Ongoing Challenges for Risk Leaders

The pandemic, increased cybercrime, fraud, and potential deterioration of your institution’s asset quality are all part of Enterprise Risk Management (ERM) and need to be on your shortlist of items to address going.

My simple definition of ERM: An enterprise-wide continuous process to protect all your organization’s assets while allowing you to fulfill your vision.

The time has come for community banks and credit unions to start or complete their Enterprise Risk Management program. How do you start? By creating awareness. When I teach our ERM Workshops, I ask participants what their biggest challenges are to start or complete their ERM program. In Part 1 of this article we discussed some of the top challenges starting with the lack of support from senior leadership. Below is a summary of additional challenges risk leaders face that I thought would be good to share with risk leaders. I also provide you with some steps you can take to overcome these obstacles:

  • Lack of Awareness: It all starts with awareness. At the top of the biggest challenges risk leaders face is the lack of awareness and support from the Board of Directors and senior leadership. Therefore, what you need to do is create awareness of what ERM is and why it’s important for your institution to have a formalized program. It is crucial for community financial institutions to complete and formalize their ERM program to ensure you’re identifying and mitigating all potential risks that can impact your institution.
  • Culture: Transitioning the culture to a “risk aware” culture throughout the entire organization comes next as one of the top challenges risk leaders face today. The best way to transform your culture to a “risk aware” culture is by forming your internal ERM committee with employees representing every area of the organization. You can have one person representing more than one area, but every department must be represented.
  • Team: Gathering the right team members to be part of the internal ERM committee is essential for the success of the ERM program implementation. A byproduct of forming your ERM committee is team building and cross-training amongst departments. The right ERM committee members are not necessarily the department leaders but the everyday users of systems and those working with accountholders.
  • Silos: The little awareness of ERM that exists in institutions right now is siloed. Individual departments may understand their own risks but no one else in the organization is aware of them. Breaking the silos across the institution so everyone is watching out for each other’s areas is a challenge for risk leaders. Understanding that the institutions’ risks can come from any area and that all areas are important will help your institution succeed in ERM.
  • The Job: The “Risk Leader hat” is added to someone’s already full plate without understanding that this is or may become a full-time responsibility. The risk leader responsibilities typically start part-time in institutions under $500MM in assets and evolve to a full-time position as the institution grows. The complexity of the organization also plays a part in whether the position should be PT or FT.
    Based on my experience, the best candidates to lead the ERM effort come from the compliance and internal audit areas. However, these positions are already overloaded and adding the risk oversight responsibilities can be overwhelming. The best approach is to designate a risk leader first with the understanding that the position will become full-time within twelve months. Some institutions are investing in the full-time position from the start and those seem to be the most successful at implementing their ERM program as they now have a dedicated person for the job.
  • Lack of Time, Resources, and Training: Because the role is added to an already full-time employee, there isn’t enough time to perform the duties of a Risk Leader. In addition, the appropriate resources, such as the proper software solutions and/or training, are not allocated to this function. To meet this need we designed a curriculum to help you be successful from the start in implementing your ERM program (you can see the program descriptions and future events on the Malzahn Strategic Training and Education page):
    1. Creating the Right ERM Program for Your Institution
    2. Characteristics of Strong Risk Assessments and Tools to Monitor and Report Results
    3. Three Key Risk Assessments: ERM, IT, and Internal Controls (includes COVID-19 Risk Assessment)
    4. Vendor Management – How Model Risk Fits In
    5. How to Incorporate Business Continuity Management into Your ERM Program

In addition to training, utilizing the right solutions to help you manage your ERM is essential to your success. For instance, Ncontracts offers several integrated solutions that can help you such as Nvendor, Nrisk, Ncomply, and Nfindings.

  • Accountability: If senior leadership is not involved and it’s hard to get their buy-in, there is no accountability for risk at this level. Therefore, no time is allocated to the risk area. The way to resolve this situation is by assembling your ERM committee with all areas participating. As you identify the top risks of the institution, you assign accountabilities to the various team members throughout the organization and naturally some of them will be assigned to senior leadership.

I hope sharing these ongoing challenges for risk leaders will help you move forward in implementing a complete ERM program for your institution.

What it Takes to Lead ERM

Talent – the people side of the story. I refer to talent in two ways. First, the employees in your company are referred to as “the talent.” Second, each employee has “talents.” The questions are, do you have the right talent in your organization in order to succeed? And also, do they have the right talents to take your company to the next level?

