TraceRisk ERM Blog

    The 7 Characteristics of Highly Effective Community Bank ERM Solutions

    Posted by Robert Maslac on Dec 11, 2015 1:06:50 PM

    From time to time, we will be sharing ideas with you that will help your bank achieve the maximum effect from your Enterprise Risk Management (ERM) initiative. We begin with the Integrated Framework “Cube”, which sets forth an organized way of developing your ERM solution, and we’ll keep it simple.

    COSO Integrated Framework - "The Cube"

    The Cube illustrates how to organize your ERM program so that you are clear about what you wish to accomplish. It describes an orderly top-down approach that begins with understanding your Internal Environment which includes Strategy, Operations, Reporting and Compliance.

    [Image: COSO Integrated Framework Cube]

    1.  Objective Setting forms the “scope” of your risk assessment using the environmental elements mentioned above. Defining objectives that are both specific and measurable is critical to accomplishing a meaningful risk assessment. Once you’ve settled on your objectives, you can begin to look at your risk management strategies; that is, how much risk your bank is willing to assume in pursuit of your objectives. That’s called “risk appetite”. If you know your risk appetite, it follows that you can allocate your resources accordingly. Resource allocation in the ERM context should be appropriate to respond to the risks you’ll identify in the next step called Event Identification.

    2.  Event Identification is the process of developing an “inventory” of incidents inside and outside the bank that can affect the achievement of the bank’s strategy and objectives (think people, process and technology). It may be useful to employ the traditional S.W.O.T. technique when working through event identification.

    3.  Risk Assessment is the centerpiece of the Cube. To assess the risk of a subject or group of subjects, you should know what the Key Risk Indicators (KRIs) are within those subjects. The KRIs should be organized in a way that allows for rating/scoring the probability and impact of adverse events or conditions to arrive at a measurable residual risk. Often this is accomplished using mathematical formulae built into software or web-based applications that facilitate the process.

    Anything that affects the achievement of your objectives should be identified by the “owners” of those subjects, functions, areas and activities under review. The owners should consider historical data, current conditions and potentially problematic events or conditions that have or would have an effect (presumably negative) on objective achievement.

    4.  Risk Response is, quite simply, the remediation or mitigation the bank will put in place in order to avoid, transfer, harness, reduce or accept identified risks. Often, there is a cost-benefit relationship in the risk response phase of ERM. Risk appetite and risk tolerance (the acceptable deviation from a risk threshold) also factor into the risk response phase.

    5.  Control Activities are the actual steps the bank will take to manage its risks. Policies, procedures, training, segregation or rotation of duties, authorities and limits assignments, dual controls and many more such actions constitute the control activities that are part of risk management.

    6.  Information & Communication is the internal reporting (communication) of outcomes (information) resulting from the risk assessment process to all levels of the bank, i.e., staff and line personnel, executive management, and, of course, the Board of Directors. Information & Communication will also be external; that is, the bank will report to shareholders, regulators and other agencies (e.g., SEC) on the sufficiency of the bank’s controls.

    7.  Monitoring. Monitoring ensures that internal controls continue to operate effectively. Monitoring

    So, there you have it! A brief primer on how to think about structuring an ERM program for the community bank. It’s called the Integrated Framework, and if you’d like to know more, click the link below!

    LEARN MORE!


    Topics: Community Banking, Enterprise Risk, Compliance, COSO