Pub. 5 2016 Issue 8

A PRACTICAL SOLUTION TO ENTERPRISE RISK MANAGEMENT

Today's focus on managing risk is nothing new, although the intensity has never been greater. Enterprise Risk Management (ERM) has been an industry concern since September 2004, when the Committee of Sponsoring Organizations (COSO) began promoting the idea that effective accounting and internal control systems must include a risk management component. But evolving issues such as Cybersecurity, Credit Risk Management, Vendor Management, and BSA/AML regulations have made it a priority.

Most banks have a risk management process in place today. However, even if the process is covering every applicable risk factor – and most are not – the major concern is that the process as it exists today is typically very disparate, with policies and procedures housed in many forms and reliance on inefficient tools like Excel spreadsheets and Word documents. Worst of all, there is a huge time investment required from the staff responsible for assessing risk and managing policies and controls.

The Federal Financial Institutions Examination Council, comprised of state and federal financial institution regulators, refined the ERM definition for banks as the process of identifying, measuring, monitoring, and managing risk. The importance of the process cannot be overstated. But the complexity of implementing robust risk management systems at community financial institutions can also be time consuming and expensive. It shouldn't be.

At the very core, banks are in the risk mitigation business. So, Enterprise Risk Management is nothing more than a framework to effectively manage that business. It should be integral to how we run our business on a day-to-day basis and, as a result, it should only take a matter of hours – not days or weeks – to conduct or update a bank-wide risk assessment. Requirements vary based on the size of the institution.

Generally, institutions with assets of $10 billion to $50 billion have extensive formal requirements, such as maintaining a Risk Committee, chaired by an Independent Director, that meets at least quarterly; developing specific risk mitigation policies and procedures; establishing controls for these policies; and monitoring for compliance with them. Institutions over $10 billion have regulatory-mandated Stress Testing requirements. Institutions over $50 billion have the same general requirements, although they are much more detailed and comprehensive. In addition, their Risk Committee must report directly to the Board of Directors, and they must hire a Chief Risk Officer who reports to both the CEO and to the Board. For banks under $10 billion, regulators require that they implement a risk management system tailored to their specific needs and circumstances, commensurate with their size, complexity, and geographic diversity.
