Best Practices in Enterprise Risk Management

By Laura Lynch

Credit unions rate themselves behind the curve compared to peers' ERM programs.

 
Webinar Attendees’ ERM Maturity
  • 10% low–little to no traction
  • 50% low/moderate–exists but is basically compliance
  • 38% moderate/high–is clearly defined and getting off the ground
  • 2% high–integrated approach is part of the culture

Many credit unions feel they are behind the curve compared to their peers’ enterprise risk management programs, said Vincent Hui, senior director of Cornerstone Advisors Inc., Scottsdale, Ariz., during a January CUES webinar: Cultivating a Mature Enterprise Risk Management Model.

In fact, when the 70 attendees were asked to rank the “maturity” of ERM in the industry as a whole, 72 percent scored it low to moderate (ERM exists but is basically compliance) and 28 percent indicated moderate/high (ERM is clearly defined and getting off the ground).

When rating their own credit unions’ ERM maturity, participants were a bit more positive, with 50 percent scoring in the low-to-moderate range and 40 at moderate to high. Still, 10 percent felt they were at a low level with little to no ERM traction. (See chart for more specific breakdowns.)

“The reason this is important is because ERM, in our view, is not just about checking the boxes and meeting regulatory requirements,” Hui said. “While that’s really important, ERM includes some strong business practices that really influence your positioning in the marketplace and help you achieve the types of strategic targets and initiatives your credit union is working toward.”

Strategic ERM

Cornerstone evaluates the credit union industry’s ERM maturity on both the development of risk management practices and how CUs are executing those practices. Of the seven risk areas defined by the National Credit Union Administration (credit, interest rate, liquidity, compliance, reputation, strategic and transactional), one area often found lacking is the strategic element. ERM strategy in credit unions is marked by diffused ownership and weak links to earnings and capital, said Hui.

To begin developing a mature ERM model, a credit union must define its risk appetite. “This is not just a number or a statement. It must be both qualitative and quantitative in nature,” said Hui.

While the terms risk appetite and risk tolerance are often used interchangeably, Hui was quick to distinguish between the two. Risk tolerance is all the things your business model is exposed to, both controllable and non-controllable. Risk appetite focuses on those risks you can control across all your various risk categories. “This is not just how much risk I can take on but also where I’m not taking enough risk,” Hui said.

“ERM is part and parcel to your strategic planning process,” commented Cornerstone Senior Director Sam Kilmer, pointing out the need for credit unions to identify innovative ways to serve members and take strategic risks rather than lose out on serving members to risk-taking entrepreneurs outside the CU industry.

The allocation of risk appetite also contributes to an ERM model. “Even if you don’t have an explicit risk appetite, you have an implicit one. If your risk appetite only takes into account credit, interest and liquidity, you’re underestimating your overall risk profile,” Hui warned.

Role of Residual Risk

To overcome one stumbling block on the road to a mature ERM model, Hui advised credit unions to define residual risk. “When we work with clients that have trouble launching, they have trouble getting traction because ERM is viewed as a tedious process with a lot of forms to fill out,” he said. “We think there needs to be more focus on residual risk–what’s the impact of a process going wrong. What really needs to be looked at and communicated is the likelihood of it happening and what happens if it does. By framing the risk assessment with residual risk, we see more engagement.”

Kilmer used this comparison to help explain residual risk: “How many stones do I need to be looking at here, and how many and which ones are the big rocks?”

Outsourcing Not the Answer

While Cornerstone advises credit unions on ERM’s strategic elements, Hui and Kilmer purposefully left out discussion about tools and vendors to help manage the ERM process. “What we’ve heard in our conversations with clients is people are all over the map on tools. Roughly one-third are using some tools to help. Roughly one-third are using Microsoft Excel, and one-third are using words and dialogue and a few reporting pieces,” Kilmer said.

Hui commented, “Can ERM be outsourced? No. Once you have some risk factors identified, can you outsource some reporting? Yes. Can you outsource the actual residual risk elements? We believe no because if you outsource it, you also outsource ownership and accountability.”

Cornerstone uses a holistic approach to help credit unions develop internal ERM capabilities, by evaluating the individual risk environment and providing actionable recommendations–in alignment with NCUA’s seven risk categories. Find out more at cues.org/cornerstone.
