Community Bank ERM Case Study

ERM – it is about winning.

Organizations using resources the most effectively win every time. Enterprise Risk Management (“ERM”) is the bank’s primary tool for resource utilization. Banks without ERM will have a difficult time competing with banks that have embraced this management approach.

Community banks are loaded up with compliance costs. It is essentially a government information tax on the industry. When we talk about ERM, community bankers immediately see this tool as yet another regulatory burden. The reason they do is because regulators usually bring it up around the time the community bank grows to around $1 billion in assets. In actuality, regulators are suggesting this management approach because they have seen in other larger organizations how ERM has had a dramatic impact on the company’s performance. They are not suggesting another compliance burden; they are trying to help the growing community bank compete.

The purpose of ERM has nothing to do with compliance or this information tax that banks are accustomed to paying. ERM is a tool used to provide an exponential return on the bank’s organizational investment. Following is a quick case study on the implementation of ERM by a community bank.

Bank A

Walking into Bank A was like walking back in time. To say the furniture and accessories were out of date would have been a grand understatement. Think shag carpet and woodwork that looks like it is out of an old biker bar. There were some other unique things that I cannot even mention. This organization was being forced by the regulators to implement ERM. We were there to help get them past the regulators, but also to help them understand the tremendous opportunity ERM would create for the organization.

 

Where do we start with ERM?

 

I ride dirt bikes. On this machine I manage my risk. Enduro racing on a dirt bike involves quick calculations of what can often be treacherous situations like driving through tight trees, down deep ravines, up almost completely vertical embankments with jutting rocks and tree roots, through water and mud and the like. You get the picture. I approach each of these recurring scenarios with speed and make split second decisions about whether I can handle what is in front of me. There is usually another way out, but only if I stop my momentum. If I were to deploy ERM in this scenario I would have scanned the trail before I started, determined my risk tolerance for every obstacle and built a bridge out or around the obstacles that I knew I did not have the guts or training to cross in advance. If my competition failed to do this and could not follow my path who wins? You have got it. I win every time.

 

So, with ERM we start with an assessment of the organization’s risk appetite. Strategic plans are required for every bank. Many if not most community banks hire someone to write this plan so it can sit on a shelf and be provided to the regulators when they ask for it. However, a strategic plan should be the organization’s identification and assessment of the road and the obstacles ahead. It should be your decision in advance of just how difficult a trail into the future your organization can handle. The strategic plan should be telling you how you plan to spend your limited and valuable resources.

 

It might be helpful here to define the term risk. Look it up and you will see that the definition can be simply stated as “uncertainty”. Uncertainty is around every corner on my enduro trail or it can be every minute in a banking environment. Therefore, without knowing the level of uncertainty or risk that we face – i.e., risk tolerance – it is impossible to manage that risk. ERM must start with a definition of the organization’s risk tolerance.

 

In our example, the organization had one of those off the shelf strategic plans that no one in the organization beyond the CEO that ordered it had read. Therefore, the bank’s risk tolerance had not officially been decided or communicated. We had to dig it out of them. In our effort to make this assessment here is what we were told – “We don’t want to change. We like everything the way it is today. We like our customer base, our approach, our systems and our teams.” We looked out in the lobby and agreed that this was, in fact, their position. This conclusion may not necessarily be a bad idea. The Bank’s leaders were telling us that their tolerance for something new and changing was very, very low.  We could equate this to my wanting to ride my same old bike the same way I always had because it worked for me before while new competitors were entering my race with a higher tolerance for risk on faster, newer machines.

 

To determine the actual risk tolerance for the Bank we had some simple conversations with senior management to compare the current state to the expected future state for the following topics:

 

  • Customer segments
  • Customer value
  • Delivery channels
  • Customer relationships
  • Cash flow streams
  • Key resources
  • Required activities
  • Necessary Partnerships
  • Cost structure

The answers to these questions helped the Bank’s management team identify where deciding not to change exposed the organization to various levels of risk. For example, while the Bank stayed the same, competitors were increasing customer value through various new delivery channels and attracting new customer relationships that our Bank could not attract.

 

Given a more defined future state for the organization, albeit one reluctant to change, we then turned our focus from the Bank’s risk appetite to its risk management strategies. Risk management simply means that the Bank needs to manage these potential “future” threats, the things that could go right or wrong and stop or slow the Bank’s execution of its future strategies – even if that meant staying the same.

