

ERM – Makes Sense for Everyone

Aug 27, 2018

If you think enterprise risk management (ERM) is just an exercise that benefits larger financial institutions, you could not be more wrong. ERM is growing in popularity among community banking organizations, and the reason is simple: it makes good business sense. While not specifically prescribed by law unless certain asset-size thresholds are met, ERM, or a formalized risk management practice (not all regulators use the term ERM), is being encouraged more and more frequently. Financial institutions with ERM programs also stand to be viewed more favorably in the management component of the CAMELS rating system.


ERM is another acronym whose meaning is somewhat nebulous to those trying to conceptualize the process, and the reason is that ERM means something different, and looks somewhat different, in every organization. Every financial institution is different, every strategic vision is different, every culture is different. While each financial institution deals with fundamental risks common to all (e.g., credit, interest rate, liquidity, price, operational, compliance, strategic, and reputation risk), historically these have been managed in their respective silos and not viewed in a strategic or aggregate fashion across the enterprise. When that long-standing, backward-looking view (what has happened in the past) is turned around, the institution can more proactively manage its strengths and its strategic vision, pursue its ultimate objective of value creation for its stakeholders, and explore possibilities for the future.


Enterprise risk management is not a new concept, nor is it specific to the financial services industry. The concepts of ERM and a holistic approach to risk management have been around since the 1970s, and arguably longer. However, the discipline of ERM has become more defined in recent years due to the combined effects of the post-9/11 world and the financial crisis, which led risk managers to start focusing on aggregate risks to an organization. In addition, the demand for greater transparency and stricter financial reporting and controls after the Enron scandal, and the internal control requirements of the resulting Sarbanes-Oxley Act, pushed certain public companies toward formal ERM programs. Finally, the explosion of regulatory compliance requirements, globalization, and a highly competitive environment further drove institutions to view risk as a source of opportunity as well as loss.


According to the Committee of Sponsoring Organizations of the Treadway Commission (COSO), ERM “is the culture, capabilities, and practices that organizations integrate with strategy-setting and apply when they carry out that strategy, with a purpose of managing risk in creating, preserving and realizing value. . . . ERM can be used by organizations of any size. If an organization has a mission, a strategy, and objectives—and the need to make decisions that fully consider risk—then enterprise risk management can be applied.”[1] ERM should be part of an institution’s culture, and to fully embed ERM in an organization, decision makers must know how much risk is acceptable in the achievement of its business objectives. A financial institution with a lower risk appetite might avoid certain activities while one with a higher appetite for risk could decide to embark on riskier endeavors. Only if the institution clearly evaluates its risk appetite from a strategic and cultural perspective can it begin to balance risks and the opportunities they afford. “Implementing a risk management program is about truly understanding your institution and addressing matters on a proactive rather than a reactive basis. A reactive approach is ineffective at best and, more often than not, chaotic and wildly expensive.”[2]


Depending on your prudential regulator, ERM may or may not be an explicit consideration in the examination process. The OCC and the NCUA use the term ERM; the FDIC and the Federal Reserve do not. All of them, however, have a concept of risk management (whether they call it ERM or not), and all share the same stance that the development of the program should be proportionate to the complexity of the institution. The OCC offers the best summary of risk management in its publication, A Common Sense Approach to Community Banking. It states: “no single risk management system works for all community banks. Each bank should develop a risk management system tailored to its specific needs and circumstance. The sophistication of the risk management system should be commensurate with the bank’s size, complexity and geographic diversity. All sound risk management systems, however, share these four common fundamentals:


  1. Proper risk identification
  2. Accurate and timely measurement of risk
  3. Prudent risk limits as set forth in the bank’s operating policies and procedures
  4. Accurate and timely risk monitoring”[3]


Included in this system are measures for aggregate, strategic, and reputation risks.


Marrying the regulatory concept of risk management with the COSO idea of risk management through strategy and performance allows the financial institution to properly manage its risks but not lose sight of the potential opportunity that is the consequence of risk taking—value creation.


There are many benefits to implementing an ERM process even in smaller, less complex institutions. To name a few:


  1. It increases opportunities.
  2. It matches strategy and risk to business processes.
  3. It highlights interdepartmental risk and views risk on an aggregate level.
  4. It allows for better decision making.
  5. As risk is managed outside of silos, it allows for greater transparency and lessens potential for negative outcomes or surprises.
  6. The strategic focus enhances and strengthens the corporate culture.
  7. It allows for better deployment of resources and capital.
  8. It allows for a consistent risk framework across business units.
  9. It creates value.


“The benefits of embracing ERM cannot be overstated. Financial institutions learn to manage themselves using a common risk language, gain transparency as to where they sit in relation to competitors and industry norms, set clear recommendations for where future efforts should be focused and make explicit the trade-off and choices that drive the business strategy.”[4]


In summary, ERM is not just for the “big boys”; ultimately it is what your institution makes of it and how your organization embraces it that matters. It should be a constantly evolving process that grows with your organization. ERM is not intended to be a box-checking function but rather a management process that allows for the achievement of business objectives in the most efficient, least costly, and best risk-controlled fashion possible. “Risk effectively becomes part of the strategy process, informing discussion and deliberating at all levels, including the top. Risk becomes a capability across an organization, not a function with narrowly defined responsibilities. ERM is the vehicle for this transformation.”[5]


Highly formalized ERM processes and complicated software implementations are common in larger organizations, but ERM, even in a very basic, low-tech form, is acceptable for any size organization including the community financial institution that strives to achieve value for its stakeholders. And it just makes good business sense.


If you would like to get started on an ERM program or if you need to refresh your existing program, contact me at

[1] COSO Enterprise Risk Management Integrating with Strategy and Performance, June 2017.

[2] Venable LLP, Enterprise Risk Management in Community Banks:  A Self-Help Guide, April 2017.

[3] OCC, A Common Sense Approach to Community Banking.

[4] McKinsey & Company, Working Papers on Risk, Number 43, Getting to ERM: A road map for banks and other financial institutions, March 2013. 

[5] McKinsey & Company, Working Papers on Risk, Number 43, Getting to ERM: A road map for banks and other financial institutions, March 2013.


Karen A. Mitchell
Senior Manager, Risk Advisory Services