I attended an industry presentation on ERM this past week put on by RSM McGladrey. The topic highly interested me, not because it is interesting, but because everybody is talking about it and there are differing opinions about what to do about it. What an opportunity for a non-audit, non-compliance, non-IT, and non-credit blogger to write about it!
First I would like to say that the McGladrey speaker really knew his stuff and was balanced. So often I hear commentary on ERM by advocates that think it is the next best thing to, say, online banking. Well, no it isn't. It is not likely to make your FI a lick of money. That said, here is my criteria for an ERM program:
"A successful ERM will result in reduced losses that exceed the investment made in the ERM program."
~ jeff for banks
Why else would an FI embark on ERM? If the investment in ERM exceeds losses foregone, then don't invest in an ERM program. It's not worth the money. As community FIs, regulators force us to throw enough money down a black hole without us volunteering to do so.
But managing risk across organizational silos is highly fragmented in FIs. It makes sense to coordinate the effort into one area. Perhaps, as suggested by one attendee at the presentation, ERM could streamline risk management efforts to make reporting more relevant, less voluminous, and less labor intensive. If this was a by-product of ERM, then I'm in! I think your Board of Directors (Trustees for CUs) would appreciate reducing the size of monthly Board reports for monitoring risk.
An organization's risk profile looks like the bubble chart below from McGladrey's presentation. But not all risks are equal. If we were to quantify risk across the industry, Credit Risk would rank at 10 for greatest risk (on a hypothetical scale of 1 to 10), but other significant risks would be much lower such as Liquidity and Interest Rate Risk (perhaps 4's). How would a non-audit, non-compliance, non-credit person develop a ranking system for risks?
Look at past experience to determine levels of risk. For example, perform a lookback over a meaningful sample period (perhaps 10 years, or at least one economic cycle) to identify where your FI actually lost money. A second criteria could be to query your personnel with the greatest knowledge of the risk to quantify the possible loss and the likely loss from a certain risk. By developing such a discipline, the FI should determine how much resources, if any, should be dedicated to mitigating the risk.
The bubble chart above contains too much in the form of risk categories, as most categories have sub-risks. The McGladrey presenter mentioned having 20-25 risks worth monitoring and mitigating, although he was not married to it. As ERM evolves, we have to guard against monitoring so many risks that the processes that result are inefficient in their application and ineffective at preventing those risks that represent the greatest potential loss.
For example, I was evaluating processes in a client's deposit operations function where one of the ladies in the department sorted through a large stack of checks for two hours each day. I asked why she did it. She said the Bank had a check fraud about seven years ago, and therefore she had to manually review all checks over $5,000. I asked what a fraud might look like. She didn't seem clear. I asked how many she has prevented since the undertaking. She said none.
Here was an FI that allocates two employee hours per day to prevent a fraud that she probably would not prevent. The investment in resources significantly outsized the risk. I put to you that this example will be all too familiar if we implement ERM without evaluating the size and likelihood of risk. And processes, like government programs, last forever.
This past economic cycle made clear that the single greatest risk FIs face is credit risk. I don't see this changing. Even FIs that failed due to liquidity had their woes start with credit risk, including the credit risk in the FIs investment portfolio. So let's not fool ourselves into thinking that somehow "employee fraud", or some other risk, ranks nearly as high.
But there are risks that can have materially negative impacts on our business. So a CEO and Board can efficiently and effectively monitor the greatest risks to the safety and soundness of the FI, consider implementing a well thought out ERM that is focused, efficient, and effective.
Any thoughts on what such an ERM program would look like?