Implementing ERM Enterprisewide in the Banking Industry

Banks face many types of risks every day, including credit, interest rate, price, liquidity, currency,
operational, legal, regulatory, fraud and reputation risks. At different times, one or more of these
risks seem to take on greater significance. During the sovereign debt crises of the 1980s, we
saw the banking industry's attention focused on currency risk. In the late 1980s and early 1990s,
interest rate risk and credit risk were significant concerns, as banking organizations in the United
States failed in record numbers. And, as we approached the beginning of the 21st century, banks
focused their attention keenly on technology risks.
More recently, managing regulatory risk has been the priority issue as banks cope with a host of
new or evolving regulations, including, but certainly not limited to, corporate governance, Basel II
and anti-money laundering requirements. Concurrently, spurred in part by innovations in
technology, banks also have been facing increased information security and fraud risks that can
threaten brand value. In fact, most banking organizations today certainly would rank managing
compliance risk and managing reputation risk, which are often intertwined, among their main
challenges.
Importance of Risk Management
Mismanaging risk can be very costly. Avoiding all risk is not an option. Besides, with no risk,
there is no reward. The only solution, therefore, is effective risk management.
"The essence of risk management lies in maximizing the areas where we have some control
over the outcome, while minimizing the areas where we have absolutely no control over the
outcome and the linkage between effect and cause is hidden from us."*

The underpinning of an effective risk management program is a thorough understanding of the
risks, the uncertainties, that face a business, where and how they arise, and in some
instances, how they can be exploited to a company's advantage. See illustration below.



* Bernstein, Peter L., Against the Gods: The Remarkable Story of Risk, 1996, published by John Wiley & Sons, Inc.,
New York, p. 197.


Environment risks are uncertainties arising externally that affect the viability of the enterprise's
business model. These external forces include the actions of competitors and regulators, shifts in
market prices, technological innovation, changes in industry fundamentals, and the availability of
capital or other factors outside the company's direct ability to control.
Process risks are uncertainties affecting the execution of the business model, and therefore
often arise internally within the organization's business processes. Process risks arise when
internal processes do not realize the objectives they were designed to achieve in supporting the
entity's business model. For example, characteristics of poorly performing processes, or process
risks, include inadequate alignment with business objectives and strategies, dissatisfied
customers and inefficient operations. They also include diluting (instead of creating or
preserving) enterprise value, and failing to protect significant financial, physical, customer,
employee/supplier, knowledge and information assets from unacceptable losses, risk taking,
misappropriation or misuse.
Information for decision-making risks are uncertainties affecting the relevance and reliability of
information supporting management's decisions to protect and enhance enterprise value. These
risks arise when information used to support business decisions is incomplete, out-of-date,
inaccurate, late or simply irrelevant to the decision-making process.
This framework of three broad, interrelated categories of risk can, and should, be customized to
address specific industry risks. The following model categorizes the typical risks faced by
banking organizations into the three broad groupings. Each of the risks included in the model is
defined to promote consistent interpretation across the organization to provide a common risk
language.
PROTIVITI RISK MODEL℠ FOR THE BANKING INDUSTRY



Implementing ERM
The Protiviti Risk Model℠ is designed to help bank management move beyond traditional risk to
enterprise risk management (ERM). Traditional risk management focuses on managing
uncertainties around physical and financial assets. With ERM, risk also may be viewed as a
positive: The objective of a risk management program is not only to protect, but also to create
enterprise value. Risk management is embedded in the company's strategy and is managed at
the top of the organization.


The banking industry is among the more advanced in implementing ERM concepts. Yet, very few
companies have implemented a truly enterprisewide approach across all of their operations. One
benefit of ERM is that it provides the means for rationalizing the multiple risk management
processes and systems that exist in many banks, thereby eliminating duplicative efforts and also
helping to identify any continuing gaps.
Adopting a common risk language is key to implementing and sustaining ERM, but it is just the
first step. Other important steps include:
- Articulating the risk management vision, goals and objectives, along with a persuasive value proposition for an ERM program
- Establishing an oversight and risk management structure
- Conducting an enterprise risk assessment to identify and prioritize the company's critical risks
- Performing a gap analysis of the current and desired capabilities around managing the critical risks
- Developing actionable plans for moving toward desired capabilities
- Designing and implementing risk response plans for managing specific risks
- Continuously assessing and improving capabilities
The level of effort required to implement ERM is not insignificant, nor are any two ERM solutions
alike. Companies have different objectives, strategies, structures, cultures, risk appetites and
financial wherewithal. The specific approaches, processes, methodologies, systems and metrics
that define the solution will differ from company to company. For most companies, ERM will
require a cultural change.
Our Point of View on ERM
Companies often cannot get beyond the theory and concepts of ERM to an understanding of how
to implement it tactically. At Protiviti, we believe that the tenets of effective ERM implementation
are:
- Set realistic goals.
- Leverage what the company has already.
- Integrate with what the company does.
- Keep ERM implementation simple.
About Protiviti
Protiviti (www.protiviti.com) is a leading provider of independent risk consulting and internal
audit services. We provide consulting and advisory services to help clients identify, assess,
measure and manage financial, operational and technology-related risks encountered in their
industries, and assist in the implementation of the processes and controls to enable their
continued monitoring. We also offer a full spectrum of internal audit services to assist
management and directors with their internal audit functions, including full outsourcing,
co-sourcing, technology and tool implementation, and quality assessment and readiness reviews.
Protiviti, which has more than 50 locations in the Americas, Asia-Pacific and Europe, is a wholly
owned subsidiary of Robert Half International Inc. (NYSE symbol: RHI). Founded in 1948, Robert
Half International is a member of the S&P 500 index.
Our Financial Services Practice
Protiviti's dedicated Financial Services practice includes professionals with deep industry
experience in banking, insurance, brokerage and investment companies. These financial
services professionals can work with you to find approaches to help you improve and establish
strategies for your business, as changes in the industry and regulatory environment impact your
organization.
Recommended industry-related publications include the Guide to Enterprise Risk Management
and FS Insights.



For additional information about the issues reviewed in this white paper or Protiviti's services,
please contact:
Carol Beaumier, Managing Director, 212.603.8337, carol.beaumier@protiviti.com
Michael Schuchardt, Managing Director, 312.476.6399, michael.schuchardt@protiviti.com
In October 2005, The Forrester Wave: Enterprise Risk Management Consultants, 4th
quarter, 2005, was released. The research identified Protiviti as a Leader in the field.
According to the study:
- Protiviti has strong methodologies and was rated well by clients. In the client reference category, Protiviti received a perfect score of 5 out of 5.
- Protiviti's service is an especially good fit for buyers that are looking for a strong source of ERM thought leadership and shared knowledge and are looking for operational implementation of an ERM program.
- Protiviti's well-developed risk taxonomy is a key differentiator from the other leading firms.

Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation
services.

© 2007 Protiviti Inc. An Equal Opportunity Employer
