Six Essential Components to Formalize Your ERM Program - Part II

In Part I of this two-part blog, we focused on the first three components to help formalize your ERM program. They are: the Enterprise Risk Management (ERM) Risk Assessment, the ERM Policy, and the Board Risk Committee and its Charter. In Part II, we focus on the next three essential components that are also very important when formalizing your ERM Program.

Internal ERM Committee and Charter

One of the first steps in formalizing your ERM Program is to form an internal ERM Committee. One common question is, who should be on this committee? The number of members is not as important as having all the areas of the institution represented. One person can represent more than one area. Risk can come from any area of the institution, so it’s crucial to protect every aspect of it. Let’s dig deeper into the components of the internal ERM Committee Charter:

  • Purpose: To assist the Board in its oversight of management’s responsibility to identify and manage existing and emerging risks at the enterprise level. This encompasses the identification, mitigation, monitoring, reporting, and management of all risks. The Committee then ensures that the processes and resources to manage and mitigate the identified risks are adequate.
  • Goal: The goal is to assist the Board in understanding all the risks the institution faces as it accomplishes its vision and strategic objectives. The Committee establishes the program to help anticipate emerging risks, identify current risks, prioritize top risks, and manage all risks.
  • Role of the Risk Leader: We explain the role of the risk leader in the next component below.

Dedicated Risk Leader

One common mistake community banks and credit unions make is to give the “hat” of risk leader to an already full-time employee. This employee is typically the compliance officer, BSA officer, or internal auditor. While employees with these backgrounds are excellent candidates to lead risk management, they are already overloaded with these critical functions. Often, one person already holds all of these responsibilities and is now also expected to be the new risk officer.

Part of the Board’s “tone at the top” regarding ERM is to allocate adequate resources to it. Assigning this new responsibility to an already full-time employee does not provide the appropriate resources. The result is an incomplete ERM Program and a burnt-out employee. Another significant aspect of the Board’s support of ERM is to emphasize its importance by communicating it to all staff. Giving an employee the risk leader’s responsibilities without the authority that goes with the job only leads to frustration.

Lastly, new risk leaders need training. Most often risk leaders come from other areas of the institution such as the ones listed above. Risk management may be completely new to them, and they need the appropriate training and resources.

Risk Leader Responsibilities

Titles for the risk leader vary, but the most common are Vice President of Risk Management, Risk Manager, Risk Management Officer, Risk Officer, and Chief Risk Officer. Below are the responsibilities of a dedicated Risk Leader.

  • The primary responsibility is to develop a comprehensive enterprise-wide program that includes all the institution’s areas and to ensure it’s followed. The risk leader ensures the implementation of sound policies, processes, procedures, and best practices. Risk leaders lead the effort to identify and mitigate existing and emerging risks. Lastly, they are responsible for monitoring all mitigating activities and for reporting regularly to the Board on all efforts.
  • Chair the internal ERM Committee meetings. Ensure someone documents the minutes of the meetings and provides them to the Board.
  • Create awareness enterprise wide about the ERM Program and educate all staff on its purpose and what it entails.
  • Build the team, as one person cannot implement or maintain the entire ERM Program.
  • If the risk leader holds the role of Chief Risk Officer, that role also oversees other areas, such as compliance, audit, the IT Security Officer, CRA, collections, and fraud.

Board Risk Appetite and Tolerance Statement

There is some confusion as to what this “statement” entails. Typically, institutions write a one-paragraph “appetite statement” and that’s it. Very few understand the depth of this document and what it tells the reader, who is typically an examiner or auditor.

The Board Risk Appetite and Tolerance Statement describes the Board’s appetite for risk and the tolerances established for each risk category. The “appetite” is the qualitative part of the statement that describes the “what,” your pursuit of risk. In other words, what products and services your institution wants to offer to your customers. It also describes what initiatives you’re willing to embark on and your level of risk appetite for every risk category.

The “tolerance” is the quantitative part of the statement that describes how much you’re willing to lose; that is, your level of tolerance for risk in each risk category. The risk categories include Credit, Liquidity, Interest Rate Risk, Technology, Operational, Reputation, HR, Compliance/Regulatory/Legal, Model, Capital, Customer, and Earnings.

When to Start Formalizing Your ERM Program

If your institution is below $500 million in assets, examiners may only provide best practices and recommendations. They ensure you have the big components under the ERM Program. They include Cybersecurity, IT, DRP, BCM, Compliance, Audit, Liquidity Contingency Plan, Capital Plan, and Vendor Management. If your institution’s asset size is between $500 million and $1 billion, examiners will start asking you about formalizing your ERM Program. Once you reach the $1 billion asset size, you are expected to have a more comprehensive and formal ERM Program. Incorporate the six essential components to formalize your ERM Program described here, and you will be on your way.

