Credit rating uplift,
$2M+ in annual savings.

The situation.

A midsized U.S. commercial bank had grown faster than its risk infrastructure. ERM existed on paper — committee charters, a risk register, an annual board update — but the program wasn't decision-grade. Risk appetite statements were generic. KRIs lagged the business by quarters. Regulator feedback had drifted from "developing" to "needs work." Most consequentially, the bank's credit rating was constraining its bond issuance economics, adding measurable cost to every funding round.

The complication.

The bank had two false starts before engaging us. A Big-4 firm had delivered a 200-page framework that everyone politely ignored. A boutique had built KRI dashboards that the board never opened. Both engagements ended with the bank's CRO holding the bag and the program no closer to defensible. The CISO, who had inherited a sliver of the ERM ownership, told us flatly: "We don't need another framework. We need something the board actually uses and the agencies actually believe."

What we did.

We ran a 90-day rebuild structured around three commitments: every artifact would be tied to a decision someone had to make; we'd interview every senior leader before writing anything; and we'd treat regulator and ratings-agency expectations as design inputs, not afterthoughts.

• Weeks 1–2: Diagnostic. Interviews with 14 senior leaders, review of three years of board materials, mapping of existing risk taxonomy against COSO ERM, NIST CSF, and FFIEC heightened standards.
• Weeks 3–6: Risk appetite rebuild — quantified statements per Tier-1 risk, owned by named executives, with thresholds the board would actually act on.
• Weeks 7–10: KRI redesign — collapsed from 47 metrics to 18, every one tied to an appetite statement, every threshold mapped to an escalation. Dashboard built in the bank's existing GRC platform.
• Weeks 11–13: Board calibration — three executive sessions to socialize the framework, a final dry-run, then the live board presentation. Parallel briefings to the OCC and the ratings agencies.

The outcome.

Within six months, the bank's external credit rating was raised one notch. The CFO attributed the move directly to the strengthened risk-governance posture in the ratings agency's analyst notes. The economic impact, in the CFO's own quantification: more than $2 million in annual bond interest expense saved across the funding stack.

The OCC follow-up exam validated the rebuilt program with no findings in the risk-governance category — the first such result in three exam cycles.

Why it worked.

The previous engagements failed because they optimized for the consultant's deliverable, not the bank's decision cycle. We optimized in the other direction. Every page of the final framework existed because a specific person at the bank — usually the board, the CRO, or an examiner — had to make a specific decision with it. Frameworks that fail this test get filed; frameworks that pass get used.

Recommended next reads