Addressing risk jointly

ERM and internal audit teams complement each other.

August 23, 2019

Consider the relationship between your credit union’s enterprise risk management (ERM) team and the internal audit team. If these two teams work together and share information, not only will they decrease the likelihood of duplicating efforts, they’ll be able to improve your risk management process.

While these two groups may feel threatened by each other’s work, says Scott Hood, strategy, risk, and assurance partner with Rochdale Paragon Group, “their roles are complementary, and they should be working together.”

Hood will address the CUNA Governance, Risk Management, and Compliance Leadership Conference in Nashville Sept. 23-25.

How is the role of ERM expanding?

Scott Hood: Credit unions have been expanding the role of ERM for the last five to six years. Initially, they considered ERM to just include the identification and assessment of the most significant risks in the organization, the enhancement of procedures used to mitigate those risks, and the use of that information in the strategic planning process.

Since then, we’ve seen credit unions expand the role of ERM to include functions such as vendor management, insurance management, product and project risk assessments, and miscellaneous risk assessments, like the BSA risk assessments they complete across their organizations.

Credit unions started with management-level risk management committees, and now we see many credit unions adding board risk committees to ensure visibility and inclusion at the board level.

How do you integrate the audit and risk functions?

Hood: The best way to do this is by sharing information between the groups. ERM personnel share their risk assessments and descriptions of key responses that mitigate various risks. Internal audit personnel share their findings in reviewing procedures that are supposed to mitigate the various risks.

Both groups then help ensure the organization capitalizes on opportunities to improve risk management processes. The more information they share, the better off both functions will be.

Why is it important that these two functions work together?

Hood: If ERM and internal audit personnel don’t work together, they may duplicate efforts to identify, mitigate, test, and report on risk across the credit union.

What are some tips to follow to ensure a successful ERM program?

Hood: Successful ERM programs all share support from the top. Boards and senior management teams need to create a culture that demonstrates the importance of ERM in the organization.

Don’t put off implementing an ERM program, and remember it doesn’t have to be perfect. Begin taking the first steps and you can improve and expand the process over time to best meet your needs.

Finally, the ERM program won’t achieve maximum effectiveness unless you use it for strategic planning purposes as well as more tactically to mitigate operational risk.