Hopefully this two-part blog that describes the six key components to formalize your ERM Program helps you start the process. If you need help formalizing your ERM Program, feel free to reach out. As always, we’re here to help!

Six Essential Components to Formalize Your ERM Program - Part I

Your institution may be missing six essential components to formalize your ERM program. Enterprise Risk Management (ERM) is like a puzzle made of several essential components. The ERM Program has sub-programs under it and all institutions have most of the sub-programs in place. However, they lack six essential components to formalize their overall ERM Program.

In Part I of this two-part blog, we’ll focus on the first three components:

ERM Risk Assessment

Bankers who attend our ERM webinars share that they have never conducted an overall ERM Risk Assessment. Community banks and credit unions conduct dozens of risk assessments yet lack this foundational one to formalize their ERM Program. The goal of this risk assessment is to identify the top risks of the institution along with the mitigating strategies. This two-page report is what the Board needs to understand their top risks.

Clients ask how many risks should be considered “top risks” from all the ones identified through the ERM Risk Assessment. Typically, you identify over twenty risks, but we recommend listing the top ten. It is difficult to focus on more than ten. Having said that, your institution still must watch all the risks identified in the process at the same time.

We assess 14 risk categories when conducting an ERM Risk Assessment for our clients. They are: Liquidity, Interest Rate Risk (IRR), Capital, Earnings, Compliance/Regulatory and Legal, Technology, Operational, Model, Customer, Human Resources, Credit, Strategic, and Reputation. This list is longer than the one provided by some regulators. However, it makes for a comprehensive assessment of all the risk categories at the highest level.

The result of this assessment is to arrive at your top risks, understand the existing mitigating strategies, and continually improve. We list the plans for improvement under each risk category, with a responsible person and timeline assigned to each task.

Enterprise Risk Management Policy

Part of formalizing your ERM Program is to establish the policy that your institution will abide by. The policy addresses the ERM framework for your organization and should cover the following sections:

  • Risk Governance: Describe the risk governance structure and where the ERM function sits within the institution. This section describes your lines of defense to manage risk at all levels and lists the roles and responsibilities of the Board, Risk Committee, Senior Leadership, and the Risk Leader.
  • ERM Function and Committee: It is important to form an internal ERM Committee where all areas of the organization are represented. This section describes the responsibilities of the internal ERM Committee, which are primarily to provide independent oversight of ERM. If your institution has an ERM department, list its function and who comprises the team.
  • Risk Categories: List all the risk categories your institution assesses during the ERM Risk Assessment and what you do with the results.
  • Risk Appetite and Tolerances: Your policy should describe your institution’s appetite for risk and how you plan to manage those risks. The policy states that you use tolerances (or metrics) to measure the risk taken in each risk category. It also states how you ensure your institution stays within your tolerances.
  • Risk Culture: It is important to include your institution’s risk culture and how you communicate with the entire staff about your approach to risk management. This statement should always include the “tone at the top” regarding risk culture.
  • Risk Management Processes: This section describes how you approach your risk management activities. The three phases of ERM are risk identification and assessment, risk mitigation and elimination, and measuring, monitoring, and reporting.
  • Annual Policy Review: Finally, your policy states that the Board of Directors reviews and approves the policy annually.

Board Risk Committee and Charter

It’s surprising how few community banks and credit unions have a formal Board Risk Committee. Some directors confuse it with the Audit Committee and feel they are covered. Credit unions have a Supervisory Committee, but that’s not the same as a Risk Committee either. The purpose of the Board Risk Committee is to oversee the overall risk management of the institution. It focuses on identifying and managing current and emerging risks to the institution. This function is different from the Audit Committee’s function, which is to oversee the audit function and financial controls.

Each Board Committee must have its own Charter with the following sections:

  • Purpose and Authority: This section describes the purpose of the Risk Committee and the authority of the committee on the various functions.
  • Composition and Meetings: The Charter specifies how many times per year the Committee meets, the minimum number of directors, and the members. Other areas listed are the term of office, who the committee chair is, and how the minutes are handled.
  • Responsibilities and Duties: This section describes the general responsibility of the Committee, the risk management framework, and the duties of the Risk Officer.
  • Annual ERM Program Performance Evaluation: The internal ERM Committee reviews and updates the entire ERM Program and the components. They then present it to the Board Risk Committee for their approval. Lastly, the Board Risk Committee presents it to the entire Board for final approval.

In Part I we focused on the first three of the six essential components to formalize your ERM Program. In Part II of this blog, we will focus on the next three essential components. They are the Internal ERM Committee and Charter, the dedicated ERM Leader, and the Board Risk Appetite and Tolerance Statement.

If you need help formalizing your ERM Program, feel free to reach out. We’re here to help!
