
Six Essential Components to Formalize Your ERM Program - Part I

Your institution may be missing six essential components needed to formalize your ERM program. Enterprise Risk Management (ERM) is like a puzzle made of several essential pieces. The ERM Program has sub-programs under it, and all institutions have most of those sub-programs in place. However, they lack the six essential components that formalize the overall ERM Program.

In Part I of this two-part blog, we’ll focus on the first three components:

ERM Risk Assessment

Bankers who attend our ERM webinars share that they have never conducted an overall ERM Risk Assessment. Community banks and credit unions conduct dozens of risk assessments yet lack this foundational one that formalizes their ERM Program. The goal of this risk assessment is to identify the top risks of the institution along with the strategies that mitigate them. This two-page report is what the Board needs in order to understand its top risks.

Clients ask how many risks should be considered “top risks” from all the ones identified through the ERM Risk Assessment. Typically, you identify over twenty risks, but we recommend listing the top ten. It is difficult to focus on more than ten. Having said that, your institution still must watch all the risks identified in the process at the same time.

We assess 14 risk categories when conducting an ERM Risk Assessment for our clients. They are: Liquidity, Interest Rate Risk (IRR), Capital, Earnings, Compliance/Regulatory and Legal, Technology, Operational, Model, Customer, Human Resources, Credit, Strategic, and Reputation. This list is longer than the one provided by some regulators. However, it makes for a comprehensive assessment of all the risk categories at the highest level.

The result of this assessment is to arrive at your top risks, understand the existing mitigating strategies, and continually improve. We list the plans for improvement under each risk category, with a responsible person and a timeline assigned to each task.

Enterprise Risk Management Policy

Part of formalizing your ERM Program is to establish the policy that your institution will abide by. The policy addresses the ERM framework for your organization and should cover the following sections:

  • Risk Governance: Describe the risk governance structure and where the ERM function sits within the institution. This section describes your lines of defense for managing risk at all levels and lists the roles and responsibilities of the Board, Risk Committee, Senior Leadership, and the Risk leader.
  • ERM Function and Committee: It is important to form an internal ERM Committee in which all areas of the organization are represented. This section describes the responsibilities of the internal ERM Committee, which are primarily to provide independent oversight of ERM. If your institution has an ERM department, list its function and who comprises the team.
  • Risk Categories: List all the risk categories your institution assesses during the ERM Risk Assessment and what you do with the results.
  • Risk Appetite and Tolerances: Your policy should describe your institution’s appetite for risk and how you plan to manage those risks. The policy states that you use tolerances (or metrics) to measure the risk taken in each risk category. It also states how you ensure your institution stays within your tolerances.
  • Risk Culture: It is important to include your institution’s risk culture and how you communicate with the entire staff about your approach to risk management. This statement should always include the “tone at the top” regarding risk culture.
  • Risk Management Processes: This section describes how you approach your risk management activities. The three phases of ERM are risk identification and assessment, risk mitigation and elimination, and measuring, monitoring, and reporting.
  • Annual Policy Review: Finally, your policy states that the Board of Directors reviews and approves the policy annually.

Board Risk Committee and Charter

It’s surprising how few community banks and credit unions have a formal Board Risk Committee. Some directors confuse it with the Audit Committee and feel they are covered. Credit unions have a Supervisory Committee, but that’s not the same as a Risk Committee either. The purpose of the Board Risk Committee is to oversee the overall risk management of the institution. It focuses on identifying and managing current and emerging risks to the institution. This function is different from the Audit Committee’s function, which is to oversee the audit function and financial controls.

Each Board Committee must have its own Charter with the following sections:

  • Purpose and Authority: This section describes the purpose of the Risk Committee and the authority of the committee on the various functions.
  • Composition and Meetings: The Charter specifies how many times per year the Committee meets, the minimum number of directors, and the members. Other areas listed are the term of the office, who the committee chair is, and how the minutes are handled.
  • Responsibilities and Duties: This section describes the general responsibility of the Committee, the risk management framework, and the duties of the Risk Officer.
  • Annual ERM Program Performance Evaluation: The internal ERM Committee reviews and updates the entire ERM Program and the components. They then present it to the Board Risk Committee for their approval. Lastly, the Board Risk Committee presents it to the entire Board for final approval.

