Enterprise Risk Management
CUs must scan the entire horizon for risk and reward.
The practice of enterprise risk management (ERM) is like giving your credit union an adjustable lens that offers you a wide-angle view of your entire organization and its competitive environment and a close-up look at specific risks and opportunities.
What used to simply be called “risk management” is now “enterprise risk management” to imply a much broader scope.
ERM also represents the evolution of management’s ability to assess how any credit union activity returns value to the organization, according to Tony Ferris, managing partner of The Rochdale Group. Assessing and mitigating risk are vital in that process.
“The heart of the matter is leveraging risk for opportunity,” says Ferris.
Traditional approaches to risk management looked at past occurrences that created vulnerability and losses. In contrast, Ferris says ERM now looks at what’s ahead to identify potential events that could seriously disrupt either operations or strategy.
That cost could take the form of either actual financial losses or missed opportunities from being risk-averse for the wrong reasons.
“There are opportunities staring you in the face that you might not see or might not take advantage of because you don’t understand them,” Ferris explains.
The squeeze on margins means credit unions must understand the return on investment for everything they do, not just loans and investments, he says. A good ERM program encompasses strategic, operational, transactional, and technological risk.
This enables your credit union to create a broad-based profile that measures risk in dollar terms. That will be invaluable when regulators eventually shift to risk-based capital requirements.
The ERM process
It’s a mistake to think of ERM as a formula that can be plugged into any credit union to assess risk, according to Ann Davidson, senior consultant for risk management at CUNA Mutual Group. Instead, ERM is an ongoing, credit union-wide process that involves many individuals.
“It requires extensive collaboration throughout your credit union to develop your approach and to identify and communicate about risk,” Davidson says. Elements of an ERM approach include assessing risk, developing policies, establishing controls, and monitoring performance.
While there must be an executive and possibly a Risk Oversight Committee to coordinate ERM, risk management never exists in a silo. The goal is to eliminate silos by stimulating connections and conversations that create a “risk culture” where management objectively identifies risk and manages it through strategies such as insurance or fraud reduction.
A credit union-wide approach prevents unsafe risk concentrations in a specific area, such as real estate loans. It promotes information-sharing to rein in fraud, and it prevents credit unions from becoming risk-averse due to one individual’s or group’s perception, says Davidson.
Culture change
Rising loan losses during the recession prompted Bellco Credit Union, Denver, to adopt an ERM approach in 2010. “Bellco understood credit risk, but the disruptions created by the recession had a broader impact than we had factored into our risk projections,” says CEO Doug Ferraro.
“We wanted to measure our risk in broader and deeper terms so we could really understand where we stood in worst-case scenarios and in any kind of economic fluctuation,” Ferraro says.
Bellco, with $2.2 billion in assets, considered recruiting an ERM executive but, instead, retained The Rochdale Group to educate employees and the board, as well as to administer its ERM process. The first phase was to introduce a new way of thinking about ERM, which took 12 months of education and continuing discussions. It changed the way employees at all levels think and act every day, Ferraro says.
“Once you understand what the risk is, you’re immediately going to start making decisions differently,” Ferraro says. “It changed our approach to the balance sheet, portfolios, what we were willing or not willing to do, and the profitability required to get into certain operations.”
As each employee began to consider how operations in his or her department affected other areas of the credit union, employees started to work as an enterprise-wide team. The board also received comprehensive training, which enhanced its understanding of the balance sheet and led to quicker, more informed decisions.
Bellco’s net charge-off ratio fell from its high of 2.41% in the first quarter of 2009 to less than 1% in the second quarter of 2012. Its delinquency ratio fell from a high of 1.78% in the fourth quarter of 2009 to 0.85% in the second quarter of 2012. Annualized fraud expense to average assets fell from 0.096% at the start of 2011 to 0.024% in mid-2012.
As losses fell, Bellco had fewer insurance claims, which likely reduced its premium increases. Bellco also addressed fraud with targeted measures, such as installing a behavior-based software program to identify potential card fraud.
ERM allows the credit union to decide whether or not the risk is significant enough to address, Ferraro says. “If so, what does it cost, and is it worth it?”
The ERM process helped Bellco recognize that it could afford to make bigger business loans and begin offering student loans to respond to members’ needs, Ferraro says. It also prompted employees to suggest making vehicle loans to first-time borrowers by using co-signers, which boosted loan volume without increasing risk.
Gaining feedback
Implementing ERM creates opportunities for staff to provide feedback about broader issues, according to Joan Moran, president/CEO of the Department of Labor Federal Credit Union (DOLFCU), Washington, D.C.
