ERM, HALLOWEEN AND THE IMPORTANCE OF CULTURE

In honor of Halloween today, we begin with a Reuters report of a newly discovered "headless" ladybug. The insect apparently can pull its head into its throat; much like a turtle pulls its head into its shell. As of this point, there are just two known specimens of this ladybug (known as ladybird beetles), making it the rarest species in the U.S. We think author Washington Irving, who wrote The Legend of Sleepy Hollow, would be interested in seeing this bug if he were still alive today - Happy Halloween. Yesterday's edition focused on the value of doing a risk assessment as part of a decent enterprise risk management (ERM) program, the point of doing it and the purpose of setting a risk appetite statement. Today, we pick up with a discussion around how to make a cultural shift toward embracing ERM at a community bank. For a long time, community banks have actively monitored and managed the biggest risk of all - credit. That is good as it is a significant portion of ERM for a community bank. Credit risk management is critical, but how this risk and others are managed within a broader context is also important. Risks can come from all angles, so beyond credit risk it is important to incorporate market, operational, liquidity, legal and reputational risks into an ERM program. Examiners will look at these risks every time, so having a program that expressly tracks and manages them is a great place to start. Once the risk components are identified, you then need to sit down to discuss how to deal with each one. For instance, asking such questions as: who will be in charge of monitoring each risk; what reports will be produced to track the risk; whether the risk is getting better, worse or the same; what actions are needed to protect the bank against unacceptable levels of each risk and other questions are all part of that vetting process. Once these two big pieces are completed, it then becomes the role of senior managers throughout the bank to adopt a culture of risk management. It must be aligned with business objectives and strategy. The very best banks also make sure employees understand how they fit into the puzzle and how they can directly or indirectly impact things. It is crucial that everyone in the bank take direct responsibility to manage risk. Employees throughout the bank should be encouraged to raise the awareness of managers when they see something that doesn't make sense from a risk standpoint or that does not seem to follow the stated risk appetite statement. It is then incumbent upon managers to provide positive feedback to staff, to ensure the feedback process is positive and the bank is protected over the long-term. In similar fashion, every new hire to the bank should be taught how important it is to be aware of and take proactive steps to protect the bank against undue risks. Ethics are critical; as are proper policies and procedures, but everything eventually boils down to people. Having open channels of communication are the single best way we know to make sure risks are surfaced quickly, before they become too big to manage. Finally, it is important to keep your eyes and ears open as a management team. Poor decisions are usually made by a small handful of people, but they can be very impactful. Understanding this, reinforcing the value of ethical and professional behavior at all times and making sure all employees know policies and procedures are all good places to focus additional resources. Enjoy Halloween and beware the ghosts and goblins that tend to haunt any decent enterprise risk program to avoid a frightful result. Carefully navigate your own risk by steering your broomstick safely around the neighborhood this Halloween.