The Five Enduring Principles of Enterprise Risk Management

By [author name missing from source], February 21, 2012. Articles

Co-authored with Nancy Schell. 

ERM is certainly the buzzword right now, raising questions as diverse as:  Is it just one more regulatory requirement?  Is it a sophisticated management method for building performance?  Is it a welcome aid in difficult operating environments?  Does it capture the risk/reward dynamic that is the essence of banking?

ERM addresses risk through a systematic and robust process.  Risk, in this context, is the probability of a loss combined with its potential impact.  In the banking industry, ERM measures risk exposure in terms of loss of earnings, loss of capital, the ability to pay shareholder dividends, the maintenance of a positive regulatory relationship, and solvency.  In practice, a single measure of the risk of loss may combine several of these elements.

There are so many opinions, descriptions, approaches and methodologies concerning ERM that the level of confusion is not surprising.  While ERM incorporates a number of existing risk management principles and activities, it is a relatively new approach and a distinct discipline in its own right.  In fact, five enduring principles guide the development of every authentic ERM process.

The First Principle of ERM – ERM is not just about risk:

  • ERM is a management system designed to boost performance, so the reward must always be considered and, in fact, combined with risk in a single practical framework.
  • Early in the process, an executive summary statement describes the organization's appetite for risk: its level and its nature.  The question is how much risk, and of what types, the organization is willing to take in pursuit of the reward it wants, expressed as yield on earning assets, net interest margin or return on capital.  Risk and reward are indelibly connected.  In banking, you cannot have one without the other; that is the essence of the business.

The Second Principle of ERM – ERM is a management model that leads to action:

  • Involves top-down participation of directors, executive management, middle management, line-of-business leaders and executives of non-bank subsidiaries.
  • Combines the categories of risk (credit, market, liquidity, operational, compliance and legal, strategic and reputational) across the company, identifying and measuring each.
  • Provides a method of self-assessment and transparency that gets the right people together to discuss quantitative and qualitative factors, determine the level of risk, and compare it with the corresponding reward (performance) in each risk area under consideration.
  • Influences the allocation of resources (the expense budget) to optimize risk and opportunity.  The ERM process answers the question, “Are we spending money in the right places to enhance earnings while controlling and monitoring our risk exposures?”
  • Coordinates all the risk management activities already in place in the organization, evaluating them in their entirety and in their interaction rather than on a stand-alone basis.
  • Evaluates the current trend in each risk/reward category, providing a predictive indicator of potential financial performance.
  • Uses Key Risk Indicators (measures and metrics) to confirm that the enterprise is operating within pre-established risk tolerances and that the stated risk appetite and the actual risk profile are in sync.
  • Is a dynamic decision-making process that evaluates the potential risk/reward of opportunities such as new products and services, business acquisitions and market expansion.  Each opportunity is assessed to determine the potential reward and the impact on the organization’s risk profile, i.e. whether the organization will become riskier, less risky or remain risk-neutral.
  • Always leads to action: a decision to increase, reduce or accept the balance of risk and reward for each risk category, asset class and new opportunity under consideration.

The Third Principle of ERM – While Enterprise Risk Management integrates many of the risk management activities already in operation, it creates a very different, unified approach.  ERM has a life of its own.

Although each of the following certainly has a place in the ERM conversation, ERM is a new and distinct management process.  It is not merely:

  • A statement of risk levels.
  • An exercise intended to satisfy the regulators.
  • An assessment of internal controls.
  • An extension of regulatory and legal compliance.
  • An expansion of SOX.
  • A further elaboration of FDICIA.
  • A further description of the CAMELS regulatory rating process.

The Fourth Principle of ERM – An effective ERM process answers four key questions:

  1. Do we understand the risks we are taking across the company (enterprise)?
  2. What is the reward?
  3. Is the risk acceptable?
  4. Is the reward great enough?

The Fifth Principle of ERM – ERM is a dynamic link between strategy, opportunity, risk and reward.  

In the end, the operating principles of authentic Enterprise Risk Management weigh risk against reward, linking strategy, performance and risk management.  An important aspect is the ongoing identification and evaluation of internal and external events that could positively or negatively affect the company’s strategic objectives.  Event scenario planning addresses the “what if” questions posed by emerging risks and opportunities, avoiding surprises and furthering consistency of performance.  Employing the ERM principles will create a better, stronger and more effective company.