Enterprise Risk Management Considerations for Today's Financial Institutions
Risk management has been a major area of focus over the last few years for many
financial institutions. Most, if not all, of the largest institutions have implemented
a risk management organizational structure—Enterprise Risk Management (ERM)—to
formalize the practice and oversight of risk. Adoption of ERM concepts at smaller
and simpler institutions is increasing, albeit inconsistently, driven by the recent
financial crisis, increasing regulatory expectations, and increasing market scrutiny
of risk management practices (e.g., by rating agencies and analysts).
We believe that the focus on risk management is not going away anytime soon and
that regulators and other stakeholders will continue to raise the bar across a wider
range of smaller and simpler institutions. For example, numerous recent regulatory
initiatives (e.g., Basel III, Dodd-Frank) have substantial focus on ERM and, as
proposed, would require implementation of much of what is currently practiced by
only the largest and most complex institutions. In addition to regulators, external
stakeholders such as rating agencies and investors are increasingly looking at risk
management practices in greater detail in evaluating a financial institution.
Widespread differences remain in the definition and practice of ERM. So far,
regulatory requirements have been only loosely defined and inconsistently applied.
While many financial institutions will need to invest in ERM to address regulatory
requirements, there is significant potential for redundancy and wasted investment.
In this article, we explore possible ways to derive value from an investment in
ERM. We make the case for ERM as an initiative to enhance stakeholder value with
a focus on ERM as it applies to financial institutions.
Hallmarks of an ERM Program at Large Financial Institutions
While some of the largest financial institutions have had ERM programs for decades,
there is no single definition of ERM, and organizational structures can vary significantly.
At a high level, ERM is typically defined as the process by which institutions assess,
monitor, and manage risks to their organization for the purpose of increasing stakeholder
value. Stakeholder value is defined here as an appropriate balance of return relative
ERM is typically independent of profit-generating activities in the business units,
and it is not meant to replace front-line risk management (e.g., credit underwriting,
trade compliance, servicing). Rather, ERM typically serves as an independent source
of risk measurement and can be a voice critical of business practices and even risk
management practices within the lines of business. In addition, ERM is responsible
for the aggregation of the risk profile across the entity, including important correlations
of risk from one business to the next. This is important because the various types
of risk inherent in a financial institution (e.g., credit, interest-rate, and liquidity
risk) do not exist independently, but are frequently interrelated and can reside
in various parts of an organization.
Within ERM, there are typically specific functions aligned to the categories of
risk as defined by the Basel Accords—Credit Risk, Market and Liquidity Risk, and
Operational Risk—all with formalized definitions and responsibilities. Organizationally,
many institutions also have a chief risk officer (CRO) and a risk committee of their
board of directors charged with oversight of risk. Many of the largest and most
complex institutions have converged on an ERM function aligned to this definition,
although this structure is not universal.
ERM in Recent Regulation
Recent proposed regulation will adopt the structure developed at the largest and
most complex institutions and require it at many that are smaller and less complex.
On January 4, 2012, the Board of Governors of the Federal Reserve System issued
a proposed rule for comment entitled “Enhanced Prudential Standards and Early Remediation
Requirements for Covered Companies.” This proposed rule is intended to address specific
aspects of much broader regulatory initiatives, specifically the Dodd-Frank Act
and Basel III. It would build on some requirements for ERM as defined in the
U.S. version of Basel II, as completed in the mid-2000s, and applicable to banks
with over $250 billion in assets. This proposed rule specifically calls for large
and/or complex financial institutions to have “more robust, enterprise risk management”
along with the need for active senior management involvement in risk management
and the need for an enterprise-wide evaluation of risk, in contrast to a silo approach.
This proposed rule essentially requires that complex or larger firms (those with
assets in excess of $10 billion) implement an ERM program with specific features.
This regulation would also apply to publicly traded bank holding companies with
$10 billion or more of total assets and any other company covered by Dodd-Frank.
Specifically, this regulation would require that:
- The board of directors establish a formal risk committee with appropriate expertise.
- The institution establish a CRO position with appropriate expertise and stature. The CRO will oversee ERM.
- The CRO must report directly to the risk committee and the CEO.
- The institution will reinforce the independence of the ERM function.
This proposed rule is just the latest in a trend of regulation that raises the bar
on requirements related to risk management. While this regulation applies to publicly
traded banks with greater than $10 billion in assets, we commonly see concepts from
regulation meant for larger institutions applied, at least in part, to a much broader
set of institutions. In prior regulation, ERM concepts from the 2006 U.S. version
of Basel II applied only to institutions with over $250 billion in assets, so lowering
the bar to $10 billion clearly moves the requirement toward smaller and simpler institutions.
