
Building Your ERM Puzzle: Strategically Integrating it into Your Bank's Strategic Plan


It’s all about risk! We bankers know how to identify and assess risk, mitigate and eliminate risks when possible, and monitor and report on those risks. So why are we afraid of ERM? Enterprise Risk Management (ERM) is here to stay, so we might as well learn what it’s all about. It’s not that complicated!

If you think about your bank’s strategic plan as a simple yet complete puzzle, some of the key components would be the Vision, Mission, S.W.O.T. analysis, Capital Plan, Talent Management, and the Enterprise Risk Management (ERM). Today we will focus on ERM.

Risk management is at the heart of banking and every bank has to have processes, policies, and procedures in place in order to assess and manage the risks on their balance sheet. Think of ERM as a big puzzle within the bigger strategic plan puzzle. Just as with any puzzle, in order for you to put it all together, you’ll need a picture of the entire puzzle to know what it should look like when it’s all done. You will also need to know what the fundamental pieces of the puzzle look like and how the other pieces that connect to each piece relate to each other. In this article, we will use the analogy of puzzles to explain how important ERM is for your bank, no matter how small in asset size you are, how ERM is intricately related to every area of your bank, and how you can integrate your ERM program into your bank’s unique strategic plan. The ERM is a crucial piece of your strategic plan puzzle.

At the basic level, ERM has three phases (big puzzle pieces):

Identifying and assessing risk: During this phase you identify all the risks that can potentially affect your bank by using risk assessments. In this phase you should also identify unique risks that your bank has such as a relationship concentration or a specific industry concentration.

Mitigating and eliminating risk: During this phase you determine what your bank will do to mitigate some of the risks and how you can eliminate other risks. There are some risks that you will never be able to eliminate. For example, wire transfers are inherently high risk and after you put controls in place such as policies and procedures, you will end up with a moderate to low residual risk. But the risk will never go away completely.

Monitoring and reporting risk: Once you have established your policies, processes, and procedures to mitigate and eliminate the risks you identified through the risk assessments in the first phase, you need to monitor those risks and report the results to your Board of Directors. Monitoring is key because that’s how you establish accountability across the organization and ensure that all your policies and procedures are being followed and that they actually work. The reporting is crucial because that is where the leadership team provides the results of the monitoring efforts to the Board, and from then on the Board is liable for knowing and understanding what the bank is doing in regards to ERM. One reporting tool is a heat map, where you use colors to plot where you feel each risk stands at that time, given how the bank is mitigating that specific risk.

The next step is to integrate your ERM program into your strategic plan by coming up with strategies to mitigate each one of the risks identified in the various categories of risk. Below are the most common risk categories (each of these risks is a puzzle piece in itself, connected to the others):

  • Capital
  • Liquidity
  • HR
  • IT
  • Profitability/Earnings
  • Legal
  • Operational/Transactional
  • Reputational
  • Compliance/Regulatory
  • Interest Rate Risk (IRR)
  • Credit

Below are the key components of an Enterprise Risk Management Program: (small puzzle pieces)

  • Capital Plan (should be completely integrated into your Strategic Plan. What are your strategies to retain, protect, and grow your capital?)
  • Board Risk Appetite and Tolerance Statement (vitally important) – The Appetite Statement is your qualitative idea: what risks do you want to pursue? The Tolerance Statement is your quantitative statement: what are you willing to lose?
  • IT Security Program, which includes:
    • Disaster Recovery Plan
    • Business Continuity Plan
    • Cybersecurity Program
    • Vendor Management
  • Compliance Program
  • Internal Audit Program
  • Liquidity Contingency Funding Plan

Below are some simple steps to help you get started on your ERM program:

  • Form an ERM Committee (include your Board Directors and every area of your bank)
  • Write an ERM Committee Charter
  • Train your Board of Directors so they know their liability
  • Train your staff so they know their role in ERM and how every area is integrated with others
  • Define Board and leadership team responsibilities in regards to ERM
  • Start by doing an ERM risk assessment to cover all areas of the bank
  • Know the bank regulations – know your industry
  • Establish policies to comply with regulations
  • Establish procedures and processes to comply with your policies
  • Establish an organizational and operational infrastructure to support current size and scalable for future growth
  • Establish Key Performance Indicators and Key Risk Indicators and reporting
  • Never stop the cycle! Once you have a program in place, repeat!

Small asset size is not an excuse to not have an ERM program. The key is to know all your risks across the organization and to do something about them. The complexity of building your ERM puzzle depends on the size and uniqueness of a bank, but in the end regulators will work with you and will be more understanding if they know you have done your best in putting in place a professional, well-thought-out ERM program. Most banks have some pieces of the puzzle done, but usually they don’t have them put together into one big puzzle or don’t know how to put it together. Others don’t have the picture of the entire puzzle. Seek out professionals who can help you put your ERM puzzle together!

Challenges Risk Leaders Face and How to Address Them


I recently taught one of my Enterprise Risk Management (ERM) webinars and after the webinar, participants had two questions: What are the challenges risk leaders face? And how do we address those challenges?

Here are the top challenges risk leaders face while implementing an ERM program and how to address each one:

Lack of support from senior leadership: This is the number one challenge they face. The “Tone at the Top” is crucial and you need support at the board level. To get the attention of the leadership team and the board of directors, you have to create awareness and get educated on the subject. You need to prepare a plan of action as to how you will implement an ERM program. Most importantly, you need to address the “why” it’s important for the survival of your community bank or credit union. Even if it’s still not a regulatory requirement for most community financial institutions under $500MM in asset size (maybe even the $1 billion asset size), regulators are starting to ask for a formal program. But most importantly, establishing an ERM program is a matter of best practice.

You are the designated person to wear yet another new hat and you don’t know how to do it on your own: You’re right. You cannot do it on your own. That’s why I call those in charge of developing the ERM program the “ERM Leader.” You are responsible for “leading” the program, but no one person can do it alone. It takes an entire team that represents ALL the areas of the community bank or credit union. One person can represent more than one area, but all departments must be represented so you can identify ALL the potential risks that can impact your institution.

Lack of time to implement the entire ERM program: Implementing a complete ERM program will take you a minimum of three months and up to an entire year. It takes time because each piece of the puzzle takes time to create, implement and complete. Then each document or program needs to be approved, first by the risk committee and ultimately by the board of directors, and it can take several meetings until it gets on the board’s agenda. Again, you cannot do the entire program on your own. You complete it with the entire team over several months.

How do I know I have all the pieces? You continue your training to learn what you may be missing. Some key components of an ERM program are:

  • Write and implement an ERM policy
  • Establish a risk committee at the board level
  • Write a board risk committee charter
  • Establish an internal ERM committee
  • Write an ERM committee charter
  • Develop a board risk appetite and tolerance statement

Most institutions already have several of the sub-programs that are part of the overall ERM program, such as the Compliance Management System, the Internal Audit Program, and the IT Security Program, which in turn includes your Cybersecurity Program, Vendor Management Program, Disaster Recovery Plan, Business Continuity Management and other sub-programs.

I hope this information helps you further enhance your ERM program.

Part 2 of this posting is here.
