While regulatory pressures following the worst financial crisis since the Great Depression may have been the impetus for many financial institutions to adopt enterprise risk management, several community banks and credit unions now embrace ERM as a tool to help them balance their risks and opportunities.
User-friendly ERM software products, consulting services and training programs being made available through industry trade associations are helping ease financial institutions' transition to ERM from traditional operational risk management, industry experts say.
“If there is no risk, there are no profits. Every banker gets this,” said Michael Cohn, director of WolfPAC Solutions, a division of Boston-based Wolf & Co. P.C. that provides ERM software and consulting services to financial institutions.
Incorporating ERM into a community bank or credit union's strategic planning process not only helps them identify the risks to their operations that need to be mitigated, but also what risks they may be willing to take to grow their business, he said.
“Historically, risk management is a backward-looking view of breakdowns, threats and vulnerabilities. ERM for financial services firms enables them to leverage opportunities quicker and expand their reach from a consumer-lending perspective,” said Tony Ferris, managing partner at The Rochdale Group Inc., an Overland Park, Kan.-based ERM consultant that focuses on financial institutions.
“People are beginning to realize that you can extract real value from ERM if it is implemented effectively,” said William Bruce, a London-based senior vice president at Marsh Risk Consulting, a unit of Marsh Inc., who specializes in the financial services industry.
However, for an ERM program to be effective, “you need to secure the endorsement from the organization's leadership,” which includes members of a financial institution's board of directors as well as members of management, he said.
Public Service Credit Union launched its enterprise risk management program about 41/2 years ago, partly in response to regulatory changes, but also to identify growth opportunities, said Cyndi Koan, executive vice president and chief strategy officer at the Denver-based financial institution with $1.3 billion in assets.
“During the recession, we hired someone to develop a robust enterprise risk management program,” Ms. Koan said.
In addition to a vice president of risk management who developed the program and a risk management coordinator to assist in the effort, the credit union has a risk management committee made up of department heads who meet monthly to identify and evaluate existing and emerging risks and mitigation efforts, and see whether there is any residual risk left over after those measures are employed, Ms. Koan said.
The risks are sorted into seven categories — interest rate risk, credit risk, strategic risk, transaction risk, liquidity risk, compliance risk and reputation risk. The risks are fed into software, ERM Director, that Rochdale developed. It uses Monte Carlo simulations to evaluate the probability of certain risks occurring and provides a range of possible outcomes.
This ERM exercise revealed that the credit union had the appetite to take on some additional credit risk.
“That has allowed us to make loans to people with slightly lower credit scores than in the past,” Ms. Koan said. To mitigate that risk, the credit union charges those individuals somewhat higher interest rates, she said.
The ERM process also revealed that “we had more mitigation in place than we realized,” Ms. Koan said. “We had done more things than we had documentation around. So it certainly renewed our efforts to make sure our documentation and operational policies and procedures are up to date and clearly outline all the steps that were taken.”
While ERM now is embedded in the Denver-based credit union's business strategy, Mazuma Credit Union in Kansas City, Mo., introduced its ERM program less than a year ago, said Shannon Dawson, director of risk management at the financial institution, which has $476 million in assets.
“The executive team saw the need to enhance the risk management,” said Mr. Dawson, who assumed his new post 10 months ago after working previously as a bank examiner in the federal Office of the Comptroller of the Currency.
“We're trying to remove the silos from risk management, make it a more integrated approach to identifying, evaluating and managing our risks within our organization,” Mr. Dawson said. “We believe that can help us optimize our performance levels. We don't just focus on the so-called "bad risks.' We also look at opportunity costs, the risk levels we are willing to take on. Maybe we're not taking enough risk or maybe we're not implementing the right processes to maximize our returns.”
Mr. Dawson also uses ERM Director, which contains a “risk library” of approximately 260 risks he has identified, including “third-party data breach,” which was added following the year-end 2013 data breach announced by Target Corp.
Both Mazuma and the Denver-based credit union are reissuing credit cards to members who are concerned that their information may have been compromised by the breach, Mr. Dawson and Ms. Koan said.
“That was a risk we could not control,” Ms. Dawson said. “But how we respond, we can control.”