Defining Your Appetite [Credit Union Management]

A CU board needs to say, strategically, how much risk is too much.

Enterprise risk management can be a particularly operational, nitty-gritty effort at credit unions. So what role should be played by the credit union board of directors, charged with looking at the credit union strategically?

First, the board is, to a great extent, responsible for articulating the mission and brand of the CU- its personality, if you will. So it is uniquely qualified to evaluate the CU's "risk appetite," an essential part of any enterprise risk management program.

"A risk appetite essentially defines how much risk an organization wants to tolerate," explains CUES member Kelly McDonough, president/CEO of $120 millionFirst Alliance Credit Union (www.firstalliancecu.com), Rochester, Minn. "Essentially, it's 'How comfortable are we as an organization with taking on things that could expose the credit union to loss, or could open up the credit union to great opportunity?' So I think each credit union's CEO needs to have a discussion with its board of directors, to look at some of the elements of risk and say, 'Where do we want to be?'"

The answer may vary when it comes to different aspects of risk. "We have a statement that says it is the intention of management and the board of directors to fully comply with rules and regulations," continues McDonough. "So with respect to regulatory risk, we have a conservative appetite. And then we have a statement that goes on and says that the credit union recognizes that, in some instances, the state rules are less restrictive than those required for federally chartered institutions. And in many instances, we are deciding to voluntarily comply with the more restrictive standard. So that gives me, as a CEO, a very clear picture of what the board expects of me."

Shared Responsibilities

Another reason the board should be involved in risk management is that it is the collective responsibility of everyone at the organization. It's extremely difficult for any risk management program to succeed unless the organization buys into it at every level. And especially at smaller credit unions, there is a need to spread the duties around.

"I think bigger credit unions may have a staff that's devoted to business continuity planning, and therefore may have people who are familiar with the various standards and regs that affect business continuity management," says McDonough. "But certainly $100 million credit unions ... at best, I can get people to do this as a small part of their other responsibilities. I don't have the budget or the time to have somebody do this full time."

That sharing of responsibility is articulated clearly in First Alliance CU's ERM documents. The "roles and responsibilities" section states that among the duties of the CU "family," including the "board of directors, supervisory committee, management, staff, and employees, is the responsibility to measure and control the risks encountered in the normal course of business. Responsibility for assessment and management of risk starts at the top, with the board of directors, committee members, and senior management. Members of the board of directors define the credit union's appetite for risk through the decisions they make, the policies they adopt, and the emphasis they place on appropriate controls."

Risk management is not an abstract thing, even at the board level. It translates into decisions, policies and controls.

Finally, the board can bring a unique viewpoint to the risk management program.

"They bring an outside perspective, since they're not in the credit union all the time," points out Nicole Adams Kraus, principal with Decision Strategies International (www. decisionstrat.com), a Conshohocken, Pa., consulting firm. "I think one of the things they should be tasked with prior to a board meeting is, on a regular basis, reading what's happening in the broader market. What are some of the regulatory trends? And not just in credit unions."

$1.2 billionAmerica's First Federal Credit Union (www.amftrst.org), Birmingham, Ala., is currently working on an ERM program and hopes to have it in place before the end of the year. Its board takes a great interest in compliance, and it was instrumental in making the ERM program part of the strategic plan.

"Our board members are all business executives in other industries, and we have three CPAs on our board, so they bring a lot of expertise to the table, as far as how they run their business," says VP/Compliance and Legal Counsel Alan Stabler, a CUES member. "And they give us their insight on things that they think could help us."

Taking Action

ERM is a subset of a CU's organizational resilience or business continuity activities. It's the process of planning, organizing, leading, and controlling the activities of an organization to minimize the effects of risk on the organization's capital and earnings.

McDonough, who has earned an advanced degree in business continuity management, says her board is involved, at the strategic level, with all the different types of risk management the CU does; it is their responsibility, she says. But it has been especially helpful when it comes to ERM. For one thing, it spawned the committee that is in charge of the program.

"The board established an enterprise risk management committee made up of the president and representatives of the supervisory committee, members of the ALCO committee, members of senior management, people from finance, somebody from operations, somebody from IT, and somebody from compliance," she says.

The committee was charged with identifying all known new or emerging risks, whether on or off our balance sheet, and classifying them into one of six categories that we defined: strategic threats, operational threats, financial threats, natural threats, technological threats, and human threats."

Once the committee identified the threats, it created a matrix: On one axis is the probability of each event, on a scale of one to five; and on the other axis, the potential financial impact of each event. By multiplying the ratings from each axis, the CU established a risk score for each event. Then it divided the items, according to their score, into unacceptable, moderate and acceptable risks. Management took the data and created an action plan for mitigating, managing or transferring each of the unacceptable risks.

"The report came back to the board, and the committee and the board determined where we hadn't covered all the different risks," McDonough explains. "For instance, we don't have flood insurance on our building. That came up as a moderate probability, but the potential for loss was so high that it was still ranked in that red area. So the board instructed us, as a management team, to go find out about whether flood insurance would be necessary on our building. We created a bunch of action steps and timelines in which we were going to get those done, and reported back to the board on them on a monthly basis [until] we satisfied all of those requirements.

"Now, this year, we're moving on. The committee meets quarterly to address emerging risks. And now, instead of just looking at the high risks, this year we're taking the time to look at the more moderate risks, and whether there are additional steps we can be taking for some of these things. Then the board holds us accountable for that."

What If?

The board has a much more hands-on role in another kind of risk management activity: scenario planning.

"If you think about risk management in a much broader way- sort of as strategic risk for the organization- [the board can use] scenarios to essentially pressure test the existing financials and the planned strategic initiatives," says Kraus. "If you and I are on the board of a credit union, we might go into a meeting where we've already set up a set of scenarios, and use them to stress test the upcoming strategic plan."

This is a different kind of matrix than the ERM one. In one template Kraus uses for presentations, she creates four scenarios (A, B, C, and D) based on all the possible combinations of a good or bad financial market and a good or bad societal attitude toward financial institutions. With these, a board can score its strategic initiatives according to their performance in each of the scenarios. This allows them to assess the robustness of each line item, and predict the bottom-line impact of these initiatives.

The board of First Alliance CU has used a similar method.

"We make scenario planning part of our strategic planning session," says McDonough. "We may take some of the high risk things that we've identified and say, 'What if this happens?""

"One of the strategic risks is the dissolution of Freddie Mac and Fannie Mae. When we were doing our strategic planning, this was identified as a high risk. It's one we don't have a lot of control over. But what would be the impact on our organization if that happened? How would that change what we need to do operationally? Those are ways that understanding our risk comes back into the strategic planning session.

"There is some risk in reaching out to the underserved community in the Rochester area," she says. "But we can do a scenario plan. What would happen? What would the operational impact be? What resources would we need if we decided to go down this path, and how might we benefit from taking this risk?"

Overall, the board's role in strategic risk management is threefold, Kraus says. First, the board should build awareness of the need for risk management in all areas. Second, it should act as a sounding board by pressure-testing policies and initiatives. And third, it should explore options on a grand scale: How can the CU add flexibility so the organization can survive in bad times and thrive in good ones?

When it comes down to it, that's what a board of directors does all the time. Risk management is just a disciplined way of approaching it.

"[The board can use] scenarios to essentially pressure test the existing financials and the planned initiatives."

Nicole Adams Kraus

Resources

Learn more about the services offered via CUES Enterprise Risk Management Powered by Vital Insight at cues.org/erm.

Read free, related articles at cumanagement.org/020112good governance and cumanagement.org/ 02251 !steady steady.

Jamie Swedberg is a freelance writer based in Georgia.