3 Tips for Ramping up Your Enterprise Risk Management Program
Author: Michael Cohn
Are you happy with the state of your Enterprise Risk Management Program? It’s becoming clear that regulators view ERM as a necessity for financial institutions as they strive to remain safe and sound.
Your board and CEO expect that a minimal ERM program exists. In addition, they expect it to produce risk information consumable for them and other constituents, including:
- Auditors; and
Robust enterprise risk management programs can be complex and overwhelming to start. That said, how do you enhance your initial efforts? Here are a few points that will help get you on your way.
#1 – You Need to Take Your ERM Program Seriously
It may seem convenient just to hit the main risk components relevant to your compliance or ALM risk requirement. However, remember that if you have a breach or outage, what was convenient for you carries the real consequence of a significant loss of revenue and reputation.
Risk management is about protecting your institution, not getting a check in the box. Therefore, the CRO needs to instill the value of risk management as an ongoing practice throughout the institution. That includes everybody from junior associates to the C-suite. It’s the only way to implement successful controls that ensure the total safety of the institution.
#2 – Organize Your Enterprise Risk Management Program
Three organizing principles make up the three-legged stool of ERM:
- Operations;
- Finance; and
- Governance.
Your operations department will implement the controls you’re looking to put in place, but only after getting the funding from finance.
Are you spending money within the institution? If so, there has to be governance in place to discern the effectiveness of your process. However, the governing group cannot do that without data and feedback from the operations group.
Much like a stool with each leg a different length, if one group in your risk management program is not as organized as its counterparts, there is little chance you’ll be successful. Therefore, you need to organize your ERM program with three capable and fully formed functions to help keep the program level.
#3 – Understand Your Costs
If you don’t know how much it costs, you can’t make it cost less. You’ve probably gone through your institution and broken it down into high-, medium-, and low-risk subsets. You now have to decide how to cover all your risks with your money.
Surprise! You don’t have the budget to cover all of your risks. Most institutions don’t. So, how do you decide where to put the money? First, look at what you currently spend on risk management and how that relates to the high-, medium-, and low-risk areas you already mapped:
- Are there high-risk areas that you currently don’t spend any budget mitigating?
- Are there low-risk areas where you can reallocate the funds?
Moving the money to the highest-risk areas maximizes the efficiency of every dollar. It is also a great conversation starter in budget talks if you need to justify a more significant spend.
So how do you know if you have allocated enough to keep you safe and sound? First, take stock of changes to your business and business environment and compare those changes to your spending last year. Then, ask yourself if you can still sleep well at night with what you’re spending.
Attribution: Michael Cohn
Originally Published: 2015 — Updated: 2022