Lesson From Recent Bank Failures: Prioritize Risk Management

It will take time to fully explain the recent collapses of First Republic Bank, Silicon Valley Bank and Signature Bank. But there’s an immediate takeaway for everyone, not just for financial institutions: It’s critical to have an effective enterprise risk management (ERM) program. Among other problems, the banks’ risk management allegedly wasn’t properly calibrated for their business models.

Beyond banking

In a recent interview, Russ Porter, chief financial officer (CFO) of the Institute of Management Accountants (IMA), said that it’s a good time for CFOs to apply lessons learned from the recent bank failures to their company operations. While people are talking about the need to diversify their banking relationships, a bigger lesson is risk management for all industries and all types of businesses.

“The underlying theme really is making sure that CFOs are thinking about all of their business relationships and ensuring that they’re applying good risk management techniques in terms of assessing, implementing preventative controls and being prepared for mitigating actions should risks actually come to fruition,” said Porter, a former 30-year member of IBM’s finance team. He likened this situation to the popular adage of not putting all your eggs in one basket.

This doesn’t necessarily mean your business can never rely heavily on a bank, supplier, key person or customer. Instead, management needs to identify risks and evaluate how changes in the business environment could affect those risks. It’s also critical to brainstorm “balancing or mitigating actions” in case risks are realized.

Risky business

Risk is part of owning and operating a business. And, during this era of financial uncertainty, globalization and technological change, companies are being called on to manage an assortment of daunting risks. But excessive levels of risk can impair value, consume working capital and possibly lead to bankruptcy if left unchecked. Although business owners can’t eliminate all risk factors, they can manage their risk profiles by implementing a formal ERM program.

ERM goes beyond internal controls. It should be a top-down directive that permeates all levels of an organization. Effective ERM helps managers accomplish their strategic, operations, reporting and compliance objectives.

Traditional risk management techniques — which often are informal and ad hoc — use a “siloed” approach. In other words, each department in a company focuses on minimizing its own risks. This isolated approach is ineffective, because it wrongly assumes that the goal of risk management is to eliminate risk. Rather, the goal is to optimize risk, or to promote the company’s strategic objectives while maintaining an acceptable level of risk.

By comparison, a formal ERM program takes an integrated approach to managing risk, recognizing that many risks are enterprise-wide and interrelated. Consider a bank whose loan review department evaluates credit risk based only on potential financial losses from a borrower’s default. If the bank used ERM, it might also consider the risk that an increase in defaults would damage the bank’s reputation. In other words, the risk associated with bad loans extends well beyond lost receivables or the financial cost of foreclosure.

Proactive, holistic approach

Many businesses wait until they’re already in trouble before they address risks. But crisis management tactics provide only quick fixes for symptomatic problems. An ERM program starts managing risk while the organization is still healthy and has breathing room to develop effective mitigation strategies.

During his recent interview, Porter pointed out that risk management is an area where CFOs get to use their right brains and be creative in thinking through the different risks that could affect their organizations, while getting input from the left-brain side of the organization. It involves gathering operations’ view of the key risks while also soliciting input from sales, marketing and human resources.

Sidebar: COSO Framework

A tool that’s been helpful to companies is the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) Enterprise Risk Management — Integrated Framework. This widely used guidance represents best practices in risk management.

COSO is a joint initiative of five private sector organizations that develop frameworks and guidance on enterprise risk management (ERM), internal controls and fraud deterrence. The five organizations are the American Accounting Association, the American Institute of Certified Public Accountants, Financial Executives International, the Institute of Internal Auditors and the Institute of Management Accountants (IMA).

The ERM framework discusses the significance of a risk to a company and the probability of that risk happening. In the view of Russ Porter, chief financial officer of the IMA, it’s a great framework to help an organization assess which risks could put the existence of the organization in danger, as opposed to things that aren’t likely to happen. If risks from the latter category materialize, they’re unlikely to wipe out the business.

According to COSO, ERM is “a process … applied in a strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”