ERM Is Everyone's Responsibility
A study released last year, Risk Management for Nonprofits, raised quite a storm in some circles. While the particular risks faced by the charitable sector are often different from those in the credit union community, the study has nonetheless been an effective catalyst for raising awareness about the need for a board-level conversation about risk and risk management.
I’ve mentioned before that we have the good fortune of conducting governance assessments for credit unions throughout the United States. Only about a third of the CU boards we’ve assessed describe their ability to identify risk as “very effective,” and an even smaller group say they’re “very effective” at mitigating those risks once they’re identified. From a governance point of view, this is a significant finding, and one that demands attention.
For many CUs, discussions of risk begin and end with financial matters: interest rate risk, loan loss risk, fraud risk, and so on. But is that enough? Aren’t there other risks that organizations face? And what is risk, anyway? The authors of that Wyman/SeaChange study define risk as “unexpected events and factors that can have a material impact on an organization’s finances, operations, reputation, viability and ability to pursue its mission.” While the definition comes from a study of the charitable nonprofit sector, we think it’s a good place to start in framing the concept of risk for credit union board and committee members. But let’s look a bit deeper, as some credit unions have begun to do.
We are thinking about enterprise risk management (ERM), which is not just the responsibility of your board, management, board committees, a risk specialist, your external auditor or even an internal auditor. Yes, each has a role in understanding and managing risk. We’d also suggest that your supervisory or audit committee should play an even greater role than it is typically given. (Read more about the expanded role of the supervisory committee in “Supervisory Committees Function Well” and “Internal Watchdog, Plus …”)
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a voluntary, private-sector organization dedicated to guiding executive management and governance participants toward more effective, efficient and ethical business operations. It defines ERM as “a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
Are you doing all that you can, as credit union leaders, “to provide reasonable assurance regarding the achievement of entity objectives”? To get you started, consider these 10 steps:
1. Ensure that your board assumes its full governance role, including not only its legal duties but also its formal and informal governance responsibilities. With the rapid pace of change and the many threats facing CUs today, it’s imperative that your board understands that it must play a vital role.
2. Formally task your supervisory or audit committee with ERM. Ensure that your committee is on the leading edge of today’s best practice of going beyond simply conducting an audit. Consistent with board policies, management will still conduct the operational work; it’s the committee’s role to ensure that work is being done regularly and effectively.
3. Be sure you have the right people, in the right seats, to support effective ERM. Identify the best people from among your volunteers and staff.
4. Develop an explicit risk tolerance statement that indicates the level of risk your credit union is willing to take. Once your board has assumed its duties in this area, this should be one of its first tasks. Be sure to partner constructively with your CEO and his or her management team, as well as with members of your supervisory or audit committee.
5. Develop a list of key risks and include brief scenario planning to address them. We had one credit union client that was housed in the World Trade Center on Sept. 11. It lost nearly everyone and everything on that day, but within a day it was up and operating at a remote location in New Jersey.
6. Scan your credit union’s internal and external risks as part of your annual strategic planning. Make sure key risks are identified and considered.
7. Include financial benchmarking in your annual scan. Review your financial reports and projections and compare your position to that of similarly situated organizations.
8. Set appropriate financial targets to support your risk tolerance statement, as well as your scenario planning. Once you have reviewed your financial benchmarking data, develop a plan to address any risks it reveals.
9. Put your plan and reports in writing. Be sure that your perceived risks, opportunities and scenario planning are shared broadly with the board, the supervisory or audit committee, and appropriate members of the management team.
10. Update your plan on a regular basis. Revisit your risk tolerance statement, financial benchmarking, scenario planning and ERM plan annually. We don’t need to tell you that the environment is changing rapidly, and that means your risks are likely evolving, too. Be sure that you’re on top of them and ready to pivot. It’s fundamental to your responsibilities as leaders of your credit union. Your members are counting on you.
Michael Daigneault, CCD, is CEO of Quantum Governance L3C, Vienna, Va., CUES’ strategic provider for governance services. Daigneault has more than 30 years of experience in the field of governance, management, strategy, planning and facilitation, and served as an executive in residence at CUES’ Governance Leadership Institute. Jennie Boden serves as the firm’s managing director of strategic relationships and a senior consultant. She has 25 years of experience in the national nonprofit sector and served as the chief staff officer for two nonprofits before coming to Quantum Governance.