Effective ERM | By L. Randy Marsicano
Community-based financial institutions are facing big challenges today. There are more compliance and risk management processes, policies and regulations present than ever before, while the environment grows more competitive. By following three basic principles that cover operation, finance and governance, your institution can create and implement an effective and efficient enterprise risk management program that can stand up to today’s challenges.
Getting the ball rolling starts with looking at how your people are working to assess and mitigate risk. Effective risk management relies on teamwork, which means overcoming silos. The people and departments in your financial institution must be committed to enterprise risk management, working together to identify and mitigate risk, and eliminating silos.
One way to create an enterprise-wide view of risk is to structure your approach as a bottom-up risk management program. That means starting with the technologies, vendors and functions used in each of the products and services you offer. Once you have this inventory, you can be effective in performing risk assessments across functional areas and weigh the risks and controls using common criteria. Now, you can optimize efforts to allocate control resources, conduct control testing, and align management’s expertise to develop risk mitigation strategies for the entire institution.
Risk Assessment Costs
A simple rule of thumb for risk management is this: If you can measure the cost of risk management, you can make it cost less.
There are several ways to measure the cost of risk management. You can start with the hard costs like facilities, equipment and technology vendors and consultants, but don’t forget about the soft costs of people’s time. A common approach here is to take an average hourly rate for a mid-level or grade of managers, and add to it an hourly component that includes administrative costs, benefits, taxes, and other costs directly linked to the cost of the employee. This “fully loaded” hourly rate can be applied to the hours a resource spends on risk management to produce a soft cost of that resource.
Once you have this soft cost, you can determine the fully loaded costs of time spent on internal audits and other internal risk management activities. When you have an understanding of the blended hard and soft costs of each risk management area, you can then match this to your organization’s functional risks, like credit, information security and regulatory compliance, to create an accurate picture of your risk and risk management spending. The CRO or risk management committee can then make adjustments and compose strategies to make your risk management program more effective and cost-efficient.
Install Strong Governance
Strong risk management governance is crucial to the success of your enterprise risk management program. Every community-based financial institution needs a chief risk officer, whether it is a dedicated role or part of an exciting executive’s responsibilities. This individual is the evangelist about the benefits and best practices of enterprise risk management for the entire institution.
Without this role, the effectiveness of the program will diminish over time. There are various internal and external forces that drive the need for this valuable role. Internally, there are numerous risk indicators that require monitoring, changes to the business that require evaluation and emerging risks that need to be evaluated. Externally, there are regulatory changes, growing competitive pressures, new product introductions and increased scrutiny as an organization approaches and crosses the $1 billion mark.
Strong risk governance is needed to set the institution’s risk appetite, establish the key risk indicators and determine the resources to be allocated to assess and mitigate risk. The risk management governance team should do a thorough assessment of current practices for assessing risk, work to “convert” everyone in the institution to be more risk-minded, create a common language to communicate risk and decide if the institution needs more resources and technology to address risk.
Creating a robust and highly effective enterprise risk management program will bring significant change to your institution. Enterprise risk management isn’t just another compliance requirement. It’s not another management practice. And it’s not going away. ERM is a powerful and effective approach to risk management that will make your institution stronger, sounder, and more successful in achieving its current and future business goals.■
Randy Marsicano is the manager of professional services at WolfPAC Integrated Risk Management, a secure, web-based enterprise risk management solution used to automate the identification of risks, threats and control gaps.