There can be no doubt that 2010 will be the year of regulatory compliance. Not only are there new regulations that will take effect this year, but Congress is poised to enact substantial changes and additions to the body of banking regulations in response to the current economic crisis and the global financial meltdown.
With every institution scrambling to keep up and prepare for the implementation of these member-driven modifications, why should management or the board of directors be concerned about the benefits of enterprise risk management (ERM)? What advantage could possibly be gained by adding another layer to an already cumbersome process?
In the broadest terms, the current economic downturn has presented increasing management challenges for every financial institution. ERM is not an additional layer, but a means to channel common strategies and leverage resources to mitigate, monitor, and manage risk exposure. ERM drives actions that identify, measure, examine, and control risk.
Going forward, management and boards are likely to focus on broader strategic risks, which can be defined as the potential for failure, significant loss, or reduced opportunity for gain. Considering all the factors that might threaten or adversely affect a credit union’s operations or business model, the credit union should assess even seemingly improbable risks that could jeopardize its survival.
ERM brings the identification, management, measurement, and oversight of the institution’s risks together in a structured approach to managing uncertainty. Given how much risk an institution is willing to accept, ERM assesses how its risks could act together and extrapolates what would happen if they triggered one another in a domino effect. Directors and senior management must be aware of all of the significant implications so the overall business strategy risk framework is known and understood.
Those institutions that had already planted the seeds of ERM enjoyed a distinct advantage and were positioned to proactively address the risks that surfaced in the unique environment of the current crisis. Moving into 2010 with the voluminous regulatory changes, striking a balance between risk and return will be even more of a challenge.
Successful ERM does not just happen. Active boards and senior management must establish a culture that focuses on risk interconnections and translates mutual risk assumptions into effective risk mitigation. There must be an environment of trust and respect that exists between lines of business and an overriding commitment to a shared mission in order for ERM to work.
A risk-resilient organization continuously scans the business environment for changes that could impact strategy and objectives, makes necessary adjustments to its course, and recognizes that certain risks may be too large to manage alone. Through a collaborative process with all players at the table, ERM places all stakeholders on an equal playing field with each contributing to the solutions that mitigate their shared risks.
Having all the business and operational units already at the table and working in tandem is a huge advantage in a crisis. Market risk, credit risk, liquidity risk, portfolio risk, and reputation risk may be of primary concern, but other risks can be equally disruptive.
Suggested strategies to implement ERM processes include:
Risk identification and assessment
- Collect clean and trusted data related to potential risk
- Prepare and organize data based on governance structure, policies, and resources
- Involve all business and operational disciplines in investigative efforts
Risk measurement and reporting
- Each business or operational center needs to identify key projected risk factors
- Assess key controls available across centers
- Expose simulations or models of anticipated risk consequence
Risk mitigation and management
- Ensure technological capacity to analyze data in complex risk models
- Create risk indicators, risk reports, and risk model outputs across centers
- Determine possible actions to mitigate risk
- Play out scenarios to determine expected outcomes
- Mobilize relevant teams to take action quickly
- Allocate resources as needed to stabilize positions
- Adjust scenarios for key drivers such as interest rates and credit conditions
- Look for long-term solutions and not short-term outcome responses
- Provide reports in framework to determine results
- Adjust strategies to respond to risk controls and compliance
- Assess risk significance, interconnectedness with other risks and implications
- Determine future course of action, based on collaboration with partners
Moving away from the “silo” approach of risk management (i.e., different internal groups responsible for each type of risk) and embracing a more “holistic” tactic may also result in the elimination of redundancies in controls and the streamlining of analysis.
ERM should also help credit unions keep up with the changing regulatory environment, maintain pace with business growth and product complexity, and balance communication with the directors. In the end, risks taken by the institution should enjoy a commensurate level of reward based on effective controls.