Remember those awkward pre-teen years? Uneven growth spurts. Life seems so complicated. We wonder how it will all turn out. Our vocabulary matches our limited range of experience. But humming along in the background are excitement and discovery. Perhaps we are destined for greatness! As we age, we first revel in reaching a certain level of maturity; then we come to the conclusion that the journey never ends. Such is the case with enterprise risk management.
The results of RMA's 2006 survey on the state of enterprise risk management present a picture that's a little like a pre-teen superstar. Just about everyone acknowledges that ERM is a good thing. We all know we have further to go to be successful. But as we explore risk management, we're "trying on" different ways of addressing it, and we can't seem to get a well-coordinated look. At times, there seem to be as many differences as there are similarities. Evidence of this can be found in the responses of the 31 institutions that took part in the survey.
However, the gold ring we all want to grab--competitive advantage through enhanced shareholder value--drives us onward through those awkward years. RMA's survey provides a snapshot of where banks are, a growth chart, and a glimpse into the goals institutions have established for ERM.
Increasing complexity means risks can be harder to identify and gauge. Without the right early-warning signals and appropriate actions, losses--large losses--can occur, threatening the institution, its customers, its shareholders, and the stability of the larger financial community. Bank examiners know this, and banks know that bank examiners know this. Institutions also have learned (or are learning) that ERM offers rewards beyond keeping examiners happy and shareholders safe. An ERM program means banks can take more strategic risks without shooting themselves--and others--in the foot. In turn, that means competitive advantage and happier shareholders. No one said that growing up is easy, but it does offer its rewards.
Banks represented in this survey include regional and national/global banks, divided almost equally among four ranges of asset size--less than $25 billion, $25-75 billion, $75-150 billion, and over $150 billion. The bankers who responded are chief risk officers or other high-level risk professionals.
To date, only 31% of the respondents have an ERM board committee, and 55.2% do not have a separate ERM unit charged with managing or coordinating the management of material institutional risks. Some believe that ERM is a responsibility of a senior finance officer; some have an ERM committee but no single individual or unit charged with the responsibility; and some have given employees throughout the organization the responsibility for managing risks within their own areas. However, 51.9% say that their ERM unit goes beyond gathering and aggregating data to include specific roles, responsibilities, and authority.
Respondents reported that their ERM management committees comprise the following functions:
* Entire executive management (38.7%).
* Chief credit officer or representative (35.5%).
* Operational risk officer (32.3%).
* Audit (32.3%).
* Chief financial officer or representative (25.8%).
* Compliance (22.6%).
* Legal (22.6%).
* President/COO (16.1%).
* Business unit heads (16.1%).
Meeting periods vary and can be weekly (13%), monthly (34.8%), quarterly (30.4%), and on an ad-hoc basis (8.7%).
Where They Are
The participating institutions have moved from looking at each risk independently, to aggregating some risk types without necessarily correlating the effects of these risks, to measuring and correlating many major risk types simultaneously. Correlation means seeing how a risk in one business line can affect other business lines. It means recognizing a concentration where an institution didn't think it had one. It means catching that rolling snowball before it sets off an avalanche.
The more challenging goal is to do so with processes that are automated and standardized. Finding a way to equate seemingly disparate risks in a variety of areas is the only way to truly catch those correlations and their effects. That's where the best-performing institutions are now.
We can see how far institutions are in this endeavor by what they currently include in their ERM framework. Most institutions are taking on the most obvious and overall risk considerations first. The following is the current snapshot by percentage groups of what is included in the ERM framework:
* 71-100%--commercial credit (83.9%), retail credit (77.4%), and operational (71%).
* 51-70%--asset/liability management (64.5%), market/ trading (61.3%), regulatory relations (61.3%), compliance (54.8%), and aggregated risk reporting (54.8%).
* 21-50%--reputation (45.2%), modeling (45.2%), economic capital modeling (41.9%), risk technology support (41.9%), audit (38.7%), legal (35.5%), strategic (35.5%), and business (29%).
