As with most things in life, attitude is everything. Enterprise risk management (ERM) is no different. Taking the glass-half-empty approach, ERM is a regulatory burden that's expensive to implement, time-consuming to maintain, and provides little value to a bank.
The glass-half-full approach puts a positive spin on ERM in that it allows a bank to identify threats—compliance, operational, credit, liquidity, and other risks—before they become crippling. ERM can help banks capitalize on opportunities, industry players say.
Banks mistakenly consider ERM as nothing more than a documentation exercise, says Jennifer Burke, a partner in the risk consulting practice at Crowe Horwath, LLC, a provider of governance, risk, and compliance-management services.
But that limited view of ERM is changing. According to Accenture's 2011 Risk Management in Banking report, 91% of banks see their risk organizations as critical or important to enabling long-term, profitable growth, and 93% see risk management as critical or important to sustained future profitability.
Get with the (strategic) plan
To effectively address ERM, banks must align risk management with strategic plans, notes Burke. Not doing so is like getting on a highway without knowing where you're going. "The fundamental premise of ERM is to consider how risks can either impede your organization or provide opportunities," she says.
Christina Speh, a former examiner and now regulatory consultant at Wolters Kluwer Financial and Compliance Services, Minneapolis, Minn., agrees that ERM is about identifying risks that prevent banks from achieving strategic goals. Risk managers who approach risk strategically are also more likely to receive support from banks' lines of business, boards of directors, and executive teams, she notes.
Aligning risk management with the strategic plan is a struggle for banks, says Danny Baker, vice-president of product management and risk and compliance for Fiserv. "Even if you get ERM right, tying it to the strategic plan is difficult," says Baker.
But it can be done—without hiring a dedicated ERM executive, says Anthony Costa, chairman and co-CEO of $165 million-assets Empire State Bank in Newburgh, N.Y. The bank, chartered in 2004, recently established a risk committee of several senior managers and board members. The committee quantifies risk types across the bank, categorizes risk, analyzes trends, and ensures that risks are aligned with the bank's strategic plan. ERM, he explains, also serves as an early warning system. Empire uses a green, yellow, and red "stoplight" of key risk indicators to show whether a risk exposure should simply be monitored or addressed immediately.
"Banks say that integrating ERM with the strategic plan is too complicated, but it's essential," says Costa. "As a senior manager, you must spend some serious time on risk management. As a board member, you must insist on it."
The rise of the CRO
The chief risk officer (CRO) job market is improving. In 2002, 65% of banks had CROs. Just prior to the 2008 financial crisis, the number climbed to 73%. Today, it's up to 86%, according to Deloitte.
A small portion of the increase may be attributed to the Dodd-Frank Act requirement that bank holding companies with $50 billion or more in assets name a CRO, and the anticipation that updated regulations may lower that threshold. More likely, it's due to heightened awareness of ERM importance.
Not only are the CRO ranks growing, but so is their sphere of influence. More than half (51%) conduct executive sessions with the board of directors, compared to only 37% in 2008. At eight out of ten institutions, the CRO reports to the board or CEO, says Deloitte. Ted Luchsinger, industry principal with SAP's financial services team, has heard of a CRO, not the CFO, becoming the heir apparent to the CEO.
What's the CRO's role? Section 165 of Dodd-Frank defines CRO responsibilities as including allocating risk limits; monitoring compliance; establishing risk-management policies, procedures, processes, and systems; testing risk controls and reporting; and remediating risk-management issues. The legislation is clear: CROs must consider risk management at an enterprise level.
The CRO should not be directly responsible for managing risk or supervising the risk-management function, notes Deloitte in its report, Risk Intelligence Enterprise Management: Running the Risk Intelligent Enterprise. The CRO should act as a "central switchboard and clearinghouse for enterprise risk information, providing decision support for executive management and other business leaders, and facilitating cross-enterprise dialogue." Christopher Spoth, a director for Deloitte's banking and securities team and former FDIC senior regulator and deputy to Sheila Bair, says the board governance process will look at how independent the CRO is from the business line.
Crowe Horwath's Avoiding the Black Swan: Barriers to Improving Risk Management report states: "A CRO who can act independently—free from influence from the top corporate power structure—and an independent risk-management function are among the cornerstones of effective [ERM]."
Do you need a CRO?
Even small- and mid-tier banks without CROs have designated people responsible for overall risk management and reporting, says Burke.
With $1.3 billion in assets, Cambridge Trust Co. is not required to name a formal CRO. However, the bank has elected to consolidate risk management into the compliance function headed by vice-president Ana Foster. The goal was to reduce silos without having to change the existing organizational structure. "If we made too many changes at one time, we thought there may be pushback," Foster says. "Instead, we are slowly but surely integrating the functions to provide us with a holistic approach to managing risk." The team consists of Foster, a security officer, and an internal audit manager who functions as an advisor.
For banks too small for a CRO, the committee approach seems to satisfy examiners, says Empire's Costa. "Our examiners are happy with the initiative we are taking in naming a committee and having our board take an active role in ERM."
What banks cannot do is outsource the CRO function, contends Wolters Kluwer's Speh. "It's important that banks have an internal person—regardless of whether they have the CRO title or not—who is responsible for interacting with all areas of the bank." Banks can outsource some work, like documentation, she says.
Regulators also are not keen about outsourcing the CRO function. At Summit Bank, Panama City, Fla., vice-president of internal audit and operations risk manager Landy Dutton says being a bank employee is preferable, since she understands bank culture and strategy.
What's your "appetite?"
Almost three-quarters of banks have an enterprise-wide risk-appetite statement or are creating one, according to Accenture's 2011 Risk Management in Banking report. A risk-appetite statement can be detailed or conceptual depending on bank culture, and each method can be effective, says Speh. What's important is that the bank understands what risks are out of bounds.
Even banks with such statements have difficulty translating appetite into tactical processes and procedures. "Right now, they're disjointed," SAP's Luchsinger says. "The board is struggling with operationalizing risk-appetite statements."
Boards want better data
Whether mandated by regulations or not, the boards of directors at the vast majority of banks are stepping up to their enterprise-wide risk-management responsibilities. Dawnella Johnson, a partner with Crowe Horwath's risk consulting practice, notes their increased concern and desire to truly understand their bank's enterprise-wide risk. "Regulators will not accept uneducated board members," adds Baker.
Board members often aren't confident they're getting the appropriate information from their bank executive teams to fully understand the banks' risk exposure. "The board is asking the executive team to up their game and deliver succinct and crisp information that is targeted to what matters," says Johnson. Boards must also balance just how much information they need to function in their oversight role.
Cambridge Trust is continually seeking to improve board-level reporting, notes Foster, to ensure the board receives an entire picture of the bank's risk. "It's less about fancy pictures and more about the quality, timeliness, and accuracy of data, and identifying efficient controls," she says. "The board knows that we won't waste their time. We give them the high-level takeaway."
Off-the-shelf ERM?
To meet regulatory requirements, banks will increasingly rely on technology for faster data analysis.
Luchsinger's vision of ERM's future is that the CRO will type an ad hoc question into an ERM "dashboard" and receive an immediate answer. "You need to serve up the answer as the question is being asked rather than cluttering the dashboard with junky data."
Although banks may not eliminate legacy systems, they can update infrastructure to improve the accuracy of the data feeding the ERM and to eliminate manual data reconciliation. "If you've got good data, the rest is easier to build," says Luchsinger. Gathering accurate data from disparate systems remains an issue, and almost half of banks (48%) plan to invest in data-quality programs in 2011, according to Deloitte's risk survey.
High-level dashboards that display metrics such as capital and liquidity levels as well as market and credit risks are becoming more common, says Spoth. The best dashboards, he says, link financial metrics into a forward-looking presentation and include drill-down capabilities into hundreds of data elements for strategic support and decision-making.
Although technology solutions can facilitate ERM, Crowe Horwath's Burke says, ERM doesn't lend itself to an off-the-shelf solution since risk management must be highly customized to each bank. She also warns banks about accumulating data. "You don't want to 'voluminize' data and not see the forest for the trees."
For smaller banks, such as $268 million-assets McHenry Savings Bank, McHenry, Ill., ERM technology is out of their budgetary reach. Unlike larger institutions that typically run systems in-house and have the resources to create interfaces to the ERM, McHenry has the same number of customer-facing systems but less ability to create interfaces. "We just can't cost-justify ERM technology," says Bryan Nash, chief information officer.
Wolters Kluwer's Christina Speh agrees that while generic ERM solutions are of little use, a solution with pre-configured templates can help banks get up and running quickly with ERM, but still allow them to customize the solution to their risk profile. "We realize that banks are unique, but all banks have the same regulatory requirements," she observes.
Creating an ERM roadmap
To support its move to manage risk across the enterprise, Cambridge Trust has assembled an ERM roadmap that outlines both the horizontal and vertical approach the bank takes to risk management.
"We felt it was important to document how we manage risk across the organization," explains Foster, "both to share with examiners and to highlight any gaps we may have. It's not a static document; the roadmap continues to evolve."
The map describes the risk-management roles of each organizational level. For example, senior management is charged with identifying risk and enforcing adherence to controls. The board is tasked with setting policies.
Difficult, but doable
ERM can seem overwhelming, particularly for smaller banks needing to meet all the regulatory requirements of the largest financial institutions, yet lacking budgets to hire additional employees. As Summit Bank's Dutton notes, "The compliance burden on small banks is even greater than on larger banks, because we don't have subject matter experts for each type of risk."
Despite that, is ERM something all banks—big or small—should do? "It's the right way to manage your bank," says Costa. "Today's markets are much tougher and mistakes are magnified. If you manage ERM well, you'll remain in business."
A regulator's perspective on ERM
A conversation with Carolyn DuChene, Deputy Comptroller for Operational Risk Policy, Office of the Comptroller of the Currency
ABABJ: How do you view enterprise risk management?
DuChene: ERM is an integrated approach to risk management that includes the practices and processes the board and management use to define their business model and strategy, and prudently manage their risk exposure.
ERM is not a new concept but banks of all sizes are discussing how ERM can strengthen their risk-management capabilities. Particularly for larger institutions, understanding how risks across the institution are interconnected becomes critical.
I've spent a great deal of my career in community banks and I believe that it's a bit easier for senior management in smaller banks to have a hands-on approach to all facets of their business and achieve that integrated view of risks.
ABABJ: Do regulations specifically address ERM?
DuChene: We expect banks to have a risk-management structure that ensures their safety and soundness, but for the majority of banks, regulations do not dictate that they provide a holistic view of risk across the organization. However, Section 165 of the Dodd-Frank Act does include several ERM requirements for banks with more than $50 billion in assets.
DuChene: As banks strive to strengthen enterprise risk management, we expect them to adopt tools and practices commensurate with their complexity, and the sophistication and formality of the systems and structures used to achieve ERM can vary greatly.
There is no one-size-fits-all ERM approach or model. As regulators, we can't prescribe a certain type of ERM function. ERM has to be developed and tailored by the organization to meet its specific needs.
ABABJ: Is it important to align risk management with the strategic plan?
DuChene: It's critical to making all the pieces work together. It should start with defining the risk appetite, setting risk tolerances, and integrating reporting and communication. That information is integral to strategic- and capital-planning processes.
ABABJ: Do banks need to make changes in board-level governance regarding risk?
DuChene: Perhaps, but less complex community banks probably need to make few, if any, changes to governance, since they tend to have engaged boards with a good handle on the bank's overall risk.
The board sets the tone and the risk culture for the institution, and bank management should supply them with sufficient information so they can challenge management when necessary.
ABABJ: It sounds like boards need to be more educated about risk....
DuChene: It is a very fast-changing industry, and keeping abreast of how these changes impact the risks the bank already has assumed is important. Boards need to understand how various risk pieces fit together so they can make decisions about key vulnerabilities [the bank] may have in a particular line of business. Boards also need to understand the effectiveness of their internal controls.
ERM, from the top down
Memphis, Tenn.-based First Horizon National Corp. has come a long way in enterprise risk management (ERM). Like most banks, it had separate committees charged with monitoring different types of risk. One of the first steps the bank took in getting an enterprise-wide view of risk was to change its risk committee structure, collapsing subcommittees and creating a board-level risk committee.
Next, the $25 billion-assets bank created an enterprise risk report that rates all risks throughout the bank using a standard methodology. A key challenge in creating the report was to put disparate risks on a level playing field, says Kevin Slane, executive vice-president of risk management. The bank created a relatively simple scoring mechanism to rate each risk. This wasn't a technical issue, he says, but a change-management challenge, because each area had its own measurements and methodologies. The bank also had to agree to a common organizational hierarchy to support the risk report.
The risk report uses a relative scoring model based on dollar impact multiplied by probability, so that the most important risks "rise to the top." The model doesn't have to be perfect, says Slane, but it has to use common ratings. He attributes the bank's success in defining a methodology to having executives who understand the value of common ratings. "We're not telling management how to manage risk, only how to measure it," he explains.
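To make the scoring idea concrete, here is an added illustration of a relative scoring model of the kind described above. It is not First Horizon's actual model or code; the rating bands, stoplight thresholds, and sample risks are constructed for the example. The point it shows is the one Slane makes: each area keeps its own measurements (a dollar loss estimate and an annual likelihood), but a single shared mapping onto 1-to-5 ratings puts disparate risks on a level playing field, so that impact times probability can rank them across the enterprise and feed a green/yellow/red indicator like the one Empire State Bank uses.

```python
"""Relative risk scoring for an enterprise risk report (illustrative model).

Assumptions (not from the article): 1-5 impact bands in dollars, 1-5
probability bands for annual likelihood, and stoplight cut-offs on the
product. Each business area supplies its own estimates; only the mapping
onto the common scale is shared.
"""
from dataclasses import dataclass

# Common rating scales: (upper bound, rating). Values above the last
# bound receive the maximum rating of 5. Thresholds are assumed.
IMPACT_BANDS = [(50_000, 1), (250_000, 2), (1_000_000, 3), (5_000_000, 4)]
PROBABILITY_BANDS = [(0.05, 1), (0.20, 2), (0.50, 3), (0.80, 4)]


def rate(value, bands):
    """Map a native measurement onto the shared 1-5 ordinal scale."""
    for upper, rating in bands:
        if value <= upper:
            return rating
    return 5


@dataclass
class Risk:
    area: str
    name: str
    impact_usd: float            # area's own estimate of loss if it materialises
    annual_probability: float    # area's own estimate, 0..1


def score(risk):
    """Relative score: impact rating times probability rating (1..25)."""
    return rate(risk.impact_usd, IMPACT_BANDS) * rate(risk.annual_probability, PROBABILITY_BANDS)


def stoplight(s):
    """Assumed cut-offs: green = monitor, yellow = watch closely, red = act now."""
    if s >= 15:
        return "red"
    if s >= 8:
        return "yellow"
    return "green"


def enterprise_risk_report(risks):
    """Rank risks so the most important rise to the top.

    Ties on the common score are broken by raw expected dollar loss, which
    is only meaningful within the tie because the areas' estimates are not
    otherwise comparable.
    """
    ranked = sorted(risks, key=lambda r: (score(r), r.impact_usd * r.annual_probability), reverse=True)
    return [(r.area, r.name, score(r), stoplight(score(r))) for r in ranked]


# Constructed sample register: five areas, each reporting in its own terms.
SAMPLE_RISKS = [
    Risk("IT", "Core banking outage over 4 hours", 2_000_000, 0.10),
    Risk("Compliance", "BSA/AML filing lapse", 400_000, 0.30),
    Risk("Credit", "CRE concentration loss", 8_000_000, 0.25),
    Risk("Operations", "Wire fraud", 150_000, 0.60),
    Risk("Liquidity", "Deposit runoff", 3_000_000, 0.03),
]

if __name__ == "__main__":
    for area, name, s, light in enterprise_risk_report(SAMPLE_RISKS):
        print(f"{light:6} {s:2}  {area:11} {name}")
```

Running it ranks the credit concentration risk first (rating 5 x 3 = 15, red), the compliance lapse second (3 x 3 = 9), the IT outage and wire fraud next (both 8, yellow, with the outage ahead on expected loss), and deposit runoff last (4 x 1 = 4, green). The model deliberately says nothing about how each area should manage its risk; it only fixes how the risk is measured relative to the others.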
The bank also has a clearly defined risk-appetite statement. Although operationalizing it is still a challenge, being able to articulate risk appetite for various risk types enables the bank to better define boundaries.
One mistake that banks make, says Slane, is to use a bottom-up approach to implementing ERM. Instead, he recommends that banks start at the top and force alignment. At First Horizon, CRO Yousef Valine sets the tone in making ERM important. "If you don't have top-down support," says Slane, "it's like pushing a rope."