Steps to Take (And Questions to Ask) to Develop an ERM Program
Many professionals, including regulators, internal auditors and others, share the misconception that risk management focuses on eliminating all risk, which is contrary to a credit union's organizational objectives and sustainable financial results. This risk/return battle is a cat-and-mouse exercise that burns energy at an alarming rate. But for what benefit and at what cost?
As credit unions, our mission is clear: Do right by our members and assist in their financial well-being in a trusted, financially sound manner. Inherently, that means taking some risks. Our business is built on the fundamental of balancing risk and return, not eliminating or disregarding it altogether. It's something we do very well. But in light of the complexity of today's financial environment, it's time to move to the next level. Enterprise risk management (ERM) is coming fast. Are you prepared?
Already, most large financial and publicly traded institutions are beginning to emphasize ERM and, like a freight train, so are regulators and auditors. While some may disagree, the fact is, they are on the right track. ERM is a philosophically and organizationally adapted methodology for better managing an organization's goals. It limits variances or interruptions (losses, negative product returns, reactionary moves to market disruptions, etc.), and facilitates achieving goals, increasing the likelihood of success. ERM helps you make more profitable capital-deployment decisions by better understanding the risk-versus-return relationships intertwined throughout your organization and inherent in every business decision.
Watching for Pitfalls
ERM means different things to different people and has always been subject to misconceptions. Most notably, it's often seen as too difficult, too complex and too expensive. While that CAN be true, it doesn't HAVE to be. Many organizations - such as large financial institutions, federal agencies and insurance companies - have invested millions of dollars and years of development in extravagant systems, and have performed complex mathematical and quantitative analyses. Although thoughtful analysis is beneficial, it's important to not lose sight of ERM's ultimate goal: enhanced decision making through a solid understanding of organizational risks.
ERM programs must adapt to your culture, as well as your current risk and management processes, without becoming burdensome. If done right, ERM consistently delivers improved financial performance, operational efficiencies, transparency, and reduced risk exposure - and, most importantly, peace of mind. The focus should be on making the program effective, not documenting policies or the fundamentals of integrating ERM systems/technology.
Another significant trap is approaching ERM solely as a compliance function and mindlessly marching through the process using a checklist approach. Many managers (and vendors) try to force ERM into the traditional box of auditing, policies and controls disciplines. Whether it's slick software to link policies and regulations or the "annual enterprise risk assessment" (i.e., the audit), these efforts sorely miss the mark. They tend to focus on traditional control-oriented, reactive practices to identify downside risk, and gaps between policy and procedures. Time, money and effort invested in this way are simply redundant and a wasted expense, given existing risk programs. ERM isn't an audit tool or policy tracker to catch people and departments making mistakes. ERM is a proactive tool to support management in making organization-wide decisions with enhanced understanding of risk and return.
Developing an Effective ERM Program
So, how can you use ERM to your best advantage? Here are some tips:
• Remember, moderation is key. Understand your environment, obtain input from those who know the business best, and develop strategies that keep your goals on track, while minimizing surprises.
• Build a solid foundation. Invest in training, including education on balancing risk and reward; gain organization buy-in; and create the right program structure.
• Seek outside guidance or acquire experienced talent. Your business partner should have a strong grasp on the credit union environment and ERM processes; be able to collaborate with and lead the board, management and staff through the process; and be willing to focus on knowledge transfer, not simply project completion
• Use a maturity model approach. Focus on providing near-term results while building on capabilities. ERM must be developed over time and, like any long-term focus, set interim goals to continuously drive success.
• Ensure that ERM permeates your culture. Value comes from creating a risk-based decision culture and must become part of your institution's overall climate to achieve the highest levels of success.
• Instill ERM in your collective management and decision process. ERM requires changing how you think and make decisions. As such, it's a competitive advantage, not another traditional risk system or set of practices.
• Make sure your program answers these questions:
1) Can management clearly articulate your organization's top 10 to 15 risks using a common scale as measured against earnings and capital?
2) Does your system show the risk interdependencies and proactive risk influencers?
3) Does it facilitate setting and understanding risk-tolerance levels?
4) Does it provide clarity for risk discussions and decisions between operations, management and the board of directors?
5) Does it facilitate open communication organization-wide regarding risk and decision making?
The lessons of the last two years have demonstrated the inherent weaknesses in existing risk programs, as well as renewed sensitivity to earnings and capital surprises. That should provide the impetus to begin building ERM programs within our organizations. If not, regulators and policymakers surely will.
Tony Ferris is a partner in the Rocedale Group, a credit union consulting firm focused on risk, organization performance, and project management processes. For info: www.rochdalegroup.com.