You may not have heard of Jorge Agustin Nicolas de Santayana y Borras, but you probably know one of his most famous quotes: “Those who fail to learn from the past are doomed to repeat it.” He is more commonly known as George Santayana, and his maxim has relevance to modern banks when it comes to risk management.

It’s no secret that the risks financial institutions face are growing and expanding rapidly — from artificial intelligence (AI), FinTech, and cyberattacks to third-party partnerships and commercial real estate lending struggles. All of these are just the tip of the iceberg when it comes to enterprise risk.

The All-Encompassing World of Enterprise Risk Management

For community financial institutions (CFIs), Enterprise Risk Management (ERM) is a strategic approach encompassing the entire organization's risk landscape. Unlike traditional methods, ERM adopts a top-down perspective, identifying, assessing, and preparing for various risks holistically. It enables managers to shape the institution's overall risk position across different business segments, emphasizing firmwide surveillance and coordination. ERM not only mitigates operational, financial, and compliance risks but also uncovers firmwide opportunities. Effective communication and a dedicated team overseeing ERM implementation are vital. Through ERM, CFIs navigate risks effectively while capitalizing on broader growth opportunities in the financial landscape.

Components of an Effective Enterprise Risk Management Framework
There are a number of considerations that go into building an effective Enterprise Risk Management Framework (ERMF). Here are a few of them:
- Risk Culture. A strong risk culture is foundational to effective risk management. It encompasses the attitudes, behaviors, and understanding of risk within the institution. Promoting risk awareness and accountability, encouraging open communication, and supporting sound decision-making are critical elements of a healthy risk culture.
- Three Lines of Defense:
  - First Line: Business units that generate risks are responsible for managing them directly. They implement controls and ensure compliance with policies.
  - Second Line: The risk management and compliance functions provide frameworks, policies, and oversight. They guide, challenge, and support the first line.
  - Third Line: Internal audit provides independent assurance to the board and management. It evaluates the effectiveness of governance, risk management, and control practices.
- Risk Appetite. Risk appetite defines the level and types of risk the institution is willing to accept in pursuit of its objectives. It guides decision-making, strategic planning, and resource allocation, ensuring that the institution operates within its defined risk tolerance.
- Risk Identification and Assessment. Identifying and assessing potential risks is critical to understanding their impact on the institution. This process includes both qualitative and quantitative methods to evaluate risks and their potential consequences, ensuring they are managed within the institution’s risk appetite.
- Control Activities. Control activities are actions taken to mitigate identified risks. These include policies, procedures, and other mechanisms designed to ensure that risk responses are effectively carried out. Regular review and testing of controls verify their effectiveness and alignment with risk management objectives.
- Monitoring and Reporting. Continuous monitoring and reporting are essential to track the effectiveness of risk management activities. Regular updates to management and the board ensure that they are informed of the institution’s risk profile and any significant changes or emerging risks.
Enterprise Risk Management Tips

As you assess your institution's ERMF, here are some tips to help you strengthen your strategy and your team’s position when it comes to evaluating and addressing these risks:
- Experienced Risk Committee. Banks need a board-level risk committee to oversee the risk function, including members who have some experience in risk management. Does your institution have an established board risk committee, is it properly functioning, and does it have the knowledge and skill to monitor risk? Here is one guide for the basics of creating a strong risk committee.
- Continuous Improvement. An effective ERM program is not a one-and-done exercise. CFIs need to continually look for ways to improve their ERM program in order to stay ahead of emerging risks and maintain a strong risk management culture.
Effective enterprise risk management is vital to maintaining a strong and vibrant CFI. While it’s important to establish a solid enterprise risk management system, it’s also necessary to regularly monitor how it’s working. Here is a checklist for enterprise risk management systems.