The Federal Reserve Bank of Philadelphia implements its own process for enterprise risk management

RMA Journal, The, July-August, 2005 by Spyro Karetsos

In 2003, the Federal Reserve System emphasized the importance of risk management by creating an ERM guidance document providing direction and defining a common risk language. In 2004, Spyro Karetsos, the Philadelphia Fed's enterprise risk management officer, developed an ERM implementation guide to plan Philadelphia's approach to integrating existing risk-based practices and tools. This ERM plan is being developed for the bank to strengthen its own risk management practices and is in no way a prescription for the financial institutions the Fed supervises. The effort does show banks throughout the U.S. that what's sauce for the goose is sauce for the gander. Similar efforts are being undertaken at banks throughout the Federal Reserve System. In fact, one of Karetsos's roles has been to pull together the ERM initiatives of all entities in the Federal Reserve System to provide a high-level enterprise view of risks and associated mitigation activities.

I think of enterprise risk management as a continuous journey. That's because it is not exact science but rather an evolving improvement initiative. Similar to quality programs such as Six Sigma, ERM is something that you're always working toward and may always be trying to refine. As a Federal Reserve Bank, we view our reputation as our greatest asset; therefore, our bank has always had a strong emphasis on controls. What ERM offers is an opportunity to leverage existing risk assessments and tools to form a holistic view of aggregate risk and interdependencies. The world of financial services is constantly evolving, and enterprise risk management must continue to evolve with it.

So if we're implementing something that may never be finished, how do we know if we're doing a good job? It's all about adding value. We want to feel confident that every step we take--integrating risk management activities, reducing redundancies, and enabling better-informed decisions--adds value. Also, all risk management decisions are made on a cost/benefit basis. A zero-risk tolerance environment not only is impossible, it's undesirable and cost prohibitive. The key is to balance risk and reward, and the Fed employs various risk specialists to vet the impact of actions taken by business lines and assess the effect on the institution within a given risk category.

The bank's approach to implementation is influenced by components it has deemed essential, including:

* Clear guiding principles, strong and visible corporate governance, and a common risk language that provides ERM definitions and a set of risk categories and subcategories.

* A bottom-up approach using a risk assessment process, risk response options, communication mechanisms, and monitoring techniques.

* A top-down approach of high-level, informal discussions of overarching strategic issues.

Many of our approaches to risk management are qualitative, as opposed to quantitative, and we are wary of developing a false sense of precision. We are mostly interested in identifying areas of concern, fostering an environment that promotes early communication of issues, and analyzing the potential impact to stakeholders. For that reason, we think in terms of "high," "medium," and "low" inherent and residual risk levels.

Corporate Governance

The corporate governance chart shown in Figure 1 is not an organizational chart, but rather a visual representation of responsibilities, interactions, and information flows, rib carry out its oversight responsibilities, the Board of Directors must have a sufficient number of independent outside directors who possess an appropriate degree of management, technical, and other expertise. We expect two existing subcommittees--the Budget and Operations Committee and the Audit Committee--to be responsible for the ongoing monitoring of the ERM program and the bank's risk profile. The Risk Management Council (RMC) provides top-down sponsorship, approval, and oversight of the bank's ERM program. This group reviews and approves the bank's risk policies, sponsors the bank's risk-aware culture, and communicates the bank's risk appetite.

[FIGURE 1 OMITTED]

The ERM officer establishes a risk management process to identify, prioritize, mitigate, measure, and report on risks at an enterprise level. This officer promotes ERM through training, education, and facilitated sessions and provides tools to business area management that are used to generate the enterprise-wide perspective. The officer periodically reports the bank's risk profile to the RMC and the Board of Directors.

The risk specialists conduct five main activities related to their area of expertise:

1. Validate best-practice controls.

2. Assess centrally owned controls on behalf of the bank.

3. Review the bank's risk profile, focusing on their areas of expertise.

4. Provide consulting/guidance to business areas to mitigate exposure.

5. Report on the bank's risk profile to the RMC as it relates to their areas of expertise.

ERM Self-Assessment