It could decide your success…
While there is no regulatory imperative for enterprise risk management for smaller institutions, regulators are increasingly expecting it.
A risk management system, in any form, is always considered a good idea.
It is worth distinguishing ERM in its broad, generic sense from the risk management system that the regulators envision.
We bandy these terms about interchangeably, but they can often be approached in very different ways. As financial institutions, we are highly focused on financial risk, credit risk, interest rate risk, liquidity risk, price risk, etc. We dutifully build dashboards with risk indicators and tolerance levels and chart them appropriately with the green, yellow and red. We love numbers. They tell us the story we understand. Or do they?
Some risks come with no neat ratio that can be calculated to measure performance. Reputation risk is one such example.
ERM is meant to capture all risks that may positively or negatively affect the institution’s strategic objectives.
This includes many risks that are more difficult to plan for and measure — like legal risk, strategic risk and human resource risk. These risks can prove to be very significant or, at the very least, no less important than the financial risks.
ERM is also meant to allow for the free flow of information up and down the organization so risks can be identified and dealt with before they become detrimental to the organization. ERM in its purest sense is meant to keep the organization agile and dynamic and, above all, relevant.
Whether you call it ERM or a risk management system, regardless of asset size, financial institutions are expected to have a framework in place for assessing and monitoring risk across the entire organization. The regulators would like each financial institution to develop a risk management system tailored to its specific needs and circumstances, and all sound risk management systems should share four common fundamentals:
- Proper risk identification
- Accurate and timely measurement of risk
- Prudent risk limits as set forth in the financial institution’s operating policies and procedures
- Accurate and timely risk monitoring
Regulatory direction on this topic has been prescriptive in approach, and it is generally centered on the key ratios all financial institutions use to monitor performance. It is certainly important to monitor the ratios and react when things fall out of tolerance, but focusing solely on this exercise keeps the risks in their silos. It loses sight of the nonquantitative risks the organization faces and does not quite address the strategic initiatives of the organization.
As in other areas of financial institution management, ERM may operate under very rigid committee structures and reporting requirements. And perhaps the review of tolerance levels occurs only once a year.
Certainly, there is a need to communicate information, but the flow of information should be dynamic and free flowing and not inhibited by a process that is not nimble enough to allow the organization to respond to the risks it faces in real time. The capacity to adapt to change on a timely basis increases the resiliency of an organization by reacting to the marketplace and resource constraints. It also allows for the identification of opportunities for growth and increased value.
What is risk? It is the possibility that events will occur and affect the achievement of strategy and business objectives. The goal of ERM is to measure all forms of risk so the firm can maximize its risk taking. In a bit of eerie foreshadowing, the World Economic Forum in November 2019 indicated that the next crisis was likely to be sparked not by financial risk but by nontraditional risks that create exposures across the business silos of the organizational structure. The thought was that if an organization embraces ERM today, it will be in a good position to respond quickly to the problems of tomorrow.
No one anticipated that we would receive such an egregious example of a nonfinancial risk in the form of a global pandemic, but it may prove to be the best indicator of how well an ERM program can or cannot work. Issues are emerging at lightning speed, and the impacts need to be assessed in real time.
Gartner conducted a survey in March 2020 that indicated risk management was being postponed in order to place more focus on the audit plan. Risk leaders should not be bogged down with process. They need to be proactive, getting ahead of committee meetings with relevant, business-focused agendas that demonstrate the value ERM provides. In the midst of uncertainty, that means acting as a stronger internal consultant to the executive team.
Risk leaders should immediately respond to the crisis at hand and not get stuck in the numbers.
The ratios we typically calculate may not reflect the crisis for a number of months, but that does not make the crisis any less real. Risk leaders should be updating risk assessments. They should also be scenario and stress testing certain events to gain some insight into the scope and depth of the impact of the crisis. The board and senior management must be constantly updated with specific, risk-based information; what the impact could be; and what steps could be implemented to mitigate risks.
In addition, the board and management must exercise caution about becoming too risk averse. There are plenty of opportunities to be taken advantage of, but seeing them requires eyes that are wide open.
If the ERM process is too rigid or formulaic, it will detract from its one main purpose: it will not be agile or dynamic enough to respond appropriately to the crisis or to capitalize on real opportunities. The risks may not all be financial in nature, and having an evolving assessment of those risks allows for better management in times of crisis. Perhaps the best opportunity at this time will be addressing reputation risk. Executing on that properly will pay dividends for a very long time.