ERM is a Journey

Previously, Harwell wrote “ERM: Why and How” about starting a program.

Let’s imagine for a moment that you’ve been asked to lead a group of settlers. Your team will be traveling through uncharted territory and will begin in Fresno, Calif., and head east. The goal is to reach Santa Fe, N.M., where the group plans to build a home. There has never been a group attempt to reach Santa Fe from the west. What should you do at this point? You could:

1. accept the risk and begin the journey without knowing what lies ahead;
2. mitigate the risk by sending a scout team ahead to inform you of any obstacles;
3. transfer the risk by contracting experienced guides to help lead the group; or
4. avoid the risk and refuse to lead the group.

In this case, let’s assume you’ve decided to accept the leadership role and forge ahead and mitigate the risk. A scout team is moving ahead of the group. Runners are relaying messages back to the group leader. The group has been traveling for several days through the desert and conditions are beginning to improve. The group is anxious to hear what the runners have to say. On this particular day a runner reports a huge canyon just a few days ahead.

This is how I explain risk to the team here at $2 billion Apple Federal Credit Union, Fairfax, Va. I ask team members if there were leading this group, would they want to know about a huge canyon ahead. Almost always they say yes, they would like to know. Then I ask them why, and they say so they can plan ahead. That is exactly why enterprise risk management is so important. Risk managers want to provide information that will help you deal with risks before the risks are presented to you.

Having the knowledge that a canyon is in the way allows you the opportunity to ask questions like, is there a way through the canyon or is there a way around it? How will these decisions affect the reaching of our goal?

Apple FCU is about one year into our formal ERM program. Upon reflection there are three main things we have learned over the past year.

1. It is important to establish risk awareness.
2. It is important to establish risk terminology.
3. It is important to establish risk measurements.

Establishing Risk Awareness

It always gets my ERM senses tingling when a department manager tells me of a new product or service he or she wants to offer—and that this new offering brings absolutely no risk to Apple FCU. My response is always, “Oh, really. Please do tell how you were able to transfer all the risks. You mean that if the product or service is a bust there is no reputation risk? That if our stated goals and objectives are not met, there is no strategic risk?” You get the picture. There is risk in everything we do, and being aware will help you make the right decisions as you move forward.

Establishing Risk Terminology

It is important that everyone on your team use the same terminology regarding ERM. There are many synonyms for the word risk. How staff interpret the meanings may differ, and that is why staff should use the same words. Each term should also be defined so it is understood how each term should be used. Here is an example. Key risk is a risk with the potential to have a significant impact on earnings, capital or franchise value. This is distinguishable from an ordinary risk, which most likely doesn’t pose a significant potential threat, either now or in the foreseeable future. This definition places boundaries and provides guidance to managers regarding risks that should concern us.

Establishing Risk Measurements

As we at Apple FCU continue to monitor our key risks, it is important for us to know which direction the risks are heading. The risk may be increasing, decreasing or stable. These risk measurements can tell you if you’re headed for trouble, or they may show you could afford to take additional risks. Keeping archives of past data is essential for charting and graphing each risk. This information will prove helpful when preparing the risk response.

ERM is definitely a journey. Getting buy-in from stakeholders and establishing a risk culture at your credit union will make the job of the risk manager much easier. It is very gratifying when a co-worker seeks me out to discuss the risks associated with a new product or service before it is launched. We at Apple FCU have made many positive steps over the past year, but there is still much work to be done as our ERM program grows and matures.

CUES member John W. Harwell, NCCO, NCRM, is AVP/risk management for $2 billion Apple Federal Credit Union, Fairfax, Va.