Reaching for Equilibrium

We often hear good sound bites like, “Risk is everybody’s job” and “Risk is embedded in everything we do.” But the brutal truth is that many credit union departments think of risk as an afterthought—or as an obstacle to strategic goals.

Over the last few years, the National Credit Union Administration has issued guidance in such areas as risk categories, enterprise risk management models and risk-based capital. To comply and further embed risk management in their operations and governance, credit unions have created risk committees, enterprise risk management programs, and chief risk officer roles.

However, after more than two years and significant investment, risk is still viewed by many credit unions as the domain of the risk and/or finance department. In other words, consistent accountability by lines of business—the real owners of risk in the first place—is lacking.

One way to help embed risk management into departmental behaviors and decision-making is to include risk metrics on departmental dashboards or scorecards—just like the enterprise dashboards and balanced scorecards many credit unions have or are developing to manage their overall businesses.

Risk Metrics to Measure Performance

Risk metrics do exist today. Lending and credit functions have multiple credit risk metrics, such as risk ratings, delinquency rates and charge-offs, while finance departments often have market and interest rate risk metrics in their dashboards and scorecards. While these are very prominent metrics, they are not the only risks that these and all other departments need to take ownership of and manage against.

An example is regulatory and compliance risk. Metrics for this risk, such as number of findings and average days outstanding for unremediated items, usually fall within the compliance or internal audit department, both oversight functions. One rarely sees these types of metrics in the scorecards or dashboards of the actual owners of these risks—the relevant department executives and managers. This sends the implicit message that these metrics are not important. In other words, ownership of them is not really enforced until something bad happens.

Another example is strategic risk. One of the biggest risks for any credit union is the loss of high performers. By definition, strategic risk is enterprise-wide—or close to it. Yet, the management of strategic risks is often narrowed to a specific function or department.

In this example about loss of high performers, human resources departments typically have metrics like employee retention rate and percentage of performance reviews completed on time. However, we rarely see comparable metrics on departmental scorecards, even though these managers are the ones who most influence whether a high performer stays or goes. This strategic risk related to one of the CU’s most critical assets is a top priority of boards and the CEO, but it rarely gets cascaded down to the rest of the organization.

The lending and finance departments may do a great job of measuring and managing credit and asset/liability risk, respectively, but they also need to monitor and manage other risks (e.g., compliance and strategic) within their departments. In other words, departments that have relatively mature risk metrics still lack an overall balanced scorecard perspective. If these groups are lacking, it does not bode well for other departments (branches, operations, etc.) where risk processes and metrics are less mature.

Risk Metrics by Department

Defining the metrics for the risk management portion of a department’s balanced scorecard should cover two broad themes:          

• enterprise level risks that impact all areas of the institution and
• risks that are unique to the department based on its scope of responsibilities and operating model.

Enterprise-level metrics usually relate to the compliance, reputation, and strategic risk categories, as defined by NCUA. These typically cover compliance, HR, information technology and project activities.

We discussed some examples of compliance and HR-related risk metrics earlier. When it comes to IT, the metric that should be monitored is the health of the project, much of which is IT-related. There may be a management committee (e.g., IT steering committee) that reviews overall project portfolio health, but individual projects tend to be inconsistently tracked and monitored within a departmental scorecard. Many of these projects are strategic in nature (or they would not have made it through the approval process), but they often are not important enough to be in a department’s scorecard—a disconnect that has both short- and long-term consequences.

Another enterprise-level metric that should be considered is performance against service-level agreements for external customers (i.e., members) and internal customers (i.e., staff from other departments). These metrics typically straddle risk and quality/customer experience and should be included in any scorecard. These metrics should relate to overall service-level agreement performance (i.e., metric = percentage of SLAs met) vs. the results of a specific SLA.

Tracking a specific SLA may make sense if it is absolutely critical to the credit union’s competitive position (i.e., strategic risk). In this case, it would typically be department-specific, our second risk metric category. An example is turnaround time for a loan application. The scorecard would compare actual results against target and any shortfalls would highlight the risks to growth and differentiation, since speed and responsiveness are often key competitive differentiators for credit unions.

