Bart Smith
Partner & Managing Director, Risk & Regulatory Insights

How should bankers and boards think about risk in an organization?
Over the past two years, dramatic bank failures, declining profit margins and increased credit concerns have heightened the industry’s collective anxiety about risk. To clarify that risk and underline exposures, many have searched for short-term or isolated answers, viewing risk in the moment rather than proactively and broadly across their individual institutions and the industry. Many have sought direction from regulators, asking regulatory officials to clarify their primary concerns and provide direction on how to address specific risks. However, the regulators have resisted calls to address any singular risk and have instead suggested that risk should be viewed broadly and holistically, while bankers should tackle whatever risk is presented.

“Banks need to be aware of the complexity of what’s going on externally, and how it might impact their bank and how they are preparing to withstand whatever storm may come,” said Federal Deposit Insurance Corp. Assistant Regional Director Rafael Valle at a 2023 conference. “The risks are more complex because they are intertwined, and one could trigger the other.

“We will be looking at your risk assessments internally, your reserves, your capital position, and so forth,” he said.

A bank’s operating model will be a big factor in how tough an exam is. “It depends on your risk profile, your risk appetite and the fundamentals of your [capital adequacy, asset quality, management, earnings, liquidity and sensitivity to market risk (CAMELS)],” Valle said.

At another 2023 event, Comptroller of the Currency Michael Hsu stated that, following the recent industry tumult, the Office of the Comptroller of the Currency’s supervisory focus will be “risk management, risk management, risk management.” He reiterated that view on a podcast that same year. “Be on the balls of your feet in terms of risk management, risk management, risk management – make sure where your risks are, make sure you don’t have concentrations,” he said.

The reasons for bank failures and industry troubles are numerous and complex, and it is nearly impossible to predict the exact risk position that could lead to a serious disruption. That is why the regulators and experienced industry experts always suggest a more holistic or enterprise-wide approach to evaluating and measuring risk. Instead of guessing at impending risks or narrowing risk evaluations to a small set of indicators, the broad discipline of enterprise risk management is intended to provide a framework to identify, measure, monitor and control the holistic risks that might impact an organization.

What is enterprise risk management (ERM)?
There is no single, objective definition of ERM; however, the most widely referenced governing body for risk management in the United States, the Committee of Sponsoring Organizations (COSO), defines ERM as “a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, that is designed to identify structural risk positions that may affect the entity under certain adverse impact scenarios, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

That’s a mouthful! An easier interpretation might be that ERM is a process that manages enterprise risk so that ongoing decisions are consistent with the company’s risk appetite and stated performance goals. Taking risk is integral to the pursuit of value, so the process of ERM is not meant to eliminate risk or even to minimize it. Instead, the goal of ERM is to manage risk exposures across all parts of an organization so that, at any given time, the organization can incur just enough of the right kinds of risk — no more, no less — to effectively pursue its strategic goals. ERM is about taking risk, not avoiding risk.

It is also important to note that ERM is not simply a function or department. It involves the culture, capabilities, and practices that an organization integrates with strategy-setting, with the purpose of creating, preserving and realizing value. As Alan Greenspan famously noted, “Indeed, better risk management may be the only truly necessary element of success in banking.”

How do I create an effective ERM system in my organization?
We have established that risk management needs to be proactive and holistic, and that ERM is a process that integrates with strategy setting and value creation. But how do you functionally build an effective ERM process in a community or regional banking organization? That will be the subject of Part 2 of this series, where we will explore best practices for creating and managing an effective ERM solution.

Performance Trust has been advising community banks for 30 years and is a registered broker/dealer, member of FINRA/SIPC. This is intended for educational and informational purposes only and is not intended to be legal, tax, financial, or accounting advice or a recommended course of action in any given situation. This is not an offer or solicitation to purchase or sell securities. The information is subject to change without notice.

Bart Smith is a partner & managing director of risk & regulatory insights at Performance Trust Capital Partners, LLC.  Drawing on 34 years of experience in banking, Mr. Smith serves as an expert resource in bank policy and regulatory matters and helps develop materials to educate customers.  Prior to joining Performance Trust, Mr. Smith spent over 27 years at the FDIC, serving in various senior positions throughout the country.  During his last 10 years there, he served as the territory manager for the FDIC’s Charlotte, NC office, which covers all supervisory activities in NC and SC.