This post originally ran on CU Insight.
Risk. It’s something that every credit union must deal with. Risk and its management, once broadly accepted as part of the fuzzy territory of doing business as a financial institution, have become increasingly hot topics over the past five years, giving rise to the burgeoning field of Enterprise Risk Management or ERM.
One might ask why ERM is so important. The answer becomes clear when you consider the following factors:
- The number of credit unions is over 7,000.
- The complexity of running a credit union in today’s environment, when you consider safety and soundness, compliance, IT, etc., continues to increase by leaps and bounds. Just look at the number of regulatory proposals, AIRES Questionnaires, examiner manuals, etc., and you get an idea of the increasing complexities involved in conducting an annual examination.
- The demand for qualified examiners remains an ongoing and competitive challenge within and throughout the collective regulatory agencies.
Given these complexities, ask yourself: how long would it take for an examination team to truly understand the full degree of risk factors affecting one credit union if it had to generate the data for analysis entirely from scratch? From a purely pragmatic standpoint, the regulatory agencies have a fundamental need to aggressively promote the use of risk assessments among financial institutions. Throw into the mix the diversity of risk elements within each financial institution and it becomes clear that the regulatory agencies simply do not have the resources to develop a comprehensive analysis of enterprise risk for every financial institution out there.
Hence, the concept of looking for credit unions to shoulder their own Enterprise Risk Management was inevitable.
There seem to be countless definitions of ERM. But, recognizing the complexity of the above factors, we can appreciate the definition given by the trailblazers of ERM, the Committee of Sponsoring Organizations of the Treadway Commission, more commonly known as COSO. COSO provided the following guidance on what constitutes effective ERM processes:
Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
This definition is central to the focus of building risk management functions that align with the CU’s strategies. In other words, ERM is about where a credit union is today, where it wants to go in the future and what elements stand in its way. As a result, we recognize the fundamental factors needed to implement an effective ERM program. We have identified four such factors that ensure that the ERM approach “fits” the credit union instead of trying to make the credit union fit ERM.
1. Vision
Strong ERM must be innately relevant to the credit union and its “vision.” COSO notes, “Among the most critical challenges for management is determining how much risk the entity is prepared to and does accept as it strives to create credit value.” As such, ERM must establish where the credit union is today and where it plans on going in its value-creation efforts. We frequently know what is defined as “Risk” as well as what is defined as “Management.” Yet, what do we define as Enterprise? One definition states that Enterprise is “a project undertaken or to be undertaken, especially one that is important or difficult or that requires boldness or energy.” Keeping ERM relevant to the credit union’s “Vision” requires that we know our Five Ws (who, what, why, where, when) today and in the future. Our collective assessment efforts must present those in a sound manner at given points in time, then seek to identify impediments to reaching those achievements and the corresponding risk mitigation.
2. Correlation
Effective ERM cannot be achieved with a “silo mentality,” where each department declines to share key information with the other departments. It requires correlation throughout the enterprise. History has repeatedly shown that a failure to understand the cause and effect of pursued strategies by an entity upon all departments of the credit union results in weakness and, in some cases, failure. Many credit unions have recognized this factor and responded with the designation of a Chief Risk Officer. Establishing such a position is logical, but cannot become a silo itself. Rather, such an individual must serve as a go-between for the various departments in an effort to establish and continually reestablish the Enterprise Risk Assessment.
3. Target Driven
Because ERM covers the full array of risks within the organization, it requires a unique approach to analysis. The framework for ERM is established in key categories:
- Strategic
- Operations
- Reporting
- Compliance
Objectives of an organization hit one or more of these categories. Those objectives will face a wide array of challenges to implementation including both internal and external events. As the credit union analyzes these events and corresponding strategies, it establishes the framework for measurement of ERM via the Enterprise Risk Assessment (ERA).
4. Measurable
The Enterprise Risk Assessment provides an initial and ongoing tool for management. It engages such key elements as:
- Internal environment (where we are today)
- Objectives (where we are going)
- Event identification
- Impact likelihood (on an inherent and residual basis)
- Risk Response and Control Activities
- Information capture, communication and monitoring.
Following this format is a challenge, but leads to a logical, quantitative and qualitative presentation that yields significant benefits and facilitates the process with each succeeding year.
Although there is no question that the ERA must address qualitative elements (such as risk factors, strategies, etc.), those elements are best presented when quantified (such as key ratios and risk scores to be evaluated). The adage that we value what we measure is absolutely true of ERM and the ERA gives us that capacity from both a static (level) and dynamic (trend) perspective. No ERA can encompass every conceivable risk, but sound ERM provides a powerful tool that promotes internal and external confidence.
When properly pursued, the Enterprise Risk Assessment serves as a powerful document that:
- seeks to align the risk appetite and strategy of the credit union;
- facilitates enhanced risk response and decisioning guidance;
- reduces operational surprises and losses through facilitating an effective, coordinated response to the myriad of risks affecting different parts of the organization;
- promotes the ability to seize opportunities through proper management positioning and deployment of capital; and finally,
- helps ensure the effective reporting and compliance with laws and regulations while guiding the credit union away from the damage inherent in reputation risk and its associated consequences.
Ken Agle, President of AdvisX, our sister company, brings more than 25 years of experience covering almost all facets of financial institution risk management operations. He has conducted more than 350 compliance reviews and has assisted more than 200 financial institutions throughout the United States. He has developed and implemented systems and training programs on all phases of banking risk management, including, but not limited to BSA/AML, fair lending, loan review, HMDA, CRA, BSA, operational compliance, TILA, and RESPA. He has written numerous regulatory responses and appeals and has been instrumental in assisting institutions with challenging circumstances while facing regulatory enforcement orders. He has partnered with McGladrey & Pullen, RSMI, Promontory, Sheshunoff and other multi-region firms to provide support services to financial institutions. Mr. Agle specializes in strategic regulatory response and in developing and implementing both proactive and reactive tools and systems to preempt and resolve issues affecting today’s financial institution. For more information on BSA/AML services, contact Ken Agle.