Enterprise Risk Management

Co-authored by Anat Bird and Tara Heusé Skinner, Vice President and Enterprise Risk Officer, Synovus Corporation

Enterprise Risk Management (ERM) is one of those old-new terms that gets bandied about every 15 years or so by bank executive management, every year by your business continuity department, and, since 9/11, every minute by your insurance underwriters. The term, ERM, is a bit misleading, though, since it implies that the activity has to do entirely with Risk. In reality, ERM has more to do with strategy than typical risk mitigation activities: insurance, fraud prevention and other specific risk containment activities.

ERM rose to the limelight again since Sarbanes-Oxley mandated its existence, and banks have been struggling ever since to define the function with greater specificity and accountability. It is a difficult task since risk management already exists within every bank to some degree, and there are line managers that are responsible for managing specific risks, such as interest rate, credit, liquidity, market, etc. What would the Enterprise Risk Manager do if all these risks are already managed effectively within the company? Is this a redundant position that should only be there to appease the regulators? How does the ERM executive add value to the organization without being perceived as another audit function that looks for what could go wrong in other departments?

The answer is, ERM has to do with strategy, not just hands-on risk management. While many banks are busy figuring out how to stretch their insurance dollar by paying twice the premiums for half the coverage they got a decade ago, ERM should focus more on managing the risks that are inherent to the bank's strategic position and strategic decisions, not just mitigating the risks that are par for the course.
In other words, ERM creates value by recognizing the risks that are integral to each bank's strategy, and then developing tactics to mitigate those risks by taking an enterprise-wide view of such risks, employing a portfolio approach to risk reduction rather than taking a simple risk avoidance perspective.

Julius Caesar supposedly said, "Everything had to be done at once" as he described an unexpected three-pronged attack from an enemy while one part of his force was busy crossing a river, and another setting up camp. The same is true for banking and all other modern businesses. You are busy gaining and keeping a foothold in your markets, staying ahead of the competition and squeezing all of the efficiency you can find in your processes, plus dealing with the analysts and other outside constituencies whose interests and time horizons may differ greatly from yours. ERM, effectively deployed, can facilitate this juggling effort, rather than hinder it.

ERM is the engine behind Basel II, a framework adopted by over 100 countries including the US. It is designed to keep the worldwide financial infrastructure stable by expecting consistent application of certain standards across the globe, thereby evening the playing field and ensuring that all banks meet a minimum of capital and risk management standards. In early 2003 US banking regulators declared that most US banks do not have to comply with the Basel II rules, given the huge price tag associated with compliance and the heavily international flavor of the regulation. At the same time, William J. McDonough, then the Chairman of the Basel Committee and President of the NY Fed, said that Basel II was designed expressly "to provide tangible economic incentives for banks to adopt increasingly sophisticated risk management practices." Unfortunately, Basel II has been anything but a positive economic incentive; it is perceived as another regulatory burden that will create further inequities between mega and ordinary banks.
ERM can be the path to finding the economic incentives in increased risk management sophistication. There are excellent reasons to adopt increasingly sophisticated risk management practices. Here are five things to think about as you look for them:
Everything really does need to be done at once. Bottom line: Superior risk management practices are really good for your bottom line.