
Risk Management When It Really Matters

July 22, 2019

Commander Dana De Coster is a member of the elite Navy SEALs. He has completed multiple combat tours in Iraq and the Pacific Command, has provided support to the FBI’s Counter Terrorism Division, and served as the Operations Officer for the first-ever SEAL-led Combined Joint Special Operations Task Force in Baghdad. There, he orchestrated the counterattack to take back Ramadi from ISIS control across seven different coalition commands, setting the stage to retake Mosul.

Commander De Coster is currently the Operations Officer for the Naval Special Warfare Center, overseeing all operations of the NSW’s two training commands. He recently spoke at CUNA/Rochdale Paragon Group’s second annual GRC Conference in San Diego, where he provided information about how the Navy “attacks” risk, including examples from a real-world operation carried out under his command.

The most fundamental principle underscoring the SEALs’ approach to managing operational risk is that they play to win. This is an important strategic consideration for any organization, including credit unions, but for the SEALs, it’s a matter of life and death.

The SEALs consider three components in assessing the risk of an operation:

  • Risk to mission: the various risks that could result in disruption of the mission and objectives not being achieved
  • Risk to force: the risks to personnel and equipment such as ships, planes, etc.
  • Risk of not acting: second-, third- and fourth-order effects that might result from not acting at present due to the risks to mission and force

The risk of not acting is a key consideration. This risk is weighed against the various risks associated with an operation. The planners may not have all the information needed to ensure operational success, or may not be able to fully mitigate those other risks, but what is the risk of not acting? Will the opportunity to carry out a given operation present itself again (e.g., will the location of a particular target be known again in the future)? This consideration requires what CDR De Coster calls “operational patience” – we may need to accept that the current risks outweigh the risk of not acting now, or vice versa.

Information related to these risks is used to develop a matrix that considers the potential severity and probability of each risk (either to mission or to force), and specific controls and mitigation strategies are identified. This is analogous to Rochdale Paragon Group’s approach to assessing risk by identifying and quantifying the impact (severity), likelihood (probability) and mitigation of a broad spectrum of risks facing the credit union.

In addressing risk mitigation, CDR De Coster spoke to the SEALs’ tenacious preparation. “We don’t do runs (drills) until we get it right, we do runs until we don’t get it wrong.” This preparation is vital in ensuring the success of life-and-death missions. Incorporating it into credit unions’ preparation for emerging risks could also mean the difference between success and failure, for example in executing core system conversions or rolling out new products and services. The lesson is to not just test and prepare until we get it right once, but to continue testing and preparation until we don’t get it wrong, under any scenario.

Using risk to mission, risk to force and the risk of not acting as the basis for risk assessment and mitigation planning, the SEALs “attack” risk using two categories of tools: the Formal and the Informal. The Formal tools include:

  • Operational Risk Matrix: this is the matrix developed from the assessment of each risk’s severity, probability and mitigation as described above, and results in the residual risk of the operation, much as the assessment of impact, likelihood and mitigation for a credit union’s risks results in the overall residual risk of the credit union (residual risk is the risk remaining after mitigation). The SEALs apply this methodology to assessing all of the things that could go wrong with the operation.
  • Directives: these are analogous to the policies and procedures that guide credit union personnel’s activities. They represent the rules that personnel must follow to ensure the success of the operation.
  • Curriculum: analogous to the training that helps ensure credit union personnel have the knowledge they need to execute their duties, the curriculum ensures that operational and support personnel understand the objectives and risks associated with the operation, and have the specific training necessary to ensure the operation’s success.

CDR De Coster emphasized that the Informal tools used in attacking risk are more important than the Formal tools. They include:

  • Speed: the ability to deploy and operate rapidly ensures that you remain ahead of your competition. This is also true for credit unions.
  • Tenacity: the drive to stick with the mission until success is achieved is critical in seeing the mission through to completion. CDR De Coster noted the importance of a “can do” attitude, seeing nothing as insurmountable, in reducing the likelihood that unexpected risks interfere with success. Again, this is vital for credit unions as well.
  • People: having the right personnel is perhaps the most critical element of all. The right people will have the discipline, speed and tenacity to ensure success, supported by directives, training and an understanding of the risks to be faced. In addition, the best personnel can overcome unexpected obstacles, and know when to deviate from directives (within acceptable tolerances) in order to make sure the operation succeeds in the face of the unknown.

