What Is Enterprise Risk Management?

by Ken Agle
President, AdvisX

When it comes to today’s business world, there is no escaping risk. Not long ago, risk was considered part of the fuzzy territory of doing business as a financial institution. Today the principle of risk and risk management has become a hot topic for financial institutions and has given rise to the burgeoning field of Enterprise Risk Management, or ERM. When viewed positively, Enterprise Risk Management can be as much about pursuing opportunity as it is about disaster.

But what is Enterprise Risk Management and its principle tool, the Enterprise Risk Assessment? There is little question that even the smallest financial institution must coordinate a series of complex operations involving numerous disciplines. Given these complexities, ask yourself how long would it take for an examination team to understand fully the full degree of risk factors affecting one FI if they had to completely generate the data for risk analysis from scratch?

From a purely pragmatic standpoint, there is a fundamental need for the regulatory agencies to promote aggressively the use of risk assessments among financial institutions. Throw into the mix the diversity of risk elements within each financial institution, and it becomes clear that the regulatory agencies simply do not have the resources to develop a comprehensive analysis of enterprise risk for every financial institution out there. Such complexities and the risks of failure in approaching them in a strategic setting would seem the genesis of defining ERM.

We can appreciate the definition given by the trailblazers of ERM, The Committee of Sponsoring Organizations of the Treadway Commission, more often known as COSO. COSO provided the following guidance on the components of effective ERM processes:

Enterprise risk management is a process, that is affected by an entity’s board of directors, management and other personnel, It is designed to identify potential events that may affect the entity and is applied in a strategy setting across the enterprise. Its aims to manage risk within the entity’s risk appetite and to provide reasonable assurance regarding the achievement of entity objectives.

This definition is central to the focus of building risk management functions that align with the FI’s strategies. In other words, ERM concerns where the FI is today, where it wants to go in the future and what elements stand in its way. We can therefore recognize the fundamental factors needed to implement an effective ERM program.

The Three Corners of ERM

We have identified three foundational factors that are required to ensure that the ERM approach of any financial institution (FI) “fits” that particular FI instead of trying to make the FI fit the ERM. These factors must be established if the Enterprise Risk Assessment is to be understood.

1. Vision

A strong ERM must be relevant to the FI and its “vision.” COSO notes that “Among the most critical challenges for management is determining how much risk the entity is prepared to and does accept as it strives to create credit value.” Hence, ERM must establish where the FI is today and where it plans on going in its value-creation efforts.

We frequently know what is defined as “Risk” as well as what is defined as “Management.” But what do we define as Enterprise? One definition states that Enterprise is “a project undertaken or to be undertaken, especially one that is important or difficult or that requires boldness or energy.” Keeping ERM relevant to the FI’s “Vision” requires that we know our Five Ws (who, what, why, where, when) both today and in the future.

Our collective assessment efforts must present those in a sound manner at a given point in time, and then seek to identify impediments to reaching those achievements and the corresponding risk mitigation.

2. Correlation

Effective ERM cannot be achieved with a “silo mentality,” in which each department declines to share key information with the other departments. It requires correlations throughout the enterprise. History has repeatedly shown that a failure to understand the cause and effect of pursued strategies by an entity upon all departments of the credit union results in weakness and, in some cases, failure.

Many FIs have recognized this factor and responded with the designation of a Chief Risk Officer. The establishment of this position is logical, but it cannot become another silo. Instead, the individual in this position must serve as a go-between among the various departments in an effort to establish and continually reestablish the Enterprise Risk Assessment.

3. Target Driven

Because ERM covers the full array of risks within the organization, it requires a unique approach to analysis. The framework for ERM is established in the following key categories:

  • Strategic
  • Operations
  • Reporting
  • Compliance

The objectives of an organization involve one or more of these categories. Those objectives will face a wide array of challenges to implementation, including both internal and external events. As the credit union analyzes these events and corresponding strategies, it establishes the framework for measurement of ERM by the Enterprise Risk Assessment (ERA).

The Fourth Corner of ERM

The Enterprise Risk Assessment provides an initial and ongoing tool for the Enterprise Risk Management of any FI. It engages key elements such as the following:

  • Internal environment (where we are today)
  • Objectives (where we are going)
  • Event identification
  • Impact likelihood (on an inherent and residual basis)
  • Risk response and control activities
  • Information capture, communication and monitoring.

Following this format within an assessment document is a challenge, but it will lead to a logical, quantitative and qualitative presentation that yields significant benefits and facilitates the process in each succeeding year.

Although there is no question that the ERA must address qualitative elements (e.g., risk factors, strategies, etc.), these elements are best presented when quantified (e.g., key ratios and risk scores to be evaluated). The adage that we value what we measure is absolutely true of ERM, and the ERA gives us that capacity from both static (level) and dynamic (trend) perspectives. No ERA can encompass every conceivable risk, but sound ERM provides a powerful tool that promotes internal and external confidence.

When properly pursued, the Enterprise Risk Assessment serves as a powerful document that:

  • seeks to align the risk appetite and strategy of the institution;
  • facilitates enhanced risk response and decision making guidance;
  • reduces operational surprises and losses through facilitating an effective, coordinated response to the myriad of risks affecting different parts of the organization;
  • promotes the ability to seize opportunities through proper management positioning and deployment of capital; and finally,
  • helps ensure the effective reporting and compliance with laws and regulations while guiding the credit union away from the damage inherent in reputation risk and its associated consequences.

ERA is the quantitative and qualitative tool of ERM. It is a living document that serves as both an informative guide and an insightful instructor. There is no question that examiners today are pressing harder and will continue to do so in their search for ERAs that are dynamic and specific to your institution.

For more information on AdvisX Enterprise Risk Management services, please contact Ken Agle.