ERM: Why and How

By John Harwell

The National Credit Union Administration has not made having an enterprise risk management program a requirement for natural person credit unions. However, the agency has issued guidance regarding ERM in Supervisory Letter 13-12, dated November 2013.

The NCUA states “there is no off the shelf solution” and credit unions should tailor their ERM program to fit their own complexities. This supervisory letter may predict where ERM in credit unions is headed. In many past instances, the NCUA has initially released guidance that later became rules. In this case, it’s good to be prepared for a potential new ERM NCUA regulation.

But to be in line with likely future regulations isn’t the only reason to establish an ERM program at your credit union. Here are three additional benefits to having one:

  1. An ERM program will show you opportunities you did not know were there. For example, if you conducted a risk assessment of your consumer lending program, and the results showed very low risk, this would provide an opportunity to take more risk and lend to more of your members.
  2. An ERM program will help your credit union focus on its most significant critical risks. Credit unions have a plethora of risks to manage. It is important not to get overwhelmed in the beginning while you are building your ERM program. Your ERM program will help you uncover your most significant or critical risks. For example, in the beginning of your ERM program, your credit union may decide to focus on the strategic risks critical to your future survival. By focusing on these risks, you will have the opportunity to “test drive” your program. As you become more comfortable with how things work, you can add more risks to be monitored and reported.
  3. An ERM program will decrease the impact major events will have on your credit union. Most people who know a hurricane is about to hit their area take certain precautions to try to minimize the damage. There will be storms at your credit union. Your ERM program will help you be prepared.

If you’re ready to create an ERM program, consider the following options: Purchase software, hire a consultant or implement a program on your own. Here’s how:

Purchase software. An advantage of purchasing software is that it can decrease the amount of time you spend on your ERM program. A disadvantage is that it can decrease the amount of time you spend on your ERM program. What? When considering ERM software, determine if it is going to produce data that will aid in your risk management decision process.

Input from the top down is necessary for your ERM program to be successful. An ERM program can’t be run in a silo. It should have accountabilities worked into it, and communication throughout your credit union is paramount to your program’s success.

Is there someone at your credit union who will be tasked with interpreting the data? How will the results be communicated? These are just a few questions to consider. There are many software options from which to choose. Be sure you choose one that fits the goals and objectives you have for your ERM program.

Hire a consultant. A consultant can be very helpful if you don’t have much ERM experience at your credit union, or a previous ERM effort failed or is stuck in the mud. A consultant can assist you with your ERM governance, policies and procedures, charter and committee. A charter should set the course for the future and a solid structure will help ensure your program will last well into the future. A consultant will help you determine who should be on your ERM committee and how the meetings should be structured so you get the most out of your program. Always remember, it is the credit union’s ERM program, not the consultant’s.

Implement your own ERM. If you decide to build your ERM program yourself, two established frameworks can help. They are ISO (International Standardization Organization) 31000 and COSO (the Committee of Sponsoring Organizations).

ISO 31000 provides principles, framework and a process for managing risk and opportunities. It can be used by any organization regardless of size, activity or sector. COSO is a joint initiative of five private sector accounting firms dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence.

Because we wanted to make sure we chose the best option, Apple Federal Credit Union, Fairfax, Va., explored all three of these choices, a process that took about 18 months. After all the research, we decided to hire a consultant to help us build our ERM program.

We wanted to set a baseline for our program, so we asked our consultant to conduct an enterprise risk assessment so we could see where we were. We did not feel, based on current projects in our queue, that we had the internal resources available to conduct the enterprise risk assessment on our own. After the enterprise risk assessment is complete, our consultant will then help us create our ERM charter, risk acceptance and tolerance, ERM committee and reporting schedule.

Much talk about planning should take place before you decide which method to use to get your ERM program up and running. Take the time to explore each method described above and then decide which would be best for your credit union. During the process, establish your risk tolerance and acceptance levels. Staying within these lines can make your credit union safe and sound. A finely structured ERM program will provide many benefits to your credit union and will help you maneuver through the ever-changing risk environment. Remember, what you don’t know can hurt you.

John W. Harwell is AVP/risk management for $1.9 billion Apple Federal Credit Union, Fairfax, Va.
