ERM Effectiveness and Efficiency

December 2016: Vol 39 No 12
by Vincent Hui

They're not mutually exclusive, as these examples show.

Oftentimes, credit union leaders bemoan the volume of resources—both people and dollars—spent on risk management with limited visibility of what benefits, if any, this spend is creating. This allocation of resources is not done just for compliance, but also for such things as information security, vendor management and business continuity.

Asked why they have not been able to better manage these costs, credit unions often answer, “We’re afraid if we don’t invest, something bad will happen.” Credit unions want to achieve maximum risk management effectiveness, but in reality many are practicing risk elimination or not managing the right risks in the first place.

Effective risk management and efficient risk management are not mutually exclusive concepts. The key to success is taking a risk-based approach. This includes a clear and focused understanding of what is most important in the risks the credit union is looking to manage, tying the level of effort to clearly defined targeted outcomes, monitoring the risks and allowing for the possibility of making adjustments.

Interestingly, this type of risk-based approach to performing risk management is already in use in many credit unions. It’s often used to define internal audit’s annual audit plan as well as to focus credit portfolio oversight via risk ratings. However, this approach is often not extended to other risk areas where such analysis could better inform the right balance between efficiency and effectiveness.

The following examples illustrate how a risk-based approach can enable CUs to better manage their investments without compromising on risk. We’ll look at vendor management and patch management in this print article. For a discussion of how to manage the risk associated with complying with the Financial Accounting Standards Board’s current expected credit loss rule, see cues.org/1116cfofocus.

Vendor Management

Almost all CUs have a vendor management process in place that includes risk-rating vendors and doing regular vendor reviews. However, the relatively few high-risk vendors that your CU is managing are also simultaneously being managed by a thousand other CUs. This is colossally inefficient considering that thousands of peer institutions are looking at the same documents and coming to the same conclusions. Yes, the compliance “box” needs to be checked, but how effective are these activities in managing risk?

The focus should go beyond managing compliance risk to include the strategic risk inherent in CUs’ vendor relationships. Defining and managing strategic risk requires that CUs know the nature of their vendor relationships, how much they spend on vendors, and the underlying drivers of the vendors’ business (e.g., value proposition, the businesses they are in, their main competitors).

CUs collect and analyze a lot of due diligence data, but what is often lacking are key performance indicators in such areas as service quality, timeliness of delivery, price and effectiveness. Putting these KPIs in place can be done with minimal additional resources/efforts. For example:

  • Include questions about vendor satisfaction in existing employee surveys.
  • Find out what other customers of the same vendor think when employees go to conferences—particularly user conferences.
  • Cultivate business involvement in vendor interactions to ensure business value and risk management objectives are achieved in each vendor relationship—i.e., enhanced service levels and improved utilization.

CUs can move beyond the typical vendor risk management program by seeking to improve the return on investment from all third-party relationships. With a similar level of time and effort as today, CUs will get more value from their efforts by going beyond dealing with “check the box” compliance risk to including more emphasis on strategic risk.

Patch Management

One of the most daunting challenges in information security is the use of patch management solutions to protect systems against vulnerabilities. Every device connected to a credit union’s network is aging, and software is in a constant state of degradation. Patch management helps keep life in these products as well as protect them from vulnerabilities that could lead to compromise.

The typical patch management solution consists of two pieces of technology—one to find the vulnerabilities and another to “patch” them—plus humans to operate both systems.

Networks can contain thousands of devices, such as switches, PCs, servers and mobile devices. When tasked to “patch” all of these systems, a CU’s first reaction may be to purchase technology to identify all the vulnerabilities and patch all of the systems at once. This “swinging for the fence” approach (a.k.a. risk elimination) can cost a lot and seldom provides a consistent track record of success. Imagine rolling out a patch to all systems only to discover it has broken a critical application. (You do have a sound testing environment, right?)

So, how can credit unions improve the cost effectiveness of patch management without compromising security?

Take a look at your latest Gramm-Leach-Bliley Act assessment. Did you receive a risk threat classification model/matrix? This report should break down your major applications/systems and risk-rate them appropriately. Using this document as a starting point, thousands of systems can be reduced to smaller focus areas. Instead of remediating every device on the network at once, ensure that high-risk systems are patched first. Once that group is completed and verified, the next group can be addressed. Repeat this process until all systems and devices are addressed.

By properly staging patching based on risk, credit unions can better manage their IT resources and reduce risk by preventing unintended negative consequences.
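As an added illustration of the staged approach described above (this is example code written for this page, not a tool from the article or from Cornerstone Advisors), the script below takes an asset list of the kind a risk classification matrix yields, orders it by risk rating, splits each rating into batches, and only releases the next batch once the previous one has been verified in testing. The hostnames, ratings and application names are constructed sample data.

```python
"""Risk-staged patch scheduling: patch high-risk systems first, in batches,
with a verification gate between batches. Added example, not from the article."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample inventory (hostnames and ratings are made up), standing in
# for the systems listed in a GLBA risk threat classification matrix.
INVENTORY = [
    {"host": "core-db-01", "rating": "high", "app": "core banking"},
    {"host": "online-bank-web-01", "rating": "high", "app": "online banking"},
    {"host": "online-bank-web-02", "rating": "high", "app": "online banking"},
    {"host": "hr-app-01", "rating": "medium", "app": "HR"},
    {"host": "file-srv-01", "rating": "medium", "app": "file sharing"},
    {"host": "branch-pc-117", "rating": "low", "app": "workstation"},
    {"host": "branch-pc-118", "rating": "low", "app": "workstation"},
    {"host": "kiosk-03", "rating": "low", "app": "lobby kiosk"},
]

# Lower number = patched earlier.
RATING_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Wave:
    stage: int
    rating: str
    hosts: List[str]
    verified: bool = False  # flipped to True after the batch passes testing


def build_waves(inventory: List[Dict[str, str]], batch_size: int = 2) -> List[Wave]:
    """Group assets by risk rating (highest first) and split each rating
    into batches no larger than batch_size. Unknown ratings are rejected
    rather than silently scheduled last."""
    for item in inventory:
        if item["rating"] not in RATING_ORDER:
            raise ValueError(f"unknown rating {item['rating']!r} for {item['host']}")
    # Deterministic order: by rating, then hostname, so the plan is reproducible.
    ordered = sorted(inventory, key=lambda a: (RATING_ORDER[a["rating"]], a["host"]))
    waves: List[Wave] = []
    stage = 0
    for rating in sorted(RATING_ORDER, key=RATING_ORDER.get):
        hosts = [a["host"] for a in ordered if a["rating"] == rating]
        for i in range(0, len(hosts), batch_size):
            stage += 1
            waves.append(Wave(stage, rating, hosts[i:i + batch_size]))
    return waves


def next_wave(waves: List[Wave]) -> Optional[Wave]:
    """Return the next batch to roll out. Because waves are sequential, the first
    unverified wave is the next one; nothing later is released until it passes."""
    for w in waves:
        if not w.verified:
            return w
    return None  # every batch has been patched and verified


def coverage(waves: List[Wave]) -> Dict[str, int]:
    """Hosts verified so far, per rating: a simple progress metric for reporting."""
    done: Dict[str, int] = {r: 0 for r in RATING_ORDER}
    for w in waves:
        if w.verified:
            done[w.rating] += len(w.hosts)
    return done


if __name__ == "__main__":
    plan = build_waves(INVENTORY, batch_size=2)
    for w in plan:
        print(f"stage {w.stage} [{w.rating}]: {', '.join(w.hosts)}")
    # Simulate the gate: verify the first batch, then ask what comes next.
    plan[0].verified = True
    print("next:", next_wave(plan).hosts, "coverage:", coverage(plan))
```

The batch size and the verification flag are the two knobs that trade pace of execution against risk: a smaller batch limits the blast radius of a bad patch, and the gate forces the test-environment check before the next group is touched.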

As mentioned earlier in this article, credit unions also need to manage the risks associated with the 2019/2020 deadline for implementation of the Financial Accounting Standards Board’s current expected credit loss standard, CECL. For more on this, see cues.org/1116cfofocus.

Looking Forward

Investments in risk management can have a positive ROI if the credit union goes beyond the “check the box” mentality and puts more focus on defining the risks that are most important and the strong business practices required to measure and monitor them. There are three areas that credit union executives should explore when presented with the “opportunity” to invest in risk management:

1. Leverage required compliance spend to create value (which is the flip side of risk). What is the full range of risks that this investment can attack? Which of those risks have the biggest impact on the credit union’s ability to serve members? For example, if you are going to spend the resources on vendor management, make sure you are focused on the strategic risks (and opportunities) that really drive value.

2. Let required compliance force functional improvements. What business practices can the credit union improve the effectiveness/maturity of, especially if the spending is viewed as “required”? What benefits can be identified and achieved? How can the credit union avoid the “no benefits expected as it is a required investment” scenario when trying to justify spending?

3. Look at execution alternatives. How will changing the pace of execution (and related spend) change the credit union’s risk profile? Is the risk profile acceptable when compared to the resource cost? Is the proposed execution approach about risk elimination? If so, is that in an area already identified as one of zero risk tolerance?

The intent of these questions is not to block investment in risk management but to make sure the credit union’s precious capital is used wisely to maximize the benefit to the credit union and its membership.

Vincent Hui is a senior director with CUES Supplier member and strategic provider for ERM and technology services Cornerstone Advisors, Scottsdale, Ariz. Hui thanks Cornerstone’s Steve Carroll, Joel Pruis and Todd Stringer for their contributions to this article.

Carroll is director/business continuity, Pruis a senior director and Stringer director of IS services.