Implementing Enterprise Risk Management - a Guide to the "why" and "how" by Stephen Curry

Enterprise Risk Management (ERM) is a term a lot of financial institutions are hearing about from their regulators this year. At its heart, ERM is a comprehensive and strategic approach to identifying, assessing, and managing risks across an organization. The concept had its roots in the late 1970s, a period when there were many financial scandals, largely due to a lack of guidelines and standards for internal controls. The Treadway Commission was created in the mid-1980s by the SEC to investigate the accounting and auditing practices of public companies and identify potential weaknesses. The ERM framework was developed by this commission in the 1990s as an evolution of internal controls and in response to the growing complexity of the business environment.

The new ERM framework provided a comprehensive and integrated approach to risk management that could help companies manage risk across the whole business. The framework emphasized the identification, assessment, and management of risks across the entire organization, including strategic, operational, financial, and compliance risks. As organizations recognized the importance of aligning risk management with strategic objectives, ERM started to incorporate strategic risk management. This evolution involved integrating risk considerations into strategic planning, decision-making processes, and performance management frameworks. Today, ERM aims to provide a holistic view of the risks that could impact an organization's ability to create value and achieve its goals.

The integration of data analytics and technology has further revolutionized ERM practices. Advanced analytics techniques, such as predictive modeling, data visualization, and AI/machine learning, enable organizations to enhance their risk identification, assessment, and monitoring capabilities. Technology solutions, including risk management software and automation tools, have streamlined risk management processes and improved data management and reporting. ERM has also been influenced by evolving regulatory requirements. Regulators increasingly expect organizations to implement robust risk management frameworks and provide transparent reporting on risk exposures. Shareholders of publicly traded banks are also very supportive of ERM. Regulations such as Basel III in the banking industry and the Sarbanes-Oxley Act in the United States have shaped ERM practices and placed greater emphasis on risk governance, internal controls, and risk disclosures. Any bank that is on a growth path to going public should be implementing an advanced framework.

Key aspects of enterprise risk management include:

1. Risk Identification: The process of identifying and understanding risks that the organization may face, both internally and externally. This involves considering various risk categories, such as strategic, operational, financial, legal, compliance, reputational, and market risks.

2. Risk Assessment: A process of assessing the likelihood and potential impact of identified risks to prioritize them based on their significance. Risk assessments may involve qualitative and quantitative techniques, including risk matrices, scenario analysis, historical data analysis, and statistical models.

3. Risk Mitigation: Developing and implementing strategies and controls to manage and mitigate identified risks. This involves determining the most appropriate response to each risk, which may include risk avoidance, risk reduction, risk transfer, or risk acceptance. Risk mitigation strategies may include implementing internal controls, diversifying business operations, creating contingency plans, hedging, or purchasing insurance.

4. Risk Monitoring and Reporting: Continuously monitoring and evaluating risks to identify changes in the risk landscape and assess the effectiveness of risk mitigation strategies is critical. This includes establishing key risk indicators (KRIs) and key performance indicators (KPIs) to track and measure risk exposure. Regular risk reporting to management and relevant stakeholders helps facilitate informed decision-making and proactive risk management.

5. Integration with Strategic Planning: Aligning risk management practices with the organization's strategic objectives and decision-making processes. ERM ensures that risk considerations are integrated into strategic planning, capital allocation, product development, and other business activities to support informed and risk-aware decision-making.

6. Risk Culture and Governance: Fostering a risk-aware culture throughout the organization and establishing appropriate risk governance structures. This involves promoting risk awareness, accountability, and transparency at all levels of the organization. Leadership engagement, clear roles and responsibilities, and effective communication are essential components of a robust risk culture and governance framework.

By implementing ERM, organizations can proactively identify and manage risks, enhance decision-making, protect against potential threats, exploit opportunities, and ultimately improve their resilience and long-term performance. ERM provides a structured and integrated approach to risk management, helping organizations navigate uncertain and complex business environments effectively.

Successful implementation involves several key steps. Here's an overview:

1. Establish Risk Governance Structure: The first step is to create a dedicated risk management function led by a Chief Risk Officer (CRO). Sometimes this is a new hire, sometimes an internal promotion. Define the roles and responsibilities of the risk management team, allocate resources, and establish a Board-level risk committee to oversee ERM activities.

2. Define Risk Appetite and Strategy: Develop a clear Risk Appetite Statement that outlines the level of risk the bank is willing to accept. Align this statement with the bank's overall strategy and objectives. This step involves considering factors such as profitability, capital requirements, regulatory compliance, and customer satisfaction.

3. Identify and Assess Risks: Conduct a comprehensive risk identification exercise to identify all potential risks faced by the bank. These risks may include credit risk, market risk, liquidity risk, operational risk, compliance risk, and strategic risk. Once identified, assess the likelihood and potential impact of each risk to prioritize them accordingly.

4. Establish Risk Assessment Methodology: Define a consistent methodology for assessing risks. This may involve using qualitative and quantitative techniques such as risk matrices, scenario analysis, stress testing, and historical data analysis. Ensure that risk assessments are conducted regularly and are aligned with regulatory and Board requirements.

5. Develop Risk Mitigation Strategies: Based on the identified risks, develop strategies to mitigate, transfer, or accept each risk. Establish risk management policies, procedures, and controls to guide the implementation of mitigation strategies. This may include setting risk limits, defining risk management processes, and implementing risk monitoring and reporting systems.