In Part I we focused on the first three of the six essential components to formalize your ERM Program. In Part II of this blog, we will focus on the next three essential components. They are the Internal ERM Committee and Charter, the dedicated ERM Leader, and the Board Risk Appetite and Tolerance Statement.

If you need help formalizing your ERM Program, feel free to reach out. We’re here to help!

Comprehensive Risk Management: Tackling Every Aspect of Risk

What happened with the recent bank closures in 2023 is all about managing all risks and tackling every aspect of risk—at the same time! As you can see from the various events that led to the closure of several banks, one type of risk led to another in a chain reaction until the regulators closed their doors.

One of the most important things to know about Enterprise Risk Management is that all the risk categories are interrelated. This means that when your institution experiences one type of risk, you will, immediately or simultaneously, experience another type of risk.

Chain of Events

When the Pandemic happened in early 2020 (see blog about how the Pandemic affected all other risk categories), the government’s reaction was to provide the biggest cash stimulus in the history of the country. With the extraordinary influx of cash to individuals and businesses, financial institutions encountered a tidal wave of cash that represented an “excess” of liquidity (risk). This cash sat idle, earning nothing for the institutions, which led to earnings risk. Most institutions then decided to invest the excess cash, and many chose government securities. The decision of how much to invest, for how long, and in which investments was a crucial management strategic decision, and thus strategic risk.

The Decision’s Consequences

Unfortunately, many institutions of all sizes made the wrong decisions. They invested too much of their excess cash for too long a term, not in a laddered maturity structure, and at extremely low interest rates. But that was better than making zero money on the extra cash, right? However, as a result of the government stimulus, inflation happened. To combat inflation, the Fed started raising interest rates (interest rate risk) at such a fast pace that institutions quickly found themselves upside down on the value of their bonds. Other Than Temporary Impairment (OTTI) happened, and institutions’ balance sheets now showed millions, and for some billions, of dollars in unrealized losses.

This situation now became a liquidity (risk) crisis for certain institutions, and they experienced capital risk when they had to realize the unrealized losses through the sale of their securities. Lastly, when word got out that certain institutions needed to raise additional capital, those banks experienced a run on their deposits. This is a perfect example of reputation risk. In the end, reputation risk is what sealed the fate of these institutions.

Your Reputation Risk

Your reputation is your most priceless possession, and you must protect it at all costs. You protect your reputation when you establish strong policies, procedures, and safeguards in all areas of risk. You then ensure that none of the risk categories starts a chain reaction that could end your existence. This blog is a simplified way to explain what happened to certain regional banks that experienced several risk categories one after another, and for some risk categories almost simultaneously.

This catastrophic event serves as a perfect example of how it’s all about managing all risks—at the same time. This is the “M” in the CAMELS ratings that regulators focus on to ensure your Board of Directors and senior leadership—management—can in fact manage all the potential risks your institution faces now and in the future. As an emergency reaction, the government stepped in and created a new program called the “Bank Term Fund Program” (BTFP). But institutions must be cautious about using this new liquidity funding source, because it may imply a liquidity weakness, which creates immediate reputation risk.

The Tone at the Top

Can the Board of Directors and senior leaders tell your institution’s story from the risk perspective? Do you know your unique risks, such as portfolio concentration and depositor/relationship concentrations? Do you allocate the appropriate resources to ensure your institution is truly safe and sound in every risk category? Is ERM an afterthought at your institution, or is it a monthly Board meeting agenda item? The “tone at the top” is crucial to identify, assess, mitigate, monitor, and report all your risks. I encourage you to complete and formalize your ERM Program.

Books by Marcia Malzahn