Building out an enterprise risk management (ERM) program can be overwhelming for financial institutions and others in the financial services industry. Risk management is a broad umbrella covering a wide range of risks, including operational, cybersecurity, compliance, reputation, and financial risk. With so many areas to cover, it’s hard to know where to begin or how to get it all done.
One common mistake banks make when faced with an overwhelming task like building out a risk management program is to kick the can down the road. They decide they are too busy, and the job is too big, so they’ll dig in once things quiet down.
This creates two problems:
Problem #1: A quieter time isn’t coming
We all like to imagine that a simpler, quieter time is just down the road. We just need to reach a deadline or milestone and we’ll have plenty of time to tackle our backlogged to-do lists.
The problem is that a quieter time isn’t really coming. When Aristotle said, “nature abhors a vacuum,” he probably wasn’t talking about project management, but he may as well have been. New projects are always coming to take the place of those that are finished. It’s rare to finish a project and then wonder “What should I do next?” The next thing has already been defined and mapped out. There is no pause.
Problem #2: Exposing the institution to unknown amounts of risk
The goal of risk management is to identify, assess, measure, mitigate, and monitor risk to ensure your financial institution isn’t taking on too much or too little risk. Your institution’s risk exposure needs to align with its risk tolerance.
The longer you wait to build out a risk management program, the longer your institution is exposed to unchecked risk.