How do I Implement ERM?
Derek Yankoff, Chief Strategy Officer
What does ERM do, actually?
- Defines and assigns Risk Values (i.e., Inherent Risk, Threats, Vulnerabilities, Annual Rates of Occurrence, Annual Loss Expectancy, Risk Appetite, Risk Tolerance, and Audit Frequency) for every Subject to be assessed.
- Provides ‘use cases’ that give context to the Subjects to be assessed by risk owners and managers.
- Provides Key Risk Indicators (KRIs) which will be rated for Probability and Impact.
- Sums up Probability and Impact ratings to reach Residual Risk outcomes and help determine audit frequencies.
- Provides a “How We Reached Our Conclusion” section for explaining current Residual Risk outcomes and offers links to your own policies, procedures, forms, memos and other documentation that support those Residual Risk outcomes.
- Provides custom decision-making reports specifically designed for risk owners and managers, senior management, the Board and your regulators.
- Provides a method for performing comprehensive “bottom up” risk assessments and for performing risk assessments on emerging products, services and activities before they are deployed.
- Provides flexibility when assigning risk owners and risk managers while maintaining full administrative control and oversight by the Chief Risk Officer.
- Includes supplementary policies, procedures, accessories, tools, resources, forms and immediate, one-touch access to relevant regulatory guidance (no need to ever leave the TraceRisk website to do regulatory research).
Who should perform the risk assessments?
Most banks today have assigned the responsibility for risk management to a Chief Risk Officer. Typically, he or she will be the “gatekeeper” for managing enterprise risk and overseeing the risk assessment process. But, it’s your bank’s risk owners and risk managers who actively participate in the risk assessment process and the TraceRisk implementer can help the Chief Risk Officer identify who they are.
What will the implementation process look like?
Ideally, assign a risk expert to assist your bank with implementing your chosen solution and maximizing all of its capabilities and features. The implementer will perform risk assessments with your staff and should also furnish the bank with a set of supplementary tools and resources, including but not limited to:
- ERM Policy, Procedures and Committee Charter (editable)
- Checklist – Addressing Risk Management Shortfalls (for Board of Directors’ use)
- Report Descriptions and Who Should Get Them (reporting TraceRisk outcomes)
- “Chief Risk Officer’s Risk Management Report to the Board” template
- Glossary & Definitions; Illustrations; Tips & Tricks when using TraceRisk
What does the Implementer do, exactly?
The Implementer assigned to your bank will ideally have decades of enterprise risk management experience and be thoroughly familiar with all aspects of your chosen solution. This individual will work closely with your risk owners and risk managers to accomplish the following:
- Identify relevant business objectives before meetings or visitation commences.
- Conduct an initial on-site meeting with senior management, risk managers and risk owners.
- Identify the events or conditions that could affect the achievement of objectives.
- Explain what Key Risk Indicators (KRIs) are and how they are used.
- Assist risk owners and managers in assessing the likelihood and impact of risks across their assigned risk subjects. (This is the fun stuff)
- Provide insight and tips on how to use the rich data sets captured on each of the 4 Dimensions of Risk: Subject, Silo, COSO & Risk Inventory. (More fun stuff)
- Provide detailed guidance on how to succinctly and uniformly write conclusions on risk assessment outcomes (outcomes are called “Residual Risk”) and how to develop risk mitigation plans and techniques.
- Demonstrate how to quickly produce meaningful reports for the Board, the regulators and Executive Management. The variations of the reports are driven entirely by the intended audience.
- Train on use of the “New Product/Service – Risk Analysis”.
- Train on use of the “Risk Response” (for indicating how problematic conditions on higher risk Subjects will be handled).
- Share Best Practices in all aspects of risk assessment and ERM program development.
When should you get started?
Now is the time to start performing your risk assessments. The FRB, OCC, FDIC and CFPB have issued plenty of guidance on risk management and they expect your bank to have your risk assessments done and ready for their field examiners to review.
Let’s get started so you can see what your bank’s risk profile looks like and get some risk mitigation in place before your next regulatory examination.