Beyond Spreadsheets: Modern ERM for 2026
Beyond Spreadsheets: Modern ERM for 2026
ERM Pilot | ERM Series, Part 1 of 3 by William Hord - Chief Strategy Officer
For most of the past two decades, enterprise risk management at financial institutions meant a risk register in Excel, a quarterly report to the board, and a binder that came down from the shelf before an examination. That era is over — and regulators have made clear they know it.
The OCC's Spring 2025 Semiannual Risk Perspective states plainly that financial institutions need a "forward-looking, integrated risk view" — not backward-looking documentation. The NCUA's 2026 Supervisory Priorities Letter echoes this, listing data-driven balance sheet monitoring and real-time risk visibility as explicit exam expectations for credit unions of all sizes. These are not aspirational statements. They are the lens through which your next examiner will evaluate your ERM program.
The Fragmentation Problem
Most institutions don't lack risk data. They lack connected risk data. Credit risk lives in the loan origination system. Interest rate risk is modeled in a separate ALM tool. Operational risk events are tracked in a ticketing system. Vendor risk may exist in a spreadsheet owned by one person in procurement. None of these systems speak to each other, and the result is exactly the blind-spot environment regulators warn against.
The FDIC's 2025 Risk Review specifically highlights net interest margin compression, CRE concentration, and deposit volatility as compounding concerns — risks that interact with each other in ways a siloed reporting structure simply cannot surface. When deposit outflows accelerate and CRE loan maturities cluster in the same quarter, an institution needs to see both signals on one dashboard, in real time. A monthly ERM report stitched together from five disconnected sources will not get you there.
What Examiners Are Actually Looking For
The OCC's FY2025 Bank Supervision Operating Plan directs examiners to evaluate whether institutions can stress-test borrowers "most vulnerable to inflation and higher operating costs" and whether those results are integrated into board-level risk conversations — not filed in a drawer. This is a meaningful shift from checking whether stress tests exist to evaluating whether they drive decisions.
The Federal Reserve's supervision framework has similarly elevated expectations around risk governance: board risk committees, a credible Chief Risk Officer function, and audit processes that are genuinely independent and integrated into the ERM cycle. Governance shortcomings — an ERM function with no real authority, a board that receives risk reports without acting on them — are increasingly treated as amplifiers of every other risk in the institution.
Interest Rate and Credit Risk in a High-For-Longer Environment
The OCC's guidance is direct: institutions must understand and manage risk to asset values and deposit stability "under a full range of plausible interest rate scenarios." That means not just modeling a base case and a 200 bps shock — it means pressure-testing funding assumptions, back-testing rate models against recent history, and maintaining contingency funding plans that are actionable, not theoretical.
On the credit side, CRE concentration — particularly office and retail — and leveraged commercial lending remain focal points. The FDIC and NCUA have both flagged these portfolios as areas where accurate risk ratings and proactive renewal stress tests are non-negotiable examination expectations.
The Path Forward
Modern ERM is not about more reports. It is about better data architecture, integrated risk views across disciplines, and the governance discipline to act on what those views reveal. Institutions that invest in connecting their risk data — whether through purpose-built platforms or disciplined process redesign — will enter examinations with confidence. Those that don't will spend exam preparation weeks manually assembling a picture their systems should have been showing all along.
The question is not whether your institution needs to modernize its ERM program. The OCC, FDIC, Federal Reserve, and NCUA have already answered that. The question is when — and how.
ERM Pilot unifies enterprise risk data across ERM, Business Continuity, Vendor Management, and Compliance in a single, continuously current platform. Start a free trial at ermpilot.com.
Article References —
1. Office of the Comptroller of the Currency. Semiannual Risk Perspective, Spring 2025. Washington, D.C.: OCC. Available at: https://www.occ.gov/publications-and-resources/publications/semiannual-risk-perspective/files/pub-semiannual-risk-perspective-spring-2025.pdf
2. Office of the Comptroller of the Currency. Fiscal Year 2025 Bank Supervision Operating Plan. Washington, D.C.: OCC, October 2024. Available at: https://www.occ.gov/news-issuances/news-releases/2024/nr-occ-2024-111a.pdf
3. Federal Deposit Insurance Corporation. 2025 Risk Review. Washington, D.C.: FDIC. Available at: https://www.fdic.gov/analysis/2025-risk-review.pdf
4. National Credit Union Administration. NCUA's 2026 Supervisory Priorities. Letter to Credit Unions, January 14, 2026. Available at: https://ncua.gov/regulation-supervision/letters-credit-unions-other-guidance/ncuas-2026-supervisory-priorities
5. National Credit Union Administration. 'NCUA Issues 2026 Supervisory Priorities Letter to Credit Unions.' Press Release, January 14, 2026. Alexandria, VA: NCUA. Available at: https://ncua.gov/newsroom/press-release/2026/ncua-issues-2026-supervisory-priorities-letter-credit-unions