In a world where bankers feel overwhelmed and disadvantaged by a seemingly one-size-fits-all regulatory environment, there remains one place where a financial institution has the freedom to do things its own way.
It’s a place where best practice dictates that a financial institution’s size, business lines, geography, and complexity be the deciding factor in how a program is structured.
This magical place is called risk management.
While all financial regulatory agencies care about risk, they also recognize that different financial institutions have different needs.
That’s due to the influence of The Committee of Sponsoring Organizations of the Treadway Commission (COSO) and its framework for risk management, including its most recent iteration: Enterprise Risk Management—Integrating with Strategy and Performance. It’s considered the leading approach to ERM.
As COSO explains, “Enterprise risk management is not a function or department. It is the culture, capabilities, and practices that organizations integrate with strategy-setting and apply when they carry out that strategy, with the purpose of managing risk in creating, preserving, and realizing value.”
COSO’s ERM framework is not a one-size-fits-all solution. It’s designed to be useful to organizations and institutions of all sizes, from a $120 million-asset community bank to Bank of America. The beauty of the framework is it provides flexibility when it’s needed. For instance, it doesn’t demand a risk committee or a risk officer, just recommendations for the type of work that needs to be done. It’s also rigid when necessary, specifically when it comes to ensuring that ethics and core values are followed. It doesn’t offer loopholes when it comes to doing the right thing.
Regulatory agencies have followed suit.
“Organizations can meet their specific needs with various tailored approaches that take into account their complexity, resources, and expertise. Credit unions that incorporate ERM into their infrastructure may resource the program internally, through paid consultants, or through a combination of outsourced and internal resources. NCUA does not view any approach as preferable, provided core principles, controls, and due diligence are properly established in the organization.”
NCUA goes on to say that there are several basic components that credit unions are likely to include: a risk culture, clear objectives, event identification, risk assessment, risk response, control activities, information and communication, and monitoring.
“No single risk management system works for all community banks. Each bank should develop a risk management system tailored to its specific needs and circumstances. The sophistication of the risk management system should be commensurate with the bank’s size, complexity, and geographic diversity.”
However, all risk management systems need to identify, measure, and monitor risk, and set risk limits.
For example: “An important first step is selecting the right individual or committee to oversee the bank’s ERM process. While a qualified individual independent from day-to-day business line management is preferred to oversee the ERM process, for a small bank this may not be practical or possible. In that case, consider senior level staff members who have a good understanding of the bank’s operations across the various business lines. For example, a loan officer who does not have a complete understanding of operations or compliance requirements may not be fully capable of assessing all possible issues with a new deposit product. Placing that loan officer on a risk committee with staff members from other business lines, however, may result in an effective process and help ensure all relevant perspectives and potential risks are considered and addressed. As a check and balance, your bank may also consider engaging an outside consultant to periodically review the bank’s ERM process independently.”
When evaluating risk management, Fed examiners look for the following elements:
- Board and senior management oversight
- Policies, procedures, and limits
- Risk monitoring and management information systems
- Internal controls
However, the structure of the program is up to the bank. “An institution’s risk management processes are expected to evolve in sophistication, commensurate with the institution’s asset growth, complexity, and risk. At a larger or more complex organization, the institution should have more sophisticated risk management processes that address the full range of risks.”
The Fed goes on to give specific examples for each element, noting, for example, that while a large bank may benefit from an outside audit of internal controls, that may be overkill for a small institution. “In accordance with the Interagency Guidelines Establishing Standards for Safety and Soundness, a CBO [community banking organization] is expected, at a minimum, to have internal controls, information systems, and internal audit that are appropriate for the size of the institution and the nature, scope, and risk of its activities.”
In discussing each of the major risks banks face, the FDIC says that management should establish a risk management program that identifies, measures, monitors, and controls risks. Its intricacy and detail should be commensurate with the bank’s size, complexity, and activities. Thus, the program should be tailored to the bank’s needs and circumstances.
The Limits of Flexibility
While every risk management program should have the same goals of identifying, measuring, monitoring, and controlling risk, financial institutions have the freedom to structure these programs in a way that is most appropriate for its model, whether it’s one single risk committee, a large risk department or a chief risk officer. In the parlance of the day, you do you.
But that doesn’t mean that financial institutions can take a casual approach to risk management. Regulators have expectations for formal, documented programs that cover specific areas, including board oversight.
They expect you to get from Point A to Point B and show them how you did it. They just give your institution the freedom to decide the best way to get there.
So, the next time compliance mandates get you down, remember there’s one compliance-related area of banking where expectations are broader and programs are self-tailored.