BY RINI FREDETTE
Is your credit union fully aware of its risk environment? The more informed you are of potential risks within your CU, the less likely you’ll expose yourself to harm. An Enterprise Risk Management solution helps you cover all the bases. Read on for a rundown of ERM benefits to reap and pitfalls to avoid along the way.
A more risk-informed company is better able to protect itself. The collection and analysis of a company’s risk environment keeps it aware of potential hazards now and in the future. The recent highly publicized revelations about unauthorized account openings by staff members at a large national bank remind us of the benefits of an experienced and empowered Enterprise Risk Management (ERM) practice.
Benefits of a Strong ERM Function
The proper implementation and application of ERM practices carry numerous benefits to multiple stakeholders in the organization, including its client credit unions and their members.
- A company’s strategic plan, for example, can introduce new elements of risk beyond those presented in the context of day-to-day tactical operations. ERM can identify potential risk in the strategic plan and can develop the appropriate mitigation processes to help maintain an acceptable level of risk exposure. It can also ensure the successful execution of the company’s strategic objectives.
- Similarly, an ERM discipline is critical to informing the decisions a company makes with respect to its investments in infrastructure and technology. A regimen of ERM oversight on mission-critical business plans and due diligence activities can be invaluable when evaluating the merits of particular investment ideas.
- Another benefit of a formal and highly visible ERM function is the heightened awareness it generates among employees about the role they individually play in defending the enterprise against risk. The combination of employee training on risks that are specific to the business and proactive monitoring of the work environment by all staff for anomalies or suspicious behavior can lead to early detection and avoidance of risk. A broadly promoted “See something, say something” campaign can empower an entire army of employees to take an active role in protecting the organization from potential harm.
- Credit union partners of an organization that is committed to a world-class ERM practice benefit from higher levels of security around the data they entrust to the organization. They also enjoy the increased focus the enterprise places on regulatory compliance that, when missing, can negatively impact the organization and its clients.
Factors that Drive Success in ERM
Many risk management processes start by identifying and assessing risks. But companies may want to begin by better understanding their risk appetite, which is the aggregate amount of risk they are willing to accept in the execution of their business strategy. Think of appetite as the guardrails guiding a company along the road to achieving its objectives. Such guideposts are based on balanced risk taken in alignment with executive leadership’s preferences. Companies can more effectively identify, manage and monitor risks to their particular strategy when employees understand how their daily activities are related to and aligned with that appetite.
The structure and strategy of your risk organization should take three lines of defense into account:
- Risk Owners – Operational Management – A significant risk component here is the technology and protocols in place to guard your company’s (and your clients’) data from cyberattacks. Managing risk at the first line of defense requires a team of “risk champions” who are mid-level leaders and subject matter experts throughout an organization. Their areas of specialization include but are not limited to IT, finance and accounting, sales and account management, operations, product management and legal.
- Risk Oversight – Risk Management, Compliance & Risk Committees – A strong ERM team, which often also includes functions such as fraud investigations, business continuity, vendor governance and regulatory compliance, works alongside the executive leadership team and risk committees and benefits the company through its ability to leverage and share risk information. This open awareness and free exchange of knowledge among team members helps expose issues and vulnerabilities in processes. It also aids in identifying new and emerging risks across the entire taxonomy of corporate risk. Risk committees help ensure the proper risk governance framework is in place while also meeting regulatory guidance, but there really is no “one size fits all” solution. Make sure to choose a model of oversight that is appropriate for your company’s size and the types and magnitudes of risks involved.
- Risk Assurance – An internal audit function provides senior management with comprehensive risk assurance from an independent perspective. Internal audit provides assurance of the effectiveness of governance, risk management and internal controls.
Seven Common ERM Pitfalls to Avoid
The CEB Risk Management Leadership Council is a valuable resource for fraud and risk managers in any organization and industry. The Council notes seven potential potholes to avoid when designing and executing your ERM plan:
- Misalignment with executives and the Board – Ensure you are addressing the top concerns of the executive team and the Board.
- Assuming support will trickle down – Make sure to get buy-in from the business units.
- Being too process oriented – Be sure to communicate the value ERM has brought the organization to avoid the perception of just checking the box.
- Conflicting risk processes – Leverage any effective risk processes that are already in place before implementing new or different ones that may create confusion in the organization.
- Reporting too many risks – It is impossible to consider each and every risk, so focus your energy and resources on the most critical threats.
- Striving for greatness too soon – Developing an effective ERM program that is embraced by the organization takes time. Maturity doesn’t happen as quickly as you think it should.
- Failing to track actual risk events in a timely manner – Timely tracking of actual risk events allows ERM to:
  - Compare the actual risk measures (e.g., impact, probability, velocity and preparedness/responsiveness) to previous estimates of those measures and gather valuable insight from that analysis.
  - Add value by informing management of the cause and effect of the risk event, including a recommended solution for preventing recurrence.
  - Provide current risk information to management, improving the quality and speed of decision-making.
Risk is a restless creature that never sleeps. In almost any organization, risk is an inescapable reality, but it is one that can be most clearly understood and mitigated through careful planning and continual vigilance.
As senior vice president and enterprise risk officer, Rini Fredette provides the overall leadership, vision and direction for assessing, analyzing and holistically managing risk across PSCU’s organization. Rini leads the company’s initiatives to develop processes that effectively manage risk within PSCU’s tolerance thresholds and that tightly align with PSCU’s strategic objectives. Rini’s primary responsibilities include enterprise risk management, internal audit, vendor management, compliance governance, business continuity & life safety, and investigations & corporate fraud.