ERM: Not just for the ‘bigs’

Timothy J. Okrie

Wikipedia defines enterprise risk management as “something used in business that includes the methods and processes used by organizations to manage risk and seize opportunities related to the achievement of their business objectives.”

It used to be that the banking regulatory community gave you a pass on having a formalized and documented ERM program within your organization, but the tide, as they say, has turned. In today's banking world, regulators routinely ask the larger banks (those with more than $1 billion in assets) for copies of their ERM program documentation: not only the output, but the inputs and how the bank reached its conclusions.

Simply stated, a traditional ERM program is a holistic process for how your organization identifies, evaluates and manages risk. It takes an in-depth look at internal controls, prior-year examination findings and current regulatory pronouncements to determine the depth of the institution's exposure.

The message sent to community and regional banks has been more regulation rather than less; that is, until the recent changes in the political climate. Most regional and community banks do not have the human capital and organizational structure to develop and build ERM programs. They should not take a potential pull-back in regulatory expectations as a given, but should instead view an ERM program as a best practice in risk management and corporate governance.

Many smaller regional and community banks spend too much time and energy developing their ERM strategies, building programs that are predicated on regulations that have not yet taken effect or that do not align with their business and organizational structure. Programs developed in this manner are neither cost effective nor efficient at identifying and measuring the risks facing the institution.

Most, if not all, small and regional community banks lack the resources and bandwidth to build ERM programs that address their actual needs.

Not having an ERM program of some sort consistently leads to poorer examination results, regardless of the size of the financial institution; the larger the institution, the tighter the scrutiny and the larger the potential fines. This lends credence to the premise that having some sort of ERM program plays a role in enhancing the profitability of the bank, helping it deal with the risk, control and governance issues that its customers and regulators see. Before embarking on new initiatives and business endeavors, a bank should consult its ERM program to assess the risks, issues and impact on its operations and risk profile. This is an excellent way to turn the must-have cost of an ERM program into a value-added tool for managing business risk.

One of the best ways community and regional banks can build the elements of an ERM program is to inventory, assess and understand what they are already doing in the following areas of their business. At a minimum, the regulators will likely want to understand the following (this is not an exhaustive list, just an illustrative one):

Use of third parties in the day-to-day running of the bank. We are not talking about who cuts the grass around the branch and home offices, but rather about the third-party IT suppliers that provide critical functions.

How are you handling the Bank Secrecy Act and anti-money laundering requirements? Many regional and community banks outsource this function to third parties. How do you handle exceptions, and who is responsible for following up on them?

How are you handling the regulatory "alphabet"? Who within the organization is responsible for understanding and maintaining compliance with the various rules and regulations? Do you have a named internal auditor, chief risk officer or chief compliance officer?

Do you have a disaster recovery and business continuity plan? Does your plan cover both man-made and natural disasters?

Doing something around risk management, even if not a full-blown ERM system, will earn you some credit with regulators. Many regulators are aware of the trade-off between spending to grow the bank and spending to make it bulletproof from a regulatory perspective.

A little effort goes a long way.


Timothy J. Okrie is managing director of BKD Enterprise Risk Solutions. He can be reached at [email protected]