By Lisa Hochgraf
Despite their best efforts, most credit unions tend to under- or over-manage risk, Alan White told attendees of the most recent meeting of CUES Premier Networking Group for enterprise risk management.
How does he know? To explain, White compares the risk management staff of two of his credit union clients with about the same assets. One has a risk management group of eight. The other, three.
"That's a big spread," says the president/CEO of CUES Supplier member Vital Insight, CUES' strategic provider for CUES Enterprise Risk Management.
According to White, CUs generally do a pretty good job of managing financial risk (which exists in the balance sheet), but struggle to find the right balance when it comes to managing strategic risk (which exists in the marketplace) and operational risk (which exists in business processes).
White witnessed a board discussion at one credit union considering opening a new branch in which the sum total of the debate was whether there was enough money to do it (financial risk). White said he'd be just as concerned about the risks associated with working with new vendors (operational risk) and with the market's response to the new location (strategic risk).
White focused the bulk of his Premier Networking Group presentation on how attendees could manage operational risk by developing appropriate internal controls. In particular, he suggested ways to determine a CU's risk profile, prioritize identified risks, and perform process analysis.
With ERM, it's important to take a broad swipe and then prioritize, he said.
"We're going to look at a lot of stuff, but we're not going to look very hard," White said, noting that ERM needs to include training for vice presidents and others so they can document their business processes appropriately. To facilitate evaluating risk, a vice president might document her processes' inputs and outputs, supporting resources, and owners and executors. (In contrast, an auditor who was documenting a process he or she did not actually perform would need far more detail.)
The advantage of using ERM to build internal process controls for operations risk is that your credit union can become much more efficient, remove controls that are not needed, and re-focus time and effort on things that are needed, White said.
Lisa Hochgraf is a CUES editor who helps facilitate the Premier Networking Group for enterprise risk management.
Read a post about a previous meeting of the Premier Networking Group for enterprise risk management.
Learn more about the CUES Schools of Enterprise Risk Management.