Enterprise Risk Management

Co-authored by Anat Bird and Tara Heusé Skinner, Vice President and Enterprise Risk Officer, Synovus Corporation

Enterprise Risk Management (ERM) is one of those old-new terms that gets bandied about every 15 years or so by bank executive management, every year by your business continuity department, and, since 9/11, every minute by your insurance underwriters. The term, ERM, is a bit misleading, though, since it implies that the activity has to do entirely with Risk. In reality, ERM has more to do with strategy than typical risk mitigation activities: insurance, fraud prevention and other specific risk containment activities.

ERM rose to the limelight again when Sarbanes-Oxley mandated its existence, and banks have been struggling ever since to define the function with greater specificity and accountability. It is a difficult task since risk management already exists within every bank to some degree, and there are line managers who are responsible for managing specific risks, such as interest rate, credit, liquidity, market, etc. What would the Enterprise Risk Manager do if all these risks are already managed effectively within the company? Is this a redundant position that should only be there to appease the regulators? How does the ERM executive add value to the organization without being perceived as another audit function that looks for what could go wrong in other departments?

The answer is, ERM has to do with strategy, not just hands-on risk management. While many banks are busy figuring out how to stretch their insurance dollar by paying twice the premiums for half the coverage they got a decade ago, ERM should focus more on managing the risks that are inherent to the bank's strategic position and strategic decisions, not just mitigating the risks that are par for the course. In other words, ERM creates value by recognizing the risks that are integral to each bank's strategy, and then develops tactics to mitigate those risks by taking an enterprise-wide view of such risks, employing a portfolio approach to risk reduction rather than taking a simple risk avoidance perspective.

Julius Caesar supposedly said, "Everything had to be done at once" as he described an unexpected three-pronged attack from an enemy while one part of his force was busy crossing a river, and another setting up camp. The same is true for banking and all other modern businesses. You are busy gaining and keeping a foothold in your markets, staying ahead of the competition and squeezing all of the efficiency you can find in your processes, plus dealing with the analysts and other outside constituencies whose interests and time horizons may differ greatly from yours. ERM, effectively deployed, can facilitate this juggling effort, rather than hinder it.

ERM is the engine behind Basel II, a framework adopted by over 100 countries including the US. It is designed to keep the worldwide financial infrastructure stable by expecting consistent application of certain standards across the globe, thereby evening the playing field and ensuring that all banks meet a minimum of capital and risk management standards. In early 2003 US banking regulators declared that most US banks do not have to comply with the Basel II rules, given the huge price tag associated with compliance and the heavily international flavor of the regulation. At the same time, William J. McDonough, then the Chairman of the Basel Committee and President of the NY Fed, said that Basel II was designed expressly "to provide tangible economic incentives for banks to adopt increasingly sophisticated risk management practices." Unfortunately, Basel II has been anything but a positive economic incentive; it is perceived as another regulatory burden that will create further inequities between mega and ordinary banks.

ERM can be the path to finding the economic incentives in increased risk management sophistication. There are excellent reasons to adopt increasingly sophisticated risk management practices. Here are five things to think about as you look for them:

  1. GO ON AN INCENTIVE HUNT. There are tangible economic incentives; some will be easy to find, others, harder and unique to your institution. Possibilities include:
    • LOWER CAPITAL ALLOCATION. Basel's intent can apply to non-Basel banks. The banks that are able to measure their risks accordingly may be able to effectively reduce the amount of capital they have to set aside for their risks. Current rules about capital are of a "one size fits all" nature and don't reflect your level of risk-taking or risk-averseness. Measure your risk; lower your capital.
    • IMPROVED RATING. Despite the rhetoric right now, do you honestly expect that the ratings agencies are going to view all banks in the same manner? Non-Basel banks won't be punished for being non-Basel banks, but those banks that have sophisticated means to measure and monitor their risks are going to be deemed worthy of higher ratings. What will just one ratings grade do to your cost and availability of funds?
  2. YOU WILL BE JUDGED BY YOUR OVERSIGHT AND CONTROLS:
    • MARKET CAP. If you are publicly held, the words "market cap premium" should get your attention. In addition to the ratings agencies, Wall Street isn't planning on treating sophisticated banks and unsophisticated banks the same way either. Will it improve your market cap premium if you apply analytical rigor to your enterprise-wide risks? Possibly. Will it hurt your market cap if you don't? Bet on it.
    • THE RATINGS DARK SIDE. While the upside of using sophisticated risk management practices includes improved ratings, the downside might involve a downgrade, with the subsequent negative impact on your cost and availability of funds.
    • INSURANCE COMPANIES. Being perceived as managing your risks well on the enterprise level could be used as an important lever during negotiations with the insurance companies for anything from D&O to other insurance elements whose costs have been soaring.
  3. WHAT THE REGULATORS THINK MATTERS, particularly if you are a "large complex banking organization." Large is defined these days as anywhere from $1 billion in assets or above. Complex? Well, that's just about everybody in today's banking environment. Lest you think the regulators are getting mysterious, they spelled out your steps over five years ago in SR 99-18. In it, regulators are told to see if the banks they supervise (1) identify and measure all of their material risks, (2) relate capital to their risk levels, (3) state explicit capital adequacy goals with respect to risk and (4) assess conformity to their stated risk objectives. Are you doing that? Do you know how? If you don't, you might incur the regulators' wrath, which is never a good thing.
  4. YOUR CUSTOMERS ARE GETTING SMARTER. Sooner or later, your best customers are going to catch on that they are subsidizing the risk of your worst customers. If you don't right price your products and services according to risk, your best customers are going to tire of paying that subsidy and go to the competitor with the lower price. They might not even realize why. They'll just know there's cheaper money on the other side of the fence. So your more sophisticated competitor will not only retain their best customers, they'll acquire yours, too. That leaves you reactionary, not properly compensated for the risks you take, and lowering your price just to stay competitive, thinning out an already thin margin.
  5. GET PAID FOR THE RISKS YOU TAKE. Banks notoriously price their loans according to what they believe the market will pay, rather than getting properly compensated for the level of risks they take. Consequently, they often overprice their lowest risk customers and under-price the worst risk customers. When you "right price" according to risk, you'll increase the pricing on your most risky customers. Not only will the margin improve, but pricing will accurately reflect the actual risk incurred by the loan.

Everything really does need to be done at once. Bottom line: Superior risk management practices are really good for your bottom line.