The cost of not doing ERM is at least $400 million

I know this is banking but I thought you might find Citi’s $400m fine and consent order and the regulator comments interesting:

The Comptroller finds, and the Bank neither admits nor denies, the following:
(1) For several years, the Bank has failed to implement and maintain an enterprise-wide risk management and compliance risk management program, internal controls, or a data governance program commensurate with the Bank’s size, complexity, and risk profile.

(2) The OCC has identified the following deficiencies, noncompliance with 12 C.F.R. Part 30, Appendix D, “OCC Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches,” or unsafe or unsound practices with respect to the Bank’s enterprise-wide risk management and compliance risk management program:

    (a) failure to establish effective front-line units and independent risk management as required by 12 C.F.R. Part 30, Appendix D;

    (b) failure to establish an effective risk governance framework as required by 12 C.F.R. Part 30, Appendix D;

    (c) failure of the Bank’s enterprise-wide risk management policies, standards, and frameworks to adequately identify, measure, monitor, and control risks; and 

    (d) failure of compensation and performance management programs to incentivize effective risk management