
Developing a Strong Enterprise-Wide Risk Assessment for Your ERM Program


ICBA – Community Banker University®
November 6, 2018
Marci Malzahn
President & Founder
Marci Malzahn – Malzahn Strategic
• Professional Highlights:
• 23 years in banking: from teller to EVP/CFO/COO and CRO
• Started a bank in 2005 – Bank grew to $325MM in 10 years, now $725MM
• 5 years in nonprofit:
• CFO overseeing Finance, IT and HR
• Managed a $32MM budget, 28 employees
• 4 years with Malzahn Strategic consulting
• Professional Awards:
• 25 On The Rise – Hispanic Chamber of Commerce
• Forty Under 40 – Minneapolis/St. Paul Business Journal
• Top Women in Finance – Finance and Commerce Newspaper
• Outstanding Women in Banking – North Western Financial Review magazine
• Education:
• B.A. Business Management, Bethel University
• Graduate School of Banking, Madison, Wisconsin
Copyright 2018 Malzahn Strategic 2
Marci Malzahn – What I Do Now
Consulting and Coaching:
• Strategic Planning
• Enterprise Risk Management
• Talent Management
Speaking:
• Banking/Business
• Inspirational/Motivational
• Faith based
Writing:
• Devotions for Working Women – A Daily Inspiration to Live a Successful and Balanced Life
• The Fire Within – Connect Your Gifts with Your Calling
• The Friendship Book – Because You Matter to Me

Copyright 2018 Malzahn Strategic


Webinar Overview
• The Big Picture (foundational knowledge):
• Strategic Planning
• Enterprise Risk Management
• The Risk Assessment Process
1. Identify Risks Using Risk Assessments
2. Develop Assessment Criteria
3. Assess Risks
4. Assess Risk Interactions
5. Prioritize Risks
6. Respond to Risks
Copyright 2018 Malzahn Strategic 4
Webinar Overview Cont.
• Risk Assessment System (RAS)
• CAMELS Rating and How They Relate to Risk Assessments
• Top 8 Risks and Other Important Risks to Assess
• ERM Risk Assessment Matrix – Sample Template
• Annual Risk Assessments Recommended and Areas Assessed
• IT Risk Assessment – Sample Template
• Other Risk Assessments: Internal Controls, Insurance and New Initiatives
• Ongoing Monitoring and Reporting Tools
• Bringing It All Together

Copyright 2018 Malzahn Strategic 5


Strategic Plan Components

(Diagram) The Strategic Plan sits at the center, with six connected components around it: ERM, Capital, Marketing, Business Plan, Talent Plan, and Financials.

Copyright 2018 Malzahn Strategic 6
My Definition of ERM

“An enterprise-wide continuous process to protect all your organization’s assets while allowing you to fulfill your vision.”

Marci Malzahn

Copyright 2018 Malzahn Strategic 7


Three Ongoing Phases of ERM

(Diagram) Three phases form a continuous cycle:
• Identifying and Assessing Risk
• Mitigating or Eliminating Risk
• Monitoring and Reporting Risk

Copyright 2018 Malzahn Strategic 8


Identifying and Assessing Risk
• Use risk assessments enterprise-wide to identify risks and assess the types of risks
• Also identify risks unique and specific to your organization
• (e.g., succession planning, relationship concentration, industry concentration)
• Categorize each risk across the organization by:
• Criticality and confidentiality
• Rate risks by:
• Impact and probability/likelihood
• Vulnerability and speed of onset
Copyright 2018 Malzahn Strategic 9
Mitigating and Eliminating Risk
• Determine the steps your institution will take to mitigate some of the inherent risks
• Determine how your institution can eliminate certain risks
• Ensure your institution is comfortable with the residual risk
• Establish policies, processes, and procedures to mitigate and eliminate risks

Copyright 2018 Malzahn Strategic 10


Monitoring and Reporting Risk
• Ongoing monitoring of risks identified
• Establish accountability across the organization
• Ensure policies, procedures, and systems in place are being followed AND are working (measuring)
• Ongoing reporting of risks and status to board of directors
• Provide results from monitoring efforts
• Directors learn about risks, get updates, understand their liability
• Use tools such as “heat maps”

Copyright 2018 Malzahn Strategic 11


Risk Assessments for All ERM Components

(Diagram) ERM sits at the center, with a risk assessment feeding it from each component: IT Security Program, Internal Audit, Compliance, Liquidity Contingency Plan, Succession Planning, Capital, and DRP.

Copyright 2018 Malzahn Strategic 12
Risk Assessments for All IT Security Program Components

(Diagram) The IT Security Program sits at the center, with a risk assessment for each component around it: DRP, BCP, Cyber Security, Vendor Mgmt., Social Engineering, and Security Controls.

Copyright 2018 Malzahn Strategic 13


Risk Assessments Characteristics
• Should be practical, sustainable, and easy to understand.
• Process should be done in a structured and disciplined way.
• Should be standardized across the organization.
• Should be customized to your institution’s size, complexity, and geographic area.
• Risk assessments should be a useful tool in the decision-making process and strategic planning of the organization.

Copyright 2018 Malzahn Strategic 14


Risk Assessments Characteristics
• Should be documented
• Reviewed and approved by senior management and Board of Directors at least annually
• Communicated to all staff
• Monitored, managed, and implemented by ERM team members
• Flexible to change with the institution’s changing risk profile

Copyright 2018 Malzahn Strategic 15


The Goal of Risk Assessments
• Evaluate all the potential threats to your institution based on specific circumstances
• Analyze the scale of the threats based on criticality, likelihood, severity, and impact
• Prioritize the threats based on results of risk assessment
• Prepare plan/strategies to mitigate and possibly eliminate major risks
• Implement mitigating strategies at all levels for all risks assessed
• Perform risk assessments ongoing at least annually

Copyright 2018 Malzahn Strategic 16


The Risk Assessment Process
1. Identify Risks First
   (Risk assessments follow event identification and precede risk response)
2. Develop Assessment Criteria
3. Assess Risks
4. Assess Risk Interactions
5. Prioritize Risks
6. Respond to Risks

Copyright 2018 Malzahn Strategic 17


1. Identify Risks
• List ALL the potential risks of the organization
• Organize risks by category (financial, operational, strategic, etc.) and sub-category where appropriate
• Prioritize all risks so that senior management’s and the board’s attention is on the key risks
• The prioritization is accomplished by performing a risk assessment

Copyright 2018 Malzahn Strategic 18


2. Develop Assessment Criteria
• Develop a common set of assessment criteria (scale) to be used across all functional areas of the organization (simple yet comprehensive).
• Scales should help in ranking and in prioritizing risks (e.g., 1 = Incidental, 2 = Minor, 3 = Moderate, 4 = Major, 5 = Extreme).
• Risks as well as opportunities are usually assessed in terms of impact (how it will affect the entire enterprise) and likelihood (e.g., 1 = Rare, 2 = Unlikely, 3 = Possible, 4 = Likely, 5 = Frequent).
• Ask the questions of vulnerability (how susceptible?) and speed of onset (how fast could the risk arise? 1 = Very Low, 2 = Low, 3 = Medium, 4 = High, 5 = Very High; how fast could you respond or recover?)

Copyright 2018 Malzahn Strategic 19


3. Assess Risks
• Consists of assigning values to each risk and opportunity using the defined criteria.
• The values should be the same in all areas across the organization.
• Use qualitative questions/criteria (descriptive assessment scales).
• Perform a quantitative analysis of the most important risks (using numerical values for impact and likelihood).

Copyright 2018 Malzahn Strategic 20


4. Assess Risk Interactions
• Risks in one area interact with other areas in the organization.
• Recognize how risks interact with each other (e.g., reputation risk).
• Take the integrated approach and view all risks from the holistic perspective – thus Enterprise Risk Management.
• Group related risks into broad risk areas
• Use risk interaction maps

Copyright 2018 Malzahn Strategic 21


How Risks Interrelate – Reputational Risk

(Diagram) Reputational risk sits at the center, linked to each of the surrounding risks: Technology, Strategic, Liquidity, Legal, Operational, and Credit.

Copyright 2018 Malzahn Strategic 22


5. Prioritize Risks
• Determine which risks require immediate attention of senior management and board of directors.
• Prioritize by comparing the level of risk against agreed upon target risk levels and tolerance thresholds.
• Impact and likelihood or impact and vulnerability
• Develop the Board’s Risk Appetite and Tolerance Statement after risk assessments are done.
• Qualitative aspect = What do you want to do?
• Quantitative aspect = How much are you willing to lose?

Copyright 2018 Malzahn Strategic 23


6. Respond to Risks
• After conducting the risk assessments, gather input on how to respond to each risk.
• Decide to either accept, reduce, share, avoid, or eliminate each risk.
• Perform a cost-benefit analysis (e.g., is the cost to prevent or reduce a certain risk higher than the risk itself?)
• Formulate a response strategy and develop plans.

Copyright 2018 Malzahn Strategic 24


Risk Assessment System (RAS)
• What is “supervision by risk”?
• Evaluating risk
• Identifying existing and emerging problems
• Ensuring that the institution’s management takes corrective action before problems compromise the institution’s safety and soundness
• RAS provides a framework to measure, document, and communicate:
• Quantity of risk
• Quality of risk management
• Aggregate risk
• Direction of risk for the eight risk categories
• Updated guidance expands the assessment of strategic and reputation risks
Source: OCC Updated Guidance on Risk Assessment System Bulletin 2015-48
Copyright 2018 Malzahn Strategic 25
Risk Assessment System (RAS) Structure

• Evaluate separately:
• Quantity of risk – reflects level of risk assumed in the course of doing business (low, moderate, or high)
• Quality of risk management – assesses whether the institution’s risk management systems are capable of identifying, measuring, monitoring and controlling that amount of risk (strong, satisfactory, insufficient (new), or weak)

Copyright 2018 Malzahn Strategic 26


Risk Assessment System (RAS) Structure

• Identify and take action on emerging risks in a timely manner
• Provides both:
• Current (aggregate risk) – combined quantitative and qualitative risks (low, moderate, or high)
• Prospective (direction of risk) view of an institution’s risk profile – assessment of movement of the aggregate risk in 12 months (decreasing, stable, or increasing)

Copyright 2018 Malzahn Strategic 27


What Is the CAMELS Rating System?
• Examiners use results from RAS to incorporate in the CAMELS rating
• Primary risk categories that examiners consider within each component area
• Quality of risk management practices
• When RAS and CAMELS rating systems are used together:
• Provide a holistic view of the institution’s condition
• Support planned activities and supervisory findings

Copyright 2018 Malzahn Strategic 28


CAMELS-T Rating System Categories

Capital Adequacy
Assets
Management Capability
Earnings
Liquidity
Sensitivity to Market Risk/IRR
Technology

Copyright 2018 Malzahn Strategic 29


New Definition of Banking Risk
The potential that events will have an adverse effect on an institution’s current or projected financial condition and resilience

• Financial Condition: Includes impacts from diminished capital (impact from losses, reduced earnings, and market value of equity) and liquidity
• Resilience: Recognizes the institution’s ability to withstand periods of stress (based on stress testing)

Copyright 2018 Malzahn Strategic 30


Top 8 Risk Categories
1. Credit – Person/entity’s failure to meet the terms of any contract with the institution
2. Interest Rate – Movements in interest rates (repricing, basis, yield curve, and options risk)
3. Liquidity – The institution’s inability to meet obligations when they come due (contingency funding plan)
4. Price – Changes in the value of either trading portfolios or other obligations that are entered into as part of distributing risk

Copyright 2018 Malzahn Strategic 31


Top 8 Risk Categories
5. Operational – Inadequate or failed internal processes or systems, human errors or misconduct, or adverse external events
6. Compliance – Violations of laws or regulations, or nonconforming to prescribed practices, internal policies, and procedures, or ethical standards.
7. Strategic – Adverse business decisions, poor implementation of business decisions, or lack of responsiveness to changes in the banking industry and operating environment.
8. Reputation – Negative public opinion. Inherent to all activities.

Copyright 2018 Malzahn Strategic 32


Plus a Few Other Risks

1. Technology – Risk in all technologies used
2. Customer – Risk from dealing with fraudulent entities
3. Human Resources Management – Violations to HR laws
4. Earnings/Profitability – Losses in investments and earnings other than credit

Copyright 2018 Malzahn Strategic 33


Plus a Few Other Risks

5. Legal – Failure to comply with statutory or regulatory obligations, lawsuits
6. Capital – Direct losses to capital due to all risks being interrelated
7. Model – Potential for adverse consequences from decisions based on incorrect or misused model outputs

Copyright 2018 Malzahn Strategic 34


Types of Risks

(Diagram) ERM at the center, connected to each risk type: Technology, Transaction/Operational, Strategic, Reputational, Compliance/Regulatory, Liquidity, Interest Rate Risk, Credit Administration, Legal, Human Resources, Earnings/Profitability, and Capital.

Copyright 2018 Malzahn Strategic 35


ERM Risk Assessment Matrix – Definitions
• Risks: Identify each type of risk category
• Inherent Risk: Risk of an activity with no controls in place (low, moderate, high)
• Consequences: If the risk occurs, identify damage
• Risk Mitigating Factors: Activities that can control the risk and consequences of it happening
• Monitoring Tool(s): Tools used to monitor risks

Copyright 2018 Malzahn Strategic 36


ERM Risk Assessment Matrix – Definitions
• Plans for Improvement: If current mitigating factors are insufficient, describe plan to improve
• Status: Tracking mechanism to track progress on plans for improvement (person accountable for each action)
• Residual Risk: The risk that remains after controls are taken into account
• Trend of Risk: Increasing, stable, decreasing – provides a baseline for future assessments of this risk

Copyright 2018 Malzahn Strategic 37


ERM Risk Assessment Matrix – Sample Template

(Template) One row per risk category, e.g., Technology, Operational/Transaction, Strategic, Reputation.
Columns: Risks | Inherent Risk | Consequences | Risk Mitigators | Monitoring Tool(s) | Plans for Improvement | Status | Residual Risk | Trend of Risk | Priority Scale = 1-5 | Impact = 1-5 | Likelihood = 1-5 | Vulnerability = 1-5 | Speed of Onset = 1-5

Copyright 2018 Malzahn Strategic 38
ERM Risk Assessment Matrix
INSTITUTION NAME
ENTERPRISE RISK MANAGEMENT (ERM) RISK ASSESSMENT MATRIX
AS OF DATE

Title | Definition
Risks | Identify each type of Risk or "Risk Categories" (Example Risk #1: Operational/Transaction; Example Risk #2: Strategic; Example Risk #3: Reputation)
Inherent Risk | Risk of an activity with NO CONTROLS in place. Scale = Low, Moderate, High
Consequences | If this risk occurs, identify damage with NO CONTROLS in place (list everything that could potentially go wrong)
Risk Mitigators | List ALL the activities your institution does in order to control (or mitigate) this risk and its consequences from happening
Monitoring Tool(s) | List ALL the tools your institution uses and ALL the monitoring activities already in place in order to monitor this risk

Copyright 2018 Malzahn Strategic 39


ERM Risk Assessment Matrix Cont.
Title | Definition
Risks | Identify each type of Risk or "Risk Categories" (Example Risk #1: Operational/Transaction; Example Risk #2: Strategic; Example Risk #3: Reputation)
Plans for Improvement | List the tasks, systems, new procedures, new processes, new talent to be hired, etc. that your institution plans to implement in the next 12 months to reduce/minimize, improve or eliminate this risk
Status | This is your tracking mechanism to track progress on Plans for Improvement. There should be a person accountable for each item.
Residual Risk | Risk of an activity that remains for the institution AFTER ALL controls and mitigating tools are in place. The risk that the Board is willing to "tolerate."
Trend of Risk | Based on current market conditions. Provides a baseline for future assessments of this risk. Scale = Increasing, Stable or Decreasing

Copyright 2018 Malzahn Strategic 40


ERM Risk Assessment Matrix Cont.
Title | Definition
Risks | Identify each type of Risk or "Risk Categories" (Example Risk #1: Operational/Transaction; Example Risk #2: Strategic; Example Risk #3: Reputation)
Priority Scale = 1-5 | What is the priority ranking of this particular risk in YOUR institution based on Criticality (can you run your institution without it?) AND Confidentiality (how sensitive is the data)? Scale = 1-5: 1 = Incidental, 2 = Minor, 3 = Moderate, 4 = Major, 5 = Extreme
Impact = 1-5 | HOW will this particular risk impact YOUR entire institution? Scale = 1-5: 1 = Incidental, 2 = Minor, 3 = Moderate, 4 = Major, 5 = Extreme
Copyright 2018 Malzahn Strategic 41
ERM Risk Assessment Matrix Cont.
Title | Definition
Likelihood = 1-5 | How LIKELY (or probable) is this particular risk to happen in YOUR institution? Scale = 1-5: 1 = Rare, 2 = Unlikely, 3 = Possible, 4 = Likely, 5 = Frequent
Vulnerability = 1-5 | How SUSCEPTIBLE to this particular risk is YOUR institution? Scale = 1-5: 1 = Rare, 2 = Unlikely, 3 = Possible, 4 = Likely, 5 = Frequent
Speed of Onset = 1-5 | How FAST could this risk arise at YOUR institution? Scale = 1-5: 1 = Very Low, 2 = Low, 3 = Medium, 4 = High, 5 = Very High

Copyright 2018 Malzahn Strategic 42


Goal: Identify Top 10 Risks and Strategies
SAMPLE BANK TOP TEN RISKS
AS OF DATE

Columns: Risk Description/Type of Risk | Strategic Initiatives | Risk Rating | Specific Tasks/Strategies for Each Risk | Team/Responsible Person | Target Completion Date | Progress to Date | Percentage: 2017 Budget | 2018 Budget

Type of Risk | Risk Rating
Technology | 5
Credit | 5
Operational/Transactional | 5
Strategic | 5
Earnings/Profitability/Capital | 5
Interest Rate Risk | 4-5
Liquidity | 4-5
Human Resources Management | 4
Reputation | 4
Compliance/Regulatory/Legal | 3

Copyright 2018 Malzahn Strategic 43


Annual Risk Assessments – Sample List

Credit: Stress Testing; Portfolio; Individual Credits
Compliance: BSA, OFAC, AML; Fair Lending; Wire Transfers; UDAAP; Unlawful Internet Gambling; ACH; Fraud; Red Flag
Technology: IT General; BCP & DRP; Vendor Mgmt.; Cybersecurity: Electronic/Internet, Mobile/Online/Web, RDC/Wires/ACH

Copyright 2018 Malzahn Strategic 44


Annual Risk Assessments – Sample List

Internal Controls: A/P, ALLL, A/L, Branch Capture, Call Report, Capital, Cash Controls, Collateral Safekeeping, OD, Dep. Processing, Employee Accts.
Internal Controls (cont.): Fixed Assets, HR, Inc./Exp. Accts., Investments, Loan Processing, Official Checks, Online Entries/GL, OREO, Payroll, Prepaid Exp., Wires
Others: CRA, Consumer Complaint, Incentive Compensation Plan, Incident Response, Insurance Sales, Non-Deposit Investments, Pre-Need Trust, Safe Deposit Box, Insurance

Copyright 2018 Malzahn Strategic 45


IT Areas Assessed in IT Risk Assessment
• Information Technology Security
• Information Technology: All Systems, All Hardware and Software Inventory
• Disaster Recovery Plan
• Threat Analysis
• Vendor Management Program
• Asset Inventory
• Internal Physical Security: System, Policies, Training
• Cybersecurity:
• Website: Security, Compliance, Backup
• All Online Banking Products: mobile, remote deposit, wire transfers, ACH

Copyright 2018 Malzahn Strategic 46


BSA Areas Assessed
• Wire Transfer Program: System, Controls, Agreements
• ACH Program: System, Controls, Agreement
• Office of Foreign Assets Control (OFAC)
• Anti-Money Laundering (AML)

Copyright 2018 Malzahn Strategic 47


Internal Control Areas Assessed #1
• Accounts Payable
• Allowance for Loans and Lease Losses (ALLL)
• Asset/Liability Management
• Branch Capture
• Call Report Preparation
• Capital
• Cash Controls
• Collateral Safekeeping
Copyright 2018 Malzahn Strategic 48
Internal Control Areas Assessed #2
• Correspondent Lending
• Deposit Processing/New Deposit Account Opening Procedures
• Director, Officer, and Employee Accounts
• Dormant Accounts (if applicable)
• Due From Accounts (Correspondent Banks)
• Fixed Assets
• Human Resources: Hiring and Termination Practices, Payroll, Personnel Files, Performance Evaluations, Retirement Plans
Copyright 2018 Malzahn Strategic 49
Internal Control Areas Assessed #3
• Income and Expense
• Internal DDAs
• Internet Banking
• Insurance
• Investments
• Loan Processing/New Loan Account Opening Procedures
• Mortgage Loans in Transit (MLIT)
• Official Checks
Copyright 2018 Malzahn Strategic 50
Internal Control Areas Assessed #4
• Online Entries: General Ledger, Loan, and Deposit Processes
• Other Real Estate Owned (OREO)
• Other Liabilities
• Overdrafts
• Payroll
• Prepaid Expenses and Other Assets
• Remote Deposit Capture
• Secondary Market
• Wire Transfers
Copyright 2018 Malzahn Strategic 51
Categories Included in IT Risk Assessment #1
• Asset Type: Application/Software, Process, System
• Asset Medium: Paper or Electronic
• Vendor Name
• Controls/Procedures in Place
• Description of Risks Associated with Asset
• Risk Mitigation: Description for Mitigation of Risks
• Risk Rating: Low, Medium, High
• Criticality to Institution: Levels 1 to 5 with 5 being the most critical

Copyright 2018 Malzahn Strategic 52


Categories Included in IT Risk Assessment #2
• Residual Risk: Low, Medium, High
• Information Classification: Public, Non-Public, Confidential
• Threats/Vulnerabilities: Level of Damage, Type of Vulnerability
• Threat/Vulnerability Likelihood: Low, Medium, High
• Vital Resources: Description of Vital Resources to the Institution’s
Operations
• Recovery Point Objective: Description of How the Information or
Asset Will be Recovered
• Recovery Time Objective: Approximate Time of Recovery
Copyright 2018 Malzahn Strategic 53
IT Risk Assessment Template
INSTITUTION NAME
IT RISK ASSESSMENT
DATE OF ASSESSMENT

Field | Sample entry
Asset Name | Fiserv/ITI Core System
Asset Type: Application/Software, Process, or System | S
Asset Medium: Paper or Electronic | E
Vendor Name | Fiserv
Controls/Procedures in Place? Y or N | Y
Description of Risks Associated with Asset | Core system is critical to the operations of the institution. We have no in-house backup.
Risk Mitigation: Description of Mitigation of Risks | Fiserv has backup sites.
Risk Rating: Low, Medium, High | H
Criticality to Institution: Levels 1 = lowest to 5 = highest | 5
Residual Risk: Low, Medium, High | L
Information Classification: Public, Non-Public, Confidential | NP, C
Threats/Vulnerabilities: Level of Damage, Type of Vulnerability | Confidential information, potential fraud
Threat/Vulnerability Likelihood: Low, Medium, High | M
Vital Resources: Description of Vital Resources to the Institution's Operations | Client information, daily operation of institution depends on core system
Recovery Point Objective (RPO): Description of How the Information or Asset will be recovered | Will use backup site and remote DRP location from Fiserv
Recovery Time Objective: Approximate Time of Recovery (hours, days or weeks) | 2 days

Copyright 2018 Malzahn Strategic 54
Categories Included in Internal Controls Risk
Assessment #1
• Growth/New Activities
• Policies and Procedures
• Regulation and Compliance
• MIS/IT System Changes
• Turnover
• Quality of Management

Copyright 2018 Malzahn Strategic 55


Categories Included in Internal Controls Risk
Assessment #2
• Training
• Date of Last Audit
• Previous Exceptions
• Risk of Monetary Loss
• Nature of Items
• Nature of Operations

Copyright 2018 Malzahn Strategic 56


Internal Controls RA – Template
INTERNAL CONTROLS RISK ASSESSMENT

AREA BEING ASSESSED: Accounts Payable

SCALE USED: 1 = Incidental, 2 = Minor, 3 = Moderate, 4 = Major, 5 = Extreme

CATEGORY | SCORE | EXPLANATION OF CATEGORY | REASON FOR SCORE
Growth/New Activities | 4 | Has there been any growth in this area/department? New activities performed? | Changed vendors. Previous vendor went out of business.
Policies and Procedures | 4 | Have policies been updated within the last 12 months? Are there written procedures in place? | Need to write new procedures based on new vendor system.
Regulation and Compliance | 1 | Does your policy comply with appropriate regulation? Did you fall out of compliance during the last 12 months for any reason? | No change.
IT System Changes | 5 | Were there any system changes within the last 12 months or since the last assessment? | New AP external vendor system.
Staff Turnover | 3 | Has there been any staff turnover which may result in more potential errors? | One new staff member.
Quality of Management | 1 | Is management involved in the daily operations of this activity? | No change.
Training Performed | 3 | Has the staff attended training on any new regulations, policies, or procedures in the last 12 months or since the last assessment? | In progress.
Date of Last Audit | 3 | What was the date of this area/department's last audit conducted either by your internal or external | 1/31/2016
Previous Exceptions | 1 | Did you have previous exceptions noted either in an audit or regulatory exam? | None.
Risk of Monetary Loss | 3 | Does this area present any risk to your institution on monetary loss? | Potential for internal fraud if authorities are not set up correctly in new system.
Nature of Items | 3 | What is the nature of the new or changed items in this area? | A/P - payable of all bank's invoices, directors, and employee reimbursements.
Nature of Operations | 3 | What is the nature of operations in this area/department? | Finance

TOTAL SCORE: 34 | Add up all the individual scores and transfer to the Summary Report

Copyright 2018 Malzahn Strategic 57
Institution Insurance Policies
• Property and Casualty
• Liability
• Directors and Officers
• Auto
• Cybersecurity
• Umbrella
• Electronic
Copyright 2018 Malzahn Strategic 58
Insurance Policies Risk Assessment
Columns: Insurance Policy Name | Purpose | Company | Limit | Deductible | Annual Premium Cost | YOY Premium Increase | Peer Comparison Limits
Rows: Property & Casualty; Liability; Directors & Officers; Auto; Cybersecurity; Umbrella; Electronic

Copyright 2018 Malzahn Strategic 59


New Initiatives Strategic Risk Assessment
Strategic Questions for New Products or Projects:
• What is the purpose of this product/project? What's the financial justification for this product? What's the ROI?
• What is the new product profitability?
• Who is your target market for this product?
• What is the timeline for this product or project to be completed?
• Will this product be used only by one client or small segment? Or will we be able to market it to other customers?
• Who will lead this new product launch or project?
• If this product will only be used by one client, discuss customer profitability to justify investment.
• How do you plan to market this new product?
Copyright 2018 Malzahn Strategic 60
New Initiatives Strategic Risk Assessment
Strategic Questions for New Divisions/Depts./Branches/Locations
• Does this new division or department align with the bank’s vision and overall strategic objectives?
• What other active initiatives does the bank have going on at the moment?
• Does this project/new initiative align with the Board's Risk Appetite and Tolerance Statement?
• Is this initiative Merger/Acquisition related? If yes, then additional (separate) due diligence is required.
• How will the new division or department benefit the institution? What is the timeline? Who will lead the entire new initiative?
• Is this a discretionary project? What is our due diligence plan? Who will perform it?
• Can the bank provide the infrastructure to support this product? What's our capacity to support this new product/division/project?
• Who will communicate to all staff about the new initiative? Who and how will the communication take place for the entire organization to know?

Copyright 2018 Malzahn Strategic 61


New Initiatives Strategic Risk Assessment
Risk Management Questions
• What are the new risks to the bank?
• What are the mitigating factors for the new risks to the bank?
• What regulations apply? How will the bank comply with those regulations?
• What are the monitoring and reporting tools you will put in place to monitor the risks identified and assessed? (Policies, Procedures in place?)
• What could go wrong? What could the "unintended consequences" be as a result?
• Who will train the staff and customers on the new product?
• What has to go right? (in order for the bank to pursue this initiative)
• What department will support the new product?

Copyright 2018 Malzahn Strategic 62


Monitoring: Opportunity & Risk Maps
COMBINED RISK AND OPPORTUNITY MAP EXAMPLE

(Figure) Horizontal axis: Impact, with Opportunities on the left (Extreme, Major, Moderate, Minor, Incidental) and Risks on the right (Incidental, Minor, Moderate, Major, Extreme). Vertical axis: Likelihood (Frequent, Likely, Possible, Unlikely, Rare).
Source: Risk Assessment in Practice by COSO

Copyright 2018 Malzahn Strategic 63


Monitoring: Heat Maps
HEAT MAP SAMPLE

(Figure) Likelihood on the vertical axis, Impact on the horizontal axis; three risks plotted by ID: 1 Capital, 2 Earnings, 3 Liquidity.
Source: Risk Assessment in Practice by COSO
Copyright 2018 Malzahn Strategic 64
Reporting: Risk Appetite & Tolerance Statement Quarterly Reporting
BOARD RISK APPETITE & TOLERANCE STATEMENT QUARTERLY REPORTING - EXAMPLE
As of DATE

Columns: # | Risk Type | Risk Appetite (Description of What Is Being Watched) | Risk Tolerance (Descriptions of Parameters Not Being Met or Being Watched) | Status (Green = Appetite being met; Yellow = Some Tolerance Parameters Not Met; Red = Several Parameters Not Met, Exams/Audits Issues)

1 Credit
2 Earnings/Profitability/Capital
3 Liquidity
4 Interest Rate Risk
5 Technology
6 Strategic
7 Reputation
8 Operations/Transactional
9 Compliance/Regulatory/Legal
10 Human Resources
11 Customer
12 Model
13 Price
Copyright 2018 Malzahn Strategic 65
ERM Risk Assessment Heat Map
Risk Assessment Grid (rows = IMPACT, columns = LIKELIHOOD; cell entries are the risk ranks from the table on the next slide)

IMPACT \ LIKELIHOOD | 1 Rare | 2 Unlikely | 3 Possible | 4 Likely | 5 Frequent
1 Incidental | . | . | . | . | .
2 Minor | . | 10 | 3 | . | .
3 Moderate | 8 | . | . | . | .
4 Major | 6 | 1, 5, 9 | 4, 7 | . | .
5 Extreme | . | . | 2 | . | .
LEGEND (shading): Mitigate, Manage, Monitor, Make Do

Risk Assessment Heatmap (rows = LIKELIHOOD, columns = IMPACT)

LIKELIHOOD \ IMPACT | 1 Incidental | 2 Minor | 3 Moderate | 4 Major | 5 Extreme
5 Frequent | . | . | . | . | .
4 Likely | . | . | . | . | .
3 Possible | . | 3 | . | 4, 7 | 2
2 Unlikely | . | 10 | . | 1, 5, 9 | .
1 Rare | . | . | 8 | 6 | .

Copyright 2018 Malzahn Strategic 66


ERM Risk Assessment Heat Map

Rank | Risk | Impact | Likelihood | Description
1 | Strategic | 4 | 2.5 | Strategic Plan not shared with the staff
2 | Technology | 5 | 3 | IT Security Program incomplete (missing key areas such as Vendor Management Program)
3 | Earnings | 2 | 3 | Low Loan to Deposit Ratio and thus lower earnings
4 | Model | 4 | 3 | No vendor validation reports received from critical vendors
5 | Human Resources Management | 4 | 2 | Lack of succession planning at all levels (especially at the top levels)
6 | Liquidity | 4 | 1 | Continue to monitor liquidity on relationship concentration
7 | Strategic | 4 | 2.5 | No Strategic Plan in place
8 | Compliance/Regulatory/Legal | 2.5 | 1 | Need to update BSA Policy and Procedures
9 | Reputation | 4 | 2 | Lack of Vendor Management Program in place increases institution's reputational risk
10 | Operational/Transactional | 2.5 | 2 | Lack of integration between vendor software and core systems - risk of manual errors

Copyright 2018 Malzahn Strategic 67
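The heat map on the previous slide can be generated from the Rank/Impact/Likelihood scores above. The Python script below is an added example, not code from the slides: it snaps the deck's ten sample risks to 5x5 cells, renders the map in the orientation of the second grid, and sorts each risk into one of the four legend zones. Two assumptions the slides do not state: half-point scores round up, and the zones are bands on the impact x likelihood product.

```python
"""Place the deck's sample top-10 risks on the 5x5 impact-by-likelihood heat map.

Added example, not code from the slides. The scales and the sample scores come
from the deck; the half-point rounding rule and the zone thresholds are
assumptions made here.
"""
from collections import defaultdict

IMPACT_LABELS = {1: "Incidental", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Extreme"}
LIKELIHOOD_LABELS = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Frequent"}

# Sample data copied from the "ERM Risk Assessment Heat Map" table:
# (rank, risk category, impact 1-5, likelihood 1-5)
SAMPLE_RISKS = [
    (1, "Strategic", 4, 2.5),
    (2, "Technology", 5, 3),
    (3, "Earnings", 2, 3),
    (4, "Model", 4, 3),
    (5, "Human Resources Management", 4, 2),
    (6, "Liquidity", 4, 1),
    (7, "Strategic", 4, 2.5),
    (8, "Compliance/Regulatory/Legal", 2.5, 1),
    (9, "Reputation", 4, 2),
    (10, "Operational/Transactional", 2.5, 2),
]


def to_cell(score):
    """Snap a 1-5 score to a grid cell, rejecting anything off the scale.

    Assumption: half points round up (the slides place 2.5 inconsistently,
    so one fixed rule is used here so that every risk lands in exactly one cell).
    """
    if not 1 <= score <= 5:
        raise ValueError(f"score {score} is outside the 1-5 scale")
    return int(score + 0.5)


def zone(impact_cell, likelihood_cell):
    """Map a cell to one of the legend's four zones.

    Assumption: zones are bands on the impact x likelihood product; the
    slides show the legend names but not where the colour boundaries fall.
    """
    product = impact_cell * likelihood_cell
    if product >= 15:
        return "Mitigate"
    if product >= 8:
        return "Manage"
    if product >= 4:
        return "Monitor"
    return "Make Do"


def build_grid(risks):
    """Return {(impact_cell, likelihood_cell): [ranks]} for the heat map."""
    grid = defaultdict(list)
    for rank, _name, impact, likelihood in risks:
        grid[(to_cell(impact), to_cell(likelihood))].append(rank)
    return dict(grid)


def zone_report(risks):
    """Return {zone: [ranks]} so the board sees which risks need action first."""
    report = {"Mitigate": [], "Manage": [], "Monitor": [], "Make Do": []}
    for rank, _name, impact, likelihood in risks:
        report[zone(to_cell(impact), to_cell(likelihood))].append(rank)
    return report


def render(risks):
    """Render the grid as text with likelihood 5..1 down the side and impact
    1..5 across the top, the orientation of the deck's second heat map."""
    grid = build_grid(risks)
    header = "LIKELIHOOD \\ IMPACT".ljust(22)
    header += "".join(f"{i} {IMPACT_LABELS[i]}".rjust(13) for i in range(1, 6))
    lines = [header]
    for lk in range(5, 0, -1):
        row = f"{lk} {LIKELIHOOD_LABELS[lk]}".ljust(22)
        for i in range(1, 6):
            cell = ",".join(str(r) for r in grid.get((i, lk), []))
            row += (cell or ".").rjust(13)
        lines.append(row)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(SAMPLE_RISKS))
    for name, ranks in zone_report(SAMPLE_RISKS).items():
        print(f"{name:9}: {ranks}")
```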


Bringing It All Together

• Start with your Strategic Plan
• Establish an ERM Program
• Complete ERM Risk Assessment – foundational for ERM Program
• Complete Risk Assessments enterprise-wide
• Standardize Risk Assessments using similar scales
• Be proactive and continue to strengthen your Risk Assessments

Copyright 2018 Malzahn Strategic 68


Sources
• FDIC Risk-Based Assessment System – Financial Institution Letters (FILs) https://www.fdic.gov/deposit/insurance/risk/FILS.html
• OCC Bulletin 2015-48 Updated Guidance on Risk Assessment System (https://www.occ.gov/news-issuances/bulletins/2015/bulletin-2015-48.html#)
• OCC Comptroller’s Handbook: Community Bank Supervision https://www.occ.gov/publications/publications-by-type/comptrollers-handbook/pub-ch-ep-cbs.pdf
• COSO (The Committee of Sponsoring Organizations of the Treadway Commission) www.coso.org
• Credit Union Act https://www.ncua.gov/Legal/Documents/fcu_act.pdf
• NCUA (National Credit Union Administration) https://www.ncua.gov/regulation-supervision/Pages/default.aspx
• Credit Union National Association www.cuna.org

Copyright 2018 Malzahn Strategic 69
Marci Malzahn, President & Founder
mmalzahn@malzahnstrategic.com
Consulting: www.malzahnstrategic.com
https://www.linkedin.com/pub/marcia-marci-malzahn/1/6/729
Speaking & Books: www.marciamalzahn.com
@marcimalzahn
612-242-4021
Copyright 2018 Malzahn Strategic 70