The credit union, with $70 million in assets, is part of the Midsized Credit Union Roundtable for Virginia, the Carolinas, Maryland, and the District of Columbia. Nine credit unions participating in the roundtable have worked together since early 2011 to retain an ERM consultant and share information about implementing ERM.
Moran says her peers convinced her to involve front-line employees.
“We took it to the front line because these employees really know what happens on a daily basis,” Moran says. “We learned that there’s often a difference between what really happens and what our procedures say should happen.”
The credit union had barriers to break down, with front-line staff located at the credit union’s two branches in D.C. and Moran and the back-office processes in Maryland. ERM improved information sharing between the two locations, resulting in a new process for training all 15 of the credit union’s employees about the Bank Secrecy Act, for example.
Moran credits ERM for increasing the credit union’s confidence about longer terms on investments. DOLFCU now uses ERM to assess every policy, procedure, vendor, product, or service.
“People have to stop putting things in drawers and saying, for example, this is the business-continuity drawer and this is the risk drawer,” Moran says. “It doesn’t work that way. We all need to recognize that.”
One umbrella
Georgia’s Own Credit Union formed an ERM department in May 2010 to encompass internal audit, compliance, legal services, and risk management (which includes business continuity, disaster recovery, fraud, security, and incident response). The credit union, with $1.7 billion in assets, retained an ERM consulting firm to provide training and resources while starting the process.
Adoption was part of a larger strategic decision to reorganize operations to manage the credit union horizontally across the enterprise and eliminate silos, according to Eric Broome, senior vice president of ERM and general counsel.
“As a credit union, we’re more nimble, we’re more proactive versus reactive, and there’s more risk infusion as far as the decision-making process,” Broome says.
The credit union also improved fraud recoveries and lowered insurance costs for broader coverage after getting bids from multiple vendors.
Using an ERM approach allows Georgia’s Own to use new third-party vendors more effectively, while quickly embracing new technologies, Broome says.
“You can never eliminate risk, but by considering risk factors up front and incorporating risk mitigation into your decision-making process, you can make more informed decisions as an organization,” Broome says.
As credit unions adopt ERM, they should develop a process that matches their risk profile based on size, delivery channels, and products and services. “There’s no ‘one-size-fits-all’ ERM program,” he says.
Start your ERM efforts with the belief that it can be done, encourages Broome. “ERM isn’t rocket science,” he says. “It’s using sound decision-making processes, doing your due diligence in new products and services, and including an evaluation of risk and vehicles to mitigate that risk up front.”
ERM evolution
Technology Credit Union in San Jose, Calif., embraced ERM in 2010.
The credit union, with $1.6 billion in assets, uses an ERM framework developed by the Committee of Sponsoring Organizations of the Treadway Commission—a joint initiative supported by leading organizations of accountants, financial executives, and auditors.
Training the board and management team in ERM terminology was essential so they could weigh the credit union’s “risk appetite,” says Michael Luckin, senior vice president of ERM.
Establishing risk appetite, which guides resource allocation and aligns people with operations, relies on determining what it would take to achieve a specific goal in a specific time frame. This offers a framework for assessing the related risk, Luckin says.
Next, the credit union must determine whether it can mitigate the risk with its policies, procedures, vendor management, or insurance.
Finally, it must decide, he says, whether it’s willing to accept the residual risk—the “hit” the credit union would take in a worst-case scenario.
Assigning value to risk is important, says Luckin. Employees, for example, learn to participate in objective, transparent discussions that rank risk on a one-to-five scale. Then, the ERM department creates a “heat map” that visually depicts the risks associated with a particular activity, says Luckin. The board and managers quickly learn to identify the degree of risk based on where an activity falls on the map.
“It’s not a scientific process; it’s verbal communication among staff to articulate the inherent risks, mitigating controls and residual risk,” Luckin says. “If you can’t reduce that, then you make a big decision: Can we live with the residual risk?”
Insurers and regulators have offered positive feedback about Technology Credit Union’s ERM adoption. Now, the credit union is strengthening its ERM process with a governance, risk, and compliance software program that’s streamlining the policy-approval process and ensuring policies remain up to date with evolving regulations.
ERM will never be “done”—it will always be evolving to match the risks facing credit unions, says Luckin.
Credit unions involved in ERM say that while implementing ERM is a multiyear process, the payback starts much sooner. Early benefits are often surprising.
Ferris says one credit union that was pushing for more loan volume had already developed marketing plans when the ERM process revealed its operations structure couldn’t handle higher volume.
If the credit union had gone forward, it would have been unable to handle loan demand, failed to meet objectives, and taken a public relations hit by failing to provide good member service.
That reinforces the ERM premise that pursuing any form of return carries risk. “You can’t extract risk and return from each other,” Ferris says.