Enterprise risk management (ERM) is a critical topic for banks given increased regulatory scrutiny and uncertainty in the market. The panel discussion at the ABA Risk Management Forum highlighted the value of ERM in improving decision making and preventing high-impact risks. While ERM is important, many organizations struggle with implementation due to issues like not embedding it in the culture or focusing too broadly. The discussion provided practical tips for understanding key ERM concepts and implementing it through a step-by-step process.
Banking ERM hot topics from ABA Risk Forum
Banking industry hot topics

Highlights from the ABA Risk Management Forum in New Orleans: Enterprise risk management – Understanding risk in today’s complex banking environment

Grant Thornton LLP sponsored a panel discussion on enterprise risk management (ERM) at the annual conference of the American Bankers Association (ABA) — ABA Risk Management Forum — held in New Orleans in May 2012. The panelists included three of Grant Thornton’s ERM specialists:
• Steve Goldberg, Financial Services Advisory Principal
• Tariq Mirza, Bank Regulatory National Managing Director
• Erin Morrow, Financial Services Advisory Principal

Given the immense uncertainty in the market and growing demands from the enactment of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank) and from shareholders and customers, organizations face an environment of increased scrutiny on their ERM process and its role within their company. Despite this renewed awareness of ERM, many are still struggling to implement it successfully. Some organizations don’t fully understand the value of ERM, while others may have conducted a risk assessment but have not followed up on it, and still others simply don’t know where to begin. During this forum, our panelists discussed the value of ERM, the view of ERM from a regulatory perspective, and practical tips for understanding ERM and implementing it in your organization.

I. Value of enterprise risk management
Presented by Steve Goldberg
Steve Goldberg has more than 25 years of business experience, including 20 years in financial services as an industry executive and management consultant. He has a strong focus on business strategy and operations, including risk management and business performance improvement.

What is the value of ERM?
A recent survey of 3,000 banks, conducted by Grant Thornton LLP and Bank Director, found that 34 percent of respondents believed they would need to hire additional staff to meet the requirements of Dodd-Frank, and 21 percent believed their firms would need to hire an outside advisor, given that some of the provisions are one-time events. Nearly half of respondents think the overall financial reform will not be effective at all in detecting the broad risks to the financial system. Others believe that key elements of Dodd-Frank could be repealed, given the upcoming elections and resistance from Congress.

These responses raise the question: What is the value of ERM? Given that the Federal Reserve Board (the FRB) and the SEC are moving forward with Dodd-Frank and expect to finalize the rules and regulations by the summer or fall of 2012, there is distinct value in implementing an ERM program.

Historically, companies have viewed risks in “silos,” with each silo representing a specific risk. Companies would analyze and develop strategies for each risk. The goal of ERM is to take a holistic approach and develop an overall strategy for managing risk across the organization. ERM improves the likelihood of success in the strategic planning process. It also prevents or reduces high-impact risks for the organization and enables it to make timely and informed decisions, with the ability to understand individual risks and how they affect the organization. In the current environment, regulators are looking for a culture of compliance within financial organizations; ERM establishes a culture of transparency and accountability across the organization. Finally, ERM prioritizes the allocation of resources to the most significant risks. Performing a structured risk assessment allows the organization to identify the areas that require the most attention and investment.
What are the current drivers of ERM in the banking industry?
Banking regulators, board members and bank management are all driving the renewed emphasis on ERM. Banking regulators have increased their focus on broad risk management in their exams, including expectations of board and management oversight, and links to internal audit. Board members’ accountability has increased in the wake of the financial crisis; therefore, they are requesting risk updates and risk monitoring tools. Bank management teams are also looking for tools to make the process easier and give them much earlier warning of risk events, such as stress testing.

II. Regulatory perspective
Presented by Tariq Mirza
Prior to joining Grant Thornton, Tariq Mirza spent over 20 years with the Federal Deposit Insurance Corporation (FDIC) in various roles. Most recently, he served as senior advisor under former FDIC Chairman Sheila Bair, providing technical advice on a wide range of banking and regulatory issues. He spoke about ERM from the perspective of a former regulator.

