Main Menu

ERM for Financial Institutions: Mitigating risk amid regulatory pressures and requirements


Enterprise Risk Management, ERMFinancial institutions are in an environment of increasing regulation, such as oversight from the U.S. Consumer Financial Protection Bureau and other regulators, as well as new capital requirements, stress testing and other obligations. Consequently, they must understand their risks. For these organizations to gain a better perspective of their risks and define ongoing strategies to address their unique challenges, implementing an Enterprise Risk Management (ERM) program is a key strategic step toward staying ahead of the game.

"ERM can also help financial institutions navigate and assess their strategy and make sure that they understand what potentially may impact their strategy, both negatively and positively," said Bianca Sarrach, Manager, Advisory Services at Brown Smith Wallace. "ERM puts all of that into one bucket and really helps a bank or any financial institution understand the risk certain strategies may have on the business."

We spoke with Sarrach to get some insight into what is necessary to start an ERM program and what makes it successful.

What is needed to implement a successful ERM program?

Essentially, the only thing financial institutions need to begin an ERM program is the commitment of the management team and board. If the management team is not on board with putting an ERM program in place, it will be a struggle to integrate ERM and to maximize the benefit of such a program.

We do not require organizations to have any plans–we do not even require a deadline or timeline. As long as they have a commitment to do it, we can work with the team to customize an approach that will fit with the long-term goals of the institution.

What are the first steps to building an ERM program?

The first step is to determine the structure of the ERM program – who reports to whom, what kind of structure does the organization want? There are all kinds of different structures for putting an ERM program in place. Do you want individual teams? Do you want facilitated or individual meetings? It depends on the type of organization.

Do you have a good organizational structure in place? By understanding the foundation and structure of the organization, we can help build an ideal vision of what the organization's ERM could look like. We can incorporate ideas they have as well as provide some examples of what we have seen at other financial institutions. It is important to understand how the departments communicate with each other as well as what the reporting structure looks like so we can help build a long lasting program. We work with management to define the timeline and help everyone see the vision of the program.

What follows those initial steps?

Once the foundation of the program is built, we begin discussions to determine the risks of the organization. Typically, we will look at key players from different areas in the organization to understand what risks they face in each of their areas and what they do to mitigate risks they currently face. We do this for every area within the organization. In a bank, for example, we identify risk within each department, from lending to back office operations, including process and strategic, external and internal. Once those are established, additional meetings with management are held to rate the risks and further determine which risks are considered significant as a group. It is important to build a framework that not only identifies the risks but also considers strategies to mitigate them.

What's one example of a company that was successful in implementing an ERM program?

There was one smaller organization that sat down and decided while they are not required to have an ERM program, it would be a good benefit for them. The board and management team developed an initiative that resulted in enhanced management meetings. They have established what they consider to be their significant risks and monitor how those risks can impact the bank, including positive and negative impacts. The result:  a successful ERM program. Now, for everybody who works at that bank, it is simply a part of their daily tasks to think about risk and how it affects various aspects of the organization.

By far the biggest benefit was they finally understood what different parts of the bank were doing and how different risks managed by different departments can impact the bank as a whole. ERM really helped them understand the different parts of the organization better, which is a big part of ERM – making sure you really understand your organization and everything that plays into it.

What are some of the obstacles and pitfalls of implementing an ERM program?

In developing an ERM program, some organizations design a process that becomes a burdensome exercise. That is typically where ERM programs fail. You need to make sure everybody is on board – make sure the board and management have an invested interest, make sure your staff buys in. Build a program that enhances daily operations. ERM is not a one-time project, it's an ongoing mindset and it has to become part of management of the organization. Continuously and over time, it has to become part of everyday tasks and strategy.

Are there any final points readers should know about ERM for financial institutions?

An important step within the ERM program is to communicate and "socialize" it within the organization so that you're not just going through the motions. Emphasizing and communicating your ERM strategy and program to your board and your employees is a significant part of the process. Without effective communication, program implementation will not be successful.

Bianca Sarrach, CIA, CFSA, CRMATo discuss an ERM strategy for your institution, please contact Bianca Sarrach at 314.983.1365 or


Back to Page