Enterprise Risk · Credit Risk · Market Risk · Operational Risk · Regulatory Compliance · Securities Lending
JOIN. ENGAGE. LEAD.
4 CORE CAPABILITIES FOR
BUILDING STRONG RISK
GOVERNANCE
Effectively manage risk-taking activities
CORE CAPABILITIES FOR STRONG RISK
GOVERNANCE
Culture
Structure
Policies and procedures
Internal control environment
CULTURE
A strong risk management
culture accomplishes two
organizational objectives.
CULTURE: ORGANIZATIONAL OBJECTIVES
1. It helps the company make well-informed decisions.
A company with a strong risk management
culture promotes, encourages, and rewards
behaviors that avoid herd mentality,
confirmation bias, or groupthink.
CULTURE: ORGANIZATIONAL
OBJECTIVES (CONT.)
2. It helps the company identify rogue individuals
and/or groups.
It is said that 99.9% of people show up to work
every day intending to do the right thing.
But, sometimes individuals or groups are more
interested in their own personal gains than in
doing what is right.
In such cases, a strong governance and risk
management culture identifies those individuals
and purges them.
CULTURE: ORGANIZATIONAL
OBJECTIVES (CONT.)
Set company values
• Senior management comes to a consensus
on what the company values are.
• And they live those values every day without
exception.
Set the tone
• Senior and executive management set the
tone by what they say and do.
Articulate
• The board and senior management develop
clearly articulated statements about risk
appetite and tolerance that spell out,
unequivocally, the company’s philosophy on
risk acceptance.
STRUCTURE
Although there are various models,
there is no right governance
structure.
Each institution must determine
which structure is best suited for
its organization, i.e., one that will
support information flow,
escalation, decision making, and
accountability.
TYPICAL GOVERNANCE STRUCTURE
• Board of directors
• Board’s risk committees
• Chief risk officer
• Management committees
POLICIES AND PROCEDURES
Policies communicate the
company’s risk appetite to
all stakeholders.
They describe what the
company is willing to do
and not willing to do.
POLICIES AND PROCEDURES (CONT.)
The statement of risk appetite is
operationalized through policies
(“What should we do?”) and procedures
(“How should we do it?”).
POLICIES AND PROCEDURES (CONT.)
Policies should be brief (no more than two or three pages)
and should express the following:
• Policy Overview: What is it intended to accomplish?
• Authority: Who is accountable for implementing policy?
• Implementation: How will the policy be implemented?
• Exceptions: How should exceptions be handled?
INTERNAL CONTROL ENVIRONMENT
Internal control is frequently
defined as the systems,
processes, and policies that
enable an organization to meet
its strategic goals.
INTERNAL CONTROL ENVIRONMENT (CONT.)
An internal control framework
exists to align the amount of risk
assumed by the company with its
accepted risk appetite and risk
tolerance. However, it’s not as
simple as it sounds.
INTERNAL CONTROL ENVIRONMENT (CONT.)
A good internal control
environment is critical to ensuring
sound operations and achieving
the risk management goal
of “no surprises.”
INTERNAL CONTROL ENVIRONMENT (CONT.)
A truly effective and efficient
internal control structure requires taking a
deliberate and fundamental approach to
the design, execution, and
monitoring of the controls,
rather than just creating them to
address perceived outcomes.
8 BENEFITS OF STRONG RISK GOVERNANCE
Strong governance helps to ensure that:
1. The risk appetite is appropriate for your institution’s business model, strategy, and execution.
2. The expected risks are commensurate with the expected rewards.
3. Management has implemented a system to manage, monitor, and mitigate risk that is appropriate for the company’s business model and strategy.
4. The risk management system informs the board of the major risks facing the company and how they are being managed.
8 BENEFITS OF STRONG RISK
GOVERNANCE (CONT.)
5. An appropriate culture of
risk awareness exists
throughout your
organization.
6. There is recognition that
management of risk is
essential to the successful
execution of your
company’s strategy.
7. A well-developed capital
plan is in place to support
the established risk appetite
and strategic plan.
8. A stress-testing program
is in place to help determine
sufficient capital availability
based on your bank’s
strategic plan and risk
appetite.
RMA’s Governance and Policies Workbook further
examines the core capabilities required for a strong
risk governance culture, structure, policies and
procedures, and internal control environment.
The workbook provides detailed
examples of governance structures, risk
committee charters, and risk
dashboards in its appendix.
ENTERPRISE RISK MANAGEMENT
WORKBOOKS
To help you develop your ERM framework, RMA offers a series
of highly practical workbooks:
1. Risk Appetite Workbook, November 2010.
2. Scenario Analysis and Stress Testing for Community Banks,
February 2012.
3. Governance and Policies Workbook (includes “Response”),
November 2013.
4. Risk Measurement and Evaluation (in development).
5. Risk Data and Infrastructure (to be developed).
RMA members may download the workbooks for $0 (free!).
Not a member? Join today.
Visit http://www.rmahq.org for information on risk management
Visit our blog at http://rmablog.rmahq.org/
RMA is a member-driven professional association whose sole purpose is to
advance sound risk principles in the financial services industry.
RMA helps its members use sound risk principles to improve institutional
performance and financial stability, and enhance the risk competency of
individuals through information, education, peer sharing, and networking.
Become a member today.
