Before the Launch…

Regulation is pushing the implementation of enterprise risk management at many financial institutions.

Both money center and community banks have been implementing some form of the ERM process over the last half-dozen years—many being pushed into implementation by Dodd-Frank in 2010. Corporate credit unions were also pushed to implement ERM by regulators through National Credit Union Administration rule 704.21. Credit unions, especially larger ones, are following suit.

Asset/liability management and risk-focused examinations have long been pillars of credit union operational and risk management activities. Some credit unions employ a full-time risk manager while others assign these responsibilities to a member of the senior leadership team, such as the VP/lending. Interestingly, NCUA Supervisory Letter No. 13-12 is both implicit about how favorably the NCUA views ERM, and explicit in stating that credit unions are not required to implement a formal ERM framework. 

Perhaps NCUA is so favorable toward ERM because the strategic and operational benefits made possible by adopting such a program include:

1. a far greater chance of achieving strategic and business objectives;
2. the ability to see adversity on the horizon and minimize its impact;
3. the ability to take advantage of value-creating opportunities; and
4. a persuasive demonstration to examiners that an ERM culture and practice are being embedded within the credit union and that all critical risks are being managed in relation to each other and considered in the aggregate as a portfolio.

Traditionally, the practice of risk management consists of five steps:

1. Identify and assess risks.
2. Analyze and prioritize risks.
3. Develop risk mitigation strategies.
4. Implement the mitigation strategies.
5. Monitor and report progress.

With the introduction and adoption of ERM by credit unions, an additional step and modifications to the traditional five steps should be included. The new step—planning—is critical in establishing the context surrounding the new ERM program. The planning and preparation stage should take place before an ERM program is initiated. It is at this point that

a credit union’s leaders need to discuss how the ERM program will be aligned with the CU’s strategic objectives, and be utilized as a compliance tool for examiners.

Link ERM to Strategy

Too many ERM programs are initiated and championed by a single individual or department from the bottom up without giving adequate consideration to both the needs and goals of the entire enterprise–a core ERM concept. The result is an ERM effort that is a narrowly focused extension of the sponsoring department. For example, an ERM effort championed by the compliance or regulatory group often becomes a compliance-biased program. An ERM process initiated by business-continuity planning will tend to focus on the issues associated with emergency management and crisis communications.

Obviously, these two organizational capabilities are important, but they should be considered within the overall context of the CU’s strategic goals. An ERM initiative that takes a holistic approach in a culture that supports it will not only leverage the best risk identification and treatments already in place throughout the organization, but also help to incorporate the same risk processes into the strategic planning process.

When ERM is aligned with the credit union’s strategic and operational goals, ERM can also lead to strategic and operational benefits. The methodology is to embed ERM within the strategic and annual business planning process. Because the strategic plan sets out a vision for the credit union’s growth over a multi-year time frame, incorporating the ERM process will support the strategic plan.

The reason is straightforward: While the strategic plan is based on various projections over time (among them economic and demographic), its starting line is existing conditions. However, there is an enormous range of changing circumstances with consequences that vary over time that can quickly turn favorable operating conditions into an extremely difficult environment.

Consider the wide range of outcomes, such as a change in interest rates, that are possible spanning the five-year time frame of 2014-2019. During the next five years, CUs will be impacted by political, economic, technological, social and legal factors, as well as fluctuating job growth at regional and local levels where branches operate.

Embedding the ERM process into strategic and business planning is not an end to itself. The ERM process supports the strategic plan, but it is executing the strategic plan with tactical actions that counts. When information about risks or obstacles is added early in the process and decisions are based on that data and information, the credit union will actually start to practice strategic risk management.  

Initiating the ERM Process

Adequate planning and preparation before initiating ERM are crucial. The planning step requires the active engagement and leadership of the credit union’s board of directors, CEO and leadership team. With the CEO leading the planning sessions, a constructive dialogue about ERM that will determine the unique shape and contour of the CU’s program can begin.

An initial planning session with the following agenda is a good place to start:

• Create an ERM charter: vision, mission, and purpose (more on this in the next section).
• Assign the supervisory committee to guide ERM activities.
• Identify how best to align the ERM process within the CU’s strategic plan.
• Define “risk” within the credit union.
• Establish timeline projections.
• Draft an initial “risk register” for the credit union. (This is a list of the identified risks that has been organized into categories. Most credit unions divide risks into seven categories: credit, liquidity, interest rates, transactions, reputation, compliance, and strategic.)
• Determine desired reporting schedules and formats.
• Discuss practical risk positions (appetite and tolerance).
• Identify internal and external resources and collaborations that will bring added robustness to the effort.

Addressing the various items on the agenda will take time. However, it is time well spent.

In addition to ensuring that all the CU leadership is “in sync,” ERM planning time also provides the opportunity to consider reporting, training, and communications protocols for the future. During times of economic uncertainty and an environment of increasing regulations, communicating with the board will provide greater comfort and assurance not only about risk management at the credit union but also its strategic direction, viability, and growth. Communication with middle management and rank-and-file employees provides a consistent direction and guidance in the area of risk management.  

The ERM Charter

An ERM charter created during ERM planning is an internal blueprint for executive leadership and middle management to follow. The strategic nature of the document warrants creation by senior executives who have a broad view and power within the organization. At the very least, the charter should state the vision, mission, and purpose of ERM within the organization.

It will set the tone from the top for ERM in one of two very different directions: Either risk management is a strategic support function, or it is about audit and control. We believe ERM should be aligned with and support the business activities of the organization. Risk management should collaborate with audit and compliance, but not be housed within compliance if the option exists.

Half of the foundational principals of ERM have to do with “preserve, protect, and comply,” but the other half have to do with supporting building the business. ERM should be employed to identify, assess, and address both threats and opportunities to the organization. More specifically, the goals of an ERM program should be: (1) minimize the impact of adverse events, (2) support business growth opportunities, and (3) enhance credit union governance. Make sure your charter reflects these ideas.      

Incorporating ERM process into the strategic plan will both support growth objectives and minimize the impact of adverse events that could hamper the credit union from achieving its goals. We view ERM as one more component added to a traditional strategic process:

1. Do an internal scan to address current strengths and weaknesses.  A Strengths, Weakness, Opportunity, Threats analysis is often employed.
2. Do an external scan to address the outside forces over which the credit union has little or no control, such as political, economic, technological, social-demographic, environmental, and legal factors.
3. Assess your CU’s strategic risk position by addressing the key questions of: (a) How much risk can we take? (b) What risks can we take? (c) When do we take the risk? The goal is to develop a risk appetite and tolerance statement.
4. Articulate your strategic and business plan, and create a budget to go with them. Without a budget, ERM is lip service.
5. Execute the decisions made that will produce the desired outcomes.

Adopting ERM positions the credit union’s risk management activities as a strategic function vs. its limited traditional use as an audit and compliance tool. The credit union’s strategic plan provides the platform from which to begin. It provides the direction for the credit union and assists with allocation of resources, including capital and people.

The active engagement of the board, CEO, and supervisory committee in ERM helps position the CU for success in bringing all the risk management pieces together.

John Bugalla is managing principal of ermINSIGHTS, Indianapolis.

James Kallman, Ph.D., is assistant professor of finance at St. Edwards University in Austin, Texas.