A Midsize Bank’s-Eye View of Managing Enterprise Risk

By Tina Orem

In the literary world, crossing a threshold often signifies that a story’s hero has committed to a fantastic journey. In the banking world, however, it signifies that a financial institution has committed to major shifts in its regulatory framework. And when the threshold is $10 billion in assets, that commitment includes complying with new expectations for enterprise risk management, or ERM.

As with most heroes’ journeys, there are challenges along the way. Here’s what two bank executives said they’ve learned about ERM and passing that $10 billion threshold—and how other banks can be ready when it’s their turn.

1. Avoid foot-dragging

Procrastination can cause problems. If your bank plans to cross the $10 billion threshold at some point—even if that point is later rather than sooner—start learning the rules and building processes now, says Aimee Hamilton, who is EVP and ERM executive at Cadence Bank in Birmingham, Ala.

“Look at what the regulators are expecting of banks over $10 billion and build your process with an eye toward that,” she says. “Don’t build it for a much smaller, less complex situation when you know your bank is not planning to be in that situation long-term.”

Cadence Bank had $9.8 billion in assets at the end of the second quarter, and Hamilton says the $8 billion mark is a decent time to start taking a few steps.

“By the time you get to $10 billion, you’re technically meeting the requirements versus trying to do everything when you’re $9.5 billion,” she notes.

2. Get organized

For publicly traded bank holding companies, crossing the $10 billion asset threshold means establishing a board-level risk committee.

The ERM committee should involve people from the bank’s major lines of business, as well as its major operational and technological areas, Hamilton notes. She says her bank’s ERM committee, which she chairs, meets twice a month.

“We do the enterprise view here. It’s not just something that we do in risk management and then hand out to everybody,” she explains.

3. Build the infrastructure

“You’re fully expected to have a long-term strategic plan in place, and that has to be fully risk-assessed, depending on what markets you’re in, what products you plan on offering, how you plan to get to that $10 billion mark. And once you’re there, what do you look like? Everything that you do, particularly from a consumer standpoint, becomes subject to scrutiny,” says Tim King, who is EVP and chief risk officer at Dime Community Bank in Brooklyn.

At about $6 billion in assets, Dime Community Bank is well below the $10 billion threshold, but King says the bank already applies many of the rules, including establishing a risk committee.

“We’re basically running ourselves in many respects like a $10 billion institution,” he says.

It doesn’t come free, though. Expanding the scope of a bank’s risk management work usually requires investments in new tools and processes—especially on the modeling side, King warns. Crossing the $10 billion threshold often means needing to assess the impact of various macroeconomic scenarios, and that job requires a lot of coordination and more powerful analytics. Frequently, that means planning to spend money on more robust software and other technology that can do heavier lifting, he says.

“People who rely on Excel spreadsheets to be the de facto modeling process are just asking for trouble, because obviously you have to validate every single spreadsheet and make sure that the input is good, the output makes sense, the throughput has been tested…All that takes time and energy,” King warns. “Why not just go out and buy a package that has been tested for you and validated on a regular basis?”

4. Rev up the hiring engine (and budget for it)

Regulators will expect growth-minded banks to have very robust risk analytics infrastructures, and the $10 billion threshold often warrants bringing on a team of data analysts, compliance specialists and more supervisors to manage risk, King says. The associated modeling work also tends to get bigger and more complex, which may require specialized staff, he says. And there are the third-party risk management programs to think about.

“All that stuff requires people and systems, and they all have a cost,” he says.

5. Spread the word

Perhaps most notoriously, crossing the $10 billion threshold means becoming subject to supervision for consumer compliance and UDAAP under the Consumer Financial Protection Bureau. The ERM teams at banks getting ready to cross the threshold need to get used to telling people outside of the ERM group—especially those on the product side—what they’re doing and why, Hamilton warns. “If you make this just a risk-management project, it’s not going to stick. You have to communicate and embed that culture,” she says.

Reaching out to the people who run a bank’s various lines of business helps teach them how the work they do every day is part of risk management, Hamilton adds. “They may not have considered that before. It’s an education process,” she says.

Tina Orem is a frequent contributor to the ABA Banking Journal.