
Ten Benefits to Having a Complete ERM Program


“I can’t give you any feedback on your Enterprise Risk Management (ERM) Program. You’re the only small community bank that, at $250MM in assets, has a complete ERM Program. Keep doing what you’re doing.” Those were the words of our FDIC examiner when I presented to them the first complete ERM program for the bank I helped start. At that point, back in 2012, the bank had just reached the $250MM asset size and was about seven years old. During another conversation, the FDIC examiners told me that the bank “had a strong foundation and a solid infrastructure.”

As the CFO & COO of the bank and later as the CRO, those words made me feel good, and I can tell you I slept well during the almost ten years I spent with the bank from inception until I left to start Malzahn Strategic. However, those words also left me with the feeling that I was on my own, with very little guidance to continue developing the ERM program. The lack of guidance is precisely one of the main reasons small community banks and credit unions are not ready, nor able in many cases, to create a complete ERM program. The other reason is that creating an ERM program is not, at least not yet for small community banks and credit unions under a certain asset size, a regulatory requirement.

I would never want more regulatory requirements for banks and credit unions. Instead, I strongly recommend that institutions under $500MM in assets establish a complete, yet simple, ERM program. There are several ERM software packages available. However, some are too expensive and too cumbersome for institutions to use. They simply don’t have the time, resources, internal expertise, or the energy to devote to such programs. But small community banks and credit unions don’t have to use those sophisticated and intimidating software packages. What the regulators want is for institutions to know all their risks, put mitigating factors in place, and be aware of the residual risks they have in every area. Regulators want to know that you know your story from the risk perspective.

Even though credit risk is one of the biggest risks for community financial institutions, they now also have to focus on other important risks such as technology and operational risk. Unfortunately, all the risks are interrelated. If one high-risk area is affected, the ripple effects flow to the other risk areas, such as capital, earnings, legal, or reputational risk.

There is a perception that creating a complete ERM program is monumental, so institutions tend to focus on certain pieces such as cybersecurity, compliance, or the disaster recovery plan, and they are not taking the “enterprise-wide” approach. They are missing opportunities to make their bank or credit union the best it can be. They are missing all the benefits of having a complete ERM program. So today I would like to share Ten Benefits to Having a Complete ERM Program:

  1. Establish best practices enterprise-wide. When you create an ERM program, it forces you to look at your entire organization and many of the practices that get implemented are best practices that will help the organization overall, not just to mitigate a specific risk.
  2. Increase efficiencies. In the same way, as you establish new best practices, you find other ways of doing things and, as a byproduct, your institution becomes more efficient. The efficiency ratio is a key measure of profitability, and most institutions are looking for ways to become more efficient.
  3. Establish an ERM process. One of the best practices you should establish is an “ERM process,” which means you now have a process to run new ideas through. For example, if you are thinking of adding a new division or a new product, you answer a series of questions such as “What new risks will we have by adding this new division or product?”, “How are we going to mitigate those new risks?” and “Is the reward worth the new risks?” Going through this process not only eliminates unnecessary new risks but also saves your staff valuable time that would otherwise be wasted on new products or divisions that may not be profitable.
  4. Build the team. One of the best results of creating an ERM program is creating an ERM team. When creating an ERM team, carefully select one person from each area to represent that area and to bring their opinion and expertise to the table. This practice not only helps create a complete program but it also builds the team. Now each team member learns about other areas and learns the importance of each of those areas. They also see how the organization works as a whole, as one company.
  5. Create awareness, enterprise-wide. When you establish an ERM program across the organization, employees learn about other areas and become aware of potential risks the company may encounter in the future. The program, as a byproduct, creates a “risk aware” culture. Everyone is looking out for the good of the company.
  6. Opportunity to assess risk, enterprise-wide. The process of conducting an organization-wide risk assessment uncovers risks that most owners/leaders had not thought about in the past. As you put mitigating factors in place and educate the staff, you improve processes across the board and are able to eliminate some of the risks.
  7. Prepare for the future. There is nothing like knowing your current risks and potential new risks to help you prepare for the future. The process of testing your processes, current systems, disaster recovery plan, or business continuity plan, opens your eyes to be prepared for the future.
  8. Create accountability. The ERM team meets regularly throughout the year (even as little as quarterly), and team members have an ongoing list of monitoring and reporting tasks. The results of testing, running new products through the ERM process, and reporting to the Board of Directors create continued accountability within the organization.
  9. Educate and involve the Board of Directors. Very few community banks or credit unions have completed a Board Risk Appetite and Tolerance Statement. But this is a very important step to complete. This is the summary of all your institution’s policies along with the level of tolerance/risk you’re willing to take in the various risk categories. From here, you can sound the alarm when you are approaching the high level of tolerance in the various risk categories.
  10. Create a sound infrastructure and a solid foundation. Putting in place a complete, yet simple, ERM program, in the end creates a sound infrastructure and a solid foundation upon which your institution will grow into the future.

Tell your story from the risk perspective. Once your ERM program is complete you will feel equipped to tell your institution’s story from the risk perspective—not just the credit risk perspective but from all potential risks you could possibly be faced with now and in the future.

Disaster Recovery Planning - Time Well Invested!


An earthquake, a war, a hurricane… I survived those three life events by the age of thirteen. Even though each one of those experiences left a mark on my life, they taught me many lessons and created an awareness that not many people possess. I became very appreciative of everything I have and of every person in my life. At the same time, it created a sense of “being ready” at any time for “what could happen” and of what I would need to do to bring things back to normal again.

When I hear a train go by, my memories bring me back to the noise of an earthquake back when I was six years old in Nicaragua. A deep sound from beneath the earth, a sound of destruction. Your home, your office, and everything around you becomes distorted and destroyed right in front of your eyes. Your own life could be gone if you’re in the wrong place at the wrong time. I learned that all your possessions and what you worked so hard to attain can be “torn to pieces” in a matter of seconds.

When I hear the noise of a helicopter, it reminds me of the sound of machine guns in the background when I was twelve years old and lived through the war in Nicaragua. I remember going to bed with the rattling noise of the windows with each bomb that was dropped. They were close to my house and some days it felt as if they were fighting right in my own backyard. The terror you feel when you are helpless, only a victim of someone else’s war, is indescribable. You learn to appreciate life in a new way.

When I hear the sirens announcing a possible tornado coming to your city, it reminds me of Hurricane David, which I lived through in the Dominican Republic when I was thirteen years old. From a fourth-floor apartment about three miles away, I watched the ocean waves that destroyed the island and heard the wind forcing its way through the windows of our apartment. I learned that everything you own can literally “blow away” in a matter of seconds too.

But I choose to look at life from the positive perspective and I’m grateful to God that I’m still here so I can help others in many ways. That’s one of the reasons I founded Malzahn Strategic. The three key things we focus on—strategic planning, enterprise risk management (ERM), and talent management—all have to do with disaster recovery planning. From the strategic planning perspective, you have to put strategies in place to protect your business from ANY disaster and to keep the company safe. From the enterprise risk management perspective, you need to have strategies to mitigate ALL risks that can potentially affect your company. And from the talent management perspective, you need a plan to protect your company from losing your KEY talent, protect it from internal fraud, and also to plan ahead for future talent to bring your company to the next level.

Disaster Recovery Planning falls under your IT Security Program most of the time, which in turn is part of your ERM program. Below is a simple way to start with a Disaster Recovery Risk Assessment:

Conduct a risk assessment based on your business location and probability of any type of incident happening:

  • Threat/Vulnerability (include fire, flood, earthquakes, riots, tornadoes, etc.)
  • Probability of incident (how probable it is for this natural disaster to occur in your area)
  • Severity Rating (how severe it would be if it were ever to occur – low, medium, or high)
  • Criticality (how critical this incident would be to your business – low, medium, or high)
  • Confidentiality (this refers to a data breach resulting from a disaster)

Conduct the following risk assessment based on the type of asset and then risk rate each asset:

  • Asset Type: Application/Software, Process, System
  • Asset Medium: Paper or Electronic
  • Vendor Name
  • Controls/Procedures in Place
  • Description of Risks Associated with Asset
  • Risk Mitigation: Description for Mitigation of Risks
  • Risk Rating: Low, Medium, High
  • Criticality to Bank or organization: levels 1 to 5 with 5 being the most critical
  • Residual Risk: Low, Medium, High
  • Information Classification: Public, Non-Public, Confidential
  • Threats/Vulnerabilities: Level of Damage, Type of Vulnerability
  • Threat/Vulnerability Likelihood: Low, Medium, High
  • Vital Resources: Description of Vital Resources to the Bank Operations
  • Recovery Point Objective (RPO): Description of How the Information or Asset Will be Recovered
  • Recovery Time Objective (RTO): Approximate Time of Recovery
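To show how the asset-level assessment above can be kept consistent once it is recorded, here is an added example (not from the article or Malzahn Strategic) that models a register with those fields, orders it by criticality and residual risk, and flags entries an ERM team would want to resolve before sign-off. The review rules (residual risk not above the inherent rating, critical assets needing RPO, RTO and recorded controls) and the sample assets are assumptions constructed for the illustration.

```python
# Added example: consistency review of a disaster recovery asset register
# using the fields listed above. Rules and sample data are assumptions.
from dataclasses import dataclass

LEVEL = {"Low": 1, "Medium": 2, "High": 3}

@dataclass
class Asset:
    name: str
    asset_type: str          # Application/Software, Process, System
    medium: str              # Paper or Electronic
    vendor: str
    controls: str            # controls/procedures in place
    risk_rating: str         # Low, Medium, High (before mitigation)
    criticality: int         # 1 to 5, 5 = most critical
    residual_risk: str       # Low, Medium, High (after mitigation)
    classification: str      # Public, Non-Public, Confidential
    likelihood: str          # threat/vulnerability likelihood
    rpo: str = ""            # recovery point objective
    rto: str = ""            # recovery time objective

def review(asset: Asset) -> list:
    """Return findings to resolve before the register is signed off (assumed rules)."""
    findings = []
    if LEVEL[asset.residual_risk] > LEVEL[asset.risk_rating]:
        findings.append("residual risk rated above inherent risk rating")
    if asset.criticality >= 4 and not (asset.rpo and asset.rto):
        findings.append("critical asset is missing an RPO or RTO")
    if asset.criticality >= 4 and not asset.controls.strip():
        findings.append("critical asset has no controls/procedures recorded")
    return findings

def prioritize(assets):
    """Most critical, highest residual-risk, most likely assets first."""
    return sorted(assets, key=lambda a: (-a.criticality, -LEVEL[a.residual_risk],
                                         -LEVEL[a.likelihood]))

# Constructed sample register (hypothetical assets, not real institution data)
REGISTER = [
    Asset("Core banking system", "System", "Electronic", "ExampleCore Inc.",
          "Nightly backups; hot site", "High", 5, "Medium", "Confidential", "Medium",
          rpo="Previous night's backup", rto="4 hours"),
    Asset("Loan files (paper)", "Process", "Paper", "", "",
          "Medium", 4, "High", "Confidential", "Low"),
]

if __name__ == "__main__":
    for a in prioritize(REGISTER):
        print(a.name, review(a) or "OK")
```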

Something else to consider is that there are other types of disasters that are not “natural disasters,” and they relate to the key talent in your company. I call that “Disaster Recovery for People.” I wrote another article called “Succession Planning – Is It Only for the CEO?” where I urge readers to consider the other key positions in the organization, to have a backup for each, and to be ready in case you lose those employees unexpectedly. Part of the DRP is also to include a Pandemic Disaster Plan. Regulators were very focused on that topic several years ago and, for obvious reasons, it should still be part of your plan. Similarly, a data breach could be disastrous for your company, as we all learned from recent incidents at large corporations that suffered a cyberattack. The biggest disaster is your damaged reputation and the financial damage that derives from it as a consequence.

I want to conclude by encouraging you to appreciate everything you have and the people in your life. I also want to encourage you to create a Disaster Recovery Plan for your institution and to update it and test it annually. We don’t want to live in fear, but we live in a world where life happens to all of us, and we must be prepared at all times.
