Enterprise risk management is a tool to identify and address otherwise unknown threats to your institution. Adopting an enterprise risk management program will position your institution to meet or exceed its strategic goals by understanding the risk those goals may present and effectively mitigating that risk. Furthermore, it will:
- Provide a competitive advantage, since many of your peers do not have an enterprise risk management program in place
- Demonstrate to regulators both thought and strategic leadership, thereby proactively addressing many of their concerns
- Create a risk-focused and risk-aware culture
To be most effective, a risk management program must be an enterprise-wide undertaking. Importantly, risk management is not an IT-focused or compliance-specific initiative; it must be applied across the whole organization to have value and impact.
Risk Assessment Framework
A functional enterprise risk management program is built on employing a sound assessment framework to quantitatively measure and evaluate risk that will enable banks to:
- Assess inherent risk – the risk to a bank prior to any direct actions by management to alter the risk’s severity
- Evaluate the strength of the control environment (quality of risk management or QRM) – the set of standards and actions designed to reduce the severity of the inherent risk
- Determine residual risk – the risk remaining after management has taken action to mitigate inherent risk
This three-step process applies generally accepted risk management methodologies. To be most effective, the methodology used to score and rate risk factors should be quantitative and objective. Underlying components, such as the impact of laws and regulations and the strength of controls in mitigating risk, require knowledge and experience when adopting scoring criteria and bucketing them across the risk rating categories, but inherent risk can and should be measured directly using relevant data.
This underlying framework enables the application of standard risk matrices to arrive at incremental and overall risk ratings. Risk matrices are powerful tools that bring risk assessment processes to fruition by providing a snapshot of the bank’s risk profile and measuring the organization’s risks against the formalized actions taken to minimize or eliminate negative outcomes.
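To make the three-step framework concrete, the following added example (not from the original article) scores inherent risk from constructed impact and likelihood data, buckets it into rating categories, applies a quality-of-risk-management (QRM) rating through a standard residual risk matrix, and rolls the results up into an overall rating. The 1-5 scales, bucket thresholds, matrix cells and sample risk factors are all assumptions chosen for illustration; an institution would calibrate its own.

```python
from dataclasses import dataclass
from typing import Dict, List

# Assumed inherent risk buckets on a 0-100 score (lower bound, rating).
INHERENT_BUCKETS = [(0, "Low"), (40, "Moderate"), (70, "High")]
LEVEL_RANK = {"Low": 1, "Moderate": 2, "High": 3}
QRM_LEVELS = ("Strong", "Satisfactory", "Weak")

# Assumed residual risk matrix: inherent rating x QRM rating -> residual rating.
RESIDUAL_MATRIX: Dict[str, Dict[str, str]] = {
    "Low":      {"Strong": "Low",      "Satisfactory": "Low",      "Weak": "Moderate"},
    "Moderate": {"Strong": "Low",      "Satisfactory": "Moderate", "Weak": "High"},
    "High":     {"Strong": "Moderate", "Satisfactory": "High",     "Weak": "High"},
}

@dataclass
class RiskFactor:
    name: str
    impact: int      # 1-5: severity if the risk materialises (assumed scale)
    likelihood: int  # 1-5: probability of occurrence (assumed scale)
    qrm: str         # control environment strength: Strong / Satisfactory / Weak

def inherent_score(factor: RiskFactor) -> int:
    """Step 1: quantify inherent risk before management action, scaled to 0-100."""
    if not (1 <= factor.impact <= 5 and 1 <= factor.likelihood <= 5):
        raise ValueError(f"{factor.name}: impact and likelihood must be 1-5")
    return factor.impact * factor.likelihood * 4  # 25 cells -> max 100

def bucket(score: int) -> str:
    """Map a 0-100 score onto the Low/Moderate/High rating categories."""
    rating = INHERENT_BUCKETS[0][1]
    for lower_bound, name in INHERENT_BUCKETS:
        if score >= lower_bound:
            rating = name
    return rating

def assess(factor: RiskFactor) -> Dict[str, object]:
    """Steps 2 and 3: apply the QRM rating via the matrix to get residual risk."""
    if factor.qrm not in QRM_LEVELS:
        raise ValueError(f"{factor.name}: unknown QRM rating {factor.qrm!r}")
    score = inherent_score(factor)
    inherent = bucket(score)
    residual = RESIDUAL_MATRIX[inherent][factor.qrm]
    return {"factor": factor.name, "inherent_score": score,
            "inherent": inherent, "qrm": factor.qrm, "residual": residual}

def overall_rating(assessments: List[Dict[str, object]]) -> str:
    """Overall profile is driven by the highest residual rating (assumed rule)."""
    return max((str(a["residual"]) for a in assessments), key=LEVEL_RANK.__getitem__)

# Constructed sample risk factors across the categories the article names.
SAMPLE_FACTORS = [
    RiskFactor("Operational: core vendor outage", impact=5, likelihood=4, qrm="Satisfactory"),
    RiskFactor("Compliance: BSA/AML reporting", impact=2, likelihood=3, qrm="Weak"),
    RiskFactor("Investment: rate sensitivity", impact=3, likelihood=4, qrm="Strong"),
]
```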
Regulatory Significance
It’s been a little more than a year since the 2023 banking crisis. Among the many takeaways from that period, risk management as a focus of regulatory attention is unusual relative to other crises and subsequent regulatory enforcement. While many regulatory initiatives can often be resolved through effective risk management, I don’t recall it being the basis for regulatory actions, nor its focus continuing over time.
As a risk and compliance professional, I applaud the regulatory agencies for drawing direct attention to the power of a comprehensive risk management program. If you have listened at all to Acting Comptroller of the Currency (OCC) Michael Hsu, you have heard him emphasize, since the onset of the crisis, the importance of risk management. Nearly 11 months later, the OCC issued a strongly worded Consent Order (and C&D) citing unsafe and unsound practices based directly on a lack of risk management and internal control environment, which go hand in hand. It specifically cites operational, compliance, strategic and investment risk management weaknesses and deficiencies at City National Bank of Los Angeles. Many other examples followed.
Program Requirements
At its core, an effective risk management program can be the fundamental element guiding every organization, from its strategic planning to its products and services and every other initiative and department in between. It can be applied top down, bottom up, or middle in; it doesn't really matter, as long as its value is recognized and the program is consistently used. It should be woven into the fabric of the enterprise, becoming part of its culture and thereby strengthening the organization's understanding of the impact of its strategic initiatives.
The program's designers must have the relevant knowledge, skills and experience to develop an effective program. More science than art, a risk management program must measure quantitatively and eliminate ambiguity, to minimize second-guessing by executives, directors, regulators and all other users.
The program's output should be referenced in every key decision; if no directly relevant output exists, the program should be tailored to the specific matter being evaluated.
Ultimately, an enterprise risk management program should serve as the rudder of every institution’s strategic planning process and should operate in service to the specific goals and objectives of the strategic plan.