Wednesday, February 26, 2020

What is Enterprise Risk Management?

Posted by OnCourse Staff October 5, 2012 4:26pm


Look up in the sky! Is it a bird? Is it a plane? No! Duh, it’s ERM! Yes, ERM: the new mantra in community banking. And it’s confusing as heck.

“What is ERM?”

“How do you know if you see it?” These are two questions that have been making bankers scratch their heads lately.

To make matters worse, while the regulators are asking banks to adopt an ERM model, they have not clearly defined what they believe an effective ERM framework looks like. Given the level of confusion, vendors are aggressively marketing purported ERM solutions: products labeled and packaged as ERM that come with a colorful dashboard and produce reports a bank can hand to the regulators and the Board. So is ERM some fancy report that we print on a quarterly basis with pretty charts and colors? Many would seem to imply that. As the saying goes, if it looks the part it must be so.

We all know quite well that all banks face uncertainty and challenges, even more so in today’s economic environment. This uncertainty presents both risk and opportunity, with the potential to either erode or enhance the value of the bank. So why is ERM the buzzword these days?

ERM, if implemented properly, enables the Bank to deal with uncertainty in a manner that guides the strategic planning of the Bank to build value. Sounds like a lot of the mumbo jumbo you have been hearing of late, right? I don’t blame you. We have all heard of ERM by now; the real questions are “how do we do it?” and “how do we do it right?” Show me the way to this Super ERM.

Bankers have been managing risk since the dawn of time. So what is changing is not the fact that banks manage risk, but the speed of change (technology, regulations, and customer and market conditions). That speed compresses the time available for strategic decisions, which in turn must be made faster. A good ERM model is one that helps deliver that. Unfortunately many risk models concentrate too much on the ability to identify negative risk trends. Don’t get me wrong, that’s not such a bad thing. But you don’t always want to look at a glass and say “it’s half empty.” The ERM model should also identify the opportunities on the upside.

ERM Misconception

ERM is not a risk assessment or an operational and controls assessment. ERM, if designed properly, is akin to a GPS system that helps the bank get where it wants to go and avoid pitfalls and surprises along the way. The common misconception is that somehow ERM is not applicable to small community banks. That’s like saying only big trucks need GPS systems and small cars always know where to go. When we say that, I think what we are really saying is that the implementation burden of ERM is too much for small institutions from a cost and time perspective, and that is certainly a plausible statement. Business processes in small and midsize banks, for example, may be less formal and less structured. But the underlying components of an effective ERM may still be present and functioning.

Banks that want to implement an effective ERM often look to third party sources for solutions. However, many vendors and applications, unfortunately, tend to define ERM from an operational perspective. They use the FDICIA and SOX approach to identify controls and have the Bank validate the existence of such controls. This exercise is not bad; it can actually surface control weaknesses that may indeed be present in the institution and help improve existing processes. It can be a great exercise.

So what’s your issue, Amit? Well, that’s not ERM; that’s Operational Risk Management (“ORM”). Yeah I know, more acronyms. This is where I attempt to look smart. But since we already know that I am not, I reached out to a colleague of mine who has been doing this for years. His name is John McIsaac. He is the Managing Director at GRC Solutions and has been involved in ERM for community banks for over 30 years. I figured he is the perfect source since ERM is his passion. I don’t judge people’s passions, but I am glad that he agreed to provide me some insight.

ERM Modeling

The way John explains it to me, the problem is that an institution can have the best controls and policies in place to mitigate perceived threats and still be headed down the wrong path strategically. So ERM is really a way of understanding how to align the movement of the institution with its strategic plan and goals. That’s a mouthful (John is like that), but I kind of get it.

To be effective, ERM can’t just be another fancy Risk Assessment; it has to be a dynamic model and framework. Risk Assessments are then just one component of the total ERM model. These assessments take into account the controls in place and the assessment of those controls (internal audit or self-assessments), but they also need to include what are commonly referred to as Key Performance Indicators (“KPIs”). KPIs help an ERM system evaluate whether the direction the Bank is going conforms with its strategic objectives. Continued assessment of controls is certainly important and helps to evaluate sustainability (in other words, “Do we have enough gas?”). KPIs are quantitative in nature and are measured against established benchmarks (or thresholds) which are tied to a risk appetite and ultimately to the Bank’s strategic objectives. So the difference is this: a bank could have the most perfect set of policies, procedures and controls and still be making the wrong decisions strategically. Maybe the bank’s underwriting policies are too lenient, and so the KPIs indicate a sudden increase in past dues and non-accruals, or exceed the allowable thresholds set in the lending policy or investment policy. Thus the assessment of existing controls and the key performance indicators have to work together to help us navigate.

A big challenge for many banks that actually do understand the ERM framework is how to collect the in-house data required for the KPIs. Not too long ago, I was with a bank that is implementing an ERM system. They engaged a third party to help them. The service apparently looked pretty good during the sales process, because the salesman had sample data on his laptop and was able to demonstrate how the final reporting would look. But during implementation it became clear to the Bank that collecting the required data would be a huge challenge, as some of the data resides in several different applications and some of it only in hard copy. For example, some lending data may be in the loan origination application, some within the core processing system, some within a separate stress test application and some in the loan file.

Therefore, banks are realizing that they first need a way to centralize, structure (“normalize,” a techie term) and manage data as information which can then be used in multiple ways: Board or senior management reporting and, of course, ERM. ERM is therefore as much about data as about controls. So the lesson learned by that institution was that maybe they rushed into this ERM application without first grappling with how they would accumulate the required data. The Bank was first attempting to consolidate the data through multiple Excel sheets which could be uploaded into the ERM application. They quickly realized that this process was not very audit-trail friendly (nobody could show where a figure came from or who had last changed it), not to mention the extra labor now being spent just to feed the ERM functionality.

From my experience, I am seeing regulators systematically asking institutions over $1 billion in asset size to implement an ERM system (though they officially state that there is no mandate, only an emerging best practice). The time frame for implementation depends largely on the growth pattern of the institution. Many institutions have been asked to hire a Chief Risk Officer (“CRO”) and implement an ERM system. So we are seeing new CROs who are now confronted with the challenge of figuring out how to implement an ERM framework with limited and confusing industry guidance. In many instances they are not given much of a budget by their institution. Naturally, they then look at third party solutions to help them achieve the mandated objectives.

In evaluating a third party solution for ERM purposes, it is not a bad idea to check, first, whether it goes beyond being just a control assessment mechanism and, second, whether it offers a solution for data collection and normalization that allows information from multiple sources within the Bank to be integrated. I can tell you that there are very few vendors, if any, that offer both. The advantage Banks have is that they need not rush into a decision. So far, the regulators have demonstrated patience in this regard and are looking to see whether an institution is making progress and has a plan for an ERM implementation. Thus, some of the vendors that do understand ERM are moving in this direction rather than imposing a weak product on their customers. This is an evolving process and we all need to think first and do it right.

KRI? What’s that?

As I noted previously, many ERM models are fancy risk assessments, and some go a step further by analyzing operational controls. And then they just stop there. A few actually go a step further to include KPI benchmarking. A true ERM needs quantitative Key Performance Indicator (“KPI”) data as much as an assessment of controls. So what is this KRI? Is this a typo, Amit? Did you mean KPI? We know your computer skills are not very savvy. Well my friends, no, I did mean KRI, because I want to impress you even further with my ERM knowledge. KRI = Key Risk Indicators.

This is another important element that seems to be absent from many ERM models. (I know I am shooting for the stars now.) So what is the importance of KRIs, and why do we need KRIs if we already have KPIs? It’s amazing how one can look smart just by throwing around some acronyms.

KPIs and our control assessments help us evaluate the internal functioning of our bank. So let’s say that, based on the numbers and control assessments, we determine that the bank is doing absolutely great. If the purpose of an ERM model is to help us determine whether we are moving in the right direction to reach our strategic objective, it’s good to know that we have a good shop, that things are clean and that our train is moving. But is it moving in the right direction, or on the right track? I am reminded of an old TV commercial that one of the consulting firms ran many years ago. It showed two people at the front of a freight train in a dark tunnel, where they see a light ahead. They look at each other, puzzled. The narrator asks, “Is that the light at the end of the tunnel, or the headlights of an oncoming train?”

The analogy here is that we may have the best functioning train, but it may be moving on the wrong track. It’s great that we have a dynamic and robust institution that is doing great, but it may be operating in an environment or a local economy that is doing terribly. Thus, a true ERM also needs to include factors outside the Bank that can have a direct impact on its profitability and strategic objectives. That’s where KRIs come in. They are a way of measuring and assessing quantitatively the factors outside the Bank’s control. If the Bank’s strategic plan calls for doubling its 1-4 family residential originations and yet the local market area shows a decline in new construction and sales, perhaps we need to rethink our strategy, as such growth may not be realistic. Thus, a real ERM aligns a bank’s strengths to real opportunities and assesses the impact of changes in strategy.

Smaller Institutions

For smaller community banks the concept of ERM is just as relevant; one could even argue that since their strategic objectives generally call for growth, knowing that the growth is on the right track is very relevant. So how in depth does the ERM model need to be and, more importantly, can they afford it? My advice to my clients is to think of ERM in a smaller and more practical way. Let’s first develop a culture for ERM: reporting structure, policies, reporting entities and defined responsible parties. The idea first is to introduce the concepts and information on ERM to all relevant parties.

Employees in these institutions already wear multiple hats, and inundating them with a requirement to document controls and processes akin to an FDICIA and SOX environment can be very burdensome.

A very basic ERM framework for a small community bank can be built from key ratios for each functional area (liquidity, lending, deposits) taken directly from the UBPR (Uniform Bank Performance Report). Select a likely peer group of institutions and see what their ratios are. Just by a simple analysis you can create relevant upper and lower thresholds for each ratio and benchmark against them. We can also measure our ratios against those of the institutions we are emulating and strategically want to resemble in the near future. This way the bank can gauge whether it is moving in that direction. This is a very practical and efficient way of developing a mini GPS system. It would require no formal KPI or KRI program or documentation of controls. Yet it sets a framework for senior management and Board members to think about key risk ratios and their impact on the Bank if they move in the wrong direction.
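As an added example, not code from the original post or from any vendor it mentions, here is a small Python script that does the peer-ratio benchmarking this section describes, and at the same time the threshold-based KPI comparison from the ERM Modeling section above: it derives an upper and lower limit for each ratio from a peer group, flags the bank's own ratios that fall outside that band, and reports whether each ratio moved toward or away from the group the bank wants to emulate between two quarters. The peer group, target group and bank figures are constructed for illustration and are not real UBPR data; the 10th/90th percentile band is an assumed choice that a bank would replace with limits from its own risk appetite statement.

```python
"""Peer-group ratio benchmarking: the "mini GPS" for a small bank.

Added example, not code from the original post. All figures below are
constructed and are NOT real UBPR data. The 10th/90th percentile band is an
assumption; a bank would substitute limits from its risk appetite statement.
"""
from typing import Dict, List, Tuple

Ratios = Dict[str, float]

# Constructed sample data: a five-bank peer group and a two-bank "target"
# group the bank wants to resemble. All values are percentages.
PEER_GROUP: Dict[str, Ratios] = {
    "Peer A": {"loans_to_deposits": 70.0, "noncurrent_loans": 0.8, "net_interest_margin": 3.2},
    "Peer B": {"loans_to_deposits": 75.0, "noncurrent_loans": 1.0, "net_interest_margin": 3.4},
    "Peer C": {"loans_to_deposits": 80.0, "noncurrent_loans": 1.2, "net_interest_margin": 3.5},
    "Peer D": {"loans_to_deposits": 85.0, "noncurrent_loans": 1.5, "net_interest_margin": 3.7},
    "Peer E": {"loans_to_deposits": 90.0, "noncurrent_loans": 2.0, "net_interest_margin": 3.9},
}
TARGET_GROUP: Dict[str, Ratios] = {
    "Target X": {"loans_to_deposits": 80.0, "noncurrent_loans": 0.9, "net_interest_margin": 3.8},
    "Target Y": {"loans_to_deposits": 84.0, "noncurrent_loans": 1.1, "net_interest_margin": 4.0},
}
# The bank's own ratios for the prior and current quarter (constructed).
BANK_PRIOR: Ratios = {"loans_to_deposits": 95.0, "noncurrent_loans": 1.3, "net_interest_margin": 3.0}
BANK_CURRENT: Ratios = {"loans_to_deposits": 92.0, "noncurrent_loans": 1.4, "net_interest_margin": 3.1}


def percentile(values: List[float], p: float) -> float:
    """Linearly interpolated p-th percentile (0 <= p <= 100) of a list of numbers."""
    s = sorted(values)
    if len(s) == 1:
        return s[0]
    pos = (len(s) - 1) * p / 100.0
    lo = int(pos)
    hi = min(lo + 1, len(s) - 1)
    return s[lo] + (s[hi] - s[lo]) * (pos - lo)


def peer_thresholds(peers: Dict[str, Ratios], lo_pct: float = 10.0,
                    hi_pct: float = 90.0) -> Dict[str, Tuple[float, float]]:
    """Derive a (lower, upper) limit for every ratio from the spread of the peer group."""
    names = {name for ratios in peers.values() for name in ratios}
    limits = {}
    for name in sorted(names):
        column = [ratios[name] for ratios in peers.values() if name in ratios]
        limits[name] = (percentile(column, lo_pct), percentile(column, hi_pct))
    return limits


def benchmark(bank: Ratios, peers: Dict[str, Ratios]) -> Dict[str, Dict[str, object]]:
    """Flag each of the bank's ratios as 'below', 'within' or 'above' the peer band."""
    report = {}
    for name, (lower, upper) in peer_thresholds(peers).items():
        value = bank[name]
        status = "below" if value < lower else "above" if value > upper else "within"
        report[name] = {"value": value, "lower": lower, "upper": upper, "status": status}
    return report


def direction(prior: Ratios, current: Ratios, target: Dict[str, Ratios]) -> Dict[str, str]:
    """Did each ratio move 'closer' to, 'further' from, or stay 'unchanged' relative to
    the target group's median between the prior and current quarter?"""
    out = {}
    # With lo_pct == hi_pct == 50 both limits are the target group's median.
    for name, (median, _) in peer_thresholds(target, 50.0, 50.0).items():
        before, after = abs(prior[name] - median), abs(current[name] - median)
        out[name] = "closer" if after < before else "further" if after > before else "unchanged"
    return out


if __name__ == "__main__":
    for name, row in benchmark(BANK_CURRENT, PEER_GROUP).items():
        print(f"{name:20s} {row['value']:6.2f}  peer band [{row['lower']:.2f}, {row['upper']:.2f}]  {row['status']}")
    for name, move in direction(BANK_PRIOR, BANK_CURRENT, TARGET_GROUP).items():
        print(f"{name:20s} moving {move} to target group")
```

On the constructed data the loans-to-deposits ratio is flagged above the peer band and net interest margin below it, while the trend check shows noncurrent loans drifting away from the target group even though they are still inside the band. That combination is exactly the point of the section: a ratio can be "within limits" this quarter and still be heading in the wrong direction, which is why the board report should carry both the band status and the trend.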


We all understand that ERM is here to stay, and regulators have seen from the last crisis that the banks that were shut down were the ones shooting from the hip without a thought-out mechanism in place to understand the risks that come with a growing institution. Even though Dodd-Frank mandates the development of an ERM framework only for institutions $10 billion and over in asset size, the regulators have established their own threshold. Generally, this threshold is tied to the anticipated growth rate, especially where the asset size is over $1 billion. So if we are going to start thinking about ERM and implementing it, let’s take a deep breath and make sure we understand what we need to do without rushing into it.

After all, we want to build something robust: a Super ERM. We want it to help us move faster than a speeding bullet to meet the nonstop new regulatory requirements and yet leap our tall hurdles in a single bound. Yes, this is the Super ERM, a superpower that no community bank should be without.




OnCourse Staff

The OnCourse writing staff work to keep you informed about the most pertinent financial industry news of the moment
