Enterprise Risk Management (ERM) · empower1.fisglobal.com/rs/650-KGE-239/images/402...

Date post: 09-Jul-2020

Enterprise Risk Management (ERM)

Anne Jones, Banking Consultant

What is Enterprise Risk Management (ERM)?

• ERM is the framework and mindset for aligning the bank’s strategy and processes within the bank’s risk appetite

• A framework for establishing standards that:

– Ensures consistent approaches are used for risk management

– Provides common language

– Gathers risk information from throughout the organization

– Presents risk information to the Board and senior management in a format that is informative and actionable

• A culture (mindset) that accepts that risk must be managed and does so with transparency and accountability

ERM Benefits

• Regulatory Expectations

– a management structure that adequately identifies, measures, monitors, and controls the risks of its activities

– principles of sound management should apply to the entire spectrum of risks facing an institution including, but not limited to, credit, market, liquidity, operational, compliance, and legal risk

• Enables efficient and effective risk management

• Enforces risk awareness and accountability

• Addresses risk types holistically rather than in silos

• Provides early warnings & improves decision making

• Provides management with a tool for evaluating new initiatives

• Balances risk across the organization

ERM Concepts

• It’s not as simple as looking back at what worked and applying that to the future.

• Never again say: “Wow, we never thought of that”

• Understand how management will respond to unexpected events

• Assess past and current weaknesses and missed opportunities

• Separate Audit (Past) and Risk (future)

• Risk assessments don’t have to be exact, but should point you in the right direction

• Does your company message empower your employees to help identify risk and opportunity?

ERM Concepts

• Enterprise Risk Management connects all of the pieces.

Inherent Risks

Internal Controls

Residual Risk – Risk Appetite

Internal Audit

Risk Management

How much residual risk is acceptable

You don’t need a big complex program. You just need a structure that makes you think about the things you aren’t thinking about.

ERM Life Cycle

• Culture

• Strategic Plan & Risk Appetite

• Risk Committee

• Key Risks & Related Controls

• Implement & Measure

Risk Management Culture

In the current market and global economy – it is no longer survival of the fittest, but survival of the chameleon – who can adapt to change the fastest

Risk Management Culture

• ERM is the framework and mindset for aligning the bank’s strategy and processes within the bank’s risk appetite

• Mindset - The first step to ERM planning is to define your organization's shared vision

• Top Down – Tone from the top to all levels of the bank

• Define Risk Policy that sets expectations

• Embrace transparency

• “We’re on the same team” – If you have a culture of “gotcha,” fix it

• “Risk Owner” is just as important as “Revenue producer”

Risk Appetite and Tolerance

• Once the culture is defined, the overall risk management appetite and tolerances can be defined

• Risk Appetite: General statements about the level of risk that is considered acceptable within a given risk category or type. These should serve as guiding principles to be used when developing strategic plans, operational processes and business continuity plans.

• Risk Tolerance: Tangible risk limits designed to set specific boundaries in which the business must operate. These must be measurable, realistic and capable of being monitored.

– The two most important guardrails are:

The Strategic Plan

Risk Appetite Statements

Risk Management - Communication

• Develop a common understanding of risk across multiple functions and business units so you can manage risk cost-effectively on an enterprise-wide basis.

• Risk tolerances that never get communicated are basically worthless

• Communication is critical because of assumptions

• Employees should understand what is an acceptable level of risk

• Look at your training

– Risk is as much about the why as the how – do your employees know the why?

Management Risk Committee

• Board – Where are we going?

• Audit Committee – What happened?

• Risk Committee – What could happen?

• Management – How are we going to get there?

Management Risk Committee

Sample Agenda

• Loss or other major events

• Risk assessment updates

• ERM project task list

• New products and services

• New initiatives

• Other new business

• Periodic reports (VM, IT, BCP, Info Sec, compliance, etc.)

• Report preparation for BRC and BOD

Identifying Risks that Matter

Identify Risk - Assessment

• Are you operating within the guardrails?

• Use a standardized process and be realistic about your resources

• Document assumptions

• Support with related analytics/metrics

• Include management conclusions

• Most of the value is in the dialog

• Distinguish between risk and risk sources

• Risk Type vs Strategy & Process

• Enterprise risk assessment should include information on:

– Strategic risks (macro level risks)

– Operations (process level risks)

Identify Risk – Assessment Tools

• Review what-if scenarios with the Risk Management Team

– Forces you to think outside the box

– Make sure you are prepared to handle the risk

– Example: Our data has been breached, what do we do?

• Use questionnaires to involve employees

– Make sure you are assessing Potential Risk and not Existing Controls

– Include employees at all levels

– Example Questions:

What communication barriers are present within the organization?

How do internal and external forces impact your daily tasks?

Identify Risk – Rate Each Area

• Strategic Risk

• Credit Risk

• Liquidity

• Interest Rate

• Price/Market

• Operational

• Reputation

• Compliance

Path To Success

What road do you take? If only it were as easy as following a yellow brick road.

• Identify your risk appetite

• Define expectations

• Allocate resources

• Involve people at all levels

• Encourage input

• Monitor compliance with risk tolerances

• Monitor key and emerging risks

How Can FIS Help?

• Utilization Study

• Tune-up

• Risk Management Solutions

• ERM Optimizer
