Enterprise Risk Management (ERM) is a top-down approach to managing risks across the whole organization in support of profitability, performance, and regulatory compliance.
The practice of ERM is crucial in banking because it helps banks and other financial institutions prevent, detect, assess, and mitigate risks arising from operational disruption, financial volatility, regulatory non-compliance, and similar sources.
However, implementing ERM in the banking industry poses unique challenges, especially for small and medium-sized institutions.
This blog discusses the top challenges in ERM implementation in banking and shares some effective strategies and best practices to address those.
Enterprise Risk Management (ERM) Implementation Challenges
Financial institutions may choose from various frameworks and standards such as COBIT, COSO, ISO 27001, RIMS, SOC 1 Type 2, SOC 2 Type 2, CMMC, NIST, and FedRAMP. Note that these are not all ERM frameworks in the strict sense: COSO ERM addresses enterprise-wide risk, whereas COBIT, ISO 27001, and the NIST frameworks focus on IT and information security risk, SOC 1 and SOC 2 Type 2 are attestation reports rather than frameworks, and CMMC and FedRAMP are compliance programs for organizations handling US federal data. The narrower standards typically feed control and assurance evidence into the ERM program rather than replace it.
They may also consider customizing a framework based on their business goals, structure, technology, and available resources. However, implementing an enterprise risk management framework can be immensely complex.
Below are the top challenges often encountered by Chief Risk Officers (CROs), Operational Risk Managers (ORMs), and other stakeholders while implementing an ERM program.
1. Resistance to Change
ERM implementation requires changes to existing policies, processes, and procedures. The usual resistance to change can lead to pushback and potentially sabotage the project. The reluctance may stem from employees' negative experiences with similar initiatives at past organizations, or from apprehension about job losses when the new process introduces automation or modern digital technologies.
2. Lack of Qualified Personnel
ERM implementation requires niche domain expertise and guidance from senior stakeholders such as the CRO. It also requires strong leadership that commits adequate resources and time to the ERM process. A shortage of personnel with the requisite expertise can hamper implementation and jeopardize the success of the ERM program.
3. Lack of Perceived Benefits of ERM
One of the challenges in ERM implementation is the lack of perceived value of ERM, which lets other organizational initiatives take precedence. As a result, management prioritizes other objectives and may not allocate sufficient resources to identify risks and implement ERM.
4. Lack of Management Support
Reporting the impact of ERM on strategic goals can be difficult, particularly during the project's initial phases, when there is little measurable outcome to show. Reporting problems hamper the trust-building process with stakeholders and curtail their support, which in turn can derail ERM implementation through inadequate resources and limited buy-in from other stakeholders.
5. Difficulties in Defining/Quantifying Risks
Establishing a formal risk management framework and a common risk nomenclature are among the most difficult challenges in building or implementing a risk management program. Failure to establish consistent risk definitions and procedures can jeopardize the program's success and aggravate the organization's risks, since risks that are named and scored differently across business lines cannot be aggregated or compared.
6. Challenging Regulatory Environment
The ever-changing regulatory environment results in disparate regulatory norms across jurisdictions, high scrutiny, and the fear of compliance failures caused by human error or unanticipated events despite best efforts. The obligation to comply with various laws and regulations in a volatile market and geopolitical landscape necessitates a highly diligent approach to adopting, customizing, and implementing ERM.
7. Cost Justification
Demonstrating an ERM framework's value well enough to justify its cost in an ROI-driven environment is difficult and can stall decision-making. ERM risk-and-reward metrics are less prescriptive than compliance requirements and thus remain voluntary for many organizations, so the value proposition cannot lean on regulatory language or mandated compliance the way a regulatory program can.
8. Planning Horizon
The time or planning horizon for an enterprise risk management assessment depends on the organization's willingness to invest in risk management. Companies often prefer a short-term planning horizon, as it generally needs less training, is less expensive, and yields risk estimates sooner than a long-term horizon. To meet ERM objectives, banks and financial institutions must settle on a planning horizon and apply it consistently.
9. Lack of Ownership
Another significant difficulty in developing and implementing an ERM framework is determining who should own ERM, a question that is frequently debated and left unclear at the board, director, audit committee, and management levels.
10. Risk Reporting
Organizations frequently struggle with determining what information to disclose to internal and external constituents, as well as how to communicate the risk. Furthermore, disclosures must offer meaningful risk insight without exposing sensitive or privileged information; otherwise legal counsel may object to what is shared with external regulators, stakeholders, and auditors.
Strategies to Address ERM Implementation Challenges
Successful implementation of ERM depends on various factors. To overcome the inherent challenges described above, financial institutions need a number of prerequisites in place, including:
1. Gradual Implementation
Incremental changes, instead of large-scale changes made all at once, can reduce risk, increase agility, and support transparency. Institutions need to set realistic ambitions and make small-scale changes first. This builds credibility within the organization and eases the ERM implementation.
2. Consistent Communication
Communicating the benefits of ERM to all stakeholders, including employees, management, and the board of directors can help overcome the resistance to change. Consistent reporting of the impact of ERM implementation on the organization’s strategic goals, risk exposure, and decision-making can help. Banks can also involve employees in the implementation process by soliciting their feedback and addressing their concerns.
3. Support from Top Management
Gaining strong support from top management can foster ERM implementation in the organization. The risk team can garner the necessary support by highlighting the benefits of ERM and demonstrating its alignment with the organization's strategic goals. Further, risk officers can involve stakeholders in the ERM implementation process by keeping management informed and incorporating their inputs and feedback.
4. Diligent Needs Assessment
The institution must conduct a thorough needs assessment to determine the resources required for ERM implementation. Following this step, it needs to prioritize the activities and allocate resources accordingly. Additionally, financial institutions may consider outsourcing some of the ERM implementation activities to third-party providers. This can free up internal resources for important operational and business activities.
Best Practices for ERM Implementation
Following are some of the best practices that can help financial institutions overcome ERM implementation challenges:
1. Develop a Comprehensive ERM framework
A comprehensive ERM framework should outline the risks, risk tolerance, risk appetite, organizational objectives and goals, implementation plan, and risk management processes. It should also define the roles and responsibilities of all stakeholders and provide clear guidelines for risk-taking and decision-making.
2. Perform a Thorough Risk Assessment
Conduct a complete risk assessment across all business lines and functions to identify and prioritize risks at the business level. This evaluation should consider the organization's business objectives, data insights, and stakeholder inputs.
3. Prepare a Risk Management Plan
A risk management plan based on the risk assessment results is crucial for specifying the treatment strategies. For each prioritized risk, the plan should select a treatment option: risk mitigation, risk transfer, risk avoidance, or risk acceptance. It should also establish risk tolerance limits and provide rules for risk monitoring and reporting.
4. Create an Implementation Plan
Planning is a critical step in ERM implementation and comprises the following:
- The scope of the project
- The objectives
- The stakeholders
- The resources
- The timetable
- The risk management processes
5. Communicate the Plan to Stakeholders
The implementation strategy should be communicated to all stakeholders, including the management team, staff, customers, and suppliers. The communication should be straightforward and concise, emphasizing the benefits of ERM.
The numerous challenges associated with ERM implementation can derail or sabotage risk management projects and make the process frustrating and time-consuming. However, with the right approach and best practices, institutions can overcome these challenges and implement ERM successfully.
Additionally, monitoring and reporting the progress of ERM projects is critical for making the adjustments needed to achieve effective outcomes.
Anaptyss provides a domain-led Enterprise Risk Management practice to help banks and financial institutions implement ERM frameworks, securing their business from critical risks across all levels.
Associate Director – Enterprise Risk Management