Long-Term Capital Management, a hedge fund management firm famous for its quantitative trading approach and for its belief, supposedly borne out by its risk models, that it was taking minimal risk, collapsed in the late 1990s. In September 2008, Lehman Brothers collapsed too. Enterprise failure due to inadequate risk management is a real possibility. Risk management is therefore a critical corporate function.

The experience of spectacular corporate failures has demonstrated that the quantitative approach to risk assessment is insufficient. Human intuition and judgement must complement the mathematical models. This dilemma is elegantly summarized in the Introduction to ‘Against the Gods: The Remarkable Story of Risk’ by Peter L. Bernstein, “The story that I have to tell is marked all the way through by a persistent tension between those who assert that the best decisions are based on quantification and numbers, determined by the patterns of the past, and those who base their decisions on more subjective degrees of belief about the uncertain future. This is a controversy that has never been resolved.”

To manage risk and realize value, corporate management must remain focused on calculated and well-informed risk taking. Over the last decade, considerable effort has gone into the development of quantitative risk analysis and management techniques at the individual project level and at the corporate portfolio level: identifying risk factors, anticipating possible adverse short- and long-term consequences, weighing options to mitigate risk factors, improving the management of high-risk activities, and supporting policy making and compliance auditing. Enterprise Risk Management (ERM) helps in identifying and selecting among alternative risk responses – risk avoidance, reduction, transfer and acceptance. It helps to ensure effective reporting and compliance with laws and regulations and to avoid damage to an entity’s reputation and the consequences that follow.

ERM in financial institutions aims to ensure that the proper infrastructure is in place to identify the top threats and that the right strategies are in place to manage them. By the nature of their business, all banks and credit unions assume some level of risk, but an effective ERM program allows them to better identify and mitigate risks to their strategic plan.

Banks and CUs have slowly moved away from a siloed approach to risk management (i.e., different internal groups responsible for each type of risk) and towards a holistic view of enterprise-wide risks. In the past ten years, most financial institutions with $2.5 billion in assets and above have put a formal ERM program in place. This is generally separate from the audit function, which is primarily focused on compliance with policies and procedures. ERM is focused on assessing risks and establishing mitigation strategies when risk triggers suggest an elevated level of risk is present. In smaller institutions the two roles may be complementary, but in larger banks and credit unions the ERM function and the audit function are usually separate.

The fundamental key to competitive success is that strategic error or opportunity be detected as early as possible. Seeing corporate risks, errors and mistakes early means damage and loss can be avoided. When the errors become large and reality hits hard, everyone can see the problem, but by then it’s too late to do anything other than adopt a damage minimization policy.

Reality is unpredictable, and no amount of quantitative risk analysis and computer modeling is going to change that. Human intuition and judgement are fallible too. Structures and policies must therefore be designed to make errors visible and correctable, the earlier the better. Ultimately, the key to managing risk is having the ability to detect emerging patterns and to help them take shape. People tend to spread good news and hide bad news, so there must be corporate incentives for employees to raise and discuss risk concerns. It is important to establish a corporate climate for risk taking, one that allows risks and errors to be identified early, discussed and controlled, so that the ongoing future of the corporation is not put in jeopardy.

Mardi Leslie, a former community bank supervisor, says that any comprehensive ERM program should include input from every level of the organization, including the Board of Directors and senior officers, branch managers, line officers, and customer service representatives. The portfolio view of risk should incorporate the significant risks at all of these levels.

Eddie Rivera, Chief Financial Officer at the Credit Union National Association (CUNA), says they promote a bottom-up, top-down approach to identifying risk. “Everyone who works in a credit union has the obligation to identify risk,” says Rivera. “We stress that buy-in and support from senior management and the board are absolutely necessary. ERM must be embraced and priorities set for the management, board and employees.”

During the 2008 financial crisis, some regional banks, community banks and credit unions avoided large losses by informally applying ERM principles – setting risk triggers – that gave them early warning of trouble ahead. Leslie believes an appropriate risk management program should be tailored to the complexity of the bank or credit union; large institutions, for example, will have higher standards for risk management. While most major regional banks have already developed a formal ERM program, ERM is still a work in progress at some community banks, where general concepts may be informally applied. The benefit of putting a more formal program in place is that the Board can be assured that risks are being tracked and appropriately addressed. When a selected risk trigger is crossed, the corresponding mitigation strategy should be employed. “The key point of an ERM program is that results support the strategic direction of the bank,” she explains. “If banks don’t have an ERM program in place, a good place to start is by looking at higher risk areas. In some community banks these can include highly profitable niche programs.”

She advises any banker considering setting up an ERM program to consult the guidelines established by COSO (the Committee of Sponsoring Organizations of the Treadway Commission). Originally formed in 1985, COSO is a joint initiative of five private sector organizations dedicated to providing thought leadership through the development of frameworks and guidance on ERM, internal control and fraud deterrence. In September 2017, the COSO Board released an update to its 2004 Enterprise Risk Management–Integrated Framework, retitled Enterprise Risk Management—Integrating with Strategy and Performance. COSO’s fundamental principle is that good risk management and internal control are necessary for the long-term success of all organizations.

