Tuesday, April 23, 2019

What is Enterprise Risk Management?

Posted by Amit Govil October 5, 2012 4:26pm

Photo Credit: Idea go

Look up in the sky...is it a bird? Is it a plane? No! Duh, it’s ERM! Yes, ERM: the new mantra in community banking. And it’s confusing as heck.

“What is ERM?”

“How do you know if you see it?” These are two questions that have been making bankers scratch their heads lately.

To make matters worse, while the regulators are asking banks to adopt an ERM model, they have not clearly defined what they believe an effective ERM framework looks like. Given the level of confusion, vendors are aggressively labeling, packaging, and marketing products as ERM solutions. They have a colorful dashboard and produce reports that a bank can present to the regulators and the Board. So is ERM some fancy report that we print on a quarterly basis with pretty charts and colors? Many would seem to imply that. As the saying goes, if it looks the part it must be so.

We all know quite well that all banks face uncertainty and challenges, especially in today’s economic environment. This uncertainty presents both risk and opportunity, with the potential to either erode or enhance the value of the bank. So why is ERM the buzzword these days?

ERM, if implemented properly, enables the Bank to deal with uncertainty in a manner that guides its strategic planning and builds value. Sounds like a lot of the mumbo jumbo you have been hearing of late, right? I don’t blame you. We have all heard of ERM by now; the real questions are “How do we do it?” and “How do we do it right?” Show me the way to this Super ERM.

Bankers have been managing risks since the dawn of time. So what is changing is not the fact that banks manage risk, but the speed of change (technology, regulations, and customer and market conditions). That speed compresses the time available for strategic decisions, which in turn must be made faster. A good ERM model is one that helps deliver that. Unfortunately, many risk models concentrate too much on the ability to identify negative risk trends. Don’t get me wrong, that’s not such a bad thing. But you don’t always want to look at a glass and say “it’s half empty.” The ERM model should also identify the opportunities for the upside.

ERM Misconception

ERM is not a risk assessment or an operational and controls assessment. ERM, if designed properly, is akin to a GPS system that helps the bank get to where it wants to go and avoid pitfalls and surprises along the way. The common misconception is that somehow ERM is not applicable to small community banks. That’s like saying only big trucks need GPS systems and small cars always know where to go. When we say that, I think what we are really saying is that the burden of ERM implementation is too much for small institutions from a cost and time perspective, and that is certainly a plausible statement. Business processes in small and midsize banks, for example, may be less formal and less structured. But the underlying components of an effective ERM may still be present and functioning.

Banks that want to implement an effective ERM often look to third-party sources for solutions. However, many vendors and applications, unfortunately, tend to define ERM from an operational perspective. They use the FDICIA and SOX approach to identify controls and have the Bank validate the existence of those controls. This exercise is not bad; it can actually surface control weaknesses that may indeed be present in the institution and help improve existing processes. It can be a great exercise.

So what’s your issue, Amit? Well, that’s not ERM…that’s Operational Risk Management (“ORM”). Yeah, I know…more acronyms. This is where I attempt to look smart. But since we already know that I am not, I reached out for some help to a colleague of mine who has been doing this for years. His name is John McIsaac. He is the Managing Director at GRC Solutions and has been involved in ERM for community banks for over 30 years. I figured he is the perfect source since ERM is his passion. I don’t judge people’s passion but am glad that he agreed to provide me some insight.

ERM Modeling

So the way John explains it to me, the problem is that an institution can have the best controls and policies in place to mitigate perceived threats but still may be headed down the wrong path strategically. So ERM is really a way of understanding how we can align the movement of the institution towards our strategic plan and goal. That’s a mouthful…John is like that, but I kind of get it.

To be effective, ERM can’t just be another fancy Risk Assessment; it has to be a dynamic model and framework. Risk Assessments are then just one component of the total ERM model. These assessments take into account the controls in place and the evaluation of those controls (by internal audit or self-assessment), but they also need to include what is commonly referred to as Key Performance Indicators (“KPIs”). KPIs help an ERM system evaluate whether the direction the bank is heading conforms with its strategic objectives. Continued assessment of controls is certainly important and helps to evaluate sustainability (in other words, “Do we have enough gas?”). KPIs are quantitative in nature and are measured against established benchmarks (or thresholds) which are tied to a risk appetite and ultimately to the Bank’s strategic objectives. So the difference is this: a bank could have the most perfect set of policies, procedures and controls and still be making the wrong decisions strategically. Maybe the bank’s underwriting policies are too lenient, and so the KPIs show a sudden increase in past dues and non-accruals, or exceed the thresholds allowed by the lending policy or investment policy. Thus the assessment of existing controls and the key performance indicators have to work together to help us navigate.

A big challenge for many banks that actually do understand the ERM framework is how to collect the in-house data required for the KPIs. Not too long ago, I was with a bank that is implementing an ERM system. They engaged the services of a third party to help them. The problem for them was that the service looked pretty good during the sales process, because the salesman had sample data on his laptop and was able to demonstrate how the final reporting would look. But during the implementation process, it became clear to the Bank that collecting the required data would be a huge challenge, as some of the data resides in several different applications and some even in hard copy. For example, some lending data may be in the loan origination application, some within the core processing system, some within a separate stress test application and some in the loan file. Therefore, banks are realizing that they first need a way to centralize, structure (“normalize,” a techie term) and manage data as information which can then be used in multiple ways: Board or senior management reporting and, of course, ERM. ERM is therefore as much about data as about controls. So the lesson learned by that institution was that maybe we rushed into this ERM application without first grappling with the challenge of how we will accumulate the required data. The Bank was attempting first to consolidate the data through multiple Excel sheets which could be uploaded into the ERM application. They quickly realized that this process was not very audit-trail friendly, not to mention the increased labor that was now being spent to feed the ERM functionality.

From my experience, I am seeing regulators systematically asking institutions over $1 billion in asset size to implement an ERM system (though they officially state that this is not a mandate but an emerging best practice). The time frame for implementation depends largely on the growth pattern of the institution. Many institutions have been asked to hire a Chief Risk Officer (“CRO”) and implement an ERM system. So we are seeing new CROs who are now confronted with the challenge of figuring out how to implement an ERM framework with limited and confusing industry guidance. In many instances they are not given much of a budget by their institution. Naturally, they then look to third-party solutions to help them achieve the mandated objectives.

In evaluating a third-party solution for ERM purposes, it may not be a bad idea to check, first, whether it goes beyond just a control assessment mechanism and, second, whether it offers a solution for data collection and normalization that allows information from multiple sources within the Bank to be integrated. I can tell you that there are very few vendors, if any, that offer both. The advantage that Banks have is that they need not rush into making a decision. So far, the regulators have demonstrated patience in this regard and are looking to see whether an institution is making progress and has a plan for an ERM implementation. Thus, some of the vendors that do understand ERM are moving in this direction, as opposed to imposing a weak product on their customers. This is an evolving process and we all need to think first and do it right.

KRI? What’s that?

As I noted previously, many ERM models are fancy risk assessments, and some go a step further by analyzing operational controls. And then they just stop there. A few, however, actually go a step further to include KPI benchmarking. A true ERM needs quantitative Key Performance Indicator (“KPI”) data as much as it needs an assessment of controls. So what is this KRI? Is this a typo, Amit? Did you mean KPI? We know your computer skills are not very savvy. Well, my friends, no, I did mean KRI, because I want to impress you even further with my ERM knowledge. KRI = Key Risk Indicators.

This is another important element that seems to be absent in many of the ERM models.  (I know I am shooting for the stars now.) So what is the importance of KRI and why do we need KRI, if we already have KPI? It’s amazing how one can look smart just by throwing around some acronyms.

KPI and our control assessments help us to evaluate the internal functioning of our bank. So let’s say that, based on the numbers and control assessments, we determine that the bank is doing absolutely great.  If the purpose of an ERM model is to help us determine whether we are moving in the right direction to reach our strategic objective, it’s good to know that we have a good shop, that things are clean and that our train is moving.  But is it moving in the right direction or on the right track?  I am reminded of an old TV commercial that one of the consulting firms used to have on many years ago.  It showed two people in the front of a freight train in a dark tunnel, where they see a light ahead. Both look to each other and look puzzled.  The narrator goes on to say “...is that the light at the end of the tunnel or the headlights of an oncoming train?” 

The analogy here is that we may have the best-functioning train, which nevertheless may be moving on the wrong track. It’s great that we have a dynamic and robust institution, but it may be operating in an environment or a local economy that is doing terribly. Thus, a true ERM also needs to include factors outside of the Bank that can have a direct impact on its profitability and strategic objectives. That’s where KRIs come in. They are a way of measuring and assessing quantitatively the factors outside the Bank’s control. If the Bank’s strategic plan calls for doubling its 1-4 family residential originations and yet the local market area shows a decline in new construction and sales, perhaps we need to rethink our strategy, as such growth may not be plausible. Thus, a real ERM aligns a bank’s strengths with real opportunities and assesses the impact of changes in strategy.

Smaller Institutions

For smaller community banks the concept of ERM is just as relevant, and one could argue that since their strategic objectives generally call for growth, knowing that the growth is on the right track is very relevant. So how in-depth does the ERM model need to be and, more importantly, can they afford it? My advice to my clients is to think of ERM in a smaller and more practical manner. First develop a culture for ERM: a reporting structure, policies, reporting entities and defined responsible parties. The idea is first to introduce the concepts of ERM, and the information it needs, to all relevant parties.

Employees in these institutions already wear multiple hats, and inundating them with a requirement to document controls and processes akin to a FDICIA or SOX environment can be very burdensome.

A very basic ERM framework for a small community bank can be built from key ratios for each functional area, such as liquidity, lending and deposits, taken directly from the UBPR (Uniform Bank Performance Report). Select a likely peer group of institutions and see what their ratios are. With a simple analysis you can set relevant upper and lower thresholds for each ratio and benchmark against them. We can also compare our ratios to those of the institutions we are emulating, or strategically want to emulate in the near future. This way the bank can gauge whether it is moving in that direction. This is a very practical and efficient way of developing a mini GPS system. It requires no formal KPI or KRI program and no documentation of controls. Yet it sets a framework for senior management and Board members to think about key risk ratios and their impact on the Bank if they move in the wrong direction.
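The peer-group benchmarking just described, and the earlier point that KPIs are measured against thresholds tied to a risk appetite, can be made concrete in a few lines. The following is an added example, not code from the original post or from any vendor product: every ratio value, peer bank and "target" institution below is constructed sample data rather than real UBPR figures, the ratio names are illustrative, and the choice of which direction counts as "the wrong direction" for each ratio is an assumption standing in for the bank's own risk appetite.

```python
"""Peer-group ratio benchmarking: a "mini GPS" for a community bank.

Added example, not part of the original post. All figures are constructed
sample numbers, not real UBPR data; ratio names, peer banks, the target
institution and the adverse-direction table are assumptions for illustration.
"""
from dataclasses import dataclass
from statistics import mean, stdev

# Constructed peer-group ratios (percent), one value per peer bank.
PEER_RATIOS = {
    "loans_to_deposits":              [78.0, 82.5, 85.0, 80.1, 88.3, 76.4, 84.2],
    "noncurrent_loans_to_loans":      [1.2, 0.9, 1.8, 1.4, 2.1, 0.7, 1.5],
    "net_noncore_funding_dependence": [8.0, 12.5, 15.2, 10.1, 18.3, 9.4, 13.7],
}

# Constructed quarterly history for our own bank, oldest quarter first.
OUR_HISTORY = {
    "loans_to_deposits":              [79.0, 83.0, 87.5, 91.0],
    "noncurrent_loans_to_loans":      [1.4, 1.3, 1.1, 1.0],
    "net_noncore_funding_dependence": [6.0, 5.5, 5.0, 4.8],
}

# Assumed risk appetite: which way each ratio moves when things get worse.
ADVERSE_DIRECTION = {
    "loans_to_deposits": "up",
    "noncurrent_loans_to_loans": "up",
    "net_noncore_funding_dependence": "up",
}

# Constructed ratios of the institution we strategically want to emulate.
TARGET_BANK = {
    "loans_to_deposits": 85.0,
    "noncurrent_loans_to_loans": 0.8,
    "net_noncore_funding_dependence": 10.0,
}


@dataclass(frozen=True)
class Band:
    lower: float
    upper: float
    peer_mean: float


def peer_band(values, k=1.0):
    """Upper and lower limits at peer mean +/- k sample standard deviations."""
    m = mean(values)
    s = stdev(values)
    return Band(lower=m - k * s, upper=m + k * s, peer_mean=m)


def adverse_trend(history, adverse, periods=3):
    """True if the last `periods` observations move monotonically the wrong way."""
    recent = history[-periods:]
    if len(recent) < periods:
        return False
    steps = [b - a for a, b in zip(recent, recent[1:])]
    return all(s > 0 for s in steps) if adverse == "up" else all(s < 0 for s in steps)


def assess(name, history, peers, adverse, target=None, k=1.0):
    """Benchmark one ratio: position vs. peer band, trend, and gap to the target bank."""
    band = peer_band(peers, k)
    current = history[-1]
    if current > band.upper:
        position = "above"
    elif current < band.lower:
        position = "below"
    else:
        position = "within"
    # Being outside the band is only a breach when it is on the adverse side;
    # e.g. lower-than-peer noncore funding dependence is conservative, not a problem.
    breach = (position == "above" and adverse == "up") or (position == "below" and adverse == "down")
    result = {
        "ratio": name,
        "current": current,
        "band": (round(band.lower, 2), round(band.upper, 2)),
        "position": position,
        "breach": breach,
        "adverse_trend": adverse_trend(history, adverse),
    }
    if target is not None:
        gap_now = abs(current - target)
        gap_prev = abs(history[-2] - target) if len(history) > 1 else gap_now
        result["target_gap"] = round(gap_now, 2)
        result["closing_gap"] = gap_now < gap_prev
    return result


def dashboard(history=OUR_HISTORY, peers=PEER_RATIOS, adverse=ADVERSE_DIRECTION, target=TARGET_BANK):
    """One row per ratio, in the order the ratios are listed."""
    return [assess(n, history[n], peers[n], adverse[n], target.get(n)) for n in history]


if __name__ == "__main__":
    for row in dashboard():
        flag = "BREACH" if row["breach"] else ("TREND" if row["adverse_trend"] else "ok")
        print(f"{row['ratio']:32} {row['current']:6.1f}  band {row['band']}  "
              f"{row['position']:6}  gap-to-target {row['target_gap']:5.2f}  {flag}")
```

Two design points worth noting. A deviation from the peer band is reported separately from a breach, because the band is symmetric but the risk appetite is not: a ratio sitting below peers can be conservative rather than alarming, and only the adverse side should wake anyone up. And the trend check looks at several consecutive quarters rather than the latest move, which is the "moving in the wrong direction" signal the paragraph above cares about, not a single noisy quarter.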


We all understand that the concept of ERM is here to stay, and regulators have seen from the last crisis that the banks that were shut down were those shooting from the hip, without a thought-out mechanism in place to understand the risks associated with a growing institution. Even though Dodd-Frank mandates the development of an ERM framework for institutions $10 billion and over in asset size, the regulators have established their own threshold. Generally, this threshold is tied to the anticipated growth rate, especially where the asset size is over $1 billion. So if we are going to start thinking about ERM and implementing it, let’s take a deep breath and make sure we understand what we need to do without rushing into it.

After all, we want to build something that is robust and is Super ERM. We want it to help us to move faster than a speeding bullet to meet the nonstop new regulatory requirements and yet help us to leap our tall hurdles in just a single bound.  Yes this is the Super ERM…an immortal power that no community bank should be without. 




Amit Govil

Managing Partner

Amit Govil, Managing Partner of P&G Associates, has over 25 years of experience serving the risk management needs of financial institutions.
