RISK MANAGEMENT AND TAZERS

The world we live in can be strange at times. In a sad but true story reported last week by NBC, British police used a stun gun to subdue a blind man. It seems police officers were responding to multiple reports that a man was walking around a small English town with a samurai sword. When police responded, they said they mistook the cane the man was using for the sword in question and when they asked the man to stop and he did not respond (he thought he was about to get mugged), an officer used his Taser. Once they recognized the mistake, police apologized and took the man to a hospital for treatment. We wonder - is it really that difficult to confuse a blind person with a red and white tipped cane as a man carrying a samurai sword? This is a very sad and odd incident indeed. To eliminate this from occurring in the future, perhaps the English police should do a risk assessment on their officers. Many community bankers we know have already been working on risk assessments, as a component part of setting up an overall enterprise risk management (ERM) program. No matter where you are in the risk assessment process, some helpful hints might get you further down the road, so we explore them today. In general, risk assessments should incorporate a systematic approach to identify and assess the possibility that a given event will occur that could adversely affect the bank's ability to achieve its goals and objectives. To fully understand what we are talking about here, let's break this down further. To determine how far the risk assessment needs to go, it is important to understand the bank's objectives and areas of possible risk. To get started, focus on the 80-20 rule and expend efforts on the 20% of objectives that generate 80% of the risk. You can do so by listing risks in the first column of a spreadsheet, then in the next column rating the impact or severity using a number scale and then in the third column rating the likelihood or probability that the event will occur (again using a number scale). Then, using simple math, you can add up or multiply the columns and come up with a "heat map" commonly used to begin the risk assessment process. Once the heat map has been created, you now know where to focus your energy, as you take the next step in this process. Step back, look at the heat map and determine how wiling the bank is to accept each of the risks and what you would do if they were to occur. This information can be invaluable to management teams and boards alike, because it focuses efforts on not only recognizing where risks exist within the bank, but gets both groups thinking about ways to measure, monitor and control those risks. By understanding potentially adverse events, management teams and boards can be more proactive in protecting the bank. The point of assessing risk is to understand where it is coming from and the impact it could have on the bank. The point of having a risk appetite statement is to make sure the bank's acceptable risk levels are understood by all. The point of an enterprise risk management program is to make sure the bank operates within the risk appetite boundaries now and in the future. Managing risk is the responsibility of every business unit, so if you see risk increasing, make sure management is aware New products or services, concentrations, cutting corners, a lack of training, correlations and a host of other factors can all cause or exacerbate risks within the bank, so it is critical to be aware and spread the word when you see an issue surfacing. Banking is a business full of risks and it is management and the board's responsibility to manage those risks. Having a decent risk management framework is also a fundamentally good way to avoid getting tasered by a risk somewhere down the next road.