SRC Insights: Fourth Quarter 2008

Enterprise Risk Management: Getting Back to the Basics

The current economic downturn—a changing interest rate cycle and an increasing decline in the credit industry—has presented unique risk management challenges for many financial institutions. Because managing corporate risk (specifically, enterprise risk) is, quite possibly, the key component for an institution's continued survival, it is important to understand the elements that make for an effective enterprise risk management program and to adopt the necessary prudential actions that identify, measure, monitor, and control risk. This article will discuss issues around common strategies to address risk and the benefits of implementing an enterprisewide approach to monitor and manage risk exposure.

The Issues

As economic problems began to materialize late last year, it became apparent that many financial institutions underestimated or devalued their emerging risks, possibly driven by their overconfidence in how risk and opportunity were being managed. As a result, enterprise risk management programs were either constructed incorrectly or deemed inefficient to address the overall risk approach and appetite for many institutions. Most enterprise risk management programs delved deeply into "hot," or most common, key risks, often avoiding the less transparent—albeit important—risks.

In addition, institutions placed little emphasis on risk correlation, the process of evaluating one specific risk and its impact on other risks, which ultimately led to miscalculations in risk monitoring measurements. Ideally, a risk management program for any financial institution should assess the relationship that a particular risk, such as credit risk, has with other identified risks, such as market or compliance risk.

Whenever significant financial distress occurs, institutions typically react to a crisis by identifying and managing the immediate risk exposure, while enterprisewide risk exposure is often neglected. A good example of this rationale surfaced with the current credit downturn. Many institutions employed a reactive approach by enhancing current policies and procedures, instituting new ones, and strengthening underwriting standards. What may have been overlooked with the credit meltdown and the industry's reactive approach, however, was the unexpected impact on liquidity and capital positions, operational controls, and industry reputation. Combined with increased liquidity pressures, unanticipated credit losses created a negative impact on institutions' capital positions and their ability and willingness to seek capital markets funding. The ultimate result was an unequal level of oversight apportioned to credit, liquidity, and capital risk management.

The Basics of Enterprise Risk Management

Asking and answering basic questions, like "What can go wrong?," "What will we do if something goes wrong?," and "If something happens, how will we pay for it?," can help any institution understand, assess, and mitigate its corporate risk. Each institution should consider where it stands in regard to enterprise risk management.

Enterprise risk management defined. By definition, enterprise risk management is the identification, management, measurement, and oversight of an institution's various business risks. It is a structured approach to managing uncertainty. As such, an institution's enterprise risk management framework should be designed to determine potential uncertainty and how much risk the institution is willing to accept. This concept can only be realized, however, if all of the institution's various risks are reviewed or assessed in collaboration, rather than isolation. One single transaction can have a plethora of other related risks tied to it, and when hidden under an institution's radar, it can have a tremendous domino effect.

Enterprise risk management in a changing environment. In today's highly complex and competitive banking environment, an institution's enterprise risk management program should be the quintessential component to its ongoing management and oversight. Enterprise risk management oversight is one of the most fundamental elements of any prudent risk management program. It is management's responsibility to establish strategic objectives and cascade those objectives throughout the corporation. Institutions that have embraced the concept of risk identification using enterprisewide oversight are better positioned to proactively address their risk in any given financial environment.

Historically, many institutions have understood the concept of designing an enterprise risk management program that enables them to maximize their rate of return at an acceptable risk level. With any enterprise risk management program, though, one of the most critical pieces to its effectiveness is understanding the direct relationship between strategic objectives and risk management components.

Effective enterprise risk management should enable the management team to handle any uncertainty or risk through the implementation of strategies and objectives that strike a balance of return and risk. To that end, an institution's enterprise risk management process must keep pace with a growing and changing risk profile. An enterprise risk management process is a dynamic function and should be modified, validated, and approved as an institution's business plan changes.

The standard tools used in conjunction with established credit risk management monitoring, for instance, were not suited for the more complex credit products that institutions were offering. In essence, these tools failed to effectively identify impending risk.

Successful enterprise risk management. Financial institutions with effective enterprise risk management programs have active board and senior management who not only play a significant role in the adoption and maintenance of the programs, but also accept ownership and promote compliance. Their ability to assess overall risk on an enterprisewide level, understand the risk interconnections, and translate risk assumptions into effective risk mitigants is crucial.

Establishing a culture that acknowledges risk ownership from everyone within the institution is an equally important responsibility of the board and senior management. And having strong board and senior management oversight is a key factor for distinguishing an institution's financial performance.


The main objective of any risk management program is to reduce risk. Economic downturns will occur periodically, and implementing a sound enterprise risk management program that incorporates effective risk identification and correlation, remains dynamic, and utilizes active management oversight will provide a better foundation for overcoming adverse financial environments.

If you have any questions on matters related to enterprise risk management, please contact your primary regulatory agency. For those institutions supervised by the Federal Reserve Bank of Philadelphia, please contact Ivy M. Washington at (215) 574-6642.

The views expressed in this article are those of the author and are not necessarily those of this Reserve Bank or the Federal Reserve System.