5 keys to an effective risk management program

Creating a structure, defining roles, and ensuring independence are key to adapting to an uncertain future.

September 25, 2020

While no one can predict the future, boards and credit union management teams can take steps to identify and manage risks that will give the credit union better odds at being successful in an uncertain future.

“Managing risk is critical to the credit union’s success. It is at the heart of strategic performance. The ability to proactively identify and understand the rapidly evolving challenges ahead allows the organization to pivot and seize new opportunities or avoid head-on problems,” says Tony Ferris, CEO of Rochdale Paragon Group.

“Increasing competition and environmental uncertainty has given rise to skepticism on whether or not our organizations are sufficiently prepared to manage within these fluid environments. Is the risk function capable of being able to lay out the uncertainties and help decision makers define where we go?”

History is littered with companies that managed risk poorly, leading to strategic blindness, poor strategic bets, reputational debacles, and even internal mismanagement and fraud. The pursuit of any opportunity is always accompanied by an element of risk. How effectively we deal with these risks ultimately defines the extent of our success.

Ferris discussed the board and supervisory committee’s roles in a risk management program during the CUNA Governance, Risk Management & Compliance Leadership Virtual Conference.

Ferris cites five keys to an effective risk management program:

1. Structure/Roles. Assign a formal and clear set of expectations and objectives to key stakeholders which include the board, CEO, and risk officer. Board oversight is central to its fiduciary role and facilitates increased perspective and ability to oversee strategy and the overall risk position of the organization. A risk committee can alleviate full board workload while enhancing the risk capabilities through more pointed and in-depth discussions.

The CEO must have risk management as a defined expectation as the actions and decisions taken will invariably determine the ongoing success of the organization while maintaining the expected level of risk in running the credit union.

There are clear and distinct roles and objectives for each stakeholder and therefore an effective program is contingent upon how effectively the board and management work together in managing risks, Ferris says.

2. Engagement. The adage “culture eats strategy for lunch” is as true in risk management as anywhere. A strong culture that sets an expectation of transparency, critical thinking, and critical risk-based reporting ensures a focused and active approach which will produce real organizational value.

As part of this, the organization must be comfortable in challenging assumptions, seeking diverse opinions, and in dealing with uncertainties. Governing or managing without proactive and quantitative data leaves decision makers with little to rely upon except intuition and experience. Combining that experience with valuable insight is where great decisions are made.

Real and appropriate engagement is one of the toughest characteristics of a strong organization. Asking challenging questions is hard because they can feel distrustful or challenge our feelings of inadequacies on topics for which we are not well versed. This is especially true when looking at board and management engagement.

Governance requirements, however, are increasing and the board must demonstrate and prove it is exercising “credible challenge” to strategic decisions. This means that the board is actively engaged, asks thoughtful questions, and exercises independent judgement.

Without an agreed set of rules and a supporting culture, organizational strategy and decision making will always be hindered, Ferris says.

3. Program understanding. Board and management members must understand the risk program’s objectives along with the concepts of risk which allows for a deep understanding of linkage to strategy and risk-reward trade-offs. This requires a thorough understanding of risk management and your program’s methodology so that information can be appropriately interpreted, and program effectiveness can be ensured.

Board and management must look to instill specific skillsets through training and recruitment. Overly simplistic programs, such as high, medium, and low, offer no real insight into the magnitude or likelihood of events and provide little assistance in strategic decision making. Only through business and dollar quantification can we see actionable information, Ferris says.

You must be able to answer the question of whether your program provides the necessary intelligence to make proactive and measured strategic decisions and provides reasonable assurance in the safeguarding of assets and member interests. If you cannot confidently answer affirmatively, then you do not have a viable program; instead, you have wasted activity and busy work, Ferris says.

4. Strategy and performance focus. Efforts should focus on mission-critical risks that can influence strategic execution and long-term viability. The credit union needs to implement appropriate reporting measures and require risk managers to provide information that is focused on the credit union’s objectives, Ferris says.

The very essence of risk management is to deploy capital and resources effectively and quickly to potential opportunities and events that affect organizational performance. You are not trying to capture every conceivable type and size of risk. Rather, focus on what truly matters. Do not get caught in the weeds.

“Risk is about one thing: our ability to define our strategy and accomplish our goals,” Ferris says.

5. Independence. A risk program features three functions: risk taking, risk oversight, and risk assurance.

Risk taking is the responsibility of the business units. They determine the level of risk, act on it, and leverage the risk to carry out their duties.

Risk oversight challenges the risk-taking function to provide an independent assessment and objective view of the level of risk taken in pursuit of goals individually and collectively.

Risk assurance is the organization’s “value protection system,” Ferris says, and the responsibility of the audit or supervisory committee. Risk assurance opines on the effectiveness of controls and the adherence to established policies and stated risk appetite levels.

“At the heart of each of these functional areas you have a defined, central set of objectives that are different from each other,” Ferris says. “Be sure they detail who is responsible for those activities, where collaboration takes place, and what it looks like.”

With everybody clear on objectives and expectations, you will generate increased collaboration and a stronger risk stance.
