Bates Research  |  09-19-24

Crafting an Enterprise Risk Management Program for MSBs

As MSBs get larger and more complex, they may find examiners, auditors, and bank partners asking about the MSB’s ERM (enterprise risk management) Program.  To the Compliance Officer of a larger MSB, who just finished enhancing and maturing the AML/Fraud Program, it may seem challenging to have to create another Program from scratch.  Before you know it, you’ll be named the Chief Risk/Compliance Officer.  Congratulations, but what happens after that?  This multi-part article on ERM will walk you through a few action items to consider.

What are the risks facing the entire organization?  It seems like an easy question, and most MSB Risk/Compliance Officers can articulate their risks with ease in a conversation, and even state how much risk they’re willing to take.  But the art and science of ERM involves formally documenting those risks and the risk appetite, and considering all risks across the organization.  It’s important to consider all risks because MSBs experience the same risks as many other financial institutions do (e.g., strategic, financial, operating, compliance, legal, and reputation risk), arising from their customers, products, geographies, operations, employees, third parties, and physical locations, if any.  These go well beyond financial crimes risk.  If MSB Risk/Compliance Officers don’t look beyond financial crimes risk, their enterprise risk assessment will essentially be a duplicate of the AML risk assessment.  That might not be enough to meet the needs of examiners, auditors, or bank partners.

ERM Elements to Begin With

ERM Programs aren’t built overnight.  They are usually started using a few elements of an ERM framework, and then enhanced and matured over time.  For those who take this approach, select a few elements of an ERM framework to focus on for your initial efforts.

Rather than rely on any one ERM framework to select elements, we’ll take common elements from various frameworks and build from there.  Some frameworks have as few as four elements, and some of the more granular frameworks have 10 or so elements, but the two most common elements to start with are:

  • Identification and assessment of risk
  • Risk appetite

An MSB Risk/Compliance Officer who is crafting an ERM Program can get assistance from a consulting firm that specializes in this area, as these consultants have “seen it all before.”  At the very least, consider using a firm for the Risk Appetite piece, as this element can be a challenge to many due to its complexities.

We will address these two elements below.  In future articles, we’ll address other common elements of an ERM Framework and finish by discussing current hot-button issues with ERM, including third-party risk management, new products/services, fraud risk management, and board/executive oversight.

Identifying and Assessing Risk

This is an extensive activity that involves systematically identifying risks to the MSB across the typical risk categories of strategic, financial, operating, compliance, legal, and reputation.  The identification of risks will form the backbone of the Enterprise Risk Assessment.

Per the OCC, “Risk assessments should measure the inherent risk, which is the risk that an activity would pose if no controls or other mitigating factors were in place. A residual risk rating should be assigned after controls are taken into account. The risk assessment process should be candid and self-critical.”  (OCC Comptroller’s Handbook:  Corporate and Risk Governance)

The documentation of an enterprise risk assessment can be captured on a spreadsheet, or in any other manner you’re comfortable with that conveys a Functional Area, Risk Statement, Inherent Risk, Controls, and Residual Risk.  There are several open-source templates available for capturing a risk assessment because there is no one “correct” way to do it.  For your first enterprise risk assessment, remember that sometimes less is more.  A 25-column risk assessment doesn’t always convey more meaningful information, or results, compared to a simple 6-column risk assessment.

Here's an example row from a simple risk assessment template.

[Image: example row from a simple risk assessment template, with the columns Functional Area, Risk Statement, Inherent Risk, Controls, and Residual Risk]

Before starting, you’ll want to determine what your risk rating scale will be.  For example, for assessing inherent and residual risk, you can choose a 5-point scale such as low, low-moderate, moderate, moderate-high, and high, or a simpler 3-point scale such as low, moderate, and high.  For assessing control strength, you can choose a 4-point scale such as Effective, Mostly Effective, Partially Effective, and Not Effective.  As always, before choosing a scale, determine whether procedures already exist that cover all risk assessments performed in the organization, and be consistent with those procedures.

To arrive at ratings, examiners, auditors, and bank partners will expect the process to be quantitative, but your first time through this process might be qualitative until your quantitative methodology is established.  Using information gained from years of experience in the industry, MSB managers can craft a meaningful risk assessment and add quantitative aspects as the risk assessment is enhanced.
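The following is an added example, not a Bates Group tool or template, showing how the 6-column row and the rating scales described above can be captured and sanity-checked in a small script.  It uses the article’s 5-point inherent/residual scale and 4-point control-strength scale.  The rule that derives a residual rating from inherent risk and control strength is this example’s own assumption; the article fixes no formula and defers to the firm’s existing procedures.  The checks it runs are the ones an examiner tends to raise: a residual rated higher than the inherent risk, a residual reduced with no effective controls behind it, and a recorded residual that departs from the derived one without a documented override.  The sample rows are constructed for a hypothetical MSB.

```python
"""Simple enterprise risk register with consistency checks.

Added example for this article, not Bates Group's own tool or template.
It models the 6-column row described above (Functional Area, Risk
Statement, Inherent Risk, Controls, Control Strength, Residual Risk) on
the article's 5-point risk scale and 4-point control-strength scale.
ASSUMPTION: the rule deriving residual from inherent and control strength
is this example's own; the article fixes no formula.
"""
from dataclasses import dataclass
from typing import Optional

# Article's 5-point inherent/residual scale, ordered from least to most risk.
RISK_SCALE = ["Low", "Low-Moderate", "Moderate", "Moderate-High", "High"]

# Article's 4-point control-strength scale, ordered from weakest to strongest.
CONTROL_SCALE = ["Not Effective", "Partially Effective", "Mostly Effective", "Effective"]

# ASSUMED derivation rule: how many notches each control rating moves the
# residual down from the inherent rating. "Not Effective" moves it none,
# so ineffective controls never reduce residual risk on paper.
STEP_DOWN = {"Not Effective": 0, "Partially Effective": 1, "Mostly Effective": 2, "Effective": 3}


@dataclass
class RiskRow:
    functional_area: str
    risk_statement: str
    inherent: str           # value from RISK_SCALE
    controls: str           # free-text description of mitigating controls
    control_strength: str   # value from CONTROL_SCALE
    recorded_residual: Optional[str] = None  # what the assessor wrote down, if anything


def validate_row(row: RiskRow) -> list[str]:
    """Return problems with the row's ratings; an empty list means all ratings are on-scale."""
    problems = []
    if row.inherent not in RISK_SCALE:
        problems.append(f"inherent rating {row.inherent!r} is not on the risk scale")
    if row.control_strength not in CONTROL_SCALE:
        problems.append(f"control strength {row.control_strength!r} is not on the control scale")
    if row.recorded_residual is not None and row.recorded_residual not in RISK_SCALE:
        problems.append(f"residual rating {row.recorded_residual!r} is not on the risk scale")
    return problems


def derived_residual(inherent: str, control_strength: str) -> str:
    """Residual rating under the assumed step-down rule, floored at the bottom of the scale."""
    idx = RISK_SCALE.index(inherent) - STEP_DOWN[control_strength]
    return RISK_SCALE[max(idx, 0)]


def review_row(row: RiskRow) -> list[str]:
    """Findings an examiner or auditor would raise about one row; empty means consistent."""
    findings = validate_row(row)
    if findings:
        return findings  # cannot compare ratings that are not on the scale
    derived = derived_residual(row.inherent, row.control_strength)
    if row.recorded_residual is None:
        return []  # nothing recorded yet; the caller can fill in `derived`
    rec = RISK_SCALE.index(row.recorded_residual)
    inh = RISK_SCALE.index(row.inherent)
    if rec > inh:
        findings.append("residual rated above inherent; controls cannot add risk")
    if row.control_strength == "Not Effective" and rec < inh:
        findings.append("residual rated below inherent although controls are Not Effective")
    if row.recorded_residual != derived:
        findings.append(f"recorded residual {row.recorded_residual!r} differs from derived "
                        f"{derived!r}; document the override")
    return findings


def review_register(rows: list[RiskRow]) -> dict[str, list[str]]:
    """Map each row's area and risk statement to its findings."""
    return {f"{r.functional_area}: {r.risk_statement}": review_row(r) for r in rows}


# Constructed sample rows for a hypothetical MSB; not data from the article.
SAMPLE_REGISTER = [
    RiskRow("Treasury", "Insufficient liquidity to settle agent remittances on time",
            "High", "Daily liquidity forecast; committed credit line", "Mostly Effective", "Moderate"),
    RiskRow("Information Security", "Compromise of customer transaction data",
            "High", "MFA on admin access; encryption at rest; annual penetration test",
            "Partially Effective", "Low"),
    RiskRow("Agent Oversight", "Agent skips customer identification at onboarding",
            "Moderate-High", "Annual agent audit", "Not Effective", "Low-Moderate"),
    RiskRow("Legal", "Lapse of a state money transmitter license",
            "Moderate", "Licensing renewal calendar with dual sign-off", "Effective", "Moderate-High"),
]

if __name__ == "__main__":
    for key, findings in review_register(SAMPLE_REGISTER).items():
        print(key)
        for finding in findings or ["consistent"]:
            print("  -", finding)
```

Run as a script, the first sample row comes back consistent, the Information Security row is flagged for a recorded residual well below what its partially effective controls support, the Agent Oversight row is flagged for claiming a reduction with no effective controls, and the Legal row is flagged for a residual above its inherent rating.  Whatever derivation rule a firm adopts, the value of the exercise is that it is written down, approved by management, and applied the same way to every row.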

When performing the first enterprise risk assessment, aim for progress over perfection.  Examiners, auditors, and partner banks may request that it be enhanced, but enhancing a risk assessment is a process that will naturally occur over time.  An imperfect enterprise risk assessment is better than nothing.  Note, though, that one of the benefits of working with a consultant on an initial enterprise risk assessment is that the consultant will typically already have a tool and methodology to use.  Be sure management reviews and approves the methodology before using it, though, and document this exercise.

Risk Appetite

This is a more esoteric and challenging topic. The risk appetite describes the amount of risk an organization is willing to accept to achieve its business objectives.  In practice, the risk appetite for the organization as a whole—and for each type of risk—is used for decision-making purposes, and it’s typically communicated as a statement.

Setting the MSB’s risk appetite is an exercise in which management and leadership of the MSB evaluate and discuss how risks affect the organization’s ability to achieve its strategic objectives, and then set limits for risk on that basis.  For example, an organization with a risk appetite set at “high” will likely take on any amount of risk to achieve its goals, which is unlikely in any financial institution.  An organization with a risk appetite set at “low” will be much more cautious.  Frequently, institutions will have a low risk appetite in areas that could shut them down, typically liquidity risk and cybersecurity risk.  Institutions will have a low-moderate risk appetite in areas where significant harm could come to the institution but would not necessarily shut it down; credit risk and even AML/OFAC risk are examples.  It would be unusual to see any financial institution with an aggregate risk appetite greater than moderate.  Moreover, if an MSB were to have a risk appetite greater than moderate, that MSB may have trouble finding a bank partner.

The risk appetite statement is so important that regulators look for it to be approved by the Board, communicated to the entire organization, included in training, monitored, and reported on quarterly or at some other frequency that makes sense based on the institution’s risk profile.

The risk appetite should be arrived at using quantitative methods as well, but it is usually such a difficult process to navigate initially that Risk/Compliance Officers will likely start with a qualitative approach.  As long as management can defend how they arrived at a rating, it should be accepted by examiners, auditors, and bank business partners, with the understanding that it will be enhanced.  The benefits of working with a consultant on the risk appetite go beyond being able to use the consultant’s tool and methodology.  The consultant can likely educate MSB management on what a risk appetite is, and skillfully extract from management’s comments what management’s appetite truly is.

Having completed the enterprise risk assessment and issued a risk appetite statement, the Risk/Compliance Officer is making progress in crafting a quality ERM Program for the MSB.  In the next part of this article, we’ll address other elements of an ERM Program, including Reporting and Analytics.

Brandi Reynolds

Managing Director, BSA/AML Compliance, FinTech & Virtual Assets

breynolds@batesgroup.com

864.809.7718