When we tried to return home from a recent banking conference in the Midwest, we found that someone who worked in the air traffic control center in Chicago (which directs traffic across a 7-state area) had decided to express his dissatisfaction with his life and work by setting the facility on fire. Given that Chicago O'Hare International Airport is the busiest airport in the country, one has to question the advisability of letting an unstable person (or anyone else) have access to the wiring and computer equipment that controls crucial functions without dual control. Banks always require such controls when it comes to money, wires, ACH, etc., so this baffles us. This fellow's action resulted in more than 2,000 flights being cancelled all across the US, and many people were not able to get to their destination for 3 or 4 days. We can only wonder what Enterprise Risk Management (ERM) plan the air traffic control facility had in place and, now that this has occurred, what their Plan B is.
In banking, ERM is being called a bank regulatory "hot button" and a best practice, but it is really more than that. It is a means of measuring whether banks have the ability to identify, monitor and measure risk to protect them from such dire incidents. When things go bad, regulators often find a lack of adequate risk management, particularly in identifying the root cause of identified weaknesses. This makes banks unable to appropriately address those weaknesses, and as a result regulators are looking more closely at risk management practices.
More specifically, ERM focuses on identifying, monitoring and controlling the risks that impact the earnings and capital of a bank. In the past, examiners typically asked what the bank's risk management process was, what the most important risks were, and how they were monitored and reported. Expected responses included board reports and minutes, policies and procedures, internal/external audits and a formal risk management program.
As risks have evolved, risk management has also evolved. Questions now are more likely to be phrased as "let's see your risk management system," along with requests for the business continuity plan and evidence that testing has occurred. More and more, regulators want to see something formalized. They are looking for active board and senior management oversight, adequate policies, procedures and limits, adequate risk management, and comprehensive internal controls. Beyond that, regulators expect risk measurement to be both quantitative and qualitative, especially around new products and services.
For community banks, creating a workable ERM system should include a number of steps such as: departmental self-assessment, senior management review, distillation down to a "Top 10 Risks" list, and an ongoing process for updating that list to reflect any changes. Once the Top 10 are determined, consequences, risk mitigators and monitoring tools should be identified, along with the ability to monitor the level and trend of each risk. Not all risks need to be addressed and some may be low risk or low priority, but they should still be identified.
None of this is a new concept; it is just a formalization of what banks have done in one way or another for some time. ERM can enhance shareholder value, so don't go at it just as a regulatory check box. Build something that can help your bank.
Thinking back to the air traffic control incident, it was an inconvenience to countless travelers and likely cost the airline industry a bundle. One surely hopes that serious ERM work will take place at the FAA, and given this real-life example, it is worth doing at your bank too. Beyond that, watching the beleaguered airline representative try to reschedule hundreds of people at an understaffed desk makes one consider lightly staffed branches and what can happen when things don't go according to Plan A. Protect your bank, customers and staff with a comprehensive ERM program. It creates a Plan B, so everyone knows what to do if your bank experiences an adverse event.