The annual risk of death from heart disease is 1 in 5, while the risk of death from cancer is 1 in 7. While both are events we wouldn't wish on anyone, they are also a fact of life. Knowing heart disease is a higher risk than cancer empowers people to begin managing that risk by exercising more, eating right, etc. We all know that risk is part of banking, but the current credit crisis provides a good reminder that there is always room for improvement. Greater board oversight, stronger risk management practices and more active executive involvement are all critical aspects of a proper risk management framework. For community banks seeking to control risk, it all begins with an enterprise wide approach. Today we examine this concept more closely.
In the old days, bankers used to control risk by telling the CFO it was theirs to control. That seemed to make some sense, since the CFO was intimately involved in the financials and as such would be in a position to perhaps control it. That worked for awhile, but the world became more complex. As that happened, bankers turned to their legal counsel in many cases to augment the work done by the CFO. As things have evolved even further, more and more banks have created a new job function entitled "chief risk officer" or "enterprise wide risk manager."
The days of simply allowing departments to manage risk within their own unit and without regard to the overall company are slowly but surely going away. Bankers have become more aware that risks taken in one area of the company can drastically increase the risk profile of another unit and raise the risk profile of the enterprise as a whole. In addition, when groups are left to manage risk without an overarching set of rules, parameters or coordination, things can run amuck.
In 2009, those banks that have not already done so should begin moving to an enterprise wide risk management ("ERM") approach. Doing so does not eliminate the need for business units to manage risk, but it does provide a common platform, approach and culture that help break down individual silos. For ERM to succeed and thrive, all groups within the company must be part of the process. That includes the board of directors, management and employees.
Some may be wondering just how the board can get involved and what role they should play. Banks may be somewhat surprised to learn they have already taken steps in this arena simply by establishing an audit committee. That is good, but it is time for the audit committee to determine how much risk the company should take, make sure management embraces risk controls and to help set policies that will control risk throughout the organization. Boards can sleep better at night, once they clearly communicate to management that risks should be managed in a holistic manner. Management is assigned the responsibility to control these risks, but uniformity throughout the organization is critical.
Risk management doesn't have to be defensive. While many of us intuitively think that way when we ponder how to "control risk," it is more about setting a framework around company objectives and appetite. Minimizing the impact of certain risks is the underlying goal, not creating a structure that avoids risk altogether. Do this and opportunities can be quickly leveraged.
It is interesting to note that people are more likely to die from a hospital infection (1 in 38), than the flu (1 in 63) or a car accident (1 in 84). Since we aren't going to stop driving around or interacting with others, to manage these risks, we have also designed airbags and flu shots (if only we could think of something better for the hospital issue). Banking is an industry that is all about risk taking, but risk should be managed around the entire organization. The best way to do this is to focus over time on developing a platform that manages risk across all departments, customers, products and services. It is certainly a process, but taking the first step is critical, particularly since we operate in one of the fastest changing industries.