Professional Documents and Culture Documents
Diagram of the institution's core planning documents, with Enterprise Risk Management (ERM) alongside them: ERM, Capital, Marketing, Strategic Plan, Business Plan, Talent Plan, Financials.
Copyright 2018 Malzahn Strategic
My Definition of ERM (Marci Malzahn)
ERM has two halves: Monitoring and/or Reporting Risk, and Mitigating and/or Eliminating Risk.
Components shown around ERM in the diagram: Internal Audit, Compliance, Liquidity Contingency Plan, Succession Planning, Capital, DRP (disaster recovery plan).
Risk Assessments for All IT Security Program Components
Every component of the IT Security Program gets its own risk assessment: DRP, Cyber Security, BCP, Social Engineering, Vendor Management, Security Controls.
• The values should be the same in all areas across the organization.
• Use qualitative questions/criteria (descriptive assessment scales).
• Risk categories: Technology, Strategic, Liquidity, Reputational, Legal, Operational, Credit.
• Evaluate separately:
  • Quantity of risk – reflects the level of risk assumed in the course of doing business (low, moderate, or high).
  • Quality of risk management – assesses whether the institution's risk management systems are capable of identifying, measuring, monitoring and controlling that amount of risk (strong, satisfactory, insufficient (new), or weak).
• Rating components (the CAMELS components, plus Technology): Capital Adequacy, Assets, Management Capability, Earnings, Liquidity, Sensitivity to Market Risk/IRR, Technology.
ERM Risk Assessment Matrix – column headings
Risks (e.g., Technology, Operational/Transaction, Strategic, Reputation) | Inherent Risk | Status | Plans for Improvement | Monitoring Tool(s) | Risk Mitigators | Consequences | Residual Risk | Trend of Risk | Priority (scale 1-5) | Impact (1-5) | Likelihood (1-5) | Vulnerability (1-5) | Speed of Onset (1-5)
ERM Risk Assessment Matrix
INSTITUTION NAME – ENTERPRISE RISK MANAGEMENT (ERM) RISK ASSESSMENT MATRIX – AS OF DATE

Title | Definition | Example
Risks | Identify each type of Risk or "Risk Categories". | Example Risk #1: Operational/Transaction; Example Risk #2: Strategic; Example Risk #3: Reputation
Inherent Risk | Risk of an activity with NO |
Plans for Improvement | List the tasks, systems, new procedures, new processes, new talent to be hired, etc. that your institution plans to implement in the next 12 months to reduce/minimize, improve or eliminate this risk. |
Priority (scale 1-5) | What is the priority ranking of this particular risk in YOUR institution, based on Criticality (can you run your institution without it?) AND Confidentiality (how sensitive is the data)? | 1=Incidental, 2=Minor, 3=Moderate, 4=Major, 5=Extreme
Impact (1-5) | HOW will this particular risk impact YOUR entire institution? | 1=Incidental, 2=Minor, 3=Moderate, 4=Major, 5=Extreme
Likelihood (1-5) | How LIKELY (or probable) is this particular risk to happen in YOUR institution? | 1=Rare, 2=Unlikely, 3=Possible, 4=Likely, 5=Frequent
Vulnerability (1-5) | How SUSCEPTIBLE to this particular risk is YOUR institution? | 1=Rare, 2=Unlikely, 3=Possible, 4=Likely, 5=Frequent (the slide reuses the Likelihood labels for this scale)
Speed of Onset (1-5) | How FAST could this risk arise at YOUR institution? | 1=Very Low, 2=Low, 3=Medium, 4=High, 5=Very High
Risk category scores (scale 1-5):
Credit 5; Operational/Transactional 5; Strategic 5; Earnings/Profitability/Capital 5; Liquidity 4-5; Human Resources Management 4; Reputation 4; Compliance/Regulatory/Legal 3
Asset risk assessment worksheet fields (example entries from the slide in parentheses):
INSTITUTION NAME; DATE OF ASSESSMENT
Asset Type: Application/Software, Process, or System
Asset Medium: Paper or Electronic (Electronic)
Vendor Name (Fiserv)
Controls/Procedures in Place? Y or N (Y)
Mitigation of Risks
Threats/Vulnerabilities: Level of information, potential (NP, C)
Threat/Vulnerability Likelihood: Low, Medium, High (H)
Insurance coverage types listed: Liability, Auto, Cybersecurity, Umbrella
Strategic Questions for New Products (cont.)
• Will this product be used only by one client or small segment? Or will we be able to market it to other customers?
• If this product will only be used by one client, discuss customer profitability to justify investment.
• Who will lead this new product launch or project?
• How do you plan to market this new product?
New Initiatives Strategic Risk Assessment
Strategic Questions for New Divisions/Depts./Branches/Locations
• Does this new division or department align with the bank's vision and overall strategic objectives?
• Does this project/new initiative align with the Board's Risk Appetite and Tolerance Statement?
• How will the new division or department benefit the institution? What is the timeline? Who will lead the entire new initiative?
• Can the bank provide the infrastructure to support this product? What's our capacity to support this new product/division/project?
• What regulations apply? How will the bank comply with those regulations?
• What could go wrong? What could the "unintended consequences" be as a result?
• What has to go right? (in order for the bank to pursue this initiative)
• What other active initiatives does the bank have going on at the moment?
• Is this initiative Merger/Acquisition related? If yes, then additional (separate) due diligence is required.
• Is this a discretionary project? What is our due diligence plan? Who will perform it?
• Who will communicate to all staff about the new initiative? Who and how will the communication take place for the entire organization to know?
• What are the monitoring and reporting tools you will put in place to monitor the risks identified and assessed? (Policies, Procedures in place?)
• Who will train the staff and customers on the new product?
• What department will support the new product?
Figure: two-sided heat map with Impact (Extreme, Major, Moderate, Minor, Incidental) for Opportunities on the left and for Risks on the right, against Likelihood (Frequent, Likely, Possible, Unlikely, Rare). Source: Risk Assessment in Practice by COSO.
Figure: Likelihood vs. Impact plot with example risks – ID 1 Capital, 2 Earnings, 3 Liquidity. Source: Risk Assessment in Practice by COSO.
Reporting: Risk Appetite & Tolerance Statement Quarterly Reporting
BOARD RISK APPETITE & TOLERANCE STATEMENT QUARTERLY REPORTING - EXAMPLE, As of DATE
Status legend: Green = Appetite being met; Yellow = Some Parameters Not Met; Red = Several Parameters Not Met
Columns: # | Risk category | Description of What Is Being Watched | Descriptions of Parameters Being Watched | Appetite Being Met / Not Being Met (status color) | Tolerance Parameters Not Met | Exams/Audits Issues
Rows:
1 Credit
2 Earnings/Profitability/Capital
3 Liquidity
4 Interest Rate Risk
5 Technology
6 Strategic
7 Reputation
8 Operations/Transactional
9 Compliance/Regulatory/Legal
10 Human Resources
11 Customer
12 Model
13 Price
ERM Risk Assessment Heat Map
Risk Assessment Grid: risk IDs placed by Likelihood (columns 1-5) and Impact (rows 1-5). The slide shows the same ten risks twice, once with Impact on the rows and once with Likelihood on the rows; the cell positions below are read from the two together.

IMPACT \ LIKELIHOOD   1 Rare   2 Unlikely   3 Possible   4 Likely   5 Frequent
5 Extreme             -        -            2            -          -
4 Major               6        1,5,9        4,7          -          -
3 Moderate            8        -            -            -          -
2 Minor               -        10           3            -          -
1 Incidental          -        -            -            -          -

LEGEND (zones, highest concern first): Mitigate, Manage, Monitor, Make Do.
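As an added example (not from the Malzahn Strategic deck), the Python below turns rows of the ERM Risk Assessment Matrix into the slide's 5x5 likelihood-by-impact grid, buckets each risk into a legend zone and ranks the register. The ten risk IDs and their likelihood/impact coordinates are the ones on the slide's heat map; the priority, vulnerability and speed-of-onset values are constructed to fill the matrix's other 1-5 columns, and the zone thresholds in zone() are an assumption, because the slide names the zones (Mitigate, Manage, Monitor, Make Do) but its zone boundaries did not survive extraction.

```python
# Added example, not code from the Malzahn Strategic slides: heat-map
# placement and ranking for rows of the ERM Risk Assessment Matrix.
from dataclasses import dataclass

# Scale labels as defined on the slides (every scored column is 1-5).
LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Frequent"}
IMPACT = {1: "Incidental", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Extreme"}
SPEED_OF_ONSET = {1: "Very Low", 2: "Low", 3: "Medium", 4: "High", 5: "Very High"}
SCALE_COLUMNS = ("priority", "impact", "likelihood", "vulnerability", "speed_of_onset")
ZONES = ("Mitigate", "Manage", "Monitor", "Make Do")


@dataclass(frozen=True)
class Risk:
    """One row of the matrix; every scored column must be an integer 1-5."""
    risk_id: int
    priority: int
    impact: int
    likelihood: int
    vulnerability: int
    speed_of_onset: int

    def __post_init__(self):
        for column in SCALE_COLUMNS:
            value = getattr(self, column)
            if not isinstance(value, int) or not 1 <= value <= 5:
                raise ValueError(f"{column} must be an integer 1-5, got {value!r}")


def exposure(risk):
    """Likelihood x impact, the two axes of the heat map (range 1-25)."""
    return risk.likelihood * risk.impact


def zone(risk):
    """Bucket a risk into one of the slide's legend zones.

    ASSUMPTION: the thresholds are illustrative; the slide names the zones
    but does not state where their boundaries fall on the grid.
    """
    score = exposure(risk)
    if score >= 15:
        return "Mitigate"
    if score >= 8:
        return "Manage"
    if score >= 4:
        return "Monitor"
    return "Make Do"


def heat_map(risks):
    """Return {(likelihood, impact): [risk ids]} covering all 25 cells."""
    grid = {(lk, im): [] for lk in range(1, 6) for im in range(1, 6)}
    for risk in risks:
        grid[(risk.likelihood, risk.impact)].append(risk.risk_id)
    return grid


def render(grid):
    """Text grid with impact on the rows (5 at the top), likelihood on the columns."""
    header = "IMPACT \\ LIKELIHOOD".ljust(22) + "".join(f"{LIKELIHOOD[lk]:>10}" for lk in range(1, 6))
    rows = [header]
    for im in range(5, 0, -1):
        cells = [",".join(str(r) for r in grid[(lk, im)]) or "-" for lk in range(1, 6)]
        rows.append(f"{im} {IMPACT[im]:<20}" + "".join(f"{cell:>10}" for cell in cells))
    return "\n".join(rows)


def ranked(risks):
    """Highest exposure first; ties broken by priority, then speed of onset."""
    return sorted(risks, key=lambda r: (exposure(r), r.priority, r.speed_of_onset), reverse=True)


def by_zone(risks):
    """Risk ids grouped by zone, each group in ranked order."""
    groups = {z: [] for z in ZONES}
    for risk in ranked(risks):
        groups[zone(risk)].append(risk.risk_id)
    return groups


# Constructed sample register. The (likelihood, impact) coordinates are the
# ten risk IDs on the slide's heat map; priority, vulnerability and speed of
# onset are made-up values to fill the remaining matrix columns.
# Risk(risk_id, priority, impact, likelihood, vulnerability, speed_of_onset)
SAMPLE_RISKS = [
    Risk(1, 5, 4, 2, 3, 2),
    Risk(2, 5, 5, 3, 4, 3),
    Risk(3, 4, 2, 3, 2, 4),
    Risk(4, 4, 4, 3, 3, 3),
    Risk(5, 3, 4, 2, 3, 2),
    Risk(6, 5, 4, 1, 2, 1),
    Risk(7, 4, 4, 3, 3, 2),
    Risk(8, 3, 3, 1, 2, 2),
    Risk(9, 3, 4, 2, 2, 2),
    Risk(10, 4, 2, 2, 3, 3),
]

if __name__ == "__main__":
    print(render(heat_map(SAMPLE_RISKS)))
    print(by_zone(SAMPLE_RISKS))
```

The validation in Risk.__post_init__ is the check worth keeping when the matrix is filled in by hand: a blank or out-of-range cell silently drops a risk off the grid, and a spreadsheet will happily average "4-5" as text. Vulnerability is carried but not used for placement, matching the slide, where only Likelihood and Impact define the heat map axes.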