Drew Smith

ERM: ‘What gets measured gets managed’

Tailor reports for specific audiences to get the best results.

December 11, 2019

A critical component of any enterprise risk management (ERM) program is reporting the results.

Providing an update on the ERM program and what has been accomplished allows the ERM culture to continually be fostered at the credit union. It also supports board oversight, reinforces key ERM concepts, and demonstrates the organization’s commitment to ERM.

“What gets measured gets managed,” says Drew Smith, a business and risk consultant with Rochdale Paragon Group.

Smith discussed ERM and the advantages it provides to credit unions but focused on reporting ERM results during a breakout session at the 2019 CUNA Supervisory Committee and Internal Audit Conference Tuesday in Las Vegas.

The content an ERM report should include varies with the audience reviewing it:

  • The board wants a report that includes high-level information that allows them to minimize future surprises and better leverage risks. Include information on compliance, oversight, and strategy, including top residual risks, biggest risk changes, capital adequacy, and external factors, Smith says.
  • Executives require a report that includes more detailed information that allows them to improve communication and products. They want comprehensive coverage with details on large risks, including breakdowns of residual risks by department or business area.
  • The risk management committee needs a detailed, comprehensive report that allows them to complete strong action planning. They need information on risk identification, tracking, and appetite, including the residual risk breakdowns.
  • Staff need reports that are focused on their business area to allow them to understand the risks and develop responses in order to become more efficient.

When crafting the report, Smith says there are several things to keep in mind.

Each report should have a summary of the ERM process and goals and a summary of the organization’s overall risk profile. In addition to the current risk profile, include how that profile has changed in recent months and what caused the changes.

“Looking at the top risks, they don’t really change,” he says. “But having an understanding of why they changed makes the report much more effective.”

Consider using quantitative and qualitative metrics in the report so readers can understand the ERM profile not only from an ERM perspective, but also from the credit union’s financial perspective. Include a discussion of external economic factors that contribute to the changes in the risk profile and a section that shows how the credit union’s activities are adhering to the organization’s established risk appetite.