In my 34 years of experience as an internal auditor, I’ve seen a wide variety of enterprise risk management control failures. And to my thinking, they all share one common denominator: a failure by the board or the CEO to implement an effective ERM program that addressed the right risks.

That has become all the more clear in light of the financial crisis of the last 18 months, where many banks failed to understand the risks confronting them—and then just failed, period. An effective ERM program might not have prevented all these failures, but it certainly would have identified the risk exposures sooner.

A paper by Paisley, “ERM Assessment Guide,” had an interesting breakdown of the root causes of bank failures. Paisley identified four typical causes: 49 percent were the result of inadequate board supervision; 37 percent were due to the presence of a dominant figure such as a CEO or chairman; 32 percent stemmed from an over-reliance on volatile funding sources; and 26 percent were from excessively growth-oriented philosophies.

Of course, in reality, most failures trace back to a combination of causes that cascaded out of control. But in my experience, a dominating figure is almost always accompanied by inadequate board supervision.

For example, I left a previous job because of the CEO: he was a dominating figure who controlled the board, had volatile product lines or other operating concerns that put the company at risk, and was trying to grow at a pace that relied too heavily on tomorrow’s deposit growth. That CEO later assumed leadership of another, larger financial institution, a credit union; he kept pushing high-risk strategies such as mortgage-backed securities, and the credit union ultimately went into conservatorship after racking up billions in losses.

I wasn’t surprised that these losses occurred. The CEO was the type of leader who would put his company at risk for the potential income, without adequately evaluating the potential loss. A good ERM program would have captured these types of loss exposures with effective mitigating controls.

I am not as worried about large banks because national bank examiners put so much pressure on controls, compliance, and regulations that the only question is how quickly and effectively the ERM programs will be implemented. At small and mid-sized institutions, however, I suspect the boards and senior management still see these programs as an expense rather than an investment. In reality, boards should be the biggest supporters of ERM because this will be their tool for monitoring and evaluating the performance of their company.

The one key factor is that the board must ensure that its ERM program is developed and implemented correctly; otherwise, the ERM effort won’t be cost-effective. Garbage in, garbage out. The foundations of effective ERM programs should be:

Identify your key risks and loss exposure areas, and develop indicators or trigger points to measure them, so that a change in any area of risk (mortgage-backed securities, for example) raises an alert that must be analyzed immediately to determine its cause and effect.

Ensure that a good foundation is in place in the operational processes, so that you can properly measure the efficiency and effectiveness of your company.

Implement accountability throughout the organization starting from the top (that is, the entity level). Proper accountability is lacking in a lot of companies today.

Companies would be better off developing a good manual ERM program first, before purchasing any ERM software. Once the direction of your ERM has been solidified, then you can consider using a good software program for measuring your performance.

The following are examples of manual ERM processes I’ve performed that strengthened the company’s operations and prevented potential losses.

Example 1: At an independent bank, the examiners had made a comment on large Currency Transaction Reports (CTRs) and adherence to the Bank Secrecy Act. To rectify the exposure and keep our audit independence, we had the branches send all CTRs and suspicious transactions to us (the internal audit department) for review before they were sent to the IRS. For almost a year we maintained a monthly spreadsheet, by branch, of all CTRs received and of the ones that had to be returned for corrective action before mailing. The results identified which branches or tellers needed the most training, and we were able to keep errors to a minimum.


We had also emphasized the importance of suspicious transactions as part of the review process, and one branch notified me about a young lady making $5,000 cash deposits every other day. Our reporting of the incidents ultimately led to the FBI breaking up a drug ring that was about to smuggle millions through San Francisco Bay. We also discovered a check-kiting scheme that resulted in no loss for us, but nicked two other banks for $400,000.
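The deposit pattern in that story, cash amounts kept just under the $10,000 CTR line and repeated every other day, is what examiners call structuring. The following screening routine is an added example, not the author's process or anything from the page: it runs over a constructed set of transactions, flags any single cash transaction over $10,000 as requiring a CTR (31 CFR 1010.311), and flags an account for suspicious-activity review when several sub-threshold cash deposits inside a short window add up past the line. The window length, deposit count and aggregate threshold are assumptions chosen for illustration, not regulatory definitions.

```python
from collections import defaultdict
from datetime import date, timedelta

# A cash transaction of more than $10,000 requires a Currency Transaction Report
# (31 CFR 1010.311). The structuring heuristic below (window, count, aggregate)
# is an assumption for this example, not a regulatory definition; tune it to
# the institution's risk profile.
CTR_THRESHOLD = 10_000
WINDOW_DAYS = 7
MIN_DEPOSITS = 3
AGG_THRESHOLD = 10_000


def screen_cash_transactions(txns):
    """Screen a list of transaction dicts and return alerts as
    (account, kind, detail) tuples.

    Each transaction dict has: date (datetime.date), account, branch,
    channel ("cash" or "check") and amount (dollars).
    """
    alerts = []
    sub_threshold = defaultdict(list)  # account -> cash deposits at or below the CTR line

    for t in sorted(txns, key=lambda t: t["date"]):
        if t["channel"] != "cash":
            continue  # checks and wires are outside CTR scope
        if t["amount"] > CTR_THRESHOLD:
            alerts.append((t["account"], "CTR_REQUIRED",
                           f"{t['date']} {t['branch']} cash ${t['amount']:,.2f}"))
            continue
        sub_threshold[t["account"]].append(t)

    # Slide a WINDOW_DAYS window over each account's sub-threshold cash deposits.
    # Several deposits that together exceed the CTR line inside one window is
    # the classic structuring signature and goes to the SAR review queue.
    for account, deposits in sub_threshold.items():
        for i, first in enumerate(deposits):
            window = [d for d in deposits[i:]
                      if d["date"] - first["date"] <= timedelta(days=WINDOW_DAYS)]
            total = sum(d["amount"] for d in window)
            if len(window) >= MIN_DEPOSITS and total >= AGG_THRESHOLD:
                alerts.append((account, "POSSIBLE_STRUCTURING",
                               f"{len(window)} cash deposits totaling ${total:,.2f} "
                               f"between {window[0]['date']} and {window[-1]['date']}"))
                break  # one alert per account is enough to route it for review
    return alerts


def sample_transactions():
    """Constructed sample data (not real records). Account A-1001 reproduces the
    '$5,000 every other day' pattern; A-2002 makes one deposit over the CTR line;
    A-3003 and A-4004 are ordinary activity that should not be flagged."""
    def tx(day, account, branch, channel, amount):
        return {"date": date(2009, 3, day), "account": account,
                "branch": branch, "channel": channel, "amount": amount}
    return [
        tx(1, "A-1001", "Main St", "cash", 5_000.00),
        tx(3, "A-1001", "Main St", "cash", 5_000.00),
        tx(5, "A-1001", "Bay View", "cash", 5_000.00),   # same customer, different branch
        tx(7, "A-1001", "Main St", "cash", 5_000.00),
        tx(2, "A-2002", "Bay View", "cash", 12_500.00),  # single deposit over the line
        tx(1, "A-3003", "Main St", "cash", 4_000.00),
        tx(20, "A-3003", "Main St", "cash", 4_000.00),   # too far apart to aggregate
        tx(10, "A-3003", "Main St", "check", 9_000.00),  # not cash, ignored
        tx(2, "A-4004", "Bay View", "cash", 2_000.00),
        tx(4, "A-4004", "Bay View", "cash", 2_000.00),
        tx(6, "A-4004", "Bay View", "cash", 2_000.00),   # three deposits but only $6,000
    ]


if __name__ == "__main__":
    for account, kind, detail in screen_cash_transactions(sample_transactions()):
        print(f"{kind:22} {account:8} {detail}")
```

Two points worth noting from the sample. The structuring check keys on the account, not the branch, which is why A-1001 is caught even though one of its deposits went through a different branch; a teller who only sees her own branch's activity would miss that, which is exactly why the author centralized the review. And the heuristic deliberately stays silent on A-4004, three small deposits that never approach the threshold, because an alert queue flooded with ordinary activity trains staff to ignore it.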

Example 2: At another independent bank, the examiners had given us a “less than satisfactory” rating for lack of proper adherence to Regulation B and Regulation Z. We had six months to resolve the issue. As a result, the credit manager and I decided to give all loan officers a Reg B and Reg Z examination that we had developed. The results identified which officers needed training and the specific areas of the regulations that we had to focus on. We worked with the training manager to focus on these specific areas, and at the end of the six months we went from “less than satisfactory” to “outstanding” (the highest possible rating).

I could go on. Recently I put together a PowerPoint presentation on ERM from my own experience, and it ended up running 110 pages! That shows there is no universal, perfect way to implement an effective ERM program. Whatever form it takes, the most important thing is to keep improving and strengthening your ERM process.

I want to close with five general areas that I think need to be included in successful ERM/GRC programs:

An effective strategic plan that is properly executed, monitored, and updated on an ongoing basis;

A budget plan used as a tool for measuring and monitoring expenses, including changes that need to be properly reviewed and approved;

Measurement of soft-dollar costs whenever possible to determine the true cost of the process and the product’s breakeven point;

Management information reports to provide the necessary information to make good business decisions;

A concerted effort to eliminate silos in your organization.