By nature, the banking industry is a risk management business, specifically taking a risk in lending funds, investing in bonds, or utilizing customer deposits, shareholder capital, or market borrowings. The risk management process becomes more complicated based on numerous factors such as the complexity of the institution or the volume, velocity, and value of transactions.
No doubt, risk management techniques have been discussed, identified, and utilized for centuries, going back to initial barter techniques before the Roman Empire. Assigning a value, accepting something in return, and then trading for another item a person might need involved risk.
Over time, the financial system has evolved, and while many of the same risks remain, there are new issues and concerns. In turn, the financial services industry adapts and adjusts its risk management governance and controls.
A Risk Management Game Plan
The Committee of Sponsoring Organizations (COSO) of the Treadway Commission issued Internal Control—Integrated Framework in 1992 to help businesses and other entities assess and enhance their internal control systems. Subsequently, the Sarbanes-Oxley Act of 2002 and similar legislation require public companies to maintain systems of internal control, require management to certify the effectiveness of those systems, and require an independent auditor to attest to it. COSO updated Internal Control—Integrated Framework in 2013, and it continues to serve as the broadly accepted standard for satisfying those reporting requirements.
In 2004 COSO published Enterprise Risk Management—Integrated Framework, which reported on a research project started in 2001. The goal was to develop a framework that boards of directors and management teams could readily use to evaluate and improve their organizations’ risk management across the entire enterprise. The ERM integrated framework was not intended to replace the internal control framework. It incorporates the internal control framework within it, and the ERM integrated risk management process enables organizations to run a fuller risk management process. Through a structured approach, an organization’s board of directors, management, and other personnel are active in strategy setting across the enterprise. Furthermore, a formal ERM program is designed to identify potential events that may affect an organization. Ultimately, the ERM program keeps risk within an organization’s risk appetite or risk tolerance levels, establishes structured reporting of risk management efforts, and provides reasonable assurance of achieving organizational objectives and goals. By identifying and proactively addressing risks and opportunities, institutions protect and create value for their stakeholders, including owners, employees, customers, regulators, and society overall.
The COSO ERM Framework embraces six specific objectives:
- Aligning risk appetite and strategy. Management considers the entity’s risk appetite in evaluating strategic alternatives, setting related objectives, and developing mechanisms to manage related risks.
- Enhancing risk response decisions. Enterprise risk management (ERM) provides the rigor to identify and select among alternative risk responses—risk avoidance, reduction, sharing, and acceptance.
- Reducing operational surprises and losses. An entity gains enhanced capability to identify potential events and establish responses, reducing surprises and associated costs or losses.
- Identifying and managing multiple and cross-enterprise risks. Every enterprise faces a myriad of risks affecting different parts of the organization, and enterprise risk management facilitates effective response to the interrelated impacts and integrated responses to multiple risks.
- Seizing opportunities. By considering a full range of potential events, management is positioned to identify and proactively realize opportunities.
- Improving deployment of capital. Obtaining robust risk information allows management to effectively assess overall capital needs and enhance capital allocation.
Enterprise risk management deals with risks and opportunities affecting value creation or preservation and is defined by COSO as follows:
Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
The definition reflects certain fundamental concepts. Enterprise risk management is:
- A process, ongoing and flowing through an entity.
- Effected by people at every level of an organization.
- Applied in strategy setting.
- Applied across the enterprise, at every level and unit, and includes taking an entity-level portfolio view of risk.
- Designed to identify potential events that, if they occur, will affect the entity and to manage risk within its risk appetite.
- Designed to provide reasonable assurance to an entity’s management and board of directors.
- Geared to achievement of objectives in one or more separate but overlapping categories.
ERM formalizes a risk management process that is occurring, or should be occurring, in each financial institution. In smaller institutions, the process may occur each morning when the executive management team meets for 15 minutes to discuss current events, new projects, and potential problems. Much larger institutions may discuss risk weekly or monthly at the executive management committee level. The challenge, however, is implementing, utilizing, and documenting the eight fundamental concepts of ERM. ERM is critical in addressing the needs of the various stakeholders who want to understand the broad spectrum of risks facing an organization and to be assured that those risks are appropriately managed. Regulators and debt rating agencies have increased their scrutiny of organizations’ risk management processes.
Short Order ERM Integrated Framework Oversight
Eight specific components are found in an integrated ERM program. The following focus areas reflect general management criteria and are important to an integrated management process:
- Internal Environment. The internal environment reflects the organization’s model and sets the basis for its risk management approach and for how risk is addressed by the entity’s directors and management, including risk management philosophy, risk appetite, integrity and ethical values, and the business environment in which the organization operates.
- Objective Setting. Before management can identify potential events affecting the achievement of objectives, specific objectives must exist. ERM ensures that management establishes a process to set objectives and then supports stated objectives, aligning activities with the entity’s mission, consistent with its risk appetite.
- Event Identification. Internal and external events affecting achievement of an entity’s objectives are identified to ensure consistent communication; event identification should distinguish risks from opportunities. Opportunities should be channeled back to management’s strategy or objective-setting processes.
- Risk Assessment. Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. Furthermore, risks should be assessed on an inherent and a residual basis. Periodically, these assessments should be reviewed and updated.
- Risk Response. Management and/or the board of directors will select risk responses—avoiding, accepting, reducing, or sharing risk—and in turn develop a set of actions to align risks with the entity’s risk tolerances and risk appetite.
- Control Activities. Policies and procedures are established to ensure consistent governance and implemented to help ensure the risk responses are effectively carried out.
- Information and Communication. Relevant information is regularly identified, captured, and communicated in a form and time frame that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the entity.
- Monitoring. The entire ERM process is monitored, and modifications are made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.
Note that ERM is not strictly a serial check-the-box process where one component affects only the next. It is a multidirectional, iterative process in which almost any component can and often will influence another.
Just a Snapshot of the Regulatory Emphasis
The financial services industry has been advised by regulators of various risk techniques for years. For example, the United States federal government, to address various risk issues, established the Office of the Comptroller of the Currency (OCC) in 1863. One of the OCC’s primary focuses was to establish a national banking system with sound governance and basic risk standards. Comptroller Hugh McCulloch issued a one-page letter in December 1863 to all national banks addressing basic risk scenarios and the management of those risks. Interestingly, Comptroller McCulloch’s thoughts still resonate today.
In the 1990s, the OCC introduced a revised risk management model that focused on managing fiduciary trust activities across an entire department, bank, or holding company. It was built on four major pillars, or cornerstones, of risk management:
- Risk management
- Risk supervision
- Risk tolerance
- Risk monitoring
Each of these categories had specific elements for evaluating overall risk management techniques. The model was one of the earliest efforts to look at risk management across an entire organization. Note that while the OCC may have been an early advocate of risk management, every federal and state regulatory agency has encouraged risk management techniques over the decades. Now fast-forward to 2016. Regulatory agencies, through advisory statements and examination procedures, continue to underscore the relevance and importance of formal risk management systems. Although the ERM integrated risk management framework may not be the stated mandate, each regulator has pushed its basic concepts as a highly recommended process.
Unique New Risk Management Process?
The importance of managing risk is not new, and the basic concepts and components of COSO’s ERM integrated risk management framework are not unique. The implementation of an integrated risk management framework, however, is still a work in progress for many institutions. And to add to the challenge, some project that banking will change more in the next 10 years than it did in the past 50 years because of factors such as faster payments, mobile payment initiatives, expanded regulations, and so on. By using the ERM disciplines, however, you can give a boost to your institution’s risk management efforts.