I recently taught one of my Enterprise Risk Management (ERM) webinars and after the webinar, participants had two questions: What are the challenges risk leaders face? And how do we address those challenges?
Here are the top challenges risk leaders face while implementing an ERM program and how to address each one:
Lack of support from senior leadership: This is the number one challenge they face. The “Tone at the Top” is crucial and you need support at the board level. To get the attention of the leadership team and the board of directors, you have to create awareness and get educated on the subject. You need to prepare a plan of action as to how you will implement an ERM program. Most importantly, you need to address the “why” it’s important for the survival of your community bank or credit union. Even if it’s still not a regulatory requirement for most community financial institutions under $500MM in asset size (maybe even the $1 billion asset size), regulators are starting to ask for a formal program. But most importantly, establishing an ERM program is a matter of best practice.
You are the designated person to wear yet another new hat and you don’t know how to do it on your own: You’re right. You cannot do it on your own. That’s why I call those in charge of developing the ERM program the “ERM Leader.” You are responsible to “lead” the program but not one person can do it on their own. It takes an entire team that represents ALL the areas of the community bank or credit union. One person can represent more than one area, but all departments must be represented so you can identify ALL the potential risks that can impact your institution.
Lack of time to implement the entire ERM program: To implement a complete ERM program, it will take you a minimum of three months up to an entire year. It takes time because each piece of the puzzle takes time to create, implement and complete. Then each document or program needs to be approved first by the risk committee and ultimately by the board of directors and that can take several meetings until it gets on the board's agenda. Again, you cannot do the entire program on your own. You complete it with the entire team throughout several months.
How do I know I have all the pieces? You continue your training to learn what you may be missing. Some key components of an ERM program are:
- Write and implement an ERM policy
- Establish a risk committee at the board level
- Write a board risk committee charter
- Establish an internal ERM committee
- Write an ERM committee charter
- Develop a board risk appetite and tolerance statement
Most institutions already have several of the sub-programs that are part of the overall ERM program such as the Compliance Management System, the Internal Audit Program, and the IT Security Program which in turn includes your Cybersecurity Program, Vendor Management Program, Disaster Recovery Plan, Business Continuity Management and other sub-programs.
I hope this information helps you further enhance your ERM program.
Part 2 of this posting is here.