A 360° View

Survey the entire risk landscape with comprehensive risk management practices.

November 27, 2013

Enterprise risk management (ERM) strategies protect credit unions from unforeseen events and boost their bottom lines. From a holistic perspective, these strategies proactively identify, measure, and manage risk.

Implementing an ERM approach can improve a credit union’s risk-return relationship by up to 20% in the first year of implementation, says Tony Ferris, managing partner with The Rochdale Group.

More credit unions are adopting ERM cultures, but many credit unions still manage risk in silos—within each department—rather than from a credit union-wide perspective. While this provides some degree of protection, it overlooks the cumulative risk of conflicting or inconsistent departmental decisions.

ERM provides an overarching framework for risk management, rather than managing risk in asset/liability, investment, security, and other silos, Ferris says, enabling credit unions to see risk in a more meaningful way.

“Much of the risk management today is driven by compliance,” Ferris says. “Credit unions are focused primarily on complying with regulatory requirements, and they overlook the overall risk parameters. But proactive credit unions are using ERM as a strategic asset and looking at the broader implications of the things they’re doing. Most credit unions, however, manage risk well in silos.”


But even the best silo approach has its inadequacies. For example, a credit union might have 40% of its credit in residential mortgages. Someone in the loan department might typically evaluate the risk of these loans. The credit union might consider the 40% level an acceptable risk.

But the credit union’s investment department might have 50% of its investment portfolio in mortgage-backed securities, which could be an acceptable risk for that investment department.

If you take an ERM perspective and consider both portfolios, you’d conclude that the credit union is overexposed to risk in residential mortgages, explains Joe Ghammashi, chief risk officer for Corporate One Federal Credit Union, Columbus, Ohio.

When you take an ERM perspective, you can see how the risks that you didn’t think were connected really are connected, and that helps you see how you might be overexposed to risk in some areas.

“It’s the difference between being proactive and reactive,” says Ferris. “If you identify enterprise risks more quickly than the next guy, you’ll be more successful than the next guy.”

In addition to highlighting overexposure to a particular type of asset, ERM also helps credit union management plan for unforeseen events. “If you don’t have any unforeseen events, then you don’t need it,” quips Ferris.

Doing nothing isn’t recommended because unforeseen events—problems on Wall Street, unexpected regulatory decisions, or natural disasters—are inevitable.

It’s important for all credit union employees to adopt an ERM mindset, says Ghammashi, who was hired in 2005 to develop Corporate One Federal’s ERM practices. “You have to have a culture of risk management,” he says.

That means credit union employees “can look members in the eye and say the credit union used all the tools at its disposal to make sure its decisions were sound and were expected to be profitable,” Ferris says. “You can’t be blind to potential events. ERM helps you identify the potential magnitude of various issues and what to do about them.”

What does success look like?

When Ghammashi started at Corporate One Federal, his goal was to monitor risk from a credit union-wide perspective. “There were no books on the subject, and it wasn’t even on the radar screen for most financial institutions,” he recalls.

“There has to be some assurance of the success of the organization,” Ghammashi says, so his first step was to define what organizational success looks like. For Corporate One Federal, it was to ensure the safety of member organizations’ investments in Corporate One Federal.

Several years earlier, the Treadway Commission’s Committee of Sponsoring Organizations (COSO) developed a document, “Internal Control—Integrated Framework.” COSO subsequently commissioned PricewaterhouseCoopers to develop the framework into tools managers could use to evaluate and improve ERM practices at their organizations.

Ghammashi used the resulting publication, “Enterprise Risk Management—Integrated Framework,” as the basis of Corporate One Federal’s ERM program.

The publication defines ERM as: “A process, effected by an enterprise’s board of directors, management, and other personnel, applied in a strategy setting and across the enterprise, designed to identify potential events that might affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

The framework says that ERM users can expect enhanced risk response decisions, reduced operational surprises and losses, more efficient deployment of capital, and improved ability to identify and act on opportunities.

The enhanced risk response capability proved to be critical for Corporate One Federal during the credit crisis.

