KISS - Keep It Simple, Silly: ERM Guidance in Layman's Terms
Enterprise Risk Management, or “ERM” for short, came into clear focus when, in 2000, the Office of the Comptroller of the Currency (OCC) issued Bulletin OCC 2000-16 on Risk Modeling. For the first time, the agency was expressing its concerns about how [national] banks were measuring risk exposure across all aspects of their operations. In the years following, the OCC, FDIC, FRB and FFIEC issued literally hundreds of guidance letters on ERM and community banks have wrestled with how to cope with the Risk Management process ever since.
And, it’s not getting easier. See the OCC’s recent announcement regarding the strengthening of its Risk Analysis Division by appointing a Deputy Comptroller for Risk Analysis (see OCC News Release 2011-153), who “will play a vital role in the OCC’s supervision of national banks, and, as a group, they provide the expertise we depend on to ensure that banks use quantitative models safely and effectively.” Then there is the FDIC’s recent press release: “The Board of Directors of the Federal Deposit Insurance Corporation (FDIC) today approved the organizational plan of the Office of Corporate Risk Management (OCRM) that will assess external and internal risks faced by the FDIC.” These announcements suggest the OCC and FDIC will be intensifying their scrutiny of ERM initiatives at community banks in 2012 and beyond. So, how can you prepare?
In our first installment, entitled “Use the CUBE”, we broke down the elements of the Basel Commission’s Integrated Framework so you could see how the ERM process works. If you missed it, ask for a copy by contacting us at rmaslac@tracerisk.com.
In this issue, we’ll focus on how to simplify your ERM to achieve the desired results. And we’ll use an old favorite acronym, “KISS” (“Keep It Simple, Stupid”), to help get you started.
Let’s begin by establishing an overall structure for ERM. The officer responsible for risk management should develop an ERM charter and policy (get your peer-reviewed Risk Charter here if you don't have one), a comprehensive risk assessment, procedures for mitigating and monitoring risk, and a good communications system. Developing risk policies, procedures and a charter will require some thoughtfulness: if they are too stringent, you’ll stifle creativity and become a slave to the provisions in the documents; if they are too relaxed, you’ll lose alignment with your objectives. It may be helpful to obtain an opinion on your final product from legal counsel, your internal auditors or an ERM consultant.
The centerpiece of the program is a good risk assessment tool that will help C-Suite officers understand real and potential risks so that they can decide how to accept, reduce, avoid, transfer and harness real, perceived and emerging risks. Some banks develop their own risk assessment tools, while many others acquire risk assessment tools from industry experts. Either way, be careful to choose a risk assessment methodology that closely fits your bank’s operating profile, product and service offerings, budget and ease-of-use expectations. If the tool is too complex or costly, it will likely not be effective. And, don’t forget that your internal auditors can be very helpful in working with you in the assessment process. The illustration on the next page describes the areas where internal audit can provide meaningful assistance.
As you perform your risk assessments, keep in mind that your Board and your regulators will have plenty of questions regarding the conclusions you reached, so be prepared to provide both narrative explanations and references that support your outcomes. Simple scores or ratings will not suffice.
Once you’ve completed your risk assessments and ascertained where risk exceeds the bank’s risk appetite or risk tolerance, the applicable officers, staff, board members, service providers and vendors should be invited to actively participate in the remediation process. As risks are addressed, it will be important to document the corrective actions taken and the testing performed that validated the effectiveness of the remediation.
Then, when you’ve completed these steps, you’ll be ready to report on the status and activities of your Enterprise Risk Management Program with confidence.
How Auditors Can and Should Participate in Enterprise Risk Management