Finding a champion
As a banker, you manage risk daily. You are already running a risk management program, so you do not need a complete overhaul or new staff to start an Enterprise Risk Management program. The first steps in establishing an ERM program should be focused on finding the right champion to spearhead the initiative. Not only is it essential to identify someone with a good rapport across the organization, but also someone with a thorough understanding of banking operations and risk management. This individual need not be hired externally; rather, find someone within the organization who has the right persona and characteristics to take on the responsibility. They should be curious and comfortable engaging with senior management, department heads and employees, which makes it that much easier to keep open lines of communication throughout the process.
Facilitating communication
Once you’ve identified your champion, the next step is to set up and facilitate communication between key parties, such as the CEO, CFO, chief credit officer and pertinent operations personnel. The goal here is to gain a comprehensive understanding of the bank’s strategic directives. By engaging in meaningful conversations with stakeholders, risks can be effectively identified, further providing a solid foundation for the risk management program.
Standardizing risk terminology
It is essential to standardize and quantify risks before you can create a risk management program that aligns with the bank’s objectives. To start, I recommend using a pain scale analogy that you would see in a doctor’s office. What hurts, and how bad does it hurt? You can then categorize risk levels from very low to very high or keep it simple and start with low to high. See Figure 1. This helps stakeholders identify which risks are tolerable and which could require mitigation. By assessing potential losses, you can better gauge their risk appetite and establish measurable metrics for risk exposure.
Figure 1 demonstrates an example of a 5-scale rating that includes quantifiable measurements of losses, as well as harder-to-quantify qualitative impacts. Formulate your risk impacts and have that initial discussion first before getting into the classic formula (Likelihood x Impact = Inherent Risk). It is much more difficult right out of the gate to discuss the likelihood of the risk materializing, but focus on the question, “If this risk happens, how bad could it be?” There is no right answer for the quantifiable loss limits, it is all dependent on your bank’s size and risk appetite. Use numbers that make sense for your bank.
Quantifiable losses should also be considered by risk type (i.e., credit, liquidity, compliance, legal, reputation, strategic, sensitivity to market risk, operational, etc.). Your regulators have already provided you with Reports of Examination categorizing your risks, start with those.
Engaging the board and assessing risk appetite
At this point, it is crucial to involve the board of directors in the risk management process. Specifically, to ensure alignment between senior management and the board as it relates to their respective perspectives on risk. Through reviewing risk appetite statements and pain index metrics, the board gains insight into the bank’s risk profile and can provide valuable input. Opening this type of dialogue ensures that strategic directives are executed within the established risk appetite while promoting a unified approach to risk management. Orienting the board with already existing policy limits will help generate dialogue; start with your pre-established risk limits that are already in place in documents like your ALCO policy to build momentum, then take the same approach across the other risk areas.
Centralizing risk data and reporting
One of the most significant challenges for small community banks is centralizing risk data for analysis, a task that is often siloed across different departments. By structuring and aggregating risk data, you can create a comprehensive view of your risk exposure. In these instances, start simple with Excel spreadsheets to organize and analyze the data, ensuring that it is accessible and understandable for all stakeholders. Once you have a good grasp on the levels of risk, begin to report to the senior management and your board across each of the risk categories. This does not have to be sophisticated, but justify it with a simple dashboard of risk categories, their respective risk levels and some supporting bullet points. Simply put, our strategy is “X,” therefore we are taking “Y” types of risks. Here are our risk levels and whether we are or are not within our risk appetite.
While implementing a risk management program for small community banks can seem daunting, with a clear and systematic approach, it is achievable. With these tips at their disposal, small banks can effectively manage risk, make informed decisions and strengthen their position in an ever-changing financial landscape. Remember, there are valuable, free resources available online from reputable sources that can further aid in building a robust risk management program. By taking proactive steps, any small community bank can safeguard its operations, protect its stakeholders and navigate the dynamic banking environment with the utmost confidence.
Figure 1: Risk Impact Scale