* 0-20%--finance (19.4%), marketing (6.5%), and other (insurance, Sarbanes-Oxley, risk and control self-assessments, 9.7%).
Participants employ ERM to varying degrees in the following activities:
* Create individual assignments for all major risk types--credit, market, and operations.
* Report and monitor risks.
* Assist in credit approval, economic capital, internal credit review, and internal audit.
* Assist in credit (wholesale and retail), model validation, and regulatory relations/compliance monitoring.
* Act as an active partner in policy setting, decision making, and strategic planning.
* Assist in setting strategy and methodology for risk aggregation and analysis, and in setting reporting policies and guidelines for review of the risk profile.
* Delegate all risk authority, set policy governance/approval, set limits with the line, provide governance for all new products and initiatives, and assist in fraud detection and prevention, compliance efforts, insurance risk management, and more.
* Manage organizational credit, operational, and market risks at a consolidated enterprise level.
* Assist in the implementation of risk and control self-assessments and provide oversight for model risk management and regulatory interface.
If we consider Risk to be a language, bank staffs are gaining fluency. Some 75% of participants say a common risk language is broadly used and understood throughout the organization. Not surprisingly, the most familiar terms are risk profile, risk threshold and limits, loss given default, probability of default, and economic capital.
Most institutions (74.2%) report that ERM knowledge is acquired on the job; 54.8% credit outside seminars and conferences or individual reading; and 45% credit industry discussion groups. Web seminars, audio conferences, mentors, in-house trainers, and self-study materials are other methods of instilling awareness and knowledge of ERM.
Table 1 provides the main benefits ERM implementation has brought to survey participants' institutions, as well as what they see happening in the next 18-24 months.
No initiative, particularly one that involves significant ongoing investments of time and money, can be sustained without proven success. Respondents were asked how their institutions currently measure the effectiveness of ERM and how they plan to measure it in the coming 18-24 months. Most telling among the responses shown in Table 2 are 1) the decreased expectation to measure success based on favorable regulator and market analyst reviews and 2) the significantly increased expectation to measure success by shareholder value and improved risk-adjusted profitability. This is the promise of enterprise risk management, and those who are farthest along in achieving a full ERM program will have an important competitive advantage over their peers. Let the growing continue.
Contact Beverly Foster by e-mail at email@example.com.
Beverly Foster is editor of The RMA Journal.
Table 1 The Benefits of ERM--Now and in the Future In 18-24 Benefit Current Months Protected/enhanced shareholder value through 19.4% 12.9% improved stock price or better credit rating Opportunity to identify and assess risk "in 45.2% 38.7% total" Ability to apply consistent policies and 45.2% 19.4% standards Improved systems capabilities 9.7% 16.1% Reduced losses 16.1% 29.0% Improved strategic decision making 12.9% 48.4% Ability to set a common risk culture--risk 48.4% 25.8% appetite, language, etc. Process improvement (improved efficiency) 12.9% 25.8% Improved communications 38.7% 22.6% Improved risk-adjusted returns and fewer 9.7% 29.0% surprises Improved understanding of risks and controls 48.4% 25.8% Support for growth and strategic initiatives 6.5% 32.3% Protection against catastrophic losses 0.0% 9.7% Other 0.0% 3.2% Table 2 Measures of Effectiveness-Now and in the Future In 18-24 Measure Current Months Lower losses 22.6% 35.5% Loss avoidance 22.6% 25.8% Reduced volatility of earnings 25.8% 25.8% Improved shareholder value 12.9% 41.9% Favorably looked upon by regulators and market 67.7% 41.9% analysts Quicker to market with products 9.7% 12.9% Fewer deviations from compliance 48.4% 16.1% Lower capital requirement 9.7% 25.8% Improved audit results 35.5% 19.4% Improved risk-adjusted profitability 19.4% 58.1% Other 3.2% 3.2%…