Susan S. Bies, Member of the Board of Governors of the Federal Reserve System in Washington, DC spoke on April 28th to over 200 business professionals at the last of three Spring 2006 ERM Roundtables.  As a major leader within U.S. banking supervision, Governor Bies provided her perspectives on enterprise risk management (ERM).  While her comments focused heavily on implications for banking institutions, her comments emphasized the importance of ERM for enterprises across all types of industries.

Importance of ERM

The Federal Reserve has placed extensive emphasis on the need for effective risk monitoring, particularly through internal controls, and has approached its supervision of banking institutions through risk-focused examination procedures.  For several years, enterprise risk management across multiple organizational units within an institution has received greater focus.

Governor Bies emphasized that one of the major concerns for today’s growing enterprises, is the need to pay closer attention to aggregated risk exposures.  While most organizations are effectively managing risks on an exposure-by-exposure basis, few have adopted sufficiently sophisticated approaches for considering how multiple risk exposures might interrelate and combine, placing the enterprise at dangerously high levels of enterprise-wide risk.  Governor Bies suggested that a successful ERM process can help meet the challenges of addressing the complex portfolio of risks arising from rapid growth, strategic planning, constrained information systems, among numerous other potential threats facing today’s complex enterprise.

Defining ERM

While ERM as a business paradigm is rapidly emerging, the topic of ERM can be defined differently by many different people.  Governor Bies defines ERM as “as a process that enables management to effectively deal with uncertainty and associated risk and opportunity, enhancing the capability to build stakeholder value.”  Based on that definition of ERM, Governor Bies used the ERM framework developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO – see www.coso.org) to provide a structure for her emphasis on many of the critical components necessary for effective ERM implementation.  She noted that the COSO ERM Framework provides an effective tool that can be used by organizations of all types when developing an ERM approach to risk oversight and management.

Embracing ERM to Derive Tangible Value

If implemented correctly, ERM should be a component of basic strategic planning in order to identify and seize opportunities and to reduce the frequency and severity of operational surprises.  Governor Bies noted that one area of tangible value provided by ERM for financial institutions is in the area of compliance risk.  The Federal Reserve expects banking organizations to have an infrastructure in place that can identify, monitor, and effectively control the compliance risks that they face.  Governor Bies noted that if a banking organization views compliance as a “one-off project,” a banking organization is placing itself at risk.  She emphasized the need for the board of directors to establish a top-to-bottom compliance culture that is well communicated throughout the organization.  An ERM approach to risk management helps facilitate this enterprise-view of compliance risk.

Another area of focus of the Federal Reserve is on operational risk, which is gaining relevance for banking organizations as they rapidly embrace new revenue streams related to transaction processing, servicing accounts, and selling sophisticated financial products.  Through many of its operational processes, such as wire transfers, a banking organization could suffer significant financial loss from unauthorized or inaccurate processing.  Thus, banks are reaching out to non-financial institutions to learn more about managing operational risk exposures. Furthermore, as banks implement more advanced models to estimate and manage credit-risk and market-risk exposures, financial institutions require more knowledgeable employees to identify system requirements and interpret results appropriately.

Information security poses a significant threat to all organizations, particularly banking institutions, due to their significant reliance on sophisticated IT-based systems to handle customer transaction processing and other core operations.  Cyber attacks and security breaches have cost the financial services industry millions and have done considerable reputational damage.  Governor Bies emphasized that “effective management of information security risk, even when focused on a specific function, requires an enterprise-wide approach to yield a true and complete evaluation of the associated risks.”

Fed’s View of Risk Management

Governor Bies’ concluding remarks emphasized the Federal Reserve’s view that all banking organizations need effective risk management.  She noted that an enterprise-wide approach is appropriate for setting objectives across the organization, instilling an enterprise-wide culture, and ensuring that key activities and risks are monitored regularly.  For ERM to be effective at protecting and enhancing value, senior management must be involved in ERM, having key responsibility for determining the level and types of risk the organization can accept and what risk mitigation strategies are necessary to bring risk exposures in line with agreed-upon levels of risk appetite.  Governor Bies finished by noting that organizations should look at the discipline of enterprise risk management as a way to ensure that they are effectively dealing with uncertainty and the associated risk and opportunity.

Click below for a link to the full speech.