Creating the Right ERM Program for YOUR Community Bank
ICBA – Community Banker University®
October 30th, 2018
Marci Malzahn
President & Founder
Marci Malzahn – Malzahn Strategic
• Professional Highlights:
  • 23 years in banking: from teller to EVP/CFO/COO and CRO
  • Started a bank in 2005 – bank grew to $325MM in 10 years, now $725MM
  • 5 years in nonprofit:
    • CFO overseeing Finance, IT and HR
    • Managed a $32MM budget, 28 employees
  • 4 years with Malzahn Strategic consulting
• Professional Awards:
  • 25 On The Rise – Hispanic Chamber of Commerce
  • Forty Under 40 – Minneapolis/St. Paul Business Journal
  • Top Women in Finance – Finance and Commerce Newspaper
  • Outstanding Women in Banking – North Western Financial Review magazine
• Education:
  • B.A. Business Management, Bethel University
  • Graduate School of Banking, Madison, Wisconsin
Copyright 2018 Malzahn Strategic
Marci Malzahn – What I Do Now
Consulting and Coaching:
• Strategic Planning
• Enterprise Risk Management
• Talent Management
Speaking:
• Banking/Business
• Inspirational/Motivational
• Faith based
Writing:
• Devotions for Working Women – A Daily Inspiration to Live a Successful and Balanced Life
• The Fire Within – Connect Your Gifts with Your Calling
• The Friendship Book – Because You Matter to Me
Training Overview – Part I
• How Community Banks Can Survive and Thrive
• Strategic Plan Components
• ERM Building Blocks: Definitions, Elements, Components, Areas
• Integrate All Areas into ERM
• The ERM Puzzle & Three Ongoing Phases
• New Definition of Banking Risk
• Top 8 Risk Categories plus a Few Others
Training Overview – Part II
• ERM Risk Assessment Matrix – Definitions & Example
• List of Annual Risk Assessments
• Create the Risk Appetite and Tolerance Statement
• Implement Your ERM Program
• Integrate Your ERM Program into Your Strategic Plan
• Benefits from ERM Program
• Keep the Process Fun – Ongoing! – Flowchart
How Can Community Banks Survive and Thrive?
Do the right thing.
Do things right the first time…
Consistently.
– Marci Malzahn
ERM does both for your bank!
Increase Shareholder Value
• Establish best practices through ERM
• Create efficiencies
• Increase Board governance knowledge
• Embrace ERM company-wide
• Use ERM to ensure strategies align with your organization’s mission, vision, and core values
• Ethics and culture are at the core of ERM
Embrace ERM at YOUR Bank
• Regulatory focus is increasing around ERM
• Regulators are expecting banks of all sizes to have a framework in place to address ERM – starting with BSA/AML and IT
“The whole concept of ERM continues to be pushed down to smaller and smaller institutions, and it certainly applies to anyone that’s crossed that $1 billion threshold.”
– Charles Umberger, EVP/CLO, Waynesville, NC, quoted in the article “Embracing ERM at Community Banks” by Monica Meinert
Create Your Own Strategic Plan
• Your plan must be unique
• Integrate ERM into Strategic Plan
• Integrate other key components into ERM
• Integrate Talent Management into Strategic Plan
Strategic Plan Components
(Diagram) Strategic Plan components: ERM, Marketing, Business Plan, Financials, Talent, Capital
ERM Building Blocks
(Diagram) ERM Building Blocks: Definitions, Elements, Components, Areas
Definition of ERM
Enterprise Risk Management (ERM) is a structured, consistent and continuous process across the whole organization for identifying, assessing, and deciding on responses to and reporting on opportunities and threats that affect the achievement of its objectives.
Institute of Internal Auditors (IIA)
ERM is a discipline that an organization can use to identify events that may affect its ability to achieve its strategic goals and to manage its activities consistent with its risk appetite.
Federal Reserve Board Governor Bies’ definition
Definition of ERM
Enterprise Risk Management (ERM) is “a process, effected by an entity’s board of directors, management and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
Committee of Sponsoring Organizations of the Treadway Commission (COSO)
My Definition of ERM
“An enterprise-wide continuous process to protect all your organization’s assets while allowing you to fulfill your vision.”
Marci Malzahn
ERM Building Blocks – Elements
(Diagram) ERM Elements: Planning, Policies, Practices, Parameters, Protection, Outcomes
ERM Building Blocks – Components
(Diagram) ERM Components: Committee Charter & Policy; Identify & Assess ALL Risks; ERM Risk Assessment Matrix; Conduct Annual Risk Assessments; Risk Appetite & Tolerance Statement; Integrate into Strategic Plan
ERM Committee Charter Components
• Purpose and Goal of Committee
• Committee Composition and Meetings
• Role of the CRO or ERM Committee Chair
• Responsibilities:
  • Design and Implement Risk Management Practices
  • Execute and Monitor Risk Management Practices
• Annual Evaluation
ERM Committee Members
• Risk Management: CRO or Risk Manager (Chair)
• Finance/Accounting, Budgets, Asset/Liability
• Compliance
• Deposit and Loan Operations
• Internal Audit
• Marketing
• Credit Risk/OREO/Watch List, Loan Policy
• Shareholder relations, Board Director
• IT, Disaster Recovery, Security Program
• HR (Payroll, personnel files, HR laws, 401K plan)
• Cash/Treasury Management (Wire transfers, ACH, OLB, Remote Dep, Mobile Banking)
• Sales Teams: Business Banking, Private Banking, Construction, Development, Mortgage, Consumer/Retail Banking
ERM Building Blocks – Areas
(Diagram) ERM Areas: IT Security Program, Compliance, Succession Planning, Capital, DRP, Liquidity Contingency Plan, Internal Audit
Integrate Each Area into ERM
• IT Security Program
  • Disaster Recovery Plan (DRP)
  • Business Continuity Plan
  • Cyber Security Program
  • Vendor Management Program
  • Social Engineering
  • Controls & Policies
• Compliance Program (Compliance Management System)
• Internal Audit Program (Internal Controls)
• Liquidity Contingency Funding Plan (CFP)
• Succession Planning (at all levels)
• Capital Planning
IT Security Program Key Components
(Diagram) IT Security Program key components: DRP, Cyber Security, Vendor Mgmt., Security Controls, Social Engineering, BCP
The ERM Puzzle
Three Ongoing Phases of ERM
1. Identifying and Assessing Risk
2. Mitigating or Eliminating Risk
3. Monitoring and Reporting Risk
Identifying and Assessing Risk
• Use risk assessments enterprise-wide to identify risks and assess the types of risks
• Also identify risks unique and specific to your organization (i.e. succession planning, relationship concentration, industry concentration)
• Categorize each risk across the organization by criticality and confidentiality
• Rate risks by impact, probability, vulnerability and speed of onset
Mitigating and Eliminating Risk
• Determine the steps your institution will take to mitigate risks identified
• Determine how your institution can eliminate certain risks
• Ensure your institution is comfortable with the residual risk
• Establish policies, processes, and procedures (also systems and outsourced expertise) to mitigate and eliminate risks
Monitoring and Reporting Risk
• Ongoing monitoring of risks identified
• Establish accountability across the board
• Ensure policies, procedures, and systems in place are being followed AND are working (measuring)
• Ongoing reporting of risks and status to Board of Directors
• Provide results from monitoring efforts
• Directors learn about risks, get updates, understand their liability
• Use tools such as “heat maps”
New Definition of Banking Risk
The potential that events will have an adverse effect on an institution’s current or projected financial condition and resilience
• Financial Condition: Includes impacts from diminished capital (impact from losses, reduced earnings, and market value of equity) and liquidity
• Resilience: Recognizes the institution’s ability to withstand periods of stress (based on stress testing)
Top 8 Risk Categories 1-4
1. Credit – Obligor’s failure to meet the terms of any contract with the institution
2. Interest Rate – Movements in interest rates (repricing, basis, yield curve, and options risk)
3. Liquidity – The institution’s inability to meet obligations when they come due (Contingency Funding Plan)
4. Price – Changes in the value of either trading portfolios or other obligations that are entered into as part of distributing risk
Top 8 Risk Categories 5-8
5. Operational – Inadequate or failed internal processes or systems, human errors or misconduct, or adverse external events
6. Compliance – Violations of laws or regulations, or nonconformance with prescribed practices, internal policies and procedures, or ethical standards
7. Strategic – Adverse business decisions, poor implementation of business decisions, or lack of responsiveness to changes in the banking industry and operating environment
8. Reputation – Negative public opinion. Inherent to all bank activities.
Plus a Few Other Risks
1. Technology – Risk in all technologies used
2. Customer – Risk from dealing with fraudulent entities
3. Human Resources Management – Violations of HR laws
4. Earnings/Profitability – Losses in investments and earnings other than credit
Plus a Few Other Risks
5. Legal – Failure to comply with statutory or regulatory obligations, lawsuits
6. Capital – Direct losses to capital due to all risks being interrelated
7. Model – Potential for adverse consequences from decisions based on incorrect or misused model outputs
ERM Risk Assessment Matrix -Definitions
• Risks: Identify each risk in your institution
• Inherent Risk: Risk of an activity with no controls in place (Low, Moderate, High)
• Consequences: If the risk occurs, identify damage
• Risk Mitigating Factors: Activities that can control the risk and consequences of it happening
• Monitoring Tool(s): Tools used to monitor risks
ERM Risk Assessment Matrix -Definitions
• Plans for Improvement: If current mitigating factors are insufficient, describe plan to improve
• Status: Tracking mechanism to track progress on plans for improvement (establish accountabilities)
• Residual Risk: The risk that remains after controls are taken into account
• Trend of Risk: Increasing, Stable, Decreasing – provides a baseline for future assessments of this risk
Types of Risks
(Diagram, all feeding into ERM) Technology; Transaction/Operational; Strategic; Reputational; Compliance/Regulatory; Liquidity; Interest Rate Risk; Credit Administration; Legal; Human Resources; Earnings/Profitability; Capital
Develop Assessment Criteria
• Develop a common set of assessment criteria (scale) to be used across all functional areas of the organization (simple yet comprehensive).
• Scales should help in ranking and in prioritizing risks (i.e., 1 = Incidental, 2 = Minor, 3 = Moderate, 4 = Major, 5 = Extreme).
• Risks as well as opportunities are usually assessed in terms of impact (how it will affect the entire enterprise) and likelihood (i.e., 1 = Rare, 2 = Unlikely, 3 = Possible, 4 = Likely, 5 = Frequent)
• Also ask the questions of vulnerability (how susceptible is the bank?) and speed of onset (how fast could the risk arise, and how fast could you respond/recover? 1 = Very Low, 2 = Low, 3 = Medium, 4 = High, 5 = Very High)
ERM Risk Assessment Matrix -Sample
Columns of the matrix (one row per risk category, e.g. Technology, Operational/Transaction, Strategic, Reputation):
Risks | Inherent Risk | Consequences | Risk Mitigators | Monitoring Tool(s) | Plans for Improvement | Status | Residual Risk | Trend of Risk | Priority (Scale = 1-5) | Impact (= 1-5) | Likelihood (= 1-5) | Vulnerability (= 1-5) | Speed of Onset (= 1-5)
ERM RA Matrix – Example - Operational
Title | Definition | Example
Risks | Identify each type of risk or "risk category" | Example Risk #1: Operational/Transaction
Inherent Risk | Risk of an activity with NO CONTROLS in place. Scale = Low, Moderate, High | Moderate/High
Consequences | If this risk occurs, identify damage with NO CONTROLS in place (list everything that could potentially go wrong) | Risk to earnings (operational losses), capital, and reputation from problems with service or product delivery; internal fraud; reputation risk; external fraud; lost opportunities due to lack of products or inability to service customers (earnings risk); staff turnover; business disruption due to systems failures; low quality of due diligence
Risk Mitigators | List ALL the activities your bank does in order to control (or mitigate) this risk and keep its consequences from happening | On-going education for staff; policies and procedures; internal and external audits; on-going maintenance of systems and equipment; dual control in place; segregation of duties; bond insurance; annual core system DRP testing
Monitoring Tool(s) | List ALL the tools your bank uses and ALL the monitoring activities already in place in order to monitor this risk | Internal and external audits (which include surprise cash audits); review daily reporting; vendor communications; review of policies and procedures; ATM anti-skimming devices
Plans for Improvement | List the tasks, systems, new procedures, new processes, new talent to be hired, etc. that your bank plans to implement in the next 12 months to reduce/minimize, improve or eliminate this risk | Product enhancements; policy & procedure enhancements; continue to improve efficiencies
Status | This is your tracking mechanism to track progress on Plans for Improvement. There should be a person accountable for each item. | Ongoing
Residual Risk | Risk of an activity that remains for the bank AFTER ALL controls and mitigating tools are in place. The risk that the Board is willing to "tolerate." | Moderate
Trend of Risk | Based on current market conditions. Provides a baseline for future assessments of this risk. Scale = Increasing, Stable or Decreasing | Stable to Increasing
Priority (Scale = 1-5) | What is the priority ranking of this particular risk in YOUR bank based on Criticality (can you run your bank without it?) AND Confidentiality (how sensitive is the data)? 1=Incidental, 2=Minor, 3=Moderate, 4=Major, 5=Extreme | 5
Impact (Scale = 1-5) | HOW will this particular risk impact YOUR entire bank? 1=Incidental, 2=Minor, 3=Moderate, 4=Major, 5=Extreme | 5
Likelihood (Scale = 1-5) | How LIKELY (or probable) is this particular risk to happen in YOUR bank? 1=Rare, 2=Unlikely, 3=Possible, 4=Likely, 5=Frequent | 4
Vulnerability (Scale = 1-5) | How SUSCEPTIBLE to this particular risk is YOUR bank? 1=Rare, 2=Unlikely, 3=Possible, 4=Likely, 5=Frequent | 3
Speed of Onset (Scale = 1-5) | How FAST could this risk arise at YOUR bank? 1=Very Low, 2=Low, 3=Medium, 4=High, 5=Very High | 5
Annual Risk Assessments - Examples
Credit:
• Fair Lending
• UDAAP
• Stress Testing
• Portfolio
• Individual Credits
Compliance:
• BSA, OFAC, AML
• Wire Transfers
• Unlawful Internet Gambling
• ACH
• Fraud
• Red Flag
Technology:
• IT General
• BCP & DRP
• Vendor Mgmt.
• Cybersecurity: Electronic/Internet; Mobile/Online/Web; RDC/Wires/ACH
Annual Risk Assessments - Examples
Internal Controls:
• A/P, ALLL, A/L, Branch Capture, Call Report, Capital, Cash Controls
• Collateral safekeeping, OD, Dep. Processing, Employee Accts.
• Fixed Assets, HR, Inc./Exp. Accts., Investments, Loan Processing, Official Checks
• Online entries/GL, OREO, Payroll, Prepaid Exp., Wires
Others:
• CRA, Consumer Complaint, Incentive Compensation Plan, Incident Response
• Insurance Sales, Non-Deposit Investments, Pre-Need Trust, Safe Deposit Box
Set Risk Management Appetite
• “Risk Appetite is the amount of risk an entity is willing to accept in the pursuit of value” (COSO).
• To determine risk appetite, Board and management should agree on 3 steps:
  • Develop Risk Appetite
  • Communicate Risk Appetite
  • Monitor and Update Risk Appetite
Categories of Risk Appetite
• Existing Risk Profile
• Risk Capacity
• Risk Tolerance
• Desired Level of Risk
Risk Appetite & Tolerance Statement
Appetite = Qualitative = The Pursuit of Risk
Tolerance = Quantitative = What You Can Bear
• How to build a Risk Appetite and Tolerance Statement:
  • Set targets for each risk category
  • Set tolerance levels for each risk category
Implement Your ERM Program #1
• Board of Directors sets the tone – support ERM team
• Create ERM Charter and form Committee
• Perform ERM Risk Assessment using Matrix
• Assign responsibilities to Committee members and teams
• Committee is responsible for implementing ERM Program
Implement Your ERM Program #2
• Complete all the ERM Components and their corresponding Risk Assessments:
  • IT Security Program
  • Compliance Program
  • Internal Audit Program
  • Liquidity Contingency Funding Plan (CFP)
  • Succession Planning
  • Capital Planning
  • Board Risk Appetite and Tolerance Statement
Implement Your ERM Program #3
• Assign accountability to members
• Meet at least quarterly
• Monitor monthly and report to Board of Directors
• Perform formal annual review of program
• Update and present to Board of Directors for annual approval
On-Going Monitoring & Reporting: Opportunity & Risk Maps
COMBINED RISK AND OPPORTUNITY MAP EXAMPLE (figure): Impact runs across the top, from Extreme to Incidental for Opportunities on the left half and from Incidental to Extreme for Risks on the right half; Likelihood runs down the side (Frequent, Likely, Possible, Unlikely, Rare).
Source: Risk Assessment in Practice by COSO
On-Going Monitoring and Reporting: Heat Maps
HEAT MAP SAMPLE (figure): each risk is plotted by Likelihood (vertical axis) against Impact (horizontal axis). Risks plotted: ID 1 Capital, ID 2 Earnings, ID 3 Liquidity.
Source: Risk Assessment in Practice by COSO
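The matrix row walked through on the Operational example slides and the likelihood-by-impact heat map above can be held in one small risk register. The Python below is an added example, not code from the presentation or from Malzahn Strategic: it encodes the matrix columns and the 1-5 scales from the "Develop Assessment Criteria" slide, rejects any rating outside the scale, places each risk on the heat map, and orders the register. The composite used for ordering (likelihood times impact, then speed of onset, vulnerability and the bank's own priority) is an assumption; the slides define the scales but no formula, and residual risk is kept as the text value the Board assigns rather than computed. The Operational/Transaction row carries the ratings shown on the example slides; the ratings for Capital, Earnings and Liquidity are constructed, since the heat-map slide names them without numbers.

```python
from dataclasses import dataclass

# Scales as defined on the "Develop Assessment Criteria" slide.
IMPACT_SCALE = {1: "Incidental", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Extreme"}
LIKELIHOOD_SCALE = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Frequent"}
ONSET_SCALE = {1: "Very Low", 2: "Low", 3: "Medium", 4: "High", 5: "Very High"}
RATED_FIELDS = ("priority", "impact", "likelihood", "vulnerability", "speed_of_onset")


@dataclass
class RiskEntry:
    """One row of the ERM Risk Assessment Matrix (column names follow the slides)."""
    risk: str
    inherent_risk: str              # Low / Moderate / High, with no controls in place
    consequences: list[str]
    risk_mitigators: list[str]
    monitoring_tools: list[str]
    plans_for_improvement: list[str]
    status: str
    residual_risk: str              # what remains after controls; set by the Board, not computed
    trend: str                      # Increasing / Stable / Decreasing
    priority: int                   # 1-5
    impact: int                     # 1-5
    likelihood: int                 # 1-5
    vulnerability: int              # 1-5
    speed_of_onset: int             # 1-5

    def __post_init__(self) -> None:
        # Reject ratings outside the 1-5 scale so a typo cannot silently push
        # a risk off (or onto) the heat map.
        for name in RATED_FIELDS:
            value = getattr(self, name)
            if not isinstance(value, int) or not 1 <= value <= 5:
                raise ValueError(f"{name} must be an integer 1-5, got {value!r}")

    def heat_map_cell(self) -> tuple[str, str]:
        """(likelihood label, impact label): where this row sits on the heat map."""
        return LIKELIHOOD_SCALE[self.likelihood], IMPACT_SCALE[self.impact]

    def exposure(self) -> int:
        """Assumed composite used only for ordering: likelihood x impact.
        The slides define the scales but no formula; this is an assumption."""
        return self.likelihood * self.impact


def rank_risks(entries: list[RiskEntry]) -> list[RiskEntry]:
    """Highest exposure first; ties broken by speed of onset, then vulnerability,
    then the bank's own priority ranking (this tie-break order is an assumption)."""
    return sorted(
        entries,
        key=lambda e: (e.exposure(), e.speed_of_onset, e.vulnerability, e.priority),
        reverse=True,
    )


def heat_map(entries: list[RiskEntry]) -> dict[tuple[int, int], list[str]]:
    """Group risk names by their (likelihood, impact) cell."""
    grid: dict[tuple[int, int], list[str]] = {}
    for e in entries:
        grid.setdefault((e.likelihood, e.impact), []).append(e.risk)
    return grid


def render_heat_map(entries: list[RiskEntry]) -> str:
    """Text heat map: likelihood rows (Frequent at top), impact columns (Incidental left)."""
    grid = heat_map(entries)
    width = 12
    header = "Likelihood".ljust(width) + "".join(IMPACT_SCALE[i].ljust(width) for i in range(1, 6))
    lines = [header]
    for lk in range(5, 0, -1):
        cells = [",".join(grid.get((lk, im), [])) or "." for im in range(1, 6)]
        lines.append(LIKELIHOOD_SCALE[lk].ljust(width) + "".join(c.ljust(width) for c in cells))
    return "\n".join(lines)


# The Operational/Transaction row as rated on the example slides.
OPERATIONAL = RiskEntry(
    risk="Operational/Transaction",
    inherent_risk="Moderate/High",
    consequences=["Internal fraud", "External fraud", "Business disruption due to systems failures"],
    risk_mitigators=["Dual control", "Segregation of duties", "Annual core system DRP testing"],
    monitoring_tools=["Internal and external audits", "Review daily reporting"],
    plans_for_improvement=["Policy & procedure enhancements"],
    status="Ongoing",
    residual_risk="Moderate",
    trend="Stable to Increasing",
    priority=5, impact=5, likelihood=4, vulnerability=3, speed_of_onset=5,
)

# Constructed ratings for the three risks named on the heat-map slide (the
# slide gives names only; these numbers are illustrative, not the author's).
SAMPLE_REGISTER = [
    OPERATIONAL,
    RiskEntry("Capital", "Moderate", [], [], [], [], "Ongoing", "Low", "Stable",
              priority=4, impact=5, likelihood=2, vulnerability=2, speed_of_onset=2),
    RiskEntry("Earnings", "Moderate", [], [], [], [], "Ongoing", "Moderate", "Increasing",
              priority=3, impact=3, likelihood=4, vulnerability=3, speed_of_onset=3),
    RiskEntry("Liquidity", "High", [], [], [], [], "Ongoing", "Moderate", "Stable",
              priority=5, impact=4, likelihood=2, vulnerability=3, speed_of_onset=5),
]

if __name__ == "__main__":
    for e in rank_risks(SAMPLE_REGISTER):
        print(f"{e.risk:<25} exposure={e.exposure():>2} cell={e.heat_map_cell()} residual={e.residual_risk}")
    print(render_heat_map(SAMPLE_REGISTER))
```

The validation in `__post_init__` is the part worth keeping whatever scoring you adopt: a register that accepts a 6 or a blank rating will quietly distort the heat map the Board sees each quarter.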
Integrate ERM into Your Strategic Plan
• As you conduct the ERM Risk Assessment – what are your strategies to mitigate and avoid certain risks?
• Know the bank regulations – know your local industry
• Establish policies to comply with regulations
• Establish procedures and processes to comply with policies
• Establish an organizational and operational infrastructure to support current size and scalable for future growth
• Establish Key Performance Indicators (KPI) and Key Risk Indicators (KRI) and reporting
Key Performance Indicators (KPI) Examples
• Total Assets
• Total Liabilities
• Net Income
• ROE
• ROA
• Efficiency Ratio
• ALLL
• OREO
• Texas Ratio
• Net Interest Margin
• Loan to Deposits Ratio
• Assets Managed per Employee
• Tier 1 Capital Ratio
• Total Risk Based Capital Ratio
• Yield on Earning Assets
• Cost of Funds
Key Risk Indicators (KRI) Examples
Global/General:
• From global economy to your State to your City
• Unemployment Rate nationwide and in your State
• GDP
Local/Unique to Your Institution:
• Lack of Risk Awareness at the Board level in your institution
• High employee turnover
• Loosening of credit standards
• Using some KPI’s as KRI’s
Board Risk Oversight Responsibilities on ERM
Reviewing, challenging, and concurring with management on:
• Proposed strategy and risk appetite
• Ensuring risks are managed within tolerance
• Alignment of strategy and business objectives with the organization’s mission, vision, and core values
• Significant business decisions including M&A’s, capital allocations, funding, and dividend-related decisions
• Approving management incentives and compensation
• Approving all major changes to risk policies
Source: COSO 2017 ERM Publication
CEO & Senior Management Responsibilities on ERM
• Sponsor the organizational governance for risk and compliance activities
• Delegate policy formulation and day-to-day risk oversight to Internal Risk Management committee
• Focus on the organization’s top ten risks and set strategies to mitigate those top risks
• Designate an internal “Risk Leader” to lead the organization’s ERM Program
• Monitor and report to the Board of Directors
Stages of Integration Progression
Reactive → Aware → Strategic
Reactive Stage
• Lack of board or senior management emphasis on risk
• No common risk lingo
• No risk management planning
• Ad hoc approach
• Missing coverage of risk areas
Aware Stage
• Some board and senior management support
• Risk leader identified
• Periodic risk profiling
• Key risks defined in common vocabulary
• Recognized need for ERM
Strategic Stage
• Proactive board and senior management involvement
• Risk managed and assessed across entire organization
• Common language and approach used and understood
• Real-time analysis of risk portfolio
What stage is your organization at?
ERM Building Blocks – Components
(Diagram, recap) ERM Components: Committee Charter; Identify & Assess ALL Risks; Risk Assessment Matrix; Conduct Annual Risk Assessments; Risk Appetite & Tolerance Statement; Integrate into Strategic Plan
Integrate your Talent Management Program into your Strategic Plan
• Conduct a Talent Assessment
• The right (ERM) people in the right places
• The right positions to support current bank needs and projected growth
• Establish Succession Plan for all key positions of the bank
• Board Succession Plan
• Board training and ongoing all-staff education and training
Integration of ERM and Talent Management into Your Strategic Plan
(Diagram) Strategic Planning, Talent Mgmt. and ERM as three overlapping circles
Benefits from YOUR ERM Program
1. Establish best practices enterprise-wide.
2. Increase efficiencies.
3. Establish an ERM process (Strategic Risk Assessment for New Initiatives).
4. Build the team.
5. Create awareness, enterprise-wide.
6. Opportunity to assess risk, enterprise-wide.
Benefits from YOUR ERM Program
7. Prepare for the future.
8. Create accountability.
9. Reduce performance variability.
10. Enhance enterprise resilience.
11. Create a sound infrastructure and a solid foundation.
12. Tell your story from the risk perspective.
ERM – Fun and Ongoing Process!
• The tone at the top – Continued Board support
• Rotate who presents to the Board
• Have off-site meetings to increase focus and fun
• Celebrate the small accomplishments and milestones
• Form or participate in ERM peer groups – keep learning!
• Reward team for working together successfully
ERM Program Flowchart
Approval Process #1
Board of Directors (tone at the top; Board Risk Co.) → President/CEO designates internal ERM Leader → President/CEO and ERM Leader select ERM Committee
Approval Process #2
Establish Bank ERM Committee (formalize it) → Develop/write ERM Committee Charter & Policy → Integrate ERM with Strategic Plan
Phase I – Identify & Assess Risks #1
Set Risk Management Appetite → Establish KPI’s & KRI’s (Tolerance) → Summary of ALL types of risks (identify unique risks)
Phase I – Identify & Assess Risks #2
List ALL Risk Assessments for each Risk/Area → Identify Risk Assessments you do & those missing → Incorporate ALL other ERM Components/Areas
Phase I – Identify & Assess Risks #3
Establish standard assessment criteria → Develop ranking scale to prioritize all risks → Use qualitative & quantitative questions
Phase I – Identify & Assess Risks #4
Conduct all risk assessments (track findings) → Assess risk interactions (interrelated) → Prioritize risks based on ranking & criteria
Phase II – Mitigate & Eliminate Risks
List mitigating factors for each risk (systems, tools) → Establish policies, procedures & processes → Eliminate some risks if possible
Phase III – Monitor & Report Risks
Identify monitoring tools for each Risk/Area → Identify improvement plans for each Risk/Area → Report on monitoring activities → Create reporting process
Ongoing ERM Process #1 (Identifying & Assessing New Risks, Mitigating & Eliminating, and Monitoring & Reporting on Risks)
Board Risk Appetite & Tolerance Statement → Establish a Strategic Risk Assessment for New Initiatives → Establish ERM Committee ongoing meetings
Ongoing Process #2 (Identifying & Assessing New Risks, Mitigating & Eliminating, and Monitoring & Reporting on Risks)
• Monthly: Progress Reports; New Initiatives
• Quarterly: Emerging Risks; Review ERM Matrix
• Annually: Complete Review & Approval of ERM Program
Resources
• FDIC Risk-Based Assessment System – Financial Institution Letters (FILs) https://www.fdic.gov/deposit/insurance/risk/FILS.html
• OCC Bulletin 2015-48 Updated Guidance on Risk Assessment System https://www.occ.gov/news-issuances/bulletins/2015/bulletin-2015-48.html#
• OCC Comptroller’s Handbook: Community Bank Supervision https://www.occ.gov/publications/publications-by-type/comptrollers-handbook/pub-ch-ep-cbs.pdf
• COSO (Committee of Sponsoring Organizations of the Treadway Commission) www.coso.org (2017 Publication “ERM – Integrating with Strategy and Performance”)
• Credit Union Act https://www.ncua.gov/Legal/Documents/fcu_act.pdf
• NCUA (National Credit Union Administration) https://www.ncua.gov/regulation-supervision/Pages/default.aspx
• Credit Union National Association www.cuna.org
Questions? Thank you!
Marci Malzahn, President & Founder
Consulting: www.malzahnstrategic.com
Free Resource: 30 Minute ERM Strategy Session with Marci
https://www.linkedin.com/pub/marcia-marci-malzahn/1/6/729
Speaking & Books: www.marciamalzahn.com
@marcimalzahn
612-242-4021