6. Implement Risk Monitoring and Reporting: Establish a robust monitoring framework to track risks on an ongoing basis. Implement risk monitoring tools and systems to capture key risk indicators (KRIs) and key performance indicators (KPIs) that provide early warning signs of potential issues. Develop regular risk reports for management and the risk committee to review and take appropriate actions.

7. Integrate Risk Management into Business Processes: Ensure that risk management becomes an integral part of the bank's day-to-day operations. Embed risk management practices into decision-making processes, product development, and strategic planning. Provide regular training and awareness programs to ensure that employees understand and adhere to risk management policies and procedures.

8. Conduct Independent Reviews: Periodically conduct independent reviews of the ERM framework to evaluate its effectiveness. This may involve engaging external auditors or consultants to provide an objective assessment of the bank's risk management practices. Identify areas for improvement and take corrective actions as needed.

9. Stay Abreast of Regulatory Requirements: Continuously monitor regulatory changes and ensure compliance with evolving risk management regulations. Maintain a strong understanding of industry best practices and benchmark against peer institutions to ensure the bank's risk management practices remain robust and up to date.

Remember, implementing ERM is an ongoing process that requires a commitment from the bank's leadership and engagement from all levels of the organization. By following these key steps, banks can establish a proactive risk management framework that enhances decision-making, safeguards the institution, and promotes long-term stability.

Here are a few examples of successful enterprise risk management (ERM) implementations in the banking industry:

1. JPMorgan Chase: JPMorgan Chase is known for its robust ERM framework. The bank has a comprehensive risk management structure, including a dedicated risk committee and a Chief Risk Officer (CRO) at the executive level. JPMorgan Chase has a strong risk culture that emphasizes accountability, risk awareness, and proactive risk management. The bank's ERM practices played a crucial role in navigating the 2008 financial crisis, as it had a solid risk management foundation in place.

2. Wells Fargo: Wells Fargo has implemented an effective ERM framework, which includes a structured risk identification process and regular risk assessments. The bank emphasizes a top-down risk culture, with the board of directors and senior management actively involved in risk oversight and decision-making. Wells Fargo has established clear risk appetite statements and robust risk monitoring and reporting mechanisms, enabling the bank to identify and address risks in a timely manner.

3. Citigroup: Citigroup has made significant strides in enhancing its ERM capabilities over the years. The bank has implemented a comprehensive risk governance structure, with a CRO overseeing risk management activities. Citigroup's ERM framework incorporates advanced risk analytics, stress testing, and scenario analysis to assess and manage risks effectively. The bank's strong risk management practices have helped it navigate various economic cycles and maintain stability.

Successful enterprise risk management (ERM) implementations are not limited to the banking industry. Here are a few examples of organizations from various sectors that have achieved successful ERM implementations:

1. Procter & Gamble (P&G): P&G, a multinational consumer goods company, has implemented an effective ERM framework to manage a wide range of risks across its operations. The company integrates risk management into its strategic planning and decision-making processes. P&G's ERM approach focuses on identifying and assessing risks related to supply chain disruptions, market volatility, regulatory compliance, and brand reputation. The company's risk management practices have contributed to its sustained growth and resilience in a competitive industry.

2. Tesla: Tesla, an electric vehicle and clean energy company, has established a robust ERM program to manage risks associated with its operations and technological advancements. Tesla faces risks such as supply chain disruptions, regulatory compliance, intellectual property protection, and emerging market dynamics. The company's ERM framework incorporates risk assessment, proactive risk mitigation measures, and ongoing monitoring and reporting. Tesla's ERM practices support its innovation-driven growth strategy while addressing risks inherent to its industry.

These examples demonstrate that successful ERM implementations extend well beyond the banking sector. Organizations across many industries have embraced ERM to identify, assess, and manage risks in a systematic and integrated manner. By implementing effective ERM frameworks, these organizations are strengthening their risk management capabilities, enhancing decision-making, and improving their ability to navigate uncertainties and achieve sustainable growth.

This presentation is being furnished on a confidential basis to provide preliminary summary information. The information, tools and material (collectively, information) contained herein is not directed to or intended for distribution or use by any person or entity who is a citizen or resident of or located in any jurisdiction where such distribution, publication, availability or use would be contrary to law or regulation or which would subject Endurance Advisory Partners, LLC, to any registration or licensing requirement within such jurisdiction.

The information presented herein is provided for informational purposes only and is not to be used or considered as an offer to sell, or buy securities or other financial instruments, or any advice or recommendation with respect to such securities or other financial instruments. The information may not be reproduced in whole or in part or otherwise made available without the prior written consent of Endurance Advisory Partners, LLC. Information and opinions presented have been obtained or derived from sources believed to be reliable, but Endurance Advisory Partners, LLC makes no representation as to their accuracy or completeness. Endurance Advisory Partners, LLC, accepts no liability for any loss arising from the use of the information contained herein.

This information is subject to periodic update and revision. Materials should only be considered current as of the date of the initial publication, without regard to the date on which you may access the information. Endurance Advisory Partners, LLC, maintains the right to delete or modify the information without prior notice.

Under no circumstances and under no theory of law, tort, contract, strict liability or otherwise, shall Endurance Advisory Partners, LLC be liable to anyone for any damages resulting from access or use of, or inability to access or use, this information, regardless of whether they are direct, indirect, special, incidental, or consequential damages of any character, including damages for trading losses or lost profits, or for any claim or demand by any third party, even if Endurance Advisory Partners, LLC knew or had reason to know of the possibility of such damages, claim or demand.