What’s behind credit unions’ and regulators’ relatively recent interest in enterprise risk management (ERM)?
Huge changes in credit unions’ operating environment in the past 15 years, says Alan White, founder and president, Vital Insights.
Liquidity is becoming more volatile, he says. “You must know your capital position as you plan five years ahead.”
Margins are eroding, and credit unions now rely more on fee income. “And information technology (IT) risk management requirements will only increase,” he says.
White shares four ERM lessons:
Lesson No. 1
Understand the goals of ERM—many organizations don’t. It’s not simply an IT risk management issue or an asset-concentration risk issue. Those are just parts of the whole.
Risk is the possibility of an event occurring that will affect your credit union’s ability to achieve its objectives. A prerequisite to any risk discussion in an organization is that you must know your credit union’s goals and objectives.
Risk management is managing the uncertainty side of performance. It’s supposed to quickly identify emerging risks and problem areas before they escalate and cause serious harm.
In addition, ERM should:
Lesson No. 2
Understand the process backward and forward. White suggests this risk assessment process:
Lesson No. 3
Don’t simply replicate the internal audit function. Internal audit is supposed to be independent of management, while ERM is an integral part of management. Internal audit is built on evaluations and recommendations, while ERM is built on decisions and implementation.
Lesson No. 4
Different types of risk require different management methods. “We all know this intuitively, but most risk management plans rarely address this,” White says. Most credit unions align risk management with NCUA’s strategic and financial risk categories: strategic, reputation, credit, interest rate, and liquidity. But White says you must also consider operational risks such as fraud, IT, and accounting.
White spoke during the 2013 CUNA CFO Council Conference in Phoenix.