Enterprise Risk Management Considerations for Today's Financial Institutions

Risk management has been a major area of focus over the last few years for many financial institutions. Most, if not all, of the largest institutions have implemented a risk management organizational structure—Enterprise Risk Management (ERM)—to formalize the practice and oversight of risk. Adoption of ERM concepts at smaller and simpler institutions is increasing, albeit inconsistently, driven by the recent financial crisis, increasing regulatory expectations, and increasing market scrutiny of risk management practices (e.g., by rating agencies and analysts).

We believe that the focus on risk management is not going away anytime soon and that regulators and other stakeholders will continue to raise the bar across a wider range of smaller and simpler institutions. For example, numerous recent regulatory initiatives (e.g., Basel III, Dodd-Frank) have substantial focus on ERM and, as proposed, would require implementation of much of what is currently practiced by only the largest and most complex institutions. In addition to regulators, external stakeholders such as rating agencies and investors are increasingly looking at risk management practices in greater detail in evaluating a financial institution.

Widespread differences remain in the definition and practice of ERM. So far, regulatory requirements have been only loosely defined and inconsistently applied. While many financial institutions will need to invest in ERM to address regulatory requirements, there is significant potential for redundancy and wasted investment. In this article, we explore possible ways to derive value from an investment in ERM. We make the case for ERM as an initiative to enhance stakeholder value with a focus on ERM as it applies to financial institutions.

Hallmarks of an ERM Program at Large Financial Institutions

While some of the largest financial institutions have had ERM programs for decades, there is no single definition of ERM, and organizational structures can vary significantly. At a high level, ERM is typically defined as the process by which institutions assess, monitor, and manage risks to their organization for the purpose of increasing stakeholder value. Stakeholder value is defined here as an appropriate balance of return relative to risk.

ERM is typically independent of profit-generating activities in the business units, and it is not meant to replace front-line risk management (e.g., credit underwriting, trade compliance, servicing). Rather, ERM typically serves as an independent source of risk measurement and can be a voice critical of business practices and even risk management practices within the lines of business. In addition, ERM is responsible for the aggregation of the risk profile across the entity, including important correlations of risk from one business to the next. This is important because the various types of risk inherent in a financial institution (e.g., credit, interest-rate, and liquidity risk) do not exist independently, but are frequently interrelated and can reside in various parts of an organization.

Within ERM, there are typically specific functions aligned to the categories of risk as defined by the Basel Accords—Credit Risk, Market and Liquidity Risk, and Operational Risk—all with formalized definitions and responsibilities. Organizationally, many institutions also have a chief risk officer (CRO) and a risk committee of their board of directors charged with oversight of risk. Many of the largest and most complex institutions have converged on an ERM function aligned to this definition, although this structure is not universal.

ERM in Recent Regulation

Recent proposed regulation would adopt the structure developed at the largest and most complex institutions and require it at many that are smaller and less complex. On January 4, 2012, the Board of Governors of the Federal Reserve System issued a proposed rule for comment entitled “Enhanced Prudential Standards and Early Remediation Requirements for Covered Companies.” This proposed rule is intended to address specific aspects of much broader regulatory initiatives, specifically the Dodd-Frank Act and Basel III. It would build on some of the ERM requirements defined in the U.S. version of Basel II, which was completed in the mid-2000s and applied to banks with over $250 billion in assets. The proposed rule specifically calls for large and/or complex financial institutions to have “more robust, enterprise risk management,” active senior management involvement in risk management, and an enterprise-wide evaluation of risk rather than a silo approach.

This proposed rule essentially requires that larger or more complex firms implement an ERM program with specific features. It would apply to publicly traded bank holding companies with $10 billion or more of total assets and to any other company covered by Dodd-Frank. Specifically, the regulation would require that:

  • The board of directors establish a formal risk committee with appropriate expertise.
  • The institution establish a CRO position with appropriate expertise and stature. The CRO will oversee ERM.
  • The CRO report directly to the risk committee and the CEO.
  • The institution reinforce the independence of the ERM function.

This proposed rule is just the latest in a trend of regulation that raises the bar on requirements related to risk management. While this regulation applies to publicly traded banks with greater than $10 billion in assets, we commonly see concepts from regulation meant for larger institutions applied, at least in part, to a much broader set of institutions. In prior regulation, ERM concepts from the 2006 U.S. version of Basel II applied only to institutions with over $250 billion in assets, so lowering the threshold to $10 billion clearly moves these requirements toward smaller and simpler institutions. We expect this trend to continue.

