Enterprise risk management: what it is and what to do about it
When the Federal Deposit Insurance Corp. sued Washington Mutual’s executives in March over the bank’s failure, the government’s lawyers said they “took on enormous risk without proper risk management,” marginalized the chief risk officer, and pursued an aggressive lending policy despite being warned against it.
In part because of the financial meltdown at banks such as Wamu, regulators and bank boards are more interested in how risk is handled throughout an organization.
About 78 percent of financial institutions have adopted some kind of enterprise risk management program, according to the 2011 Deloitte Global Risk Management Survey, up from 36 percent who said so in the 2009 survey.
Regulators are asking more questions about what bankers are doing about risk, and more banks are starting the process of implementing an enterprise-wide program, according to speakers at Bank Director’s Bank Audit Committee conference in Chicago June 13-15.
Enterprise risk management is about more than just insuring against known risks. It’s about what could happen in the future that you don’t even know about, said Pat Langiotti, chairman of National Penn Bancshares’ enterprise-wide risk committee in Boyertown, Pennsylvania.
“What are you not monitoring? What is not on the agenda that could happen and what would the impact be, and what are we doing about that?” she said. “What risk are you taking and is there a reward for taking on that risk that’s adequate to the risk?”
Enterprise risk is about assessing all the risks of the institution on an ongoing basis, from operational to information technology to reputational risk; establishing an appetite for risk; and making sure conformity to that risk appetite is monitored and pervades the institution.
Some banks, such as National Penn Bancshares, a $9.4 billion-asset publicly traded bank in Boyertown, Pennsylvania, have a separate risk committee of the board to take responsibility for their enterprise risk management program, but some others handle it on the audit committee.
“I don’t think a risk committee is operating to make sure there’s no risk,” said Tony LeVecchio, the audit committee chairman of ViewPoint Financial Group, a $2.8 billion publicly traded bank in Dallas, Texas. “It’s more of an understanding of what risk you’ve agreed to take. What you don’t want is to find out ‘oh my goodness, I didn’t know we had a risk here?’”
The risk appetite has to be factored into the bank’s strategic planning, said Christina Speh, director of new markets, enterprise risk management at Wolters Kluwer Financial Services in Washington, D.C.
“There is nothing more frustrating than having a process and spending energy and time on something that doesn’t do anything,” she said. “If you have no idea how this fits into your strategic plan, it’s possible you’re just doing paperwork for regulatory agencies.”
“At the end of the day, the reason you’re doing this is because you want to ensure your bank is successful and meets your strategic plan,” she said. “You have a plan and you want your bank to reach this in five or 10 years. But how do you get there? And how do you put processes in place to make sure that if risks are realized, you’re able to handle that?”