June 2012 - All businesses face risk. From the high-tech conglomerate to the neighborhood start-up, organizations of all types operate within the ever-present uncertainties of the economy, competition, political and regulatory changes, technological innovations, and the environment. The financial services industry is no exception, and today, it is experiencing one of the most complex risk landscapes ever as it emerges from the recent financial crisis and recession.
In the post-crisis era, financial institutions have largely recapitalized and are flush with liquidity, but they continue to face significant challenges that affect their stability, growth, and profits. High compliance and operating costs and the extended low-rate environment are pressuring margins. Outside forces such as sovereign debt problems in Europe and growing regulatory demands are creating many near-term uncertainties. Furthermore, rapidly evolving technology, such as mobile and social media, is driving a shift in financial services delivery and opening up new security and reputation risks for financial organizations of all sizes.
The key to navigating today’s environment is to know the risks you face, understand their potential impacts, and create plans to manage those risks. While that sounds straightforward, many organizations fall into a one-dimensional risk management approach, isolating risks into silos and managing them with little consideration for how different risks interact and impact multiple areas of the business.
Embracing an Enterprise Risk Management (ERM) framework can empower organizations to break down risk silos, gain a comprehensive view of risk at the senior management and board level, and prioritize, assess, and manage risks as they relate to achieving strategic objectives.
According to the Risk Management Association, ERM is the capability of an organization to understand, control, and articulate the nature and level of risks taken in pursuit of risk-adjusted returns. Risks can be financial in nature, such as credit, liquidity, and capital adequacy risks, as well as driven by outside forces. Often overlooked risks, such as reputation risk, can be equally threatening to an institution’s success. A comprehensive ERM framework provides the mechanisms to identify, measure, and control these risks. It includes defining how much risk an institution is willing to take, how it will govern risk management, what data is needed to measure and evaluate risk, and what controls are needed to mitigate risk.
ERM has become widely adopted by financial institutions as they manage an ever-widening risk landscape. It can help a financial institution not only anticipate risk but also recognize opportunities.
An ERM framework enhances the institution’s ability to quantify risks and determine impacts, optimize risk versus return, and better understand risks that can affect – and derail – strategic priorities. Importantly in today’s environment, ERM can help institutions articulate their financial strength and resiliency during normal and stressed times, which is a necessity when striving to maintain a positive regulatory and rating agency standing.
Enterprise Risk Management at FHLBank Atlanta
FHLBank Atlanta has always viewed risk management as critical to supporting its shareholders’ businesses and protecting their investments in the Bank. Effective risk management helps the Bank develop and deliver products its shareholders need and achieve the financial performance that enables consistent dividend payments.
FHLBank Atlanta launched its formal ERM program after its safety and soundness regulator mandated in 2005 that each FHLBank create an ERM function. The Bank appointed a dedicated officer to direct the ERM program and initially focused on enhancing its risk assessment efforts and establishing an appropriate ERM structure at the management and board level. The program developed rapidly and continues to evolve today.
“We view Enterprise Risk Management as organizational business intelligence and risk optimization,” said Ken Yoo, Chief Risk Officer at FHLBank Atlanta. “It’s not about eliminating risks but acknowledging the ones we live with and determining the appropriate responses, all in relation to weighing risk versus return. The concept of Enterprise Risk Management supports making more informed business decisions, which can be done more effectively by quantifying and evaluating this risk/return tradeoff.”
FHLBank Atlanta began its ERM program by identifying and tracking key risk indicators and assessing their impact on the business. The goal was to make risk assessments forward looking and focused on emerging risks. Numerous reporting tools, including an enterprise-wide risk dashboard and heat map, which displays the entire universe of key and emerging risks, are used for regular management and board updates. As the program evolved, risk assessment and reporting transitioned from an annual event to an ongoing, dynamic process where key enterprise-wide risks are reported on a quarterly basis.
The Bank also implemented stress testing, using a similar methodology created by the Federal Reserve for the 19 largest banks in the United States. The stress test evaluates six key business activities against various economic variables under potential adverse and severe downturns. Results feed into two-year forecasts of income and the balance sheet. In addition to the stress tests, the Bank created a formal risk appetite statement and developed related metrics and reporting.
“Developing a risk appetite statement is a critical part of Enterprise Risk Management,” said Yoo. “It articulates the level of risk an organization is willing to take to pursue its strategic goals.”
From this process, FHLBank Atlanta identified nine categories of risk and defined five levels of risk appetite to be applied to each category. The Bank’s risk appetite framework continually compares current risk exposures for each of the categories to the Bank’s risk appetite and develops trends on how the organization’s risk profile changes over time. Importantly, the process brings all risk factors from across the Bank into a single report.
The Bank’s ERM program will continue to evolve with the changing business environment, but the focus will remain on supporting the Bank’s strategic objectives and ability to meet the needs of its shareholders.
“Our risk management approach is about helping the organization remain financially stable,” said Yoo. “If we can remain resilient in an uncertain environment, we’re better positioned to deliver value to our shareholders.”
Five Steps Financial Institutions Can Take to Build an Enterprise Risk Management Program
Enterprise Risk Management is not a “one size fits all” business approach. An ERM program can be customized to the strategies and makeup of each organization. However, there are certain processes that are critical to implementing an effective ERM program and helping the concept permeate through an organization’s culture.
- Build an organizational structure for ERM and assign an independent risk officer in the organization to be responsible for it. It is important that this dedicated officer has the ability to grasp the organization’s operations and strategies and apply risk management fundamentals to help others understand the overall risk/return profile. CEO leadership is pivotal in setting the appropriate structure and expectations.
- Identify a manageable risk universe and develop key risk indicators. Develop risk trend reporting and compare risks to limits and thresholds. This step will ultimately help define the organization’s risk appetite.
- Develop a formal, ongoing risk assessment process. Once key risks are identified and reporting systems are in place, complete a formal risk assessment at least annually to estimate the likelihood and impact of the risks. Report the results of the risk assessment to senior management and the board on a regular basis.
- Build out more mature risk management activities such as stress testing. Evolving regulations may expand stress testing requirements beyond the top 19 banks to second and third tier institutions. Additionally, create a process to evaluate risks versus returns,estimating the dollar impact of a risk and compare to potential returns.
- Demonstrate progress and value to senior management and the board in order to build support for the program. Evaluate how ERM supports the achievement of strategic objectives on an ongoing basis. Even if a program is working well, an institution should continue to review its practices, evaluating what works and what does not and make adjustments accordingly.