With the implementation of Dodd-Frank, regulators are also holding themselves to the same standards to which they hold financial institutions. In fact, the FDIC recently appointed its own chief risk officer. Some regulators from other agencies are looking to do the same, indicating that regulators are also looking at ERM within their own organizations. According to Mirza, regulators are not only “talking the talk, but also walking the walk.”

Mirza laid out a basic framework for what the FRB expects from banks’ risk committees. The FRB’s proposal indicates that risk committees must approve a risk management framework that includes the following:
• Risk limitations for each business line
• Establishing systems for identifying and reporting risks, including emerging risks
• Monitoring compliance with the risks
• Ensuring effective and timely implementation of corrective actions
• Integrating risk objectives into management’s goals and compensation

Finally, Mirza discussed high-impact risk. From his perspective as a former regulator, high-impact risk stemming from a weak or nonexistent ERM program could be an enforcement action, such as a cease and desist order, consent order or civil money penalty. These regulatory actions are in the public domain and may result in substantial reputational risk for the institution. The ultimate high-impact risk of a weak ERM program is failure; since the beginning of the recent financial crisis, there have been more than 430 bank failures.

III. Understanding ERM, embedded risk management, risk intelligence and ERM implementation
Presented by Erin Morrow
Erin Morrow is a principal in Grant Thornton’s Financial Services Advisory practice, and serves as the firm’s Governance, Risk and Compliance Solution leader for the Northeast Region. Morrow is the outsourced internal audit leader for two regional banks. She also works in an advisory capacity on topics in internal audit and risk management with other banking and financial services organizations ranging from local banks to global institutions.

Despite the advent of Dodd-Frank and increased public and regulatory scrutiny, ERM still appears to be very immature and loosely adopted. In 2010, North Carolina State University surveyed 460 senior management executives across different industries about the current state of enterprisewide risk oversight. Findings suggest that there is room for improvement in ERM processes across most organizations, with over 50 percent of respondents describing risk oversight as casual or unstructured. One-third of respondents said they were not at all satisfied or minimally satisfied with their ERM programs.

Why are organizations having trouble maturing their ERM programs?
There are several issues that appear to be presenting significant challenges in implementing ERM. One of the leading issues seems to be that ERM never got embedded in the culture or business process of the organization. The reasons for this might include failure to get executive sponsorship, or absence of governance or accountability, or perhaps there was simply no awareness of or training for ERM in the organization. Another challenge is the lack of focus. Perhaps ERM was not properly defined or focused and became too big. Some organizations may have suffered paralysis through analysis or addressed only risk symptoms rather than root causes. Finally, there is still a general lack of information and intelligence about ERM. In some cases, ERM programs were not forward looking enough, and management did not receive useful or timely information to respond to emerging risks.
Understanding ERM
One of the keys to understanding ERM is learning the terminology. There is a common “language of risk management” that many professionals practicing ERM have come to adopt. Morrow defined a list of key ERM terms, which included these:
• Risk – The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has described risk as “the possibility that an event will occur and adversely affect the achievement of objectives.”
• Enterprise risk management – A report from COSO describes ERM as an ongoing process, implemented by an entity’s board of directors, management and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity.1
• Inherent risk – This refers to the “natural” level of risk associated with doing business. Inherent risk is not necessarily a bad thing, given that most activities banks engage in to make money are inherently risky. Inherent risk is not static; it can rise because of external factors.
• Residual risk – This refers to the remaining risk after management’s controls are taken into account.
• Key risk indicator (KRI) – This is a measure used in management to indicate the level of risk currently in place. It gives a quantifiable view of the risk the bank is adopting.
• Risk appetite – According to COSO, risk appetite is “the amount of risk, on a broad level, an entity is willing to accept in pursuit of value.” Bank management may say they have no appetite for risk, but in order to grow and make money, banks need to take on some risk.
• Risk response – Once a key risk is identified, management will evaluate the risk and formulate a response. Risk responses are grouped into four categories.