CDR De Coster noted a couple of pitfalls that can threaten operational success. One is the unrecognized accumulation of risk; i.e., the compounding of risks that appear to be sufficiently mitigated individually, but when taken together, could produce an unacceptable overall level of risk. This underscores the importance of assessing risk enterprise-wide.

The other potential pitfall is performing with good outcomes: being lulled by past successes into not adequately preparing for future operations or developing contingency plans. He noted that just because one operation goes well, it’s still critical to prepare and develop contingency plans for future operations.

CDR De Coster presented a “Risk Management Learning Loop.” This uses the lessons learned from an operation to inform future mission planning. The steps in this loop are as follows:

  • Mission Planning: formal planning for the mission to be undertaken, incorporating the risk assessment and formal and informal tools described above. This key step includes determining personnel needs (numbers, roles and skills), support needs (air, ground, communications, etc.) and other important considerations.
  • Actions-On: this step represents informal information gathering as the mission begins and initial actions are taken (e.g., landing at the mission site and assessing the situation on the ground).
  • Hot Wash: both formal and informal, this step is an initial debrief taken at the mission’s conclusion. It addresses the questions of what worked and what didn’t, providing important feedback for future planning.
  • Operational Summary Report: this is a formal feedback step, based on the Hot Wash, that is provided to higher levels of command. It might be analogous to a Risk Management Committee (RMCO), executive management, or board report at a credit union.
  • After-Action Reports: another formal feedback step, these reports incorporate feedback from the Operational Summary Report, and are shared with all Naval Special Warfare commands and units. The credit union analogy here might be reporting on key findings to operational and support business units.

These steps and the feedback obtained from them loop back into future Mission Planning.

Finally, CDR De Coster set forth four risk management principles that guide the SEALs’ approach to attacking risk:

  1. Accept risks if the benefits outweigh the costs. Like the military, credit unions are in the business of taking risks. As financial intermediaries, credit unions intermediate risks on their members’ behalf that the members cannot or will not assume for themselves. If the benefits outweigh the costs, risks should be accepted.
  2. Accept no unnecessary risks. CDR De Coster emphasized that we should ask ourselves, “Are we doing this because we can, or because we should?” This principle can help credit unions avoid potentially disastrous outcomes and the unnecessary waste of resources, and ensure the maximum benefit to members.
  3. Anticipate and manage risk by planning. By using the risk assessment methodology and Risk Management Learning Loop described above, credit unions can minimize the unknown and better prepare for any eventuality.
  4. Make risk decisions at the proper level. In many cases, this means decisions will be made at the board and senior management level. However, success will often require delegating risk decisions to the “boots on the ground”: operational management and personnel.

Below are ten key takeaways for credit unions from CDR De Coster’s presentation:

  • Assess the impact, likelihood and mitigation of all material risks facing the credit union, and use that information to determine the residual risk of each exposure and of the credit union overall.
  • Use the risk assessment to determine whether the risk of not acting outweighs the risk of acting now. Incorporate “operational patience” into the credit union’s culture for such instances.
  • Don’t just prepare until you get it right, prepare until you don’t get it wrong.
  • Ensure that, in addition to a robust risk assessment, you have the directives (policies) and curriculum (training) in place to provide confidence in the ability to meet the credit union’s objectives.
  • At the same time, develop the speed, tenacity and personnel strengths to ensure success. As you acquire and develop talent, consider the ability to overcome obstacles and understand when to deviate from established norms, within acceptable tolerances, such that success is ensured even when things go awry.
  • Assess risk holistically and enterprise-wide to avoid the unrecognized accumulation of risks. Taking relatively more risk in some areas will likely require taking less risk in others. Successful enterprise risk management requires balance and alignment of risks.
  • Develop contingency plans, and don’t be placated by past successes. Continue to prepare for each new challenge with the same tenacity.
  • Use past experiences, or “lessons learned,” to inform preparation for future initiatives. Develop a formal framework for incorporating that feedback into the planning process.
  • Apply the four risk management principles: accept risks if the benefits outweigh the costs; accept no unnecessary risks; anticipate and manage risk by planning; and make risk decisions at the proper level.
  • Finally, and most importantly, recognize that you are playing to win.

For more insights into governance, risk management and compliance, join us at the 2019 CUNA Governance, Risk Management and Compliance Leadership Conference, September 23-25, 2019 in Nashville.