Investment in ERM as an Initiative to add Stakeholder Value

With the added regulatory burden that will likely accompany regulation of ERM, we believe that financial institutions should look for ways to derive value from the investment. Financial institutions are already in the business of taking on and managing risk; without it, they would theoretically at best earn only a risk-free rate of return. As such, risk management is fundamental to how financial institutions operate. ERM practices help to ensure that analysis and measurement of risk are applied independently, consistently, transparently, and with the right expertise, so that the right balance of risk and return is struck. These activities are fundamental to creating a sustainable banking business.

Incremental investments in ERM, whether required by regulation or not, should be aligned to a long-term strategy, which, in turn, is aligned to the institution’s risk appetite and business model. At some institutions, consideration of risk is already an integral part of the firm’s DNA, and realistically, little value will be generated by additional investment made purely for regulatory compliance. For other firms, however, investment in ERM will help them to better manage the critical risk vs. return balance and create a sustainable franchise. Investment in ERM can support a number of initiatives that add shareholder value, including:

  • Improved long-term profitability through loss avoidance
  • Improved capital management (capital requirements decline with lower levels of risk)
  • Improved liquidity management
  • Risk-adjusted performance measurement
  • Risk-based pricing
  • Improved portfolio management
  • Avoidance of risk concentrations
  • Improved capital budgeting (economic capital concepts are gaining greater adoption)
  • Enhanced regulatory and investor relations

A Roadmap to ERM

An ERM function should be highly tailored to a specific institution and its business model. For example, some financial institutions generate returns from credit risk in consumer business, others focus on commercial, others focus on interest-rate risk, and some focus on more operationally intensive, fee-based services. The risk management infrastructure that accompanies an ERM function must be tailored to the return-generating activities and strategy of the institution. Before investing in ERM, an institution should address a number of foundational questions:

  • What are the kinds of risks your institution understands, is good at managing, and is willing to accept in pursuit of return?
  • What is your institution’s risk appetite? How much risk are you willing to take on and manage?
  • Is your risk appetite consistent with your return targets? (A low risk appetite typically cannot support high return targets.)
  • What strategic advantages enable you to generate a return in areas in which you are willing to take on risk?
  • What is the right organizational structure for ERM at your institution? What is the role of the board? How can you most efficiently balance the need for independence of risk evaluation and measurement with the need to avoid duplication and minimize expense?
  • What external (e.g., regulatory, rating agency, etc.) requirements will apply?
  • What are the infrastructure gaps? Do you have the right expertise to support quantification of risk?
  • Does ERM have the right management and board support? Who are the internal sponsors of ERM?

Once these foundational questions are addressed, the next step is to perform a gap analysis, followed by detailed planning. Implementation challenges typically include: organizational change management as roles and responsibilities are redefined, establishing a culture of risk awareness across the business, and redesigning processes and procedures to include check-points with ERM.

Most of this is not new. It is important to remember that financial institutions are already in the business of risk management. In most cases, ERM is less about hiring new staff and building new infrastructure than about clarifying organizational roles and responsibilities and, in some cases, removing conflicts of interest. Front-line risk management activities typically remain outside of ERM, with the ERM function charged with independent analysis and measurement of risk, including the effectiveness of risk management within the lines of business. If that separation is not already in place, a reorganization of responsibilities may be needed. The gap analysis should identify existing strengths and weaknesses in risk management relative to the institution’s strategic vision; with the vision defined and the gap analysis completed, planning and execution of the ERM deployment follow. Careful up-front planning can help an institution achieve its goals and avoid multiple reorganizations or potential regulatory or other stakeholder concerns.

Conclusion

Many financial institutions have been significantly focused on enhancing risk management practices over the last few years. ERM functions typically put significant rigor around the independent measurement and management of risk. We believe that formal ERM functions that had typically only been put in place at the largest financial institutions will see more widespread application. This is driven by regulators, shareholders, rating agencies, analysts, as well as internal stakeholders. For institutions that choose to implement ERM, we offer some ideas on how to make investment in ERM a value-add initiative.

John F. Stewart, Ph.D, CFA, FRM, is Senior Vice President and Chief Risk Officer at the Federal Home Loan Bank of Seattle.