Amy Woods Brinkley, Global Risk Executive at Bank of America, opened her remarks at the May 9, 2008 roundtable by looking at how Enterprise Risk Management has changed since the last time she spoke at an event hosted by North Carolina State University’s College of Management in 2005. At that time, the discipline of enterprise risk management was only beginning to be regarded as an essential discipline in the way that the disciplines of accounting, law and economics are regarded. Today, as the pace of change has accelerated, and the interconnections between risks and risk categories have multiplied by an order of magnitude, enterprise risk management has moved to the forefront as an essential element of the effective governance and operation of most major corporations.

At Bank of America there is buy-in at the CEO-level of the importance of enterprise risk management. In fact, it is considered a critical and explicit element of Bank of America’s definition of operating excellence. Bank of America’s key operating elements for achieving organic growth are innovation, using scale as a strategic advantage, building a strong brand, improving the customer experience, and managing risk and reward for consistent growth.

At Bank of America, risks are managed in four categories:

  • Credit
  • Market
  • Operational
  • Strategic

The risks in these categories are both overlapping and inter-related, and must be managed as such. In addition, you need to be focused on identifying new types of risk that may be emerging. At Bank of America, they are in the business of taking risks, and therefore, they approach the management of risk and reward as an enabler of growth. The keys to accomplishing this are:

  • First, establishing a culture of performance management and accountability. Everyone in the organization is a risk manager, and is accountable for managing risks. The relative importance or weight placed on risk management activities increases as you move up within the organization.
  • Implementing processes that are both comprehensive – taking into account all four categories of risk, and the way risks “jump” from category to category, and dynamic – recognizing that risks and the inter-relationship of risks are constantly changing.
  • Taking a forward-looking view of risk. The next major risk event is not likely to be something that has happened in the past. The increasing pace and complexity of innovation in the financial sector has led to greater interactions across types of risks in ways that may not have been contemplated.

Brinkley also commented on the current environment of the credit markets in the context of the three “L’s”:


  • Sustained low interest rates 2001-2003
  • Offset bust of tech bubble and staved off deflation


  • Confident in home prices, investors increased pursuit of yield, increased appetite for sub-prime-related investments
  • Financial innovation accelerated
  • All market participants took on added leverage


  • Write-downs and losses continue to increase

She also discussed how technological advances resulted in the industry placing more emphasis on the “science” of risk management during this time. Within the “science” of risk management, modeling is a key component. However, the use of modeling has its limits since so much weight is given to past trends and events that won’t necessarily hold into the future. She argued that we should place more emphasis on the “art” or common sense “what if” approach to risk management. We must test science with good judgment; ask tough “what if” questions, and then model possible outcomes. We need to continue to get better at both the art and science to become better risk managers, and not just risk technicians.

Brinkley then went on to discuss risk management in the context of business continuity. She stressed that both preparation and recovery plans are essential, but no one can successfully predict and plan for every possible event. At Bank of America, they have begun to focus on identifying and planning for “common impacts” across events rather than on identifying the myriad of potential events that could occur. This approach is expected to cover approximately 80% of the impacts of any event, and then the remaining 20% of impacts that may be unique to a particular event may require a customized plan. One critical element to success in this area is the recognition of the interdependence of business partners. The intentional planning activities that Bank of America has undertaken around business continuity have deepened and broadened relationships across the organization, and improved their ability to both predict and respond to potential events.

Brinkley concluded her remarks by discussing the importance of balance in managing risks. We must balance our understanding of what has changed with what hasn’t changed, and must use sound decision-making for the long run. We must balance the complexity of the businesses we enter with our risk management capabilities. We must balance the need for thorough analysis with the urgency to act. Risk managers must continue to get better at assessing risk and reward in order to achieve consistent, sustainable growth.

Subscribe to ERM Insights

The latest research, insights and opportunities from the NC State ERM Initiative to help
you and your organization lead with confidence.

ERM Enterprise Risk Management Initiative 2008-05-09