How to Ensure ERM Works at Small Companies, Too
By Bill Stephens
Compliance Week Guest Columnist
Senior Audit Consultant, TheDoctors.com

In my 34 years of experience as an internal auditor, I've seen a wide variety of enterprise risk management control failures. And to my thinking, they all share one common denominator: a failure by the board or the CEO to implement an effective ERM program that addressed the right risks.

That has become all the more clear in light of the financial crisis of the last 18 months, where many banks failed to understand the risks confronting them—and then just failed, period. An effective ERM program might not have prevented all these failures, but it certainly would have identified the risk exposures sooner.

A paper by Paisley, "ERM Assessment Guide," had an interesting breakdown of the root causes of bank failures. Paisley identified four typical causes: 49 percent were the result of inadequate board supervision; 37 percent were due to the presence of a dominant figure such as a CEO or chairman; 32 percent stemmed from an over-reliance on volatile funding sources; and 26 percent were from excessively growth-oriented philosophies.

Of course, in reality, most failures trace back to a combination of causes that cascaded out of control. But in my experi-

who would put his company at risk for the potential income, without adequately evaluating the potential loss. A good ERM program would have captured these types of loss exposures with effective mitigating

I am not as worried about large banks because national bank examiners put so much pressure on controls, compliance, and regulations that the only question is how quickly and effectively the ERM programs will be implemented. At small and mid-sized institutions, however, I suspect the boards and senior management still see these programs as an expense rather than an investment. In reality, boards should be the biggest supporters of ERM because this will be their tool for monitoring and evaluating the performance of their company.

The one key factor is that the board must ensure that its ERM program is developed and implemented correctly; otherwise, the ERM effort won't be cost-effective. Garbage in, garbage out. The foundations of effective ERM programs should be:

» Identify your key risks and loss exposure areas and develop indicators/trigger points to measure their performance, so that changes in any areas of risk (like mortgage-backed securities) will raise an alert that must be

has been solidified, then you can consider using a good software program for measuring your performance.

The following are examples of manual ERM processes I've performed that strengthened the company's operations and prevented potential losses.

Example 1: At an independent bank, the examiners had made a comment on large Currency Transaction Reports (CTR) and adherence to the Bank Secrecy Act. To rectify the exposure and keep our audit independence, we had the branches send all CTRs and suspicious transactions to us (the internal audit department) for review before they were sent to the IRS. For almost a year we maintained a monthly spreadsheet, by branch, of all CTRs received and the ones that had to be returned for corrective action before mailing. The results identified which branches or tellers needed the most training, and we were able to keep errors to a minimum.

We had also emphasized the importance of suspicious transactions as part of the review process, and one branch notified me about a young lady making $5,000 cash deposits every other day. Our reporting of the incidents ul