 

Business risks or threats can be categorized into three main groups. These are external threats or those not controlled by the organization, operational threats or the internal stuff, and information-for-decision-making risk. There are lots of sub-categories and we use a risk map that we have defined over the last 30 years to identify key business risks. What we needed to do next for the Bank was perform a risk assessment. This risk assessment is intended to evaluate the Bank’s current risk management strategies, people, processes, and technology that are in place today, but intended to support the “future state” of the organization. This is our advance look down the enduro trail to compare the obstacles we think we will face to our current machinery and skill set. To accomplish this our team interviewed the Board of Directors, senior management, middle management, a sprinkling of staff members, some key service providers, and a few key customers. We reviewed executive and management reporting in each business unit and observed audit and compliance reporting for the past twelve months. We reviewed the Bank’s financial condition including a special review of any extraordinary losses. Our team also looked at customer distribution by type, geography, etc. as well as business continuity and insurable risk management reporting. Generally, our interviews take about 8 to 12 hours and our observations about the same.

 

This “gap analysis” resulted in around 125 observations of potential “threats” to the organization. This means that under pressure of moving to or dealing with a desired future state we anticipate that the existing people, process, or technology could break under this new stress. The good news is that once we prioritized these potential threats then the “high risk” threats were down to around 20 items and around 40 moderate risk threats.

 

Remember, the organization that utilizes its limited resources most effectively wins. In heading to this future state, we had now targeted specific and important risks that needed to be addressed by management. Once we discussed each of these gaps with management, we were able to reduce the truly important risks that could stop or slow the Bank’s execution of its future strategy down to around 15 total issues. Targeted priorities are limits on resource usage like a dam holding back water in a lake. With the strategic plan and the risk assessment the Bank can now open its dam of resources and focus them with power and confidence on strategy execution and on addressing specific threats. Also, by working on these future potential threats in advance the Bank should almost entirely avoid the chaos created by what would otherwise be unexpected events.

 

The key to the community bank ERM model is that this risk assessment and response concept cannot become dormant. With a regular assessment of risk, the Bank can, on an agile basis, regularly re-direct its limited resources to expected “future” threats. Eventually, as future threats are planned for and avoided, the current day-to-day chaos will, in our experience, almost certainly go down dramatically. Everyone is still very busy, but the Bank’s leadership will see a dramatic change in the focus of personnel toward more value-creating strategy execution and less on fighting unexpected fires. It will be like a bridge has been built across the deep ravines, mud, and rock of my enduro dirt bike track making for an easy path to the finish line.

 

The question is how do you turn a one-time risk assessment into an ongoing ERM process. The idea is relatively straightforward, but the execution takes some time and skill to perfect. First, the bank must establish some critical key performance indicators (KRI’s). These KRI’s should exist in each area of the organization and should measure the Bank’s current performance relative to aspects of the business that could stop or slow strategy execution if one or more of these KRI’s are not met. Finding the data and building out these KRI’s is a lot harder than it sounds. This is where it can take some time to get the ERM process fully implemented. Once implemented, what happens next is very valuable, provides focus and results in an extremely targeted use of limited resources.

 

With the KRI’s in place, now across the enterprise the Bank has a complete inventory of how and where its resources should be applied. These three areas represent our business “risk management” efforts focused on the future instead of those issues of today or the past that we would classify as “management” issues. They are as follows:

  1. Strategic initiative development and deployment
  2. Risk assessment gaps that must be corrected
  3. Root causes of sustained KRI’s that are important and underperforming.

Throughout the remainder of the year, the Bank would establish an ERM committee that will update and address each of these “lists” on a regular basis. We always recommend a monthly meeting because the environment changes constantly and priorities should follow suit promptly. Annually or perhaps every two years the management team can re-address its overall risk appetite through an updated strategic plan and gap analysis.

 

In addition to the process above, it is important to train the Board of Directors and the management team on the purpose of the ERM process, KRI’s, etc. so that the organization is speaking the same language. We were able to accomplish that as well in this example. Ultimately, within one year of implementing this process performance increased in the areas of new loans, deposit customers, use of technology and efficiency. The Bank’s performance caught the attention of another institution and the Bank’s owners were able to sell the Bank at a much greater multiple than would have ever been achieved in its old operating state.

 

While this is an example of ERM in a financial institution, the theory applies across any organization large or small. The more limited the resources, the more important an ERM function is to the organization. We would love to answer any questions you may have about the purpose of ERM.