MADISON, Wis. (1/31/14)--The latest edition of Credit Union Directors Newsletter examines questions about risk management systems that may have been raised, rather than answered, in a recent National Credit Union Administration supervisory letter.
The Credit Union National Association's January edition of Directors considers enterprise risk management (ERM), as addressed by the NCUA in a Letter to Federally Insured Credit Unions (13-CU-12).
NCUA pointed out that ERM might benefit larger, more complex credit unions and that examiners should make sure credit unions employ a comprehensive risk management approach. This might or might not include a formal ERM program, NCUA said.
To better understand ERM and traditional risk management, Joette Colletts, a senior manager in risk management for CUNA Mutual Group, compared the different approaches.
Traditional risk management encompasses only hazard and transactional (operational) risk exposures. There's no upside or positive outcome for these risks, other than the status quo.
ERM includes all the risks a credit union faces, regardless of source or potential outcome. With ERM, credit unions consider the upside of risk, such as the possibility of outperforming strategic goals.
ERM also removes the NCUA's key risk indicators (credit, interest rate, liquidity, transactional, compliance, strategic and reputational) from individual silos and addresses them as part of the overall strategy.
The ERM process optimizes risk-taking tied to strategic goals, while traditional risk management simply aims to prevent or reduce losses.
For example, ERM would include an assessment of competitive challenges, such as plans by competitors to build new branches within a credit union's market. It would also examine the potential impact of a significant reputational hit, such as a highly publicized data breach or a top executive being prosecuted for embezzlement.
NCUA acknowledges that most credit unions don't have the means for expensive ERM software and other tools used to consolidate and assess this broad swath of information. A basic understanding of how to transcend individual operational risk assessment can increase credit union value.
Risk responsibilities are distributed differently as well. In traditional risk management, the responsibility for managing all of a credit union's operational risk belongs to one department or one individual.
In ERM, the enterprise risk manager (often referred to as the chief risk officer) acts as a facilitator and educator about the ERM process. This person serves as a coach to all the risk owners in the credit union. In fact, all employees are risk managers for functions within their responsibility.
ERM allows information to flow throughout the credit union, avoiding information silos that prevent critical information from reaching key people. The "enterprise" in ERM includes all employees, management, board of directors, committees, members, the community and regulators.
The more employees know about the risks a credit union faces, the more they can participate in finding and executing solutions, and in capitalizing on opportunities, Colletts noted.