What are the types of risk responses?
The purpose of risk response is to bring the risk to the acceptable level of risk appetite. The four categories are acceptance, transfer, avoidance and mitigation. Acceptance simply means to tolerate the risk; management may realize something is a risk but perhaps nothing can be done at a reasonable cost to mitigate it, or the likelihood and impact of the risk occurring is at an acceptable level. Transfer is a form of risk reduction whereby the risk is transferred to a third party. The most common example of risk transfer is insurance. A premium is paid, and the insurance company takes on the risk. Avoidance means just that: avoiding or exiting activities that give rise to risk, such as a risky market, product or line of business. Mitigation involves the process of developing options and actions to reduce the risks by putting controls and monitoring in place to detect and prevent and/or control risk. This is the most common risk response.

Embedded risk management
ERM is not just a project: it needs to be part of the day-to-day operations of the company and its decision-making processes. Merely putting ERM components in place is also not enough to create value or to avoid corporate failure; the key to making ERM valuable is to embed it in the organization, where it must be accepted and understood. So how can management achieve this? Embedding risk management entails performing a risk assessment, installing a monitoring system, and developing a process for responding to changing risk levels quickly. Furthermore, risk management ownership and participation is an enterprisewide endeavor. Everyone in the organization, ranging from tellers to loan officers to the president and board of directors, owns some portion of risk.

Risk management should also be relevant to your organization. There is no single way to do risk management. However, under Dodd-Frank, if an organization has over $10 billion in assets, it must have a board risk committee. The board committee must be independent of other committees and also have an independent director with experience in risk management. The board risk committee has oversight of risk strategy and tolerance, and overall risk effectiveness.

1 Source: The Committee of Sponsoring Organizations of the Treadway Commission. Enterprise Risk Management – Integrated Framework, September 2004.
Another important element in the ERM process is installing a management risk committee. The management risk committee is chaired by the chief risk officer, and its members usually comprise the CFO, and legal and compliance personnel. Its role is to review risk policies, implement risk strategies and make recommendations to the CEO.

Risk intelligence
Risk intelligence means being effective and efficient at managing risks to both existing assets and future growth. Banks should use risk intelligence to monitor and respond to risks on a constant basis. Monitoring involves determining KRIs for each risk in the watch list, determining a process for reporting KRIs, and developing a process for communicating risk events.

The development of effective KRIs can be a challenge for most companies. Financial institutions usually have a large amount of credit risk and market risk indicators, and most of them have a sound system for addressing them. But there are additional “soft” indicators that go beyond the basics of credit risk and interest rate risk that many people overlook. These include the following:
• Financial market turmoil/Unemployment — An increase in unemployment can be an indicator of increased fraud risk.
• Client dissatisfaction — Low client satisfaction scores can forecast an erosion of revenue.
• Staff turnover — High levels of staff turnover can predict reduced customer service and/or quality.
• Open compliance cases — An increase in open compliance cases might indicate a change in the risk profile of clients or staffing not keeping pace with growth.
• Loan growth — Significant loan growth can indicate a need for additional hiring to keep pace.

Responding to the KRIs involves determining strategic responses the business would take if risk tolerance is exceeded. Often this comprises a set of responses for progressively more severe tolerance thresholds. In addition, the organization needs to decide when the risk threshold has been met, and then it needs to implement the appropriate strategic response. Banks should leverage risk intelligence to continuously update and improve the ERM program. When there are changes, events and indicators that affect the organization, management should internally or externally review the current risk assessment (to determine if there are new emerging risks to address), the ERM strategy, communications protocols and risk responses.

ERM implementation – Key steps
The process of implementing an ERM solution can seem overwhelming; however, we have found it less daunting for some clients to break down the process into “bite-sized” steps:
1. Define the organization’s risk universe, and rank each risk by impact and likelihood.
2. Select a framework that fits the organization’s culture. Consider how the bank works and how people communicate, and structure something that will be successful for that group.
3. Establish board or related board committee responsibilities for risk oversight so they understand their responsibilities. Although there is no one document that defines how to manage risk, having a procedure manual that talks about the whole risk program can be very useful.
4. Appoint a chief risk officer and/or an internal management risk committee and related charter with roles and responsibilities.