Enterprise Risk Management for Community Banks
Dumas, Edward B., The RMA Journal
This article outlines a way to implement an effective ERM program for community banks. Risk management systems and processes in these banks will vary, based on the complexity, amount, and types of risk assumed. However, common to all is the need for bank management to identify, measure, monitor, and control the risks faced by their institutions. The essence of these risk management activities is to ensure that the right information gets to the right individuals at the right time so they can make the right decisions.
The business of banking has always involved risk management. Certainly, bankers have a long history with credit risk management, and they are no strangers to cycles in commercial and consumer lending. More recently, with changes in markets and operating conditions during the 1980s, interest rate risk gained more prominence. Then during the early 1990s, growing markets for derivatives and structured products prompted additional concerns about the complex and interconnected risks that these products might possess. Next, during the mid-to-late 1990s, growing reliance on computer-based models, together with a few notable problems with model accuracy, resulted in new concerns about model risks. Most recently, headlines describing prominent instances of control failures have renewed the focus on operational and reputation risks. Finally, with growing reliance on technology, information systems and information security have become increasingly important.
Enterprise risk management (ERM) has evolved, in large part, as banks have incorporated lessons learned from these well-publicized issues. The changing environment has resulted in the need to 1) continually identify risks and understand their full implications, and 2) have requisite policies, controls, information systems, and procedures in place to monitor trends and manage those risks on a prospective basis. It is therefore important at the outset to recognize ERM as a process that is embedded in everything a bank does. While ERM organizational design, supporting functions, and systems may vary across banks, the risk management goals remain the same; further, ERM should be implemented within the context of executing the bank's strategic plan.
It is worth noting that regulators are thinking along the same lines. For example, the Comptroller's Handbook (1) states that "OCC supervision of community banks focuses on the bank's ability to properly manage risk," and further states that "even the existence of high risk in any area is not necessarily a concern, so long as management effectively manages that level of risk."
It is understandable that community bankers may believe that the high-profile problems prompting Sarbanes-Oxley and other legislation and regulation were relevant only to larger or more complex organizations. Moreover, the thought of hiring additional risk managers may have seemed a bit paradoxical since every employee manages risk. Whether it is administrative staff correctly following operating procedures or a lender determining appropriate loan covenants, everyone's job necessarily involves some aspect of risk management. Therefore, community banks might well ask what a new ERM program should do that is not already being done, especially considering their small employee bases composed of managers and staff with broad sets of responsibilities.
The narrow answer is that ERM should ensure that the bank's system of internal controls is complete and effective, which would include appropriate separation of duties, even for a small staff. More broadly, ERM should improve the bank's ongoing performance through facilitation of better management decision making and by instilling a clear risk management discipline for all employees to follow.
Step 1: Scope of activity. The first step in implementing an ERM program for a community bank is to conduct a gap assessment between employee job responsibilities and the following sets of functions (also shown in Figure 1):
[FIGURE 1 OMITTED]