Despite the importance of holistic ERM systems, Gartner's McKibben cautions that, like so many of the challenges faced by banks, ERM cannot be a pure technology play. "The technology does provide the consistent view across the organization, but it just enables the strategy," he insists.
Dana Wiklund, research director with Boston-based Financial Insights, also warns banks to look beyond technology to establish a culture of risk management throughout the organization. Although tools such as dashboards that allow a broad set of people within the organization to view the bank's risk position are a tremendous benefit, he says, there's no substitute for good people and policies. "There are millions of pieces of data housed in banks on multiple databases. However, what is needed is for the processes and people to become more efficient," Wiklund comments. "The technology itself will not keep banks out of trouble — it's the people who have to do this."
Recalling the industry turbulence of 2008, Barbara Matthews, founder of BCM International Regulatory Analytics in Washington, D.C., and the former U.S. Treasury attaché to the EU, notes, "A number of firms treated their risk management systems as something that just spit out all the answers. People who know how to use the technology to guide, rather than substitute for, judgment on strategic direction will be able to position their firms for survival."
As such, the chief risk officers and other risk managers at banks must come from slightly different stock than their predecessors if they wish to thrive in the current risk-aware environment. Much like the evolution of the CIO role in banks, the CRO position increasingly will require people with a broader sense of how the bank's business works.
According to Accenture's Grau, to optimize the risk management culture at a bank the CRO, CFO and CIO must join forces in the intertwined areas of risk management, cost cutting and streamlining the bank's operations. "Today's CROs are being told to do a better job with less," he comments. "The only answer is simplicity. Simplify the factory — go through all the legacy systems. The CRO must partner with technology and cost-savings initiatives and drive which businesses stay and which ones go."
In other words, enterprise risk management is a team effort. "[CROs] are not the only managers of risk," points out Gartner's McKibben. "They set the policy and try to guide the practices in the bank on a consistent basis. But the CRO leads with a risk management committee."
A shared risk management structure is even more critical for small banks, notes Steve Fritts, associate director of risk management policy with the FDIC (Washington, D.C.). Not all institutions, he notes, can afford to have one person exclusively dedicated to risk management. "Having a CRO can be a valuable part of risk management at a larger organization. But in reality, having a stand-alone CRO who builds systems around risk is not economically feasible for many community banks," he explains. "Instead, you want to have a culture of risk management and awareness for all employees."
Adds Michael Jackson, associate director of technology, supervision branch, with the FDIC, "That job is too large for one individual to handle. Risk has to be embedded in the culture. Business unit owners identify the risk for their areas, and the CRO identifies and coordinates the risk for the entire organization. It's a tremendous job."
Experts agree that to be effective, risk management must be baked into every aspect of what the bank does. IBM's Adler suggests that banks embrace the idea of more-open sharing of data throughout the organization. "People will disregard any information that doesn't meet their self-interest," he opines. To avoid this, "Have more information available to more people so someone is always watching it."
BCM's Matthews says it's no secret that things will get tougher for banks in the coming year as their risk management practices are subjected to greater scrutiny. But it's a matter of "enhancing" a bank's risk culture, she says, rather than instilling one, as managing risk is what banks have always done. "With broad-based government ownership of banks in the U.S. and the deep scrutiny and public skepticism, the world of risk is expanding beyond that which can be quantified," Matthews notes. "The CRO is now in the hot seat."
6 Benefits of ERM
According to Boston-based Financial Insights, enterprise risk management is a risk assessment process that spans the bounds of an organization. Some of the benefits of an ERM strategy include:
1. Preservation of capital. An ERM program enhances a firm's ability to generate, preserve and grow capital for stakeholders.
2. Aligned risk tolerance. An enterprisewide view of risk aligns organizational segments around a universally agreed upon tolerance for risk.
3. Greater accountability and transparency. ERM processes provide visible accountability through ongoing risk assessments, controls and monitoring.
4. Best practices. The very fact that processes are deployed adds to the improvement and the emergence of best practices.
5. Increased communication. Increased communication vertically and horizontally within the firm aligns business objectives and accountabilities.
6. Understanding interdependent risks. An ERM process not only exposes risk inherent to a particular segment but also should indicate where risk might cross over to another business segment.