United States

Scaling ERM to fit community banks


Enterprise risk management (ERM) has become a hot topic in the banking industry, fueled in part by lessons learned from the recent economic crisis and the increased regulatory scrutiny that followed. Large banks have been required to develop comprehensive ERM programs. Will community banks that are not likely to be subject to the same rules or have the resources of their larger counterparts be expected to do the same?

The realistic answer is that certain elements of ERM that are required of large banks are likely to filter down to smaller banks, although regulators will expect less complex approaches. This is because ERM boils down to effective risk management practices that are a good idea and can help to protect the safety and soundness of banks of all sizes. The key to implementing ERM for community banks is to focus on the aspects that provide a direct benefit to the bank in identifying and avoiding potential risks that can cause unpleasant financial surprises, and in understanding and improving the relationship between risks and returns.

So how can a community bank implement these practices without ERM becoming "Expensive Risk Management?" There are relatively simple ways to get started. First, it is important to understand what ERM is, and how it differs from traditional risk management, and independent validation processes, such as internal audit.

An enterprise view of risk
ERM is, quite simply, risk management practices that provide a holistic view of all of a bank's material risks, and are integrated with key decision-making processes across the enterprise. Basic steps, such as developing reports that compare and aggregate risk concentrations across business lines, industries and geographies, can provide valuable insight into a bank's vulnerabilities to market and economic trends.

Consider, for example, the benefit of understanding a bank's combined exposure to real estate markets - whether through home equity loans, commercial real estate or investments in mortgage-backed securities - particularly if the bank performs this analysis in advance of market declines and discusses it as part of the bank's strategic planning process. Add consideration of how potentially higher credit losses could lead to other risks - such as harm to the bank's reputation - as well as other risks that could occur as a result of market declines - such as increased fraud - and the bank is well on its way to creating a holistic view of risk.

An enterprise-wide view of risk can help banks to improve profitability and ensure an efficient use of limited capital resources. This can be accomplished by comparing returns to risks and using this information to target business lines or portfolio segments with the highest returns. Alternatively, banks can cut back or exit segments with low risk-adjusted returns. Large banks generally rely on complex, resource-intensive approaches, such as economic capital analysis, to compare risks and returns. However, even a relatively simple approach, such as graphical comparisons of returns and long-term average losses for key products, can provide insight into areas where returns on risks are greater.

Establishing a risk culture
Developing an understanding of a firm's risks and returns is an important first step. However, for ERM to be implemented effectively, employees in all areas of the bank need to understand what risks the bank is willing to take, how their activities can affect the bank's risks, and how to manage those risks. In other words, risk management can no longer be the responsibility of a single executive or function. The good news is that banks can communicate their risk appetite and promote ownership of risk across the enterprise relatively inexpensively. They can establish a "tone at the top" and incentives that support risk management and set expectations for ethical conduct, adherence to policies, and prompt reporting of risk issues. The benefits of doing this far outweigh the costs, as risk management becomes the job of all employees rather than only one. Further, developing a culture that is supportive of risk management can actually be easier for a community bank than for a large bank, as organizational structures tend to be flatter and executive management more visible to employees.

The three lines of defense
Ownership of risk by business line employees is often referred to as a bank's first "line of defense." Areas providing risk oversight, such as an ERM function, are considered the second line of defense. Internal audit serves as a third line of defense and provides independent review and testing, such as of regulatory compliance. Three lines of defense are not only important to effective risk management; they can be achieved with limited resources. Community banks can outsource internal audit activities and assign risk management oversight to an executive with other responsibilities, such as the CFO, provided that the executive is not involved in risk-taking activities, such as approving loans.

Open communication across all lines of defense is critical to successful enterprise risk management. To promote sharing of information firm-wide, banks should establish forums for discussion of risks across business lines and functions. This practice ensures that causes and solutions to risk events are understood across the bank, which helps to prevent their reoccurrence (and additional loss) in other areas. In addition, these forums help to identify risks that could have an impact on other areas of the bank. For example, what would happen if the area responsible for projecting liquidity levels were unaware that credit losses were going to materially exceed expectations? A second financial surprise might occur - creating more harm to the bank's reputation.

A forward-looking approach
A forward-looking approach is another important element of ERM. While no methodologies exist for accurately predicting risks, banks can identify potential risks before they lead to losses, such as through development of a set of relevant key risk indicators. These KRIs, as they are known, are different from performance measurements in that they are leading indicators. For example, while delinquency rates are useful measures of performance, a KRI that tracks the mix of new loan originations by risk grade or credit score can provide an early indication of future credit performance. Similarly, the concentration of wholesale deposits can be an indication of a bank's vulnerability to liquidity risk.

A second, simple way to create a forward-looking approach is to consider the potential risks associated with new strategies and new product proposals. For large banks, this is generally achieved through involvement of the bank's chief risk officer and other ERM staff in strategy and product development processes. Community banks can achieve a similar outcome by adding a step to their planning processes whereby managers are asked to consider what could potentially go wrong. It is often surprising how well managers understand these downside risks, even though they are often not communicated to executive management and the board as clearly as the upside opportunities.

ERM is attainable and affordable
There are many ways to implement ERM's value-adding elements, even with the limited resources of a community bank. Each of these elements - developing a holistic view of risk and returns, establishing a risk culture, creating three lines of defense against risk and developing a forward-looking view of risk - can help a bank to better understand and manage its risks. As many people in the financial services industry can attest, the benefits of ERM can far outweigh the costs.

Contact Rebecca Towne at rebecca.towne@rsmus.com.