Back to ERM Basics – ERM Policies

Written by M&M Consulting

March 31, 2023

All regulatory eyes are back on Enterprise Risk Management (ERM) and executives at financial institutions can expect robust ERM exams in 2023 – no tea leaves required for this one. This article will look at the foundation of an ERM Program, meaning the ERM Policy.

By now every financial institution should have some type of ERM Policy. Whether the policy is relatively new or seasoned over five years, three findings seem to pop up consistently from auditors and examiners, and those are:

  1. To cite the lack of coverage of the technology systems (MIS) considered in the ERM Policy. Many ERM policies will include ‘aspirational’ statements about data analysis, aggregated data, Key Risk Indicators (KRIs), and the various reporting produced for management, committees, and the Board, but never include any wording about the need for, or reliance on, adequate technology systems to support the data analysis, aggregation, or computation of performance against KRIs. In other words, how does all this reporting come to be? The discussion of technology systems in an ERM Policy should include the requirement for a data and technology structure that supports the institution’s reporting needs, along with the need to understand where this data is, how to capture it, and how to aggregate it.
  2. To cite the lack of coverage for the strategic plan. This doesn’t mean the strategic plan has to be restated in the ERM Policy, but since the discipline of practicing ERM is to ensure the financial institution meets its strategic goals and objectives, this relationship to the strategic plan should be mentioned at the beginning of the ERM Policy.
  3. To cite the lack of reference to “Talent Management.” Examiners like to bandy about the phrase “qualified and competent management,” and a good talent management program will ensure that staff have the necessary skills to support the ERM Program. This section can be brief, but it should reference both existing staff and the talent acquisition program.

The inclusion of this information in the ERM Policy isn’t a heavy lift, and could eliminate potential findings in the future.
