Enterprise-Wide Risk Management (ERM)

Enterprise-Wide Risk Management (ERM) is defined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) as:

ERM is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

All financial regulatory agencies have adopted and strongly encourage COSO's ERM framework. Additionally, the Federal Reserve and OCC have provided further guidance regarding financial-institution-specific risks within the COSO ERM framework.

COSO's four categories of ERM framework for an entity's objectives

  1. Strategic - high-level goals, aligned with and supporting its mission
  2. Operations - effective and efficient use of its resources
  3. Reporting - reliability of reporting
  4. Compliance - compliance with applicable laws and regulations

Eight Components of ERM as defined by COSO

  1. Internal Environment
  2. Objective Setting
  3. Event Identification
  4. Risk Assessment
  5. Risk Response
  6. Control Activities
  7. Information and Communication
  8. Monitoring

Risk Area Definitions by both the FRB and OCC

  1. Credit Risk arises from the potential that a borrower or counterparty will fail to perform on an obligation.
  2. Market Risk is the risk to a financial institution's condition resulting from adverse movements in market rates or prices, such as interest rates, foreign exchange rates, or equity prices.
  3. Liquidity Risk is the potential that an institution will be unable to meet its obligations as they come due because of an inability to liquidate assets or obtain adequate funding (referred to as "funding liquidity risk") or that it cannot easily unwind or offset specific exposures without significantly lowering market prices because of inadequate market depth or market disruptions ("market liquidity risk").
  4. Operational Risk arises from the potential that inadequate information systems, operational problems, breaches in internal controls, fraud, or unforeseen catastrophes will result in unexpected losses.
  5. Legal Risk arises from the potential that unenforceable contracts, lawsuits, or adverse judgments can disrupt or otherwise negatively affect the operations or condition of a banking organization.
  6. Reputational Risk is the potential that negative publicity regarding an institution's business practices, whether true or not, will cause a decline in the customer base, costly litigation, or revenue reductions.

Additional Risks that are defined by the OCC

  1. Strategic Risk is the risk to earnings or capital arising from adverse business decisions or improper implementation of those decisions.
  2. Transaction Risk is the risk to earnings or capital arising from problems with service or product delivery.
  3. Compliance Risk is the risk to earnings or capital arising from violations of laws, rules, or regulations, or from nonconformance with internal policies and procedures or ethical standards.
  4. Price/Interest Rate/Foreign Exchange Risk is the risk to a financial institution's condition resulting from adverse movements in market rates or prices.

NETBankAudit understands the challenges that community financial institutions face!