What exactly does risk management mean when it comes to banks and other financial institutions? There is no one answer really. The term carries a whole raft of connotations. 

During the credit crunch, risk management certainly meant management of portfolio risk and counterparty risk and any kind of risk that put banks at risk of an old-fashioned run. But risk also has a wider meaning: The kind of risk that most GRC practitioners think of--the R in GRC. And banks would be wise not to forgot about this aspect. A holistic view of risk is probably the wisest interpretation. 

Paisley has identified the key "management philosophy" deficiencies that have traditionally caused of bank failures. The report identified four main issues. Nearly half were the result of inadequate board supervision; 37 percent resulted from a too-dominant personality, such as a CEO or chairman; 32 percent resulted from volatile funding sources; and 26 percent born of overly ambitious growth attempts. The key "management operational" deficiencies by far was poor general lending policies, followed by poor loan administration and poor documentation and credit analysis. 

The key item is the first item: Board supervision. As the saying goes, a fish rots from the top. You can't really have a robust ERM program with a board that's committed to it. Compliance Week notes that boards ought to be huge supporters of stronger ERM because that will create the tools that will allow them to better do their job. Of course, a dominant personality may make it hard if he or she doesn't share the same goal. 

It would be easy to argue that this is mainly a big bank problem, where we've had no shortage of big-name bosses who served as chairmen and CEOs. 

But little banks have the same issues. Community banks aren't necessarily any better at governance and risk management than their big bank brethren. We have certainly seen many pay the price for poor risk decisions in the past--like pushing too far into condo construction lending or concentrating their portfolios in Fannie Mae shares. No wonder we're seeing lots of banks, more than 100, being asked by the FDIC to deliver a risk exposure plan, notes FinCriAdvisor. 

Regulators have been emphasizing that banks large and small need to get this aspect of risk management straightened out. The FDIC has gone so far as to endorse COSO, which offers guidance on good internal controls. This is much needed. In this environment, it's best to take a wide view on risk, seeing it as the rubric that encompasses the whole ball of wax--from portfolio and lending exposure to checks on executive behavior and everything in between. 

Banks have got to get systematic about this. - Jim