The OCC Walks the Enterprise Risk Management Walk—and So Should You

For years regulatory agencies, including the Office of the Comptroller of the Currency, have emphasized the importance of enterprise risk management (ERM) at financial institutions. Now the OCC is taking its own advice—and sharing its findings.

The agency’s recently released “Enterprise Risk Appetite Statement” is the work of its Office of Enterprise Risk Management, a function created last summer to “identify, evaluate, and manage risks to the agency,” according to the press release announcing its creation.

But more than that, it gives us a strong example of best practices.

  1. A holistic framework. Instead of considering risk from a piecemeal perspective, the OCC uses a holistic framework. It systematically evaluates risk in nine separate categories—supervision, human capital, strategic, reputation, technology, operational, legal, external and financial—and how those risks may “affect the agency’s ability to achieve its strategic goals.”

Financial institutions should use a similar approach, including vendor management, cyber security, business continuity planning and compliance under the umbrella of enterprise risk management for cohesive planning.

  2. Involving risk assessment in strategic planning. While the OCC is conservative by nature and its overarching priority is the safety and soundness of the federal banking system, it recognizes that “it is not practical or desirable to avoid all risk,” especially in an evolving financial landscape. Thus, the agency thoughtfully reviewed each ERM risk category, labeling its risk appetite as low, moderate or high.

It wasn’t a broad exercise. The agency dove into the details, separately assessing subcategories and giving the reasons for its assigned risk appetite.

For example, while the OCC has a low overall appetite for technology risk—including no risk tolerance for data security or business continuity planning—it’s open to moderate risk when it comes to innovative technology solutions.

This shows risk management isn’t a simple yes or no situation. It’s a careful discussion that balances safety and soundness with flexibility and opportunities for innovation. Reasons for every decision should be carefully documented.

  3. Someone to oversee it all. With the creation of the office, the OCC appointed its first-ever Chief Risk Officer, Linda Cunningham. More than a figurehead, she participates in the OCC Executive Committee and its National Risk Committee and reports directly to the Comptroller of the Currency.

Not only does she have the ear of the executive team, she has the power to ensure that the agency’s risk management objectives and strategies are communicated across the OCC—critical to making the initiative a success.

Financial institutions should be following the OCC’s lead on ERM. Make sure you have a strategic ERM plan that uses a holistic approach to risk management—one where every major risk category is systematically evaluated. Recognize the need for innovation, creativity and efficiency when assessing the institution’s risk comfort level—and document the reasons why. And put someone with authority in charge, ensuring that ERM is not just a thought exercise, but a central, bank-wide priority.