“One of our core activities is to provide investment services to our member credit unions,” Ghammashi says. “Before the financial crisis, we took the credit and interest-rate risk on our balance sheet and passed on the benefits to our members in the form of higher deposit rates. This is no longer possible under new regulations.”

To manage this risk effectively, Corporate One Federal put clear limits on concentration in any one investment, any one bond, or any investments from a single issuer. It didn’t matter that the investment was AAA-rated. The critical factor is managing risk to make sure no one investment will wipe out the entire credit union. Similarly, credit unions need to make sure they identify and manage portfolio diversification.

Beyond stress testing, close tracking is another critical factor for ERM. So Corporate One Federal kept an eye on its investments, including its AAA investments, for any anomalies, Ghammashi says. “In hindsight, the bonds we [the financial services industry] thought were AAA really weren’t.”

Ferris adds that it’s not just investments that you should monitor. If a credit union is attempting to increase its return on assets, it must consider the additional risks it will take in advance and monitor them after any changes occur (cost-cutting measures or revenue enhancements) to ensure performance continues as expected. Even third-party call centers can add reputational and other risks that go beyond the operation of the call center itself.

Ferris adds that credit unions do a good job of due diligence before entering into contracts, but the ongoing performance monitoring is sometimes lacking. ERM would help eliminate this oversight.

In 2007, when only subprime mortgages were showing early warning signs, Corporate One Federal monitored bonds against how they were tracking compared with other bonds of the same kind in its portfolio and against the entire universe of bonds. Corporate One Federal also hired an outside firm to stress test the bonds.

“Over time, we identified those bonds with the highest risk,” Ghammashi says. Corporate One Federal divested some bonds and took temporary impairments on others. “We wanted to know early if we had a little problem, a big problem, or a catastrophic problem.”

When bond performance is tracked closely, early indications of fraud start to show up in 90 to 120 days, according to Ghammashi. Indications of poor underwriting start to show up in 12 to 18 months. When anomalies first started appearing in mortgage bonds, Corporate One Federal stopped buying any more, even though many continued to carry AAA ratings.

“We took our lumps the same as everyone else,” says Ghammashi, “but because of prudent investment strategies and appropriate risk management, our members’ capital was never affected.”

Getting started

Ghammashi offers some recommendations to credit unions planning to deploy an ERM culture: “Ask for help, but be careful and do your due diligence on anyone who helps you,” he advises. “When I first started, I brought in someone who knew what we wanted to accomplish to help me with the training and development of the program. We wanted to assess our risk and what could cause us to fail. Be clear about why you’re doing it. Part of it is to provide an assurance that the credit union will meet its goals.

“Those goals can’t be as general as ‘to serve our members,’ ” continues Ghammashi. “They need to be clearly defined and quantifiable.”

Ferris adds that each credit union must determine what risks it will accept and under what conditions. A credit union might find some risks unacceptable under normal conditions, but it might accept those same risks if it’s taking on a new initiative. Other risks might be acceptable for competitive reasons.

Under each of these scenarios, the credit union must determine its acceptable level of risk. If a credit union wants to increase return on assets or wants to accelerate revenue, it might mean taking on riskier credit. Each credit union needs to decide if the expected additional return or revenue warrants the additional risk.

Embrace the ERM culture

For an ERM culture to take root and grow, a credit union’s board of directors and senior management team must embrace it, says Forest Hayes, vice president and chief risk officer for $1 billion asset Harborstone Credit Union, Lakewood, Wash.

They should be willing to invest in the tools and the personnel (including outside consultants, if needed) to make the ERM program a reality. Boards should be apprised of the credit union’s risk exposure affecting its operating environment and the mitigation activities for managing those material risks.

Ferris also emphasizes that there aren’t any shortcuts to installing and operating an ERM program. It needs to be thorough, not just an effort that pays lip service to ERM while continuing legacy risk management practices.

All processes must be complete and transparent. 

“It takes time, but once you get started on the right track, it will be worth it,” Ghammashi says.