A study by Stanford University finds the top 10 things people do on the internet in order are: check email (cited by 90% of people surveyed), search for general information (77%), surf (69%), read (67%), have a hobby (63%), review product information (62%), look up travel information (54%), do work (46%), play games (36%) and buy something (36%). No matter what you do on the internet, we are sure searching is continually going on at community banks given ongoing and substantive changes in the industry. To save you some searching, we continue our discussion from yesterday on Enterprise Risk Management (ERM), as we attempt to help banks that are just beginning to go down this path or are seeking further information on the subject to enhance existing programs.
One reason many community bankers we talk with struggle with ERM is that it is really more of a journey than a destination. ERM is a fluid process that shifts its path as it travels department by department. It can be used in strategy setting, is designed to take into account risk throughout the entire organization and gives assurance to the Board and management team that the organization is continually managing risk within its appetite. That is easy to say, we know, but many who have tried to implement an ERM program have become bogged down in the details and find such an approach difficult.
To get things rolling, we suggest trying to focus on 7 major themes. First, sit down and think about the bank's own internal structure. Ask yourself how the bank's management team and Board view risk. Try to nail down in a short summary the overall philosophy toward risk, appetite, environment and values the bank espouses. This process will help set the tone and can be done using something as easy as a piece of paper and pen.
Next, focus on corporate objectives. ERM is designed to make sure the objectives are consistent with the risk appetite, so spend some time examining where the bank is heading and whether or not the objectives support the mission.
The third component to consider is the process of conducting a risk assessment. To understand where risks are coming from and what impact they can have, it is important to step back and make an assessment. For this piece, be sure to consider the likelihood of a given risk occurring and the impact of the risk to determine the best way to manage it.
Another key area of consideration is in event identification. Here, bankers will need to separate risk from opportunity and if that risk is derived from internal or external sources (or both). In so doing, risks can be better identified, mitigants put in place to manage and opportunities leveraged.
Once you have potential risks listed, start thinking about how to respond to each. Should you avoid the risk entirely, accept it, reduce it, or mitigate a portion of it? The goal throughout this process is to work to align risks that already exist within the bank's overall risk tolerances and appetite.
Polices and procedures are yet another area banks are quite familiar with and that bear a review as part of the process. Are current policies and procedures effective, do they need refinement; do they lead to additional risk or help control it?
Finally, think about how information flows in, out and through the bank. To manage risk, systems may need to be enhanced in order to identify, capture, monitor and report changes in risk on an ongoing basis.
Don't get too upset if the process seems like it takes awhile to get going. Searching for risk in the bank, identifying its source, determining how acceptable it is and taking action to mitigate or control it is a process unto itself. Our advice is to start simply and continue to slowly build over time.