We expect this trend to continue.
Investment in ERM as an Initiative to Add Stakeholder Value
With the added regulatory burden that will likely accompany regulation of ERM, we
believe that financial institutions should look for ways to derive value from the
investment. Financial institutions are already in the business of taking on and
managing risk; without it, they would theoretically at best earn only a risk-free
rate of return. As such, risk management is fundamental to how financial institutions
operate. ERM practices help to ensure that analysis and measurement of risk are
applied independently, consistently, transparently, and with the right expertise
in order for the right risk vs. return balance to be applied. These activities
are fundamental to creating a sustainable banking business.
Incremental investments in ERM, whether required by regulation or not, should be
aligned to a long-term strategy, which, in turn, is aligned to the institution’s
risk appetite and business model. To some institutions, consideration of risk is
already an integral part of the firm’s DNA, and realistically, little value will
be generated by additional investment for the purpose of regulatory compliance.
However, for other firms, investment in ERM will help them to better manage the
critical risk vs. return balance and create a sustainable franchise. Investment
in ERM can support a number of shareholder value-added initiatives, including:
- Improved long-term profitability through loss avoidance
- Improved capital management (capital requirements decline with lower levels of risk)
- Improved liquidity management
- Risk-adjusted performance measurement
- Risk-based pricing
- Improved portfolio management
- Avoidance of risk concentrations
- Improved capital budgeting (economic capital concepts are gaining greater adoption)
- Enhanced regulatory and investor relations
A Roadmap to ERM
An ERM function should be highly tailored to a specific institution and its business
model. For example, some financial institutions generate returns from credit risk
in consumer business, others focus on commercial, others focus on interest-rate
risk, and some focus on more operationally intensive, fee-based services. The risk
management infrastructure that accompanies an ERM function must be tailored to the
return-generating activities and strategy of the institution. Before investing in ERM,
an institution should address a number of foundational questions:
- What are the kinds of risks your institution understands, is good at managing, and is willing to accept in pursuit of return?
- What is your institution’s risk appetite? How much risk are you willing to take on and manage?
- Is your risk appetite consistent with your return targets? (A low risk appetite typically cannot support high return targets.)
- What strategic advantages enable you to generate a return in areas in which you are willing to take on risk?
- What is the right organizational structure for ERM at your institution? What is the role of the board? How can you most efficiently balance the need for independence of risk evaluation and measurement with the need to avoid duplication and minimize expense?
- What external (e.g., regulatory, rating agency, etc.) requirements will apply?
- What are the infrastructure gaps? Do you have the right expertise to support quantification of risk?
- Does ERM have the right management and board support? Who are the internal sponsors of ERM?
Once these foundational questions are addressed, the next step is to perform a gap analysis, followed by detailed planning. Implementation challenges typically include: organizational change management as roles and responsibilities are redefined, establishing a culture of risk awareness across the business, and redesigning processes and procedures to include checkpoints with ERM.
Most of this is not new. It is important to remember that financial institutions are already in the business of risk management. In most cases, ERM is less about hiring new staff and building new infrastructure than it is about clarifying organizational roles and responsibilities and, in some cases, removing conflicts of interest. Front-line risk management activities typically remain outside of ERM, with the ERM function charged with independent analysis and measurement of risk, including the effectiveness of risk management within the lines of business. If that separation is not already in place, a reorganization of responsibilities may be needed. A gap analysis to identify existing strengths and weaknesses in risk management relative to the institution’s strategic vision is a typical next step. Finally, with a strategic vision defined and a detailed gap analysis completed, planning and execution of the ERM deployment are the typical next steps. Careful up-front planning can help an institution achieve its goals and avoid multiple reorganizations or potential regulatory or other stakeholder concerns.
Many financial institutions have been significantly focused on enhancing risk management practices over the last few years. ERM functions typically put significant rigor around the independent measurement and management of risk. We believe that formal ERM functions that had typically only been put in place at the largest financial institutions will see more widespread application. This is driven by regulators, shareholders, rating agencies, analysts, as well as internal stakeholders. For institutions that choose to implement ERM, we offer some ideas on how to make investment in ERM a value-add initiative.
John F. Stewart, Ph.D, CFA, FRM, is Senior Vice President and Chief Risk Officer at the Federal Home Loan Bank of Seattle.