4 steps to enhance and advance your ERM program

Ryan C. Luttenton, Stefany Samp, Alexa Stone
8/29/2024
Our specialists cover what to know about creating and maintaining a mature and robust enterprise risk management (ERM) program.

Over the past year and a half, the banking industry has experienced a variety of notable failures stemming from heightened interest rates, market risk, and liquidity risk. In the wake of these failures, regulators appear to be intensifying their scrutiny of ERM programs, recognizing that siloed risk management practices can overlook critical interdependencies.

Effective ERM programs enable institutions to identify, assess, and manage risks across a variety of risk pillars, including operational, strategic, credit, market, liquidity, reputational, and compliance risks, in addition to traditional financial risks. Regulators expect financial institutions to implement robust ERM frameworks that offer a holistic understanding of the organization’s risk landscape, but the benefits of a robust ERM program go beyond meeting regulator expectations. Such a program allows institutions to pursue growth opportunities while maintaining appropriate risk thresholds by aligning risk appetite with strategic objectives. Plus, it offers opportunities for course correction, as comprehensive risk assessments and monitoring mechanisms provide early warning signals for increased areas of risk.

Ultimately, strong risk governance and reporting practices enhance transparency, accountability, and informed decision-making at the board and executive levels.

The Crowe June audit committee webinar covered four steps to advance an organization’s ERM program, as summarized here.

1. Review and understand relevant guidance around ERM programs

Three pieces of guidance that can help institutions understand what regulators are looking for in a robust and mature ERM program include the Committee of Sponsoring Organizations of the Treadway Commission (COSO) ERM framework, the Federal Reserve (Fed) SR 16-11, and the Office of the Comptroller of the Currency’s (OCC's) heightened standards for risk management and governance.

  • COSO ERM framework [1]
    • Consists of 20 principles organized into five interrelated components that support effective practices and provide an integrated approach to enterprise risk management
    • Focuses on the importance of ERM in the strategic planning process and embedding it throughout an organization
  • Fed supervisory guidance SR 16-11
    • Includes the Fed’s guidance for assessing risk management at supervised institutions with total consolidated assets less than $100 billion
    • Establishes the standards for board and senior management oversight; policies, procedures, and limits; risk monitoring and management information systems; and internal controls
  • OCC heightened standards for risk management and governance
    • Establishes minimum standards and guidelines for large financial institutions to establish and adhere to a risk governance framework to manage and control their risk-taking activities
    • Provides minimum standards for an institution’s board of directors to oversee the risk governance framework

2. Take a proactive, top-down approach to ERM

For some organizations, it takes a triggering event, such as regulatory changes or operational issues, to make ERM a priority. But an organization shouldn’t wait for regulatory events, operational losses, mishandling of client transactions, or internal control breakdowns to shine a light on issues that can happen without a mature ERM program. It’s important for companies to have a vision for their ERM program that’s supported and championed by the CEO and board. Creating a proactive approach can help organizations get ahead and prepare for regulatory, market, or operational risk events.

3. Engage in an ERM program assessment

COSO has established a comprehensive ERM framework that serves as a blueprint for organizations to effectively identify, assess, and manage risks. This framework comprises five interrelated components that collectively enable a robust and integrated approach to risk management.

  • Governance and culture. Establishing an organizational culture that promotes ethical values, desired behaviors, and a strong understanding of risk management is the foundation of a mature ERM program. Laying that foundation requires a variety of practices, including developing a well-defined ERM framework, establishing clear governance structures and committee charters, assigning risk ownership to each risk pillar, promoting board independence and regular self-assessments, and fostering a culture of continuous reinforcement through training and socialization.
  • Strategy and objective-setting. An effective ERM program aligns the organization’s strategic objectives with its risk appetite. A well-defined risk appetite statement (RAS) that encompasses both qualitative and quantitative factors and is socialized across the organization offers a set of guiding principles for decision-making and strategy-setting. As part of this process, it’s important to engage in robust planning to establish the RAS, with senior leadership involvement and board approval. Once the RAS is approved, regular monitoring and reporting of the organization’s risk profile against its stated risk appetite helps maintain a strong ERM program.
  • Performance. Once risk appetite and strategy are in place, organizational leadership should implement processes to evaluate risks that might affect achievement of the entity’s strategic objectives. By establishing a risk taxonomy, a risk assessment methodology, and supporting policies and procedures, organizations are better able to identify, assess, prioritize, and respond to risks. Performing comprehensive and dynamic risk control self-assessments, identifying risk interdependencies, developing key risk indicators (KRIs), and monitoring emerging and top risks are essential ways to both maintain and measure the performance of strategy and business objectives.
  • Review and revision. Organizations must continuously review and revise their ERM practices to adapt to changing circumstances. A variety of triggers might lead organizations to assess changes to their environment, including, but not limited to, significant organizational growth, changing products or services, new third-party relationships, updated technology, regulatory or industry changes, new strategic initiatives, or breaches of KRI limits. Implementing a formal process for assessing and managing the risk in new or modified products and services is also critical.
  • Information, communication, and reporting. Effective risk management and governance require transparent, relevant, and timely risk reporting to stakeholders, and it’s vital to establish robust controls over the completeness and accuracy of this reporting. Clear, complete, and concise reporting to management and the board, with a focus on exceptions and action plans, fosters accountability and informed decision-making throughout the organization and provides support for prioritizing a mature ERM program.

4. Identify any gaps in your ERM program and build an ERM road map

After completing the assessment, organizations should have a clear, realistic look at their ERM program maturity. From there, they can identify gaps and prioritize actions to advance the program. Organizations should consider a phased implementation approach to advance their program responsibly. Drafting an ERM road map or project plan with specific milestones and tasks can help with that prioritization.

In an increasingly complex and interconnected risk environment, a reactive or fragmented approach to risk management is no longer sufficient. Creating and maintaining a robust ERM program is not a simple task – it’s a multistep, multiyear journey that requires both constant reinforcement and sustained commitment, especially from an organization’s leadership. However, prioritizing the development and continuous enhancement of an ERM program can help financial institutions better position themselves to navigate uncertainties, seize opportunities, and maintain the trust of stakeholders and regulators.

[1] COSO guidance is property of the Committee of Sponsoring Organizations of the Treadway Commission and subject to copyright.

June 2024 financial services audit committee review

For a deeper dive into these topics, watch the full webinar.

Contact our specialists

Ryan C. Luttenton, Partner, Financial Services Consulting
Stefany Samp, Consulting
Alexa Stone, Consulting