Enterprise Risk Management (ERM) is a unique niche. It’s scary and intimidating for many. It’s easy and makes complete sense for some—like those of us who have experienced it firsthand and who also appreciate what it does to a company and for a company. I first took an interest in ERM because of all the natural disasters I have lived through in my life. Those experiences made me “risk aware” and also taught me to always have a backup plan for everything I did. That behavior became part of who I am, which made me an excellent candidate to become the first Chief Risk Officer of the bank I helped start back in 2005 when the bank was only $250 million in assets.

Community banks and credit unions, and any organization for that matter, need to choose the right person—the right talent, to lead the ERM program efforts successfully. In addition, this person needs to have the right talents to succeed at this role. Some of the talents that this person needs are:

Leadership: Undertaking the effort to create and maintain an ERM program takes, most of all, leadership skills in order to succeed. ERM leaders will need to “gather the troops” and sell the idea that working together, as a whole, is the only way the company will maximize its efforts to protect itself. Good leaders create successful teams.

Communication: ERM leaders need to be the “central station” for this program to work. They need to communicate at all levels and with all constituencies so everyone feels included and “in the loop.”

Empathy: ERM leaders need to understand that when they start asking questions, the other division leaders may feel challenged, questioned, and inadequate to respond to their requests.

Patience: ERM leaders need to be very patient for the entire organization to follow and become risk aware. They will need to educate, educate, educate—everyone. It starts with the Board of Directors by introducing them to the concept, obtaining their approval to start the process, and making them aware of their liabilities with regard to ERM. Then they need to initiate the training program with the leadership team and then the entire staff. They don’t have to do the training, just coordinate it and bring the experts in.

In addition, ERM leaders need to have experience and skills developed during their careers. For example:

Project Management: They will need to lead a broad, company-wide project. Having experience in leading previous large projects will help tremendously.

Communication skills: I referred above to Communication as a talent, meaning the risk leader needs to include everyone and make employees feel part of the bigger team. Now I’m referring to the skill of communicating well, presenting well, writing professionally (good grammar and spelling), and representing the organization with regulators and all constituencies.

Organizational skills: In order to establish a complete and comprehensive ERM program, the leader has to be very organized. The ERM program is multi-dimensional and thus it’s built with certain foundational components, in various layers, and in a specific order. Otherwise, you will end up with silos—just as you started. For example, Risk Assessments need to be created with the same assessment criteria so the entire company understands what the levels of risks mean.

Board Governance Experience: It is important for the ERM leader to know how the board works so they can present and educate the directors on what they need to learn—what their liabilities are, what they need to approve, accept, adopt, or vote on—during the process. ERM leaders will need to work with the Board of Directors on an ongoing basis as they present updates on the program, incorporate training in their meeting agendas, and introduce the various components of ERM.

Finance Experience: It is useful and helpful for the ERM leader to understand the finances of their organization. Knowing financials will help them identify Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs) that can also be used as KRIs, and work with the Chief Financial Officer (CFO) and Chief Information Officer (CIO) on ERM-related cost projections. For example, if the institution (or any organization) needs to invest in technology to either upgrade their systems or to improve the safety of customer data (or to provide new products), the Chief Risk Officer (or ERM leader) works with the CIO on the technology aspect, and also with the CFO on the financial aspect. In addition, the Chief Risk Officer works with the President and/or Chief Executive Officer (CEO) on the strategic aspect. The point is that they would work together as a team.

My favorite and most rewarding aspect of creating the ERM program for the institution I helped start was the people side. Using the talent I had (the people) and maximizing their talents (their gifts). In the end, the ERM team members learned so much from each other. They learned to appreciate each other more, learned about other unrelated areas to their daily jobs, learned how important it is to be aware of all risks at all times, and most importantly, they learned to work together for the good of the entire company—as one team.

If you are a bank president or director on a board, I encourage you to seek the right person (talent) as your ERM leader. Choosing the right person is key to the success of your organization’s ERM program. If you are the ERM leader and have what it takes to lead ERM, I encourage you to grow in these areas and seek outside expertise to help you create or strengthen your current ERM program. Take pride in your position at your institution. You are valuable and a key member of the team!

Books by Marcia Malzahn