In addition to particular SLAs, other relevant department-specific risk metrics typically cover the NCUA Transactional Risk Category and center on the unique policies and processes for the department. Examples include error rates in operations areas and system uptimes in IT.

The good news is that these types of department-specific metrics have more traction within the respective departments because ownership is unique and clear. In addition, enterprise risk assessments identify and provide a baseline for these key operational risks that need to be measured and tracked. The bad news is that, despite this foundation, we rarely see these types of metrics in scorecards. Adding them can lead to increased and more consistent adoption of the metrics and enhanced maturity of the tracking and reporting process.

As with any dashboard, the risk metrics should be focused on areas that drive value to members and the institution. As a rule of thumb, risk metrics should be limited to five, as too many metrics dilute focus and make prioritization more difficult.

Obstacles to Overcome

Credit unions striving to establish departmental scorecards and include risk metrics in them may face challenges.

Gathering and tracking risk data is not perceived as worth the effort. While there is some merit in this argument (e.g., this is not something that general ledgers capture), it is often used as an excuse to do nothing. Since we are focusing on risks that carry the most impact, the level of effort to capture and track is worth it. Such solutions as workflow, data warehouses and emerging ERM solutions can contribute to gathering and reporting of this data. For example, if the credit union’s loan origination system can’t track the loan pipeline and time to close, it may be time to think about whether this is the right long-term solution, or push the vendor on when it will be available.

Risk metrics are evaluated in a vacuum and trade-offs are not well understood. Even if the metrics are captured and tracked, they need to be aligned with a governance model that establishes the appropriate weight and attention when reviewing balanced scorecard results. Most business reviews focus on growth without some measure of risk review (other than credit). Instead, it is left to the risk committee (if there is one) or some other governance body to review the risk metrics.

This approach really dilutes effectiveness, since risk is not evaluated in the context of growth, earnings, member experience and quality. Governance gaps are also compounded by the lack of clear risk appetites. Without the context of how much risk the CU wants to take on in certain areas, management cannot make the right decisions and trade-offs, even if there is good governance.

For example, when an operations area experiences losses, how should it be evaluated? If a CU has a low risk appetite for losses, it may put in more controls and quality assurance resources. However, it will have likely increased its cost structure and negatively impacted member experience because it is now taking more time to complete a business process. In this case, the CU has traded operational risk for lower productivity and potentially lower member satisfaction—other metrics in a balanced scorecard. Is that acceptable? To answer this question, the CU must have a clear sense of its risk appetite.

The lack of a link between risk metrics and performance evaluations blocks behavior changes. Progressive credit unions clearly connect balanced scorecards that include risk with how managers are evaluated and how variable compensation is awarded. However, this is more the exception than the rule. The most effective way to turn the sound bites (“Risk is everybody’s job” and “Risk is embedded in everything we do”) into reality is to link risk management to rewards, and this requires sustained support by both the board and the CEO.

What CUs Should Do

If credit union boards and management are serious about “living the sound bites,” we encourage them to do the following:

1. Develop very clear and specific risk appetites during strategic planning, including what trade-offs are acceptable. Quantify as much as you can, since it will be easier to manage if it is measured. Saying “we will accept moderate risk” is not enough!
2. Leverage existing risk assessments to highlight the highest impact risks by department; build risk metrics around them.
3. Define and create specific SLAs in each area. Know what is important to “customers,” whether internal or external, and track it. Start with Excel if you need to.
4. Incorporate risk data into any information management initiative, e.g., data warehouse, new reporting solutions. This will expand the scope of those projects, but the future benefits are invaluable. If you don’t have such an initiative, create teams to work on critical risk metrics.
5. Revisit your governance model and determine whether the discussions about balanced scorecard and risk are in the right forums, including the scope and agenda for risk committees. Risk metrics should be owned by departments and discussed in business reviews, operating committees, etc. The risk function should focus on oversight (e.g., are policies being followed, are our risk models covering the right risks?).

By making risk a part of how success is measured at the manager/department level, CUs can truly create and manage against a balanced scorecard—and, more importantly, really make risk management part of everything they do.

Vincent Hui is a senior director with Cornerstone Advisors, a CUES Supplier member and strategic provider based in Scottsdale, Ariz.