7.24.2012

Enterprise Risk Management

Organization or Culture Risk

The hub of any strong Enterprise Risk Management (ERM) system is the organization’s risk climate or culture: the attitude and approach the organization takes toward identifying, monitoring, controlling, and mitigating risk.

Truly understanding the risk climate requires more than completing checklists. It goes to the heart of how executive management and the board approach risk, and it is rarely black or white. How are decisions made in the organization? Are dissenting concerns minimized? Are executives encouraged to raise concerns? How do the board and executive management discuss the things that keep them awake at night? How strong is the “bad-news network” that carries problems upward before they become losses? How is the quality of management and human resource practices incorporated into the ERM?

Here are some examples of questions board members and CEOs might ask to begin this critical part of developing a sound ERM. We find in our work with organizations that assembling confidential board and management responses to these questions is often enlightening and can help to strengthen the risk culture.

1.    Have the major perceived risks to the organization been:

a.     Identified?

b.    Ranked? 

c.     Discussed with the board?

2.    What risks do you see that are not clearly identified or a part of management/board focus?

3.    Has the board approved a risk appetite statement?

4.    What are the incentives and penalties for officers who identify risk in the organization?

5.    How are the “cons” of a major new initiative handled in executive management and board sessions? Does an atmosphere of “Group Think” prevail or are alternative ideas encouraged?

6.    What happens when a major risk is uncovered that was not identified by management?

7.    How are concerns about executive performance handled?

8.    Is the board conversant with the various risks?

9.    Is there a split on the board?

10. Does the board add value to strategy development?

11. Can you clearly describe your bank’s strategy?

12. Does the entire executive management team have responsibility for ERM or has one lower level officer been assigned the responsibility?

13. Have both performance and leading risk indicators been identified for all major risks? (For example, on asset quality a key performance indicator is the coverage ratio, while leading risk indicators for concentrations in the portfolio might include industry performance ratios.)

14. How are risks monitored and reported?

15. How strong are your controls on risk? (For example, audit coverage, policy limits and exception reporting.)

Simply answering these questions, and then having a candid, thorough discussion of what the answers mean for ERM in your organization, will take you a long way toward developing a strong ERM.
