The methodology of Enterprise Risk Management (ERM) often varies between the banking sector and the corporate world, reflecting the different challenges and regulatory environments each faces. By comparing these approaches, we can gain a clearer understanding of the driving factors and essential components behind each system.
Understanding the ERM Framework
An ERM system is usually composed of four key layers:
- Governance and Organization: This foundational layer outlines the structure of accountability, detailing how risk ownership, control, and assurance responsibilities are designated. Within this layer, risk committees play a pivotal role. Additionally, it establishes the risk taxonomy that underpins the entire policy structure.
- ERM Processes and Methodologies: This is where the overarching ERM approach and its associated processes are delineated. Financial risks are typically governed through limit structures, while non-financial risks are usually scored on matrices that map the severity and probability of both inherent risk (before controls) and residual risk (after controls). This layer also covers incident management, risk and control assessments, risk appetite setting, and the monitoring/reporting procedures.
- Risk-specific Control Processes: At this level, the focus is on the mechanisms geared towards handling distinct types of risks. Non-financial risks, for example, are often overseen via specific controls, ranging from reconciliation procedures for financial statements to controls embedded in IT systems to address cybersecurity threats.
- Risk and Integrity Culture: The final layer revolves around nurturing an organization-wide mindset and behavior toward risk. This includes leadership’s tone, incentive structures, consistency in risk governance, and strategies to identify and navigate risk-related conflicts and issues.
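The scoring approach in the processes layer is easiest to see in code. The following is an added example, not code from the original article or from any named firm: a minimal risk register that applies both scoring styles the article describes (severity x likelihood matrices with inherent and residual ratings for non-financial risks, limit utilisation for financial risks) and flags every entry that falls outside a stated risk appetite. The rating bands, the appetite thresholds, the `control_effect` convention and all sample entries are assumptions constructed for illustration.

```python
"""Added example, not code from the original article: a minimal risk register
that applies the two scoring styles the article describes -- severity x
likelihood matrices (inherent vs. residual) for non-financial risks and a limit
structure for financial risks -- and flags entries outside a stated risk
appetite. Thresholds, names and sample entries are all constructed."""
from dataclasses import dataclass

# Rating bands for a 5x5 matrix (assumed thresholds on severity * likelihood).
BANDS = [(5, "low"), (10, "medium"), (16, "high"), (25, "critical")]
BAND_ORDER = [label for _, label in BANDS]


def band(score: int) -> str:
    """Map a severity * likelihood product (1..25) to its rating band."""
    for upper, label in BANDS:
        if score <= upper:
            return label
    raise ValueError(f"score out of matrix range: {score}")


@dataclass
class NonFinancialRisk:
    name: str
    severity: int            # 1..5, impact if the event occurs
    likelihood: int          # 1..5, before any controls
    control_effect: int = 0  # likelihood points removed by controls in place

    def __post_init__(self):
        for v in (self.severity, self.likelihood):
            if not 1 <= v <= 5:
                raise ValueError(f"{self.name}: matrix scores must be 1..5")

    def inherent(self) -> int:
        return self.severity * self.likelihood

    def residual(self) -> int:
        # Controls reduce likelihood, never below 1; severity is unchanged,
        # so a control that only lowers probability cannot make a high-impact
        # event vanish from the register.
        return self.severity * max(1, self.likelihood - self.control_effect)


@dataclass
class FinancialRisk:
    name: str
    exposure: float  # current exposure, same unit as the limit
    limit: float     # approved limit

    def utilisation(self) -> float:
        return self.exposure / self.limit


# Assumed risk appetite: residual non-financial risk may be at most "medium",
# and no financial exposure may exceed its approved limit.
APPETITE = {"max_residual_band": "medium", "max_utilisation": 1.0}


def find_breaches(register, appetite=APPETITE):
    """Return (name, reason) for every register entry outside the appetite."""
    max_band = BAND_ORDER.index(appetite["max_residual_band"])
    breaches = []
    for r in register:
        if isinstance(r, NonFinancialRisk):
            label = band(r.residual())
            if BAND_ORDER.index(label) > max_band:
                breaches.append(
                    (r.name, f"residual {label} (inherent {band(r.inherent())})"))
        elif isinstance(r, FinancialRisk):
            u = r.utilisation()
            if u > appetite["max_utilisation"]:
                breaches.append((r.name, f"limit utilisation {u:.0%}"))
    return breaches


def sample_register():
    """Constructed sample entries (not real data)."""
    return [
        NonFinancialRisk("phishing-led credential theft", 4, 5, control_effect=2),
        NonFinancialRisk("ransomware on production systems", 5, 3, control_effect=1),
        NonFinancialRisk("single-source supplier outage", 3, 2),
        FinancialRisk("counterparty X credit exposure", exposure=12.5e6, limit=10e6),
        FinancialRisk("EUR/USD open position", exposure=3e6, limit=5e6),
    ]


if __name__ == "__main__":
    for name, reason in find_breaches(sample_register()):
        print(f"OUTSIDE APPETITE: {name}: {reason}")
```

With the constructed entries, the phishing risk stays outside appetite even after controls (inherent critical, residual high) and the counterparty exposure is at 125% of its limit; the other three entries sit within appetite. Keeping inherent and residual scores side by side is what lets a risk committee see how much of the reduction depends on controls that must themselves be tested.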
Comparing Banks and Corporates: Key Differences
Governance and Organization
The risk governance structures of banks and corporations display noticeable disparities. Banks, given their regulatory environment, tend to have more extensive centralized risk functions. They are mandated to have distinct roles like a Chief Risk Officer (CRO) in a second-line executive position. In contrast, corporations integrate risk management more directly into their operations and typically assign risk responsibilities to the Chief Financial Officer (CFO). It’s rare for a non-financial firm to have a separate risk executive.
In terms of function, corporate risk management mainly revolves around identifying and reporting on risks, with an emphasis on frameworks that oversee areas like capital market compliance, anti-corruption measures, and export risks. In contrast, banks have a CRO that addresses regulatory queries about incidents and the measures in place to remedy underlying problems.
Banks often adopt a highly quantitative approach, defining their risk profile in relation to available capital and then disseminating this down the organizational hierarchy. However, this approach is less feasible for non-financial risks. While creditworthiness can be predicted from financial data and market volatility gauged from market metrics, non-financial risks require a more context-specific understanding, making the banking model less applicable.
Corporates, given the nuances of their operations, typically build their risk-management strategies around expert judgment and operational performance metrics. They deploy this method for quality control and for handling product-related risks, which gives them a more adaptable framework than most banks have.
Risk-specific Control Approaches
Corporations, depending on their industry, have developed advanced non-financial risk management methods that banks can emulate:
- Managing Process Risks: Industries like automotive and pharmaceuticals have comprehensive approaches to risk management. The automotive sector, with its significant outsourcing, necessitates rigorous supplier monitoring for cost and quality. The pharmaceutical industry is well-versed in managing risks associated with R&D and adhering to strict production standards.
- Software Development and Deployment: As banks move towards rapid software development cycles, they can glean insights from the tech sector, which has mature practices for keeping products stable while releasing frequently and for rolling out changes smoothly.
- Corporate Security and Continuity: Industries like aviation, which have always grappled with geopolitical and safety risks, can offer valuable lessons in managing physical security challenges.
- Decision-making Bias Mitigation: Industries with high capital expenditure, such as oil and gas, have honed their skills in risk assessment for large projects, ensuring that decision-making is as unbiased as possible.
Risk and Integrity Culture
Corporations, with their relatively smaller risk teams compared to banks, have traditionally emphasized the cultural aspects of risk management. Notable integrity issues have arisen in various sectors, from the auto industry’s emission scandals to aviation’s autopilot failures. To counter these challenges, corporations have implemented measures like whistleblower systems, training programs, and employee surveys. While banks have integrated some of these measures, they often have not adopted them to the same extent, especially in the realm of non-financial risks.
In the ever-evolving landscape of risk management, both banks and corporates have much to learn from each other. By understanding the strengths and limitations of each approach, they can adapt and innovate, ensuring that they remain resilient in the face of emerging challenges.