
Three Ongoing Phases of Enterprise Risk Management


Enterprise Risk Management (ERM) is a cycle that your financial institution must continue to work on regularly. Below are the three ongoing phases of Enterprise Risk Management:

  1. Identifying and Assessing Risk
  2. Mitigating and Eliminating Risk
  3. Monitoring and Reporting Risk

Let’s go through the cycle by describing what each phase entails.

Identifying and Assessing Risk

The first phase of the three ongoing phases of Enterprise Risk Management is to identify and assess risk. There are 8-14 risk categories that you must identify first and then assess to see if they impact your institution. The OCC refers to eight risk categories: Credit, Interest Rate, Liquidity, Price, Operations/Technology, Compliance, Strategic, and Reputation. I like to assess seven additional risk categories: Technology (separate from Operational risk), HR, Legal, Earnings, Capital, and Model risk.

Risk Assessments: Use risk assessments as the tool to identify and assess how these types of risks affect your financial institution. We developed the ERM Risk Assessment Template to assess these risk categories. If you would like a free copy of the template, please contact us and let us know you would like the ERM Risk Assessment Template.

Unique Risks: During Phase I you identify individual risks that are unique to your institution. For example:

  • Relationship Concentration. You need to assess how critical certain loan and deposit account holder relationships are if you were to lose them. How would losing them impact your balance sheet and thus your income?
  • Portfolio Concentration. You need to assess whether you have a concentration by type of loan, such as Commercial Real Estate, Construction, or Commercial and Industrial (C&I) loans, in your portfolio. Some rural institutions may have their biggest concentration in agricultural (or “Ag”) loans because there are fewer opportunities for other types of loans in their market. These institutions must assess their risk if major Ag loans default and perform stress testing on this portfolio.
  • Succession Planning. Your institution may be at a higher risk if the current CEO is an owner who is also Chairman of the institution. This presents a significant risk to your institution and you need to have an emergency succession plan as well as a longer-term plan. How about the rest of your senior leadership team? Do you have succession plans in place for those positions and other key individuals in your organization?
  • Geographic area. Your institution may be located in a rural area where population is declining, and you are losing business consistently due to residents and businesses moving away.

Categorize Risks: As you conduct the ERM risk assessment, you also categorize the risks identified from four perspectives using a number scale of Low to High:

  • Criticality: How critical is this particular asset or process to the everyday operation of your organization?
  • Confidentiality: What type of sensitive data that particular asset (or vendor) has access to.
  • Impact and Probability/Likelihood: What is the impact that this particular risk category you’re assessing would have in your institution if it were to occur? What is the likelihood of this type of risk happening at your institution at the time you’re conducting the risk assessment?
  • Vulnerability and Speed of Onset: How vulnerable is your institution as of the date you’re assessing the risk category? Lastly, how fast could this risk spread once it’s triggered?

Mitigating and Eliminating Risk

The second phase of the three ongoing phases of Enterprise Risk Management is to mitigate and possibly eliminate the risks identified in Phase I. During Phase II, you:

  • Determine the steps your institution will take or tools used to mitigate the risks identified in Phase I.
  • Determine how your institution can eliminate certain risks, if possible.
  • Ensure your institution is comfortable with the residual risk, which is the risk remaining after you have applied all the mitigating factors to the inherent risk.
  • Establish policies, processes, and procedures (also systems and outsourced expertise) to mitigate and eliminate risks.

Monitoring and Reporting Risk

Lastly, the third phase of the three ongoing phases of Enterprise Risk Management is to monitor and report on the activities you established to mitigate the risks identified. During Phase III, you:

  • Conduct ongoing monitoring of risks identified that are being mitigated.
  • Establish accountability across the board so no one person is responsible for implementing all the mitigating tools. This is a team effort.
  • Ensure the policies, procedures, and systems in place are being followed AND are working as you intended, and measure that they are.
  • Establish ongoing reporting of risks and status to the Board of Directors at least quarterly.
  • Provide results from monitoring efforts to leadership and Board of Directors. These reports are what auditors and examiners will look at during audits and safety and soundness exams.
  • Ensure directors learn about risks, receive updates, and understand their liability.
  • Use tools such as “heat maps” to help you report on results.

