Enterprise Risk Management
During our recent history of the realization of a substantial number of regulatory impacts as a result of our economic downturn and the associated crises experienced within recent years, one of the most immediate impacts likely to affect community banks is a renewed regulatory emphasis on the concept of enterprise risk management. Core components of this concept, strategic planning and budgeting, have been present within the risk management systems of many banks for a number of years; however, regulatory agencies are now expressing an increased emphasis on this concept as the primary method by which institutions may monitor and control risk effectively.
Risk Assessment
One of the criteria most frequently referenced in the context of the development of an enterprise risk management system is the creation of an integrated, forward-looking risk assessment of all critical functions of the bank. In past years, most institutions have developed an array of risk assessment processes in response to various regulatory mandates, such as the information technology risk assessment required by the Gramm-Leach-Bliley Act, the Bank Secrecy Act risk assessment, and the identity theft risk assessment now required by the Fair Credit Reporting Act. Other banks, particularly those facing increased regulatory scrutiny, have also developed risk assessments to determine the adequacy of current capital levels with respect to their operating environment, taking into consideration factors such as asset quality, earnings strength, operational and fiduciary risks, and management effectiveness. Many institutions have also developed risk assessments to determine the level of audit coverage required over all key operational functions within the bank. In contrast to these independent, stand-alone risk assessments, regulators are now encouraging banks to develop a comprehensive risk management system that considers all risks to the bank, which may arise from safety and soundness concerns such as risks to capital, asset quality, management, earnings, liquidity, and rate sensitivity, as well as compliance, legal, or operational risks. This integrated risk management approach is being strongly encouraged due to the perception among the regulatory agencies that many failed or problem institutions failed to appropriately recognize and control all risks present within their operating environment. In application, this integrated planning approach will result in each business activity being controlled through a risk management program, which is united under a single umbrella of various modular risk assessment processes.
Response to Change
In order to assume a proactive stance in the management of the bank’s regulatory relationships, as well as to ensure that all risks facing the enterprise have been acknowledged, accepted, and mitigated where possible, the Board of Directors and senior bank management should establish a process to periodically re-evaluate their strategic plans and ensure that current risk assessment processes are sufficient to identify outstanding risks and potential vulnerabilities. In the opinion of the author, the days in which a community bank could present an abbreviated, overly generalized strategic plan to their examiners are quickly reaching a close. Examiners throughout the agencies are beginning to require institutions to develop strategic plans which clearly define specific operational targets over both a short and long-term time horizon. These objectives should be measurable in nature and the strategic plan should assign responsibility for the achievement of these objectives to specific personnel or positions. These objectives should also clearly acknowledge weaknesses in the bank’s current condition and provide guidance for the actions necessary to effectively mitigate these weaknesses. As an example, due to historically low interest rate environments, many institutions are experiencing declining net interest margins, creating greater difficulty in supporting infrastructure costs and diminishing an earnings forecast already weakened by loan losses.
In addition to measurable objectives for considerations such as portfolio growth, earnings targets, capital levels, and liquidity, the strategic plan should also provide consideration of other key concerns such as the establishment and maintenance of a comprehensive Compliance Management System (CMS) through which the regulatory and legal requirements applicable to the bank may be satisfied. As noted in a previous Compliance Corner article, the impact of regulatory reform, including the Dodd-Frank Wall Street Reform and Consumer Protection Act, is almost certainly going to result in a substantial increase in the consumer compliance burdens faced by community banks. Due to these recent regulatory reforms, as well as the scrutiny levied against the banking industry by Congress and various consumer groups, it is certainly not unreasonable to expect a notable increase in levels of scrutiny during future consumer compliance examinations. As institutions prepare to meet these additional compliance requirements, the Board and management should ensure these compliance risks are fully considered within the framework of their institution’s enterprise risk management system and that adequate resources have been allocated to the bank’s compliance function to effectively mitigate the risk of substantial consumer compliance violations.
As a complement to the development of a comprehensive, detailed strategic plan, senior management should also ensure that the bank’s budgeting projections provide adequate consideration of the goals and objectives outlined within the formal strategic plan. As an example, management should ensure that growth, liquidity, and capital projections outlined in the strategic plan are reasonable and accurately reflected within the bank’s budget projections. Management should also ensure that a defined process exists whereby actual performance may be contrasted against budgeted projections on a periodic basis. Reports regarding the accuracy of these budget projections should also be forwarded to the Board in order to allow for active monitoring of the bank’s progress toward realizing the established strategic objectives.
Although much of the banking industry is focused upon the impending changes resulting from the Dodd-Frank Act, as well as other recent regulatory amendments, evolving perspectives and standards promulgated by the regulatory agencies in relation to enterprise risk management are likely to have a considerably greater impact upon your institution within the course of the following year. Institutions that do not have a well-developed strategic planning and budgeting process or an effective enterprise risk management program should be mindful of these emerging requirements as these concerns will likely become a key factor in the course of upcoming examinations.