It’s no secret that enterprise risk management should inform every decision the board and C-suite make. Yet there are many ways that ERM falls short:
- It’s reactive. ERM should be a proactive exercise and a priority at board meetings. Responding to problems as they emerge, instead of anticipating and mitigating them, will not make an institution successful.
- It’s stymied by silos. ERM is not a department or solely the domain of the chief risk officer. Everyone needs to be involved and share information.
- It doesn’t inform decision making. ERM adds value to decision making and should be a component of all strategy and objective discussions.
- There’s no ownership. Authority, accountability, and responsibility for risk management should be clearly defined and enforced.
ERM & The Board
The board is responsible for setting an institution’s overall risk tolerance, but that assumes that the board is well equipped to fill this role effectively and ethically. It assumes that the board takes its fiduciary responsibilities seriously. It assumes that when it tasks management with executing strategy, that it watches carefully to ensure that enterprise risk management is central to the process. At the board level, ERM is all about governance, and the board must be aware of these obligations.
It’s essential that the board has the skills, experience, and business knowledge to not take everything management says at face value. Board members aren’t there to rubber stamp management’s plans but to serve as sounding boards and collaborators who ask tough questions and pose alternative strategies and scenarios to understand why the decisions being made are the best choice.
A good board has the knowledge, experience, and skills to understand and question board decisions. Its knowledge and skills should evolve with the times and the challenges facing the institution. Should an institution shift strategies and move into more mortgage or real estate lending, the board’s make up should reflect that. The members need to understand how ERM works and understand how the institution’s objectives match up with its risk taking and tolerance.
Just as important, a board needs to be independent with no conflicts of interest. Board members need to be able to objectively evaluate the institution and its performance. Those with financial relationships, including as an investor, customer, or vendor, may be tempted to make decisions in their own best interest instead of the institution’s. Those with close relationships to management may be unduly influenced by friendship or past employment.
Research has shown that emotions play a role in enterprise risk management. Underachieving is the second most common fear CEOs experience, according to a survey of 116 CEOs and other high-level executives in a variety of industries published in Harvard Business Review. (Imposter syndrome is the first.) The researchers found that fear of underachieving “can sometimes lead them to make bad risks to overcompensate.” Those who fear political attacks from colleagues (the fourth most common fear) are often mistrustful and overcautious. Those who fear looking foolish are less likely to “speak up or have honest conversations.”
These and other fears can result in siloed thinking, lack of ownership, or tolerating bad behavior and result in “poor decision-making, focusing on survival rather than growth… and failing to act unless there’s a crisis.”
One way to avoid this problem is by seeking out executives with emotional intelligence, the study says. These are people that provide “guidelines for communication” and encourage people to “speak up without fear of consequences” because honesty leads to better decision making.
For example, “One financial services company’s business unit CEO has great emotional intelligence, and in running the company over the last four years has created a healthy group dynamic to debate the unit’s strategy and ongoing decisions. The unit’s revenue and profits have grown.”
CFOs & ERM
CFOs and accountants are most closely linked with financial, compliance, and credit risk, yet best practices suggest they are in a position to strongly contribute to ERM.
“To add value, accountants need to be seen as risk experts who are outward-looking and provide valuable insights to manage risk in a way that supports their organizations in responding to uncertainty and achieving their objectives,” wrote the International Federation of Accountants (IFAC) in a report, Enabling the Accountant’s Role in Effective Enterprise Risk Management.
CFOs who take the time to understand risk across the enterprise are better able to communicate the value of engaging in or avoiding activities, IFAC suggests. This includes:
- Aligning risk management with value creation and preservation;
- Driving insights and enabling decisions through provision of risk modeling and analytics, data governance and identification of organizational risk appetite; and
- Enabling integration and interconnectivity by breaking down silos across the organization to share information.
CROs, CEOs, and Incentives
A CRO may be responsible for policies and strategies, but those won’t go anywhere without management and board support. If management chooses to turn a blind eye to risk when tempted by increased profits or encourages a CRO to engage in overly risky strategies, risk management will be nonexistent. Unfortunately, some CEOs were incentivized to prioritize short-term profits over long-term stability leading up to the financial crisis, according to a study in Harvard Business Review.
Research has shown that a contributing factor to the crisis was CFOs who were encouraged to focus on maximizing risk-adjusted returns for shareholders, “using their expertise to bring risk right up to the edge of allowable limits, with no wasteful margin for error.”
“When they [CEOs] had more skin in the game — for example, if they held a lot of stock in the company — they restrained the CRO’s push for risky derivatives. But the opposite was true when CEOs received more compensation in the form of performance pay (like a big cash bonus), which rewards outsize risk taking but doesn’t penalize losses,” the study reported.
Incentives need to align with ERM. In 2016 Wells Fargo agreed to pay $185 million in fines and fire 5,300 employees after thousands of employees secretly opened over 2 million deposit and credit card accounts for unwitting customers—transferring customers’ funds into them and often collecting fees, according to the Consumer Financial Protection Bureau.
It wasn’t just a few bad apples. It was a systemic problem—one spurred by compensation incentives and intense pressure to meet sales goals. Employees were financially incentivized to increase checking and credit card account openings, but it appears Wells Fargo didn’t consider the potential for abuse. Had ERM been part of the decision-making process, the bank might have realized the risk that employees might exploit the system to maximize compensation and built safeguards to prevent it. It could have drafted strong account opening and management policies and procedures and a system to ensure those policies and procedures were followed.
Everyone at an institution, especially those at the top, needs to make risk management a priority. While a smart risk management strategy can help bolster profits, the true goal of risk management is to balance profits with protecting the institution from threats to its long-term success. The board and C-suite need to understand the role of ERM and support its proper execution.