The goal is to transition from a “reactive” stage, where there is no ERM Program in place nor support from the top, to an “aware” stage, where you are implementing your ERM Program, to finally a “strategic” stage, where you have a formal ERM Program in place. These three phases should take place on an ongoing basis so your institution remains in the strategic stage of the ERM Program.

Ongoing Challenges for Risk Leaders

The pandemic, increased cybercrime, fraud, and potential deterioration of your institution’s asset quality are all part of Enterprise Risk Management (ERM) and need to be on your shortlist of items to address going forward.

My simple definition of ERM: An enterprise-wide continuous process to protect all your organization’s assets while allowing you to fulfill your vision.

The time has come for community banks and credit unions to start or complete their Enterprise Risk Management program. How do you start? By creating awareness. When I teach our ERM Workshops, I ask participants what their biggest challenges are to start or complete their ERM program. In Part 1 of this article we discussed some of the top challenges starting with the lack of support from senior leadership. Below is a summary of additional challenges risk leaders face that I thought would be good to share with risk leaders. I also provide you with some steps you can take to overcome these obstacles:

  • Lack of Awareness: It all starts with awareness. At the top of the biggest challenges risk leaders face is the lack of awareness and support from the Board of Directors and senior leadership. Therefore, what you need to do is create awareness of what ERM is and why it’s important for your institution to have a formalized program. It is crucial for community financial institutions to complete and formalize their ERM program to ensure you’re identifying and mitigating all potential risks that can impact your institution.
  • Culture: Transitioning the culture to a “risk aware” culture throughout the entire organization comes next as one of the top challenges risk leaders face today. The best way to transform your culture into a “risk aware” culture is by forming your internal ERM committee with employees representing every area of the organization. You can have one person representing more than one area, but every department must be represented.
  • Team: Gathering the right team members to be part of the internal ERM committee is essential for the success of the ERM program implementation. A byproduct of forming your ERM committee is team building and cross-training amongst departments. The right ERM committee members are not necessarily the department leaders but the everyday users of systems and those working with accountholders.
  • Silos: The little awareness of ERM that exists in institutions right now is siloed. Individual departments may understand their own risks, but no one else in the organization is aware of them. Breaking the silos across the institution so everyone is watching out for each other’s areas is a challenge for risk leaders. Understanding that the institution’s risks can come from any area and that all areas are important will help your institution succeed in ERM.
  • The Job: The “Risk Leader hat” is added to someone’s already full plate without understanding that this is, or may become, a full-time responsibility. The risk leader responsibilities typically start part-time in institutions under $500MM in assets and evolve into a full-time position as the institution grows. The complexity of the organization also plays a part in whether the position should be PT or FT.
    Based on my experience, the best candidates to lead the ERM effort come from the compliance and internal audit areas. However, these positions are already overloaded and adding the risk oversight responsibilities can be overwhelming. The best approach is to designate a risk leader first with the understanding that the position will become full-time within twelve months. Some institutions are investing in the full-time position from the start and those seem to be the most successful at implementing their ERM program as they now have a dedicated person for the job.
  • Lack of Time, Resources, and Training: Because the role is added to an employee who already has a full-time job, there isn’t enough time to perform the duties of a Risk Leader. In addition, the appropriate resources are not allocated to this function, such as the proper software solutions and/or training needed. To meet this need we designed a curriculum to help you be successful from the start in implementing your ERM program (you can see the program descriptions and future events on the Malzahn Strategic Training and Education page):
    1. Creating the Right ERM Program for Your Institution
    2. Characteristics of Strong Risk Assessments and Tools to Monitor and Report Results
    3. Three Key Risk Assessments: ERM, IT, and Internal Controls (includes COVID-19 Risk Assessment)
    4. Vendor Management – How Model Risk Fits In
    5. How to Incorporate Business Continuity Management into Your ERM Program

In addition to training, utilizing the right solutions to help you manage your ERM is essential to your success. For instance, Ncontracts offers several integrated solutions that can help you such as Nvendor, Nrisk, Ncomply, and Nfindings.

  • Accountability: If senior leadership is not involved and it’s hard to get their buy-in, there is no accountability for risk at this level. Therefore, no time is allocated to the risk area. The way to resolve this situation is by assembling your ERM committee with all areas participating. As you identify the top risks of the institution, you assign accountabilities to the various team members throughout the organization, and naturally some of them will be assigned to senior leadership.

I hope sharing these ongoing challenges for risk leaders will help you move forward in implementing a complete ERM program for your institution.
