“I can’t give you any feedback on your ERM Program. You’re the only small community bank that at $250MM in assets, has a complete ERM Program. Keep doing what you’re doing.” Those were the words of my FDIC examiner when I presented to them my first complete ERM program for the bank I helped start. At that point back in 2012, the bank had just reached the $250MM asset size and was about seven years old. During another conversation, my FDIC examiners told me that the bank “had a strong foundation and a solid infrastructure.”
As the CFO & COO of the bank and later as the CRO, those words made me feel good and I can tell you I slept well the almost ten years I spent with the bank from inception until I left to start Malzahn Strategic. However, those words also left me with the feeling that I was on my own, with very little guidance to continue developing the ERM Program. The lack of guidance is precisely one of the main reasons small community banks are not ready, nor able in many cases, to create a complete ERM Program. The other reason is because creating an ERM Program is not, at least not yet for small community banks under a certain asset size, a regulatory requirement.
I would never want more regulatory requirements for banks. Instead, I strongly recommend that community banks under $500MM in assets establish a complete, yet simple, ERM Program. There are several ERM software packages available. However, they are too expensive and too cumbersome for small banks to use. They simply don’t have the time, resources, internal expertise, or the energy to devote to such programs. But small community banks don’t have to use those sophisticated and intimidating software packages. What the regulators want is for banks to know all their risks, put mitigating factors in place, and be aware of the residual risks they have in every area of the bank. Regulators want to know that you know your story from the risk perspective.
Even though credit risk is one of the biggest risks for banks, they now also have to focus on other important risks such as technology and operational risk. Unfortunately all the risks are interrelated. If one high risk area is affected, the ripple effects flow to the other risk areas such as capital, earnings, legal, or reputational, for example.
There is the perception that creating a complete ERM program is monumental and banks then tend to focus on certain pieces such as Cybersecurity, or Compliance, or the Disaster Recovery Plan, and they are not looking at the “enterprise-wide” approach. They are missing opportunities to make their bank the best it can be. They are missing all the benefits of having a complete ERM Program. So today I would like to share some of those benefits:
- Establish best practices enterprise-wide. When you create an ERM Program, it forces you to look at your entire organization and many of the practices that get implemented are best practices that will help the bank overall, not just to mitigate a specific risk.
- Increase efficiencies. The same way, as you establish new best practices, you find other ways of doing things and, as a byproduct, your bank becomes more efficient. Efficiency ratio is a key measurement of profitability and most banks are looking for ways to become more efficient.
- Establish an ERM process. One of the best practices that you should establish is an “ERM process,” which means now you have a process to run new ideas through. For example, if you are thinking of adding a new division or a new product, you answer a series of questions such as “What are the new risks the bank will have by adding this new division or product?” and “How are we going to mitigate those new risks?” “Is the reward worth the new risks?” Going through this process will eliminate not only new unnecessary risks, but will also save your staff valuable time wasted on new products or divisions that may not be profitable for your bank.
- Build the team. One of the best results of creating an ERM Program is creating an ERM team. When I created the ERM Committee, I carefully selected one person from each area of the bank to represent that area and to bring their opinion and expertise to the table. This practice not only helped create a complete program but it also built the team like nothing had before. Now each team member learned about other areas of the bank and learned the importance of each of those areas. They also saw how the entire bank worked as a whole, as one company. That was the most rewarding experience I had during this process.
- Create awareness, enterprise-wide. When you establish an ERM program across the organization, employees learn about other areas of the bank and become aware of potential risks the company may encounter in the future. The program, as a byproduct, creates a “risk aware” culture. Everyone is looking out for the good of the company.
- Opportunity to assess risk, enterprise-wide. The process of conducting a risk assessment organization-wide, uncovers risks that most owners/leaders had not thought about in the past. As you put in place mitigating factors, and educate the staff, you improve processes across the board and are able to eliminate some of the risks.
- Prepare for the future. There is nothing like knowing your current risks and potential new risks to help you prepare for the future. The process of testing your processes, current systems, disaster recovery plan, or business continuity plan, opens your eyes to be prepared for the future.
- Create accountability. The ERM committee meets with regularity through the year (even as little as quarterly) and committee members have an on-going list of monitoring and reporting tasks. Results of testing, running new products through the ERM process, and the reporting to the Board of Directors, creates continued accountability within the organization.
- Educate and involve the Board of Directors. Very few banks have completed a Board Risk Appetite and Tolerance Statement. But this is a very important step to complete. This is the summary of all your bank policies along with the level of tolerance/risk you’re willing to take in the various risk categories. From here, you can sound the alarm when your bank is approaching the high level of tolerance in the various risk categories.
- Create a sound infrastructure and a solid foundation. Putting in place a complete, yet simple, ERM program, in the end creates a sound infrastructure and a solid foundation upon which your bank will grow into the future.
Okay, there were eleven benefits but the “Ten Benefits” sounded better for the title!
Tell your story from the risk perspective. Once your ERM program is complete you will feel equipped to tell your bank’s story from the risk perspective—not just the credit risk perspective but from all potential risks your bank could possibly be faced with now and in the future.
These are some of the great benefits that your bank can enjoy from implementing a complete, yet simple, ERM program. At Malzahn Strategic (www.malzahnstrategic.com) we work with banks that want to increase their profitability by improving their operational efficiencies. We focus on Strategic Planning, Enterprise Risk Management and Talent Management.