Expanding beyond Traditional Risk Areas: The Authors Teach RMA's Course Enterprise Risk Management for Community Banks. in This Article, the First of a Four-Part Series, They Survey the Landscape of Community Banks' ERM Efforts

Article excerpt

The financial crisis and its aftermath have drawn serious, if belated, attention to these enterprise risk management (ERM) tenets:

* Risks are interrelated.

* Historical observations cannot anticipate future projections.

* Boards must establish and monitor risk appetite.

This article will share experiences from the RMA course Enterprise Risk Management for Community Banks and anticipate future directions for ERM training. We start by examining the nature of existing risk management programs at community banks and then outline the work required to drive more complete ownership of the risk position. Readers can benchmark their own circumstances against these norms and decide whether additional ERM focus is needed at their institutions.

Prevailing ERM Competencies

In the weeks leading up to each course session, attendees voluntarily fill out a 30-question survey on ERM practices at their institutions. These surveys cover existing competencies and approaches, perceived weak spots, and future plans for development.

Our survey results and classroom conversations underscore an important point: Community banks already possess a number of well-developed competencies in the three "traditional" risk areas--credit risk, interest rate risk, and liquidity risk. In fact, very few banks are starting their ERM efforts from scratch, and many of those lacking any material infrastructure likely perished over the past few years. However, what appears to be the greatest area for development is in the "nontraditional" risk areas.

As will be noted below, community banks are not overly satisfied with how they have put these competencies together into a comprehensive, reliable, and proactive ERM approach. Table 1 shows the self-reported quality of ERM among surveyed banks. (More details on the numbers of banks, sizes, etc. will be provided later in this article.)

The average to slightly-above-average assessment is probably quite accurate. By attending RMA's full-day ERM course, these banks are probably more inclined to want to improve their ERM efforts. That alone probably elevates them to a level above the lowest tier in the industry. On the other hand, very few attendees claim to have an "outstanding" ERM practice. This, too, seems an accurate depiction of the evolving state of ERM practice.

The strongest existing risk management competencies address the three "traditional" risk types. Table 2 shows the proportion of surveyed banks that explicitly manage each of these risks. It should come as no surprise that virtually all the banks have formal risk management processes for credit, liquidity, and interest rate risk, as these pose the most immediate danger for most banks. Survey results also confirm a depth of reporting and oversight for these risks at the board and senior management levels.

We are also encouraged by the prevalence of risk management processes for new products. Nearly two-thirds of surveyed banks report having a formal approval process for new products that includes an assessment of risks. The practice of measuring and managing concentration risk in the loan portfolio is another example of a common risk management competency that is already in place. We are heartened to see that nearly all attendees are starting their ERM journey from a position of some strength, at least in certain areas.

Moving Beyond the Traditional Risk Areas

Our course surveys also highlight areas of risk management that are not nearly as prevalent as those for the three traditional risks. This finding suggests that existing organizational structures are not as well equipped to facilitate integrated risk management for the "nontraditional" areas.

In terms of organizational structure, risk responsibilities are typically scattered throughout the institution. Indeed, very few banks have a cohesive set of executive accountabilities and oversight structures. …