The core of a strong ERM program

What does it take to have a strong Enterprise Risk Management program? How do you know you are asking the right questions to identify all your institution’s risks? You develop strong risk assessments.

If you ask the wrong questions, assess the wrong areas, use the wrong models, or apply your criteria inconsistently across the board, you will not end up with the right risk assessments and, therefore, may end up mitigating or monitoring the wrong areas or assets in your bank.

Let’s start from the beginning. What is ERM? The simplest way I can describe ERM is an enterprise-wide continuous process to protect your organization’s assets while allowing you to fulfill your vision. ERM involves three key activities:

  1. Identifying and Assessing Risks
  2. Mitigating and Eliminating Risks
  3. Monitoring and Reporting Risks

Risk assessments fall under the first activity: identifying and assessing risks throughout your organization. This is the process in which you identify and assess the risks unique to your institution, in addition to industry-related risks that could affect all the banks in your area, in your state, or even globally. Examples of unique risks are:

Relationship Concentration. You need to assess how critical certain loan and deposit customer relationships are and what would happen if you were to lose them. How would losing them impact your balance sheet? Also, do they have a following? That is, if a certain client leaves your bank, would other clients follow them and leave your bank as well? One example could be having key shareholders who have significant loans and deposits with your bank. If they liquidate their investment, would they also move their banking relationship? And if so, would other shareholders follow?

Portfolio Concentration. You need to assess whether you have a concentration by loan type, such as commercial real estate or construction loans, in your portfolio. Some rural banks may have their biggest concentration in agricultural (or “ag”) loans because there is nothing else to originate in their market. These banks have to assess their risk if major ag loans default and perform stress testing on this portfolio.

Succession Planning. Even though many banks are dealing with this issue, your particular bank could be at higher risk if the current CEO is an owner who is also chairman and president of the bank. This presents a significant risk to your bank, and you need to act immediately by putting a plan together.

Geographic Area. Your bank could be located in a rural area where the population is declining and you are consistently losing clients because they move away. Another issue could be competition from other banks that have established branches in your town, leaving even less market share available to you.

What are the right areas to assess? You start by assessing each component of the ERM program and performing annual risk assessments on these areas:

  1. ERM Risk Assessment (start here, then cover all the other areas):
  2. Information Security, which includes:
    1. Disaster Recovery Plan (DRP)
    2. Business Continuity Plan (BCP)
    3. Cybersecurity
    4. Vendor Management
    5. Security Controls/Penetration Tests/Social Engineering
  3. Compliance
  4. Internal Audit – Internal Controls (some activities can be assessed every two or three years)
  5. Liquidity, which includes:
    1. Liquidity Contingency Funding Plan
    2. Liquidity Stress Testing
  6. Credit – Stress Testing by Portfolio (or for the largest credit facilities)
  7. Capital Plan
  8. Succession Plan
  9. Bank Secrecy Act
  10. ACH

What are the right questions to ask to help you assess the risks correctly? Follow a process. Start with the risk assessment categories suggested by the Office of the Comptroller of the Currency (OCC), then add a few others. To identify risks, start with the eight from the OCC guidelines:

  1. Credit
  2. Interest Rate Risk
  3. Liquidity
  4. Price
  5. Operational/Transactional
  6. Compliance/Regulatory
  7. Strategic
  8. Reputational

Plus a few others:

  1. Technology
  2. Customer
  3. Human Resources Management
  4. Earnings/Profitability
  5. Legal
  6. Capital
  7. Model – The OCC is now focusing on Model Risk Management

Then, you move on to assess those risks following a process:

  • Develop assessment criteria that are standard across the organization
  • The criteria should include both qualitative (descriptive) and quantitative (data/numerical) measures
  • If you use models, follow the OCC’s Supervisory Guidance on Model Risk Management
  • Assess all risks using the chosen assessment criteria
  • Assess risk interactions: every risk interacts with at least one other risk, and one risk can start a chain reaction that affects several other risks.
  • Prioritize risks by criticality (how important the risk is) and confidentiality (how confidential the data involved is)
  • Rate risks by impact (how the risk would affect the entire company), likelihood/probability (how probable the risk is), vulnerability (how susceptible the company is) and speed of onset (how fast the risk can arise)
  • Respond to risks by creating a plan of action for mitigating or eliminating each one, then monitor and report on each risk on an ongoing basis.
  • Track aggregate risk as well as the direction/trend of risk.
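The process above is easier to keep consistent when the criteria live in one place and every risk is scored the same way. The following Python risk register is an added example, not code from the post or from Malzahn Strategic: it enforces a single 1-5 scale for every factor, rates each risk on impact, likelihood, vulnerability and speed of onset, propagates interactions so a risk that another risk can trigger inherits that trigger's likelihood (an assumed rule, standing in for the "chain reaction" step), prioritizes by criticality then confidentiality, and reports aggregate risk per category plus the trend against a previous cycle. The weights, the sample risks and the prior-cycle ratings are all constructed for illustration and are not drawn from OCC guidance.

```python
"""Toy risk register that walks through the assessment steps in the post:
standard criteria, risk interactions, prioritisation, rating on four
factors, and aggregate/trend tracking. The 1-5 scales, the weights and the
sample risks are constructed for illustration, not drawn from OCC guidance."""
from dataclasses import dataclass, field

# Assumed weights for the four rating factors; they sum to 1.0 so the
# composite rating stays on the same 1-5 scale as its inputs.
WEIGHTS = {"impact": 0.35, "likelihood": 0.30,
           "vulnerability": 0.20, "speed_of_onset": 0.15}
SCALED = ("impact", "likelihood", "vulnerability", "speed_of_onset",
          "criticality", "confidentiality")


@dataclass
class Risk:
    name: str
    category: str            # OCC-style category, e.g. "Credit", "Liquidity"
    impact: int              # 1 (negligible) .. 5 (severe) effect on the bank
    likelihood: int          # 1 (remote) .. 5 (near certain)
    vulnerability: int       # 1 .. 5, how susceptible the bank is
    speed_of_onset: int      # 1 (slow) .. 5 (immediate)
    criticality: int         # 1 .. 5, importance used for prioritisation
    confidentiality: int     # 1 .. 5, sensitivity of the underlying data
    triggers: list = field(default_factory=list)  # names of risks this one can set off

    def __post_init__(self):
        # Consistency across the board: every factor must use the same scale.
        for f in SCALED:
            if not 1 <= getattr(self, f) <= 5:
                raise ValueError(f"{self.name}: {f} must be in 1..5")


def rate(r: Risk) -> float:
    """Composite rating from impact, likelihood, vulnerability and speed of onset."""
    return round(sum(w * getattr(r, k) for k, w in WEIGHTS.items()), 2)


def propagate_interactions(register: list) -> list:
    """Chain reactions (assumed rule): a risk that another risk can trigger is
    at least as likely as that trigger. Iterates to a fixed point, so A->B->C
    chains and even cycles terminate because likelihood is capped at 5."""
    by_name = {r.name: r for r in register}
    changed = True
    while changed:
        changed = False
        for r in register:
            for target in r.triggers:
                t = by_name[target]
                if t.likelihood < r.likelihood:
                    t.likelihood = r.likelihood
                    changed = True
    return register


def prioritise(register: list) -> list:
    """Criticality first, confidentiality second, composite rating as tiebreak."""
    return sorted(register, reverse=True,
                  key=lambda r: (r.criticality, r.confidentiality, rate(r)))


def aggregate_by_category(register: list) -> dict:
    """Aggregate risk: mean rating per category, for board-level reporting."""
    buckets = {}
    for r in register:
        buckets.setdefault(r.category, []).append(rate(r))
    return {c: round(sum(v) / len(v), 2) for c, v in buckets.items()}


def trend(previous: dict, current: dict) -> dict:
    """Direction of each risk between two assessment cycles (name -> rating)."""
    out = {}
    for name, now in current.items():
        before = previous.get(name)
        if before is None:
            out[name] = "new"
        else:
            out[name] = ("increasing" if now > before
                         else "decreasing" if now < before else "stable")
    return out


def sample_register() -> list:
    """Constructed example risks echoing the post (ag concentration, key person)."""
    return [
        Risk("Ag loan default", "Credit", 5, 3, 4, 3, 5, 3, ["Liquidity squeeze"]),
        Risk("CRE concentration", "Credit", 4, 2, 3, 2, 4, 3),
        Risk("Liquidity squeeze", "Liquidity", 4, 2, 3, 5, 5, 4),
        Risk("Key-person departure", "Strategic", 4, 2, 5, 2, 4, 2,
             ["Customer attrition"]),
        Risk("Customer attrition", "Reputational", 3, 1, 3, 2, 3, 3),
    ]


def run_assessment(previous_cycle: dict) -> dict:
    """One full cycle: interactions, ratings, priority order, aggregate, trend."""
    register = propagate_interactions(sample_register())
    ratings = {r.name: rate(r) for r in register}
    return {
        "ratings": ratings,
        "priority": [r.name for r in prioritise(register)],
        "aggregate": aggregate_by_category(register),
        "trend": trend(previous_cycle, ratings),
    }


if __name__ == "__main__":
    # Constructed ratings from last year's cycle, to show trend direction.
    last_year = {"Ag loan default": 3.4, "Liquidity squeeze": 3.65,
                 "Key-person departure": 2.8}
    for section, value in run_assessment(last_year).items():
        print(section, value)
```

Two things worth noticing when you run it. The liquidity risk is entered with a likelihood of 2, but because the ag loan default can trigger it, the interaction step lifts it to 3 and its rating rises from 3.35 to 3.65; assessing risks in isolation would have understated it. The priority order also shows why the post separates prioritization from rating: the liquidity risk ranks above the ag loan default even though its composite rating is lower, because both are equally critical and the liquidity data is more confidential.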

There is much more to risk assessments. My hope is to give you a basic idea of what is involved in creating and implementing the right risk assessments in your bank.

Marci Malzahn is president and founder of Malzahn Strategic, a community bank consultancy focused on strategic planning, enterprise risk management, cash management, and talent management. Marci is also a professional speaker and published author of three books. You can contact Marci for speaking engagements through her website at or email her at [email protected]. You can purchase Marci’s books at