Find answers to questions such as: What makes an ERM program effective? How should it be implemented?
Enterprise Risk Management
Do not let the concept of enterprise risk management scare you. Although the concept of ERM has attracted considerable attention lately, banks have been doing risk management for years.
For example, most banks already compile:
C — Capital plans.
A — Individual asset ratings, loan review and ALLL calculations.
M — Management succession plans and compensation analysis.
E — Budgets and business plans.
L — Contingency funding plans and cash flow analytics.
S — Interest rate risk analytics and asset liability management.
The issue is not that banks are not managing risk, because they are. The problem is that risk management is not integrated; rather, it happens in silos. The real key to ERM is therefore incorporating the existing risk analytics into a comprehensive, integrated framework.
Rather than re-invent another costly process (the industry should learn the lesson from the failure of Sarbanes-Oxley), FinPro Inc. recommends that banks follow the same risk approach used by regulators, namely the CAMELS format. Note that the risk analytics banks already conduct has been categorized in that manner above.
From a regulatory perspective, ERM is the process of identifying, measuring, monitoring and controlling all risks in a given entity following the CAMELS format.
The key to ERM is to bring all of the silo-based risk assessments under one comprehensive umbrella so that they can be integrated into one process that uses one model. Two examples that illustrate this need:
As part of an institution’s capital planning process, the need to shrink the balance sheet as a strategy to improve capital ratios is identified. This will improve the capital position of the bank, at least on a ratio basis. The problem, however, is that the balance sheet reduction may harm earnings and liquidity. Fixing one risk in a silo environment may negatively impact the entire bank.
As part of an institution’s asset quality review process, the need to sell non-performing loans as a strategy to improve the asset quality ratios is identified. The problem is that a sale of non-performing loans at a discount will hurt income and capital and may result in an increased overall risk profile for the bank.
Clearly, these examples highlight the need for a single process and model to combine the disconnected analysis of each risk component.
To address this, FinPro has designed an eight-phase ERM process that is interactive, integrated and leverages work banks already do. This process has been vetted by all of the agencies and measured against the Committee of Sponsoring Organizations of the Treadway Commission recommendations for accounting purposes.
In essence, the ERM process builds off of the base CAMELS format, incorporates other risk areas such as legal/regulatory(+), reputation(+) and operations(+), integrates all risk management under one model and provides ongoing quarterly review capabilities. It layers an eight-stage program onto the regulatory framework as follows:
The ERM Process:
- Identifies risk through a CAMELS +++ self-assessment which includes detailed ratio analytics, regulatory targets, peer benchmarking and future projections.
- Measures risk by identifying each risk component, delineating the data and analytics required to measure the risk, prioritizing and rating the risk and finally identifying key measurement metrics for each risk component.
- Monitors risk by modeling projections using a single comprehensive model. When done this way, banks can stress test risks using a single-variable or multiple-variable approach and instantaneously see the results for the entire organization, eliminating the silo effect.
- Controls risk by re-evaluating policies and procedures, ensuring that the bank has the appropriate infrastructure (people, systems, process) and by forecasting the ERM position of the bank at any point in the future.
The key to making this process work is a single model that integrates:
- Capital planning.
- Strategic planning.
- Interest rate risk analytics (ALM).
- Stress testing.
- Overall risk assessment.
In addition to the single-variable stress tests, multiple-variable stress tests must also be conducted. As an example, the Federal Reserve recently ran tests involving several economic variables. Banks must devise stress tests that translate changes in economic variables into their impact on the bank, using one holistic process that provides multiple forward-looking scenarios that can be stress tested. A single, integrated model allows for complete risk assessment and stress testing as a forward-looking, proactive process, as opposed to a static, historical analysis. Banks must also understand that ERM is not a “one size fits all” activity and each institution must have a unique prioritization of risks.
The results are clear. Banks need to have a comprehensive ERM program. This program should:
- Not be Sarbanes-Oxley redux: expensive, utilitarian and unusable.
- Utilize work banks are already doing.
- Leverage the process already utilized by primary regulators.
- Include management and the board of directors through self-assessments.
- Allow for detailed integrated modeling.
- Provide for ongoing monitoring and reporting.
ERM is not a scary thing. Rather, if done correctly, ERM builds off processes bankers already undertake and will not just help a bank with the regulators, but will also build real value for the bank and its shareholders.
Donald J. Musso is president of FinPro Inc. in Liberty Corner, N.J. Contact him at 908-604-9336 or finpro(at)finpronj.com.
Copyright (c) December 2011 by BankNews Media.