Gallup finds 70% of people take their doctor's advice without getting a 2nd opinion or doing additional research. That is spooky when you consider a story that ran on CBS that found find people are misdiagnosed about 40% of the time and of those, 10% to 12% were so significant that if done properly in the first place, the person would not have died. Another 2005 study by the American Medical Association puts the misdiagnosis percentage closer to 10% to 15%. No matter, because the next time we get sick we are going to hit the internet to see what else might be wrong and get a 2nd opinion.
Managing risk is a tricky business and it is not always intuitive which path is the best one to take. To get started in enterprise risk management (ERM), community banks can take a few concrete steps. Begin the process by identifying someone who will be the chief risk officer. This person has the responsibility to make sure the bank is in full compliance with all regulations and is the executive that will drive development and implementation of an ERM strategy that incorporates all aspects of risk. They should have the acumen and drive to provide leadership and direction around ERM; establish an integrated risk management framework to capture risks across the bank; develop policies, procedures and processes to proactively manage the risk appetite of the bank; create reports to show key risk exposures and provide early detection of changing risks; develop a way to allocate capital to business lines based on risk; and communicate with and train employees on risk management. This person has an overriding goal of creating an integrated approach to managing risk throughout the bank.
Next, develop a risk appetite statement and distribute it throughout the bank. The risk appetite determines the amount and types of risk that a bank is willing to take in pursuit of a desired level of return. To begin this process, start by examining where you are today in terms of the bank's strategic objectives and stakeholder expectations. These can include a desired shareholder return, capital adequacy, regulatory standing, etc. The next phase is a review of existing business lines to determine how much risk is currently being taken in terms of capital, capacity to take risk, potential losses, etc. Once that is understood, consider setting risk thresholds to ensure the bank has the ability to withstand the risks of the current structure. Are you within your risk tolerances right now, or do you need to make some changes? Finally, make sure the appetite statement is discussed at length and formally approved by the Board. A robust appetite statement should incorporate a balanced mix of quantitative (capital adequacy, ROA, ROE, earnings volatility, etc.) and qualitative measures (reputational risk, regulatory standing, etc.). Overall, the goal here is to set a clear strategic direction around risk, tolerances and controls.
After the risk appetite statement, banks should develop a risk appetite framework. Here, bankers should conduct a risk assessment to identify risks within the bank; quantify risks to prioritize them; aggregate risks to begin to form a basis for controlling them; set up a way to monitor and report performance against risk-based limits driven by the risk appetite; and optimize the risks (align costs/benefits).
A 2010 survey by Bank Systems & Technology found 40% of banks expect to materially increase spending on risk management. That isn't surprising when you consider how important ERM is to both Boards and regulators these days. For those who still haven't yet embraced ERM, you may want to consider this a 2nd opinion and reconsider.