According to Michael Cohn, CPA, of Wolf & Co., a preferred ERM partner to the Western Bankers Association, the COSO framework is more effective at large scale, and mid-sized banks and community banks have a harder time adapting COSO to their businesses. Instead, some prefer to use a model called “The Three Lines of Defense in Effective Risk Management and Control,” devised by the Institute of Internal Auditors and the Risk Management Association. Under this model, the first line of defense is operational management, the second is the risk management and compliance functions, and the third is internal audit. “Whereas internal audit and the role of the Board are well defined, what’s not well defined is a strong, clear line between risk takers and risk managers, and this framework shows them how to do that,” Cohn says.

In addition, several regulators, such as the OCC (Office of the Comptroller of the Currency) and the NCUA (National Credit Union Administration), have written guidance on ERM. Both the FDIC and the Federal Reserve have extensive guidance for institutions on establishing appropriate risk management programs.

NCUA identifies eight risk categories that fall under the ERM process:

  1. Compliance risk
  2. Credit risk
  3. Interest Rate risk
  4. Liquidity risk
  5. Reputation risk
  6. Strategic risk
  7. Transaction risk
  8. Cyber risk

Within the next two to five years, Cohn believes there will be a risk management practice at all institutions with the right sophistication and complexity to match their business. “I think all but the smallest banks will have a formalized ERM plan in place,” he predicts. “Obviously, some will have a more sophisticated program than others. External data will feed directly to their risk management tools and technology. If the world continues to change at this rate, then threats will come up fast and will not be as visible as many bankers think.”

He observes that the asset size of institutions that have a Chief Risk Officer (CRO) is getting lower each year. Most institutions with $2.5 billion in assets will have a CRO, many at $1.5 billion will have one, and those with under $1.5 billion will have a risk management committee. “The role of the CRO has been and will continue to evolve as we emerge from what I refer to as the Renaissance of ERM,” he says. “And, of course, the tools in the CRO’s toolbox will continue to strengthen.”

Wolf & Co. has several customers in California for its WolfPAC software tool for ERM, which is specifically designed for mid-sized regional banks, community banks and credit unions. “Most of our clients have an ERM program in place and someone in charge of it,” Cohn says. “The CRO and people who work in the Office of the CRO are dedicated to risk management and not wearing other hats. They also have processes in place to synthesize threats that may come in the form of market risk, operational risk, strategic risk and reputational risk,” he adds.

Credit unions also abide by COSO’s framework and leverage COSO’s definition of ERM as it relates to culture, capabilities and practices. For the past six years, CUNA, the national trade association for credit unions, has been offering two risk management certification schools a year for its members. One takes place in April and the other in December, and they are run in partnership with the Rochdale Paragon Group. These increasingly popular programs give CUNA members the opportunity to network and share best practices with other risk professionals across the country, and allow members to become credit union risk management experts. “We continue to mature our ERM model at CUNA,” says Rivera, CUNA’s CFO. Some credit unions, he says, are in their infancy with ERM programs while others are more developed. Regardless of what stage they’re at, ERM programs need to mature over time and will always have room for improvement. Regulatory risk assessments have already identified areas for improvement. These include creating a risk management committee, improving risk awareness and ensuring that the risk process and mitigating efforts are being reported to management and the board. Some credit unions have added a CRO role too.

According to the consulting group CEB Gartner, companies now expect heads of risk management to enforce a standard approach toward risk-taking across the organization. But its research shows that nearly half of all CROs observe decisions that are inconsistent with the firm’s risk appetite. CEB Gartner believes the solution depends on better coordination and alignment between the Corporate Risk, Finance and Strategy teams, and outlines three steps risk leaders should take to improve cross-functional collaboration and to ensure their firm’s growth strategy aligns with its risk appetite:

  • Improve alignment between risk and strategic planning.
  • Define risk appetite in proper context.
  • Set a dynamic, not static, risk appetite.

About the Firm and the Author

McDermott + Bull is a full-service retained executive search firm with a dedicated Financial Institutions practice. The firm’s Financial Institutions Practice Group partners with boards and senior leadership teams to align talent strategies with business strategies for banks, credit unions, investment banks, asset managers and investment advisory firms. Clientele include the likes of Columbia Bank, Golden 1 Credit Union, First Republic Bank, Silicon Valley Bank, SAFE Credit Union, First American Trust Company, Bank of Marin, Technology Credit Union, Wescom Credit Union, Western Federal Credit Union, Luther Burbank Savings, East West Bank, Houlihan Lokey, Washington Trust Bank, Exchange Bank, Opus Bank, Banc of California and United Capital.

Brandon Biegenzahn is the President of McDermott + Bull, and he also co-chairs the firm’s Financial Institutions Practice Group. Brandon is a corporate attorney by trade having practiced with Sheppard, Mullin, Richter & Hampton, and Buchalter Nemer in their corporate finance departments. Brandon received his Bachelor of Arts from the University of Southern California and his Juris Doctorate from Penn State.