ERM 101: What’s Your FI’s Risk Appetite?
Risk is about preventing loss. Every dollar an institution doesn’t lose is essentially one dollar gained. But that doesn’t mean there isn’t a place for risk when it is carefully assessed and measured.
Every institution needs to understand its overall appetite for risk and include it as a consideration when making strategic decisions. It’s not just about nothing ventured, nothing gained. It’s deciding how much venture is worth a potential gain or loss.
This is more than a philosophy. An institution’s risk appetite should be determined by the board and then translated into a written document, including policies and procedures that can guide the institution in its strategy setting and decision making. There are many ways to draft a risk appetite statement, but at its core it should serve as a guide for strategic decision making and resource allocation.
For instance, it can outline whether an institution has a low, moderate or high tolerance for risk in several key categories such as lending, technology, or operational risk. Any new proposed activity should be risk assessed to see whether it falls within limits for tolerance. Activities that are viewed as riskier, but within limits, can be allocated additional resources for measuring and monitoring risk.
That’s why it’s essential to look at risk strategically.
Risk Aversion Can Be Just as Dangerous as Risk Seeking
While too many big banks have made headlines and nearly toppled the financial system by ignoring risk, some institutions are on the opposite end of the risk spectrum. They fall short of their potential by passing up opportunities due to the perceived risk without ever delving into the details. They make strategic decisions based on snap assumptions and gut reactions instead of careful assessments. Whether it’s marketplace lending or innovations in payments, these off-the-cuff assumptions about why a product or service won’t work can be just as dangerous as automatically assuming that they will.
How many institutions put off adopting mobile check deposit because the very idea scared them? Many of these institutions didn’t take the time to understand the potential risk and rewards of the technology, assuming that fraud would pose too much of a barrier. That gave other institutions a leg up in adopting the technology, wooing customers enchanted by the idea of depositing checks quickly and easily with the device that’s always in their pocket. It was a lost opportunity that likely resulted in losing customers lured away by convenience. Those customers aren’t coming back.
Missed opportunities are deadly. But ignoring risk is worse.
It All Comes Back to ERM
A carefully calibrated risk tolerance is essential to success, helping determine strategy, but it’s useless without tools to measure and monitor risk.
That’s where enterprise risk management (ERM) comes in. ERM identifies, assesses, mitigates, measures, monitors, and communicates risk across an institution. This provides essential feedback to the board and management. It provides the knowledge needed to ascertain whether a business activity falls within an institution’s risk tolerance and regularly monitors internal and external factors to alert the institution to any changes.
Your FI’s Risk Tolerance Might Not Change, But the Risk Environment Will
In an evolving threat landscape with changing economic conditions, a risk assessment may lose its relevance over time. ERM ensures that risks are continually managed, regularly monitoring and adjusting risk assessments. External factors can be economic, regulatory, political, environmental, market-related, technological, legal, and financial, among others. Trends in corporate governance and best practices can also play a role. Not every change will require a full risk assessment revision. Sometimes it’s enough to just note a growing trend and keep an eye on it. Regular monitoring prevents mission creep, where strategy shifts over time, rendering risk assessments obsolete.
ERM also aids in developing and executing strategies to mitigate potential risks, helping the board and management decide where to spend limited economic and human capital resources. In a world with limited resources, it is necessary to understand whether a risk control is effective and how much impact it has on an institution in order to justify the expense. For instance, if an institution is making a large investment in a control for a low-risk activity, those resources may be better deployed on a high-risk activity. Similarly, an assessment may determine that a control is not particularly effective and should be discontinued.
Ultimately, ERM creates value by uncovering opportunities and threats, optimizing resource use, helping an institution stay abreast of current conditions, and ensuring the promotion of strategies that support the institution’s mission, vision, and values.