Saturday, April 16, 2011

Enterprise-wide Risk Management (ERM): Yawn

I attended an industry presentation on ERM this past week put on by RSM McGladrey. The topic highly interested me, not because it is interesting, but because everybody is talking about it and there are differing opinions about what to do about it. What an opportunity for a non-audit, non-compliance, non-IT, and non-credit blogger to write about it!

First I would like to say that the McGladrey speaker really knew his stuff and was balanced. So often I hear commentary on ERM by advocates who think it is the next best thing to, say, online banking. Well, no it isn't. It is not likely to make your FI a lick of money. That said, here is my criterion for an ERM program:

"A successful ERM will result in reduced losses that exceed the investment made in the ERM program."
~ jeff for banks

Why else would an FI embark on ERM? If the investment in ERM exceeds the losses forgone, then don't invest in an ERM program. It's not worth the money. As community FIs, regulators force us to throw enough money down a black hole without us volunteering to do so.

But managing risk across organizational silos is highly fragmented in FIs. It makes sense to coordinate the effort into one area. Perhaps, as suggested by one attendee at the presentation, ERM could streamline risk management efforts to make reporting more relevant, less voluminous, and less labor intensive. If this were a by-product of ERM, then I'm in! I think your Board of Directors (Trustees for CUs) would appreciate reducing the size of monthly Board reports for monitoring risk.

An organization's risk profile looks like the bubble chart below from McGladrey's presentation. But not all risks are equal. If we were to quantify risk across the industry, Credit Risk would rank at 10 for greatest risk (on a hypothetical scale of 1 to 10), but other significant risks would be much lower, such as Liquidity and Interest Rate Risk (perhaps 4's). How would a non-audit, non-compliance, non-credit person develop a ranking system for risks?

Look at past experience to determine levels of risk. For example, perform a lookback over a meaningful sample period (perhaps 10 years, or at least one economic cycle) to identify where your FI actually lost money. A second criterion could be to query the personnel with the greatest knowledge of a risk to quantify the possible loss and the likely loss from that risk. By developing such a discipline, the FI can determine how many resources, if any, should be dedicated to mitigating the risk.

The bubble chart above contains too much in the form of risk categories, as most categories have sub-risks. The McGladrey presenter mentioned having 20-25 risks worth monitoring and mitigating, although he was not married to it. As ERM evolves, we have to guard against monitoring so many risks that the processes that result are inefficient in their application and ineffective at preventing those risks that represent the greatest potential loss.

For example, I was evaluating processes in a client's deposit operations function where one of the ladies in the department sorted through a large stack of checks for two hours each day. I asked why she did it. She said the Bank had a check fraud about seven years ago, and therefore she had to manually review all checks over $5,000. I asked what a fraud might look like. She didn't seem clear. I asked how many she had prevented since the undertaking. She said none.

Here was an FI that allocated two employee hours per day to prevent a fraud that she probably would not prevent. The investment in resources significantly outsized the risk. I put it to you that this example will be all too familiar if we implement ERM without evaluating the size and likelihood of each risk. And processes, like government programs, last forever.

This past economic cycle made clear that the single greatest risk FIs face is credit risk. I don't see this changing. Even FIs that failed due to liquidity had their woes start with credit risk, including the credit risk in the FI's investment portfolio. So let's not fool ourselves into thinking that somehow "employee fraud", or some other risk, ranks nearly as high.

But there are other risks that can have materially negative impacts on our business. So that a CEO and Board can efficiently and effectively monitor the greatest risks to the safety and soundness of the FI, consider implementing a well-thought-out ERM program that is focused, efficient, and effective.

Any thoughts on what such an ERM program would look like?

~ Jeff

  1. I have a three letter response: EFI

  2. Poster child for failure to detect fraud!

    But, as you and I both know, Todd, if someone had actually audited them, disaster may have been averted.

    It's like the government's cry when they fail to enforce their own laws that "something must be done!" So they pass yet another law that they won't enforce. But they feel good about themselves for having done something, regardless of its effectiveness.

    I suppose ERM is a good comparison to that.

    ~ Jeff

  3. I just realized your comment was probably geared towards the employee fraud not being as significant as credit risk. Point taken on EFI. That was an employee fraud of grand proportions.

    ~ Jeff

  4. No risk mitigation measure can be effective if those who are supposed to act to mitigate the risks to the institution indulge in unethical practices to report huge profits, to get big bonuses, or to serve their vested interests. In such a scenario the regulator of the industry has to be proactive to protect the interests of the various stakeholders.

  5. Satish,

    That is true if unethical people take risks at the expense of the FI's other constituencies. But risk mitigants normally require multiple layers of unethical people/practices to be circumvented. If not, then FIs should look at the effectiveness of their mitigants.

    I disagree that the regulator should be charged with protecting the interests of various stakeholders. Aside from the FIs that pose systemic risk, regulators are charged with protecting the FDIC/NCUA insurance funds, which protect depositor dollars and maintain confidence in the system. Anything else is regulatory over-reach (this comment does not include SEC responsibilities for publicly traded FIs).

    ~ Jeff