ERM process. This framework, while still in the early stages of development, sets out the broad approach needed to build a robust ERM process. The framework addresses a wide range of issues from the integration of strategy and risk appetite to organization, oversight, measurement, response and validation of the process. The current challenge is that the interpretation of this guidance can vary widely among regulators, bankers and industry professionals.

If you have begun the ERM journey, you have no doubt run into the conflicting opinions defining ERM. To clarify: ERM is a very specific and comprehensive management process that links risk AND reward in a dynamic way. It connects your strategy to your risk appetite. It is an assessment of your current risk situation and your decision to accept, reduce or eliminate the level of risk your company (“the Enterprise”) undertakes in pursuit of your business performance objectives.

For example, consider the level of financial performance or “reward” you are expecting to achieve. That can entail any number of performance metrics, such as net income, earnings per share or return on equity. From an ERM perspective, isolating yield on earning assets may be most useful since it highlights the revenue requirement. This leads to the question, “How much risk are you prepared to take in the pursuit of that level of revenue generation?” More simply, what is the level of interest income required to cover operating, funding and credit costs? Factor in the expected profit and achieve some level of relief from noninterest income and you have solved for the level of required interest income. That number is very important. If it is significantly higher than your historical performance, you will need to determine the quantity and type of risk you are willing to assume in your pursuit of the desired level of return.

Alternatively, you could look at your current products or lines of business to determine whether you are being compensated adequately for the risks you are taking. For example, nonbank subsidiaries may generate lower levels of earnings with much greater risk exposure. In determining your risk appetite, you must relate the level of risk to the strategic goals and objectives, operating environment, incentive compensation structure and other related areas that have a bearing on risk‐taking throughout the organization.

Once you have determined your risk appetite, the next step is to perform an assessment of the current level of risk (“the risk profile”). One approach is to conduct this assessment across the seven broad risk categories: credit, market, liquidity, operations, legal and compliance, reputation, and strategic.

The risk assessment process is essentially a self‐assessment that considers both quantitative and qualitative factors in determining the current levels of inherent risk and the effectiveness of risk mitigation activities throughout the Enterprise. The assessment is typically performed by multilevel staff directly operating in the areas that manage the risks, under the direction of a risk officer or outside consultant. The quantitative factors will consider the potential impact of loss as related to earnings, capital, dividend payments or some combination of these items. The probability of loss is also captured in the assessment through qualitative factors that are not represented by financial measures in the final analysis of each area.

Once the overall level of risk is determined, the next step is to identify the internal and external metrics that will assist you in identifying how your risk position is changing over time. These metrics are called Key Risk Indicators (“KRIs”). The compilation of the KRIs is far more than “yet another dashboard.” Rather, it is a key component to taking specific actions to impact the current risk position. The KRIs should measure the degree of potential loss, external economic and monetary conditions, and resulting effects on the risk profile. These indicators will evolve over time as the ERM process matures.

Despite the apparent complexities, there is practical value in using ERM as a management decision‐making model for organizations of all sizes. In its simplest form, a practical ERM process compares the intended amount of risk you wish to assume‐‐the Risk Appetite‐‐with the assessment of your current risk position‐‐the Risk Profile. If these are not in sync, specific action steps are needed to better align the risk appetite and risk profile. In doing so, you will arrive at the most important aspect of the entire ERM process‐‐taking action sooner rather than later.