Defining Your Appetite [Credit Union Management]
By Swedberg, Jamie | |
Proquest LLC |
A CU board needs to say, strategically, how much risk is too much.
Enterprise risk management can be a particularly operational, nitty-gritty effort at credit unions. So what role should be played by the credit union board of directors, charged with looking at the credit union strategically?
First, the board is, to a great extent, responsible for articulating the mission and brand of the CU- its personality, if you will. So it is uniquely qualified to evaluate the CU's "risk appetite," an essential part of any enterprise risk management program.
"A risk appetite essentially defines how much risk an organization wants to tolerate," explains CUES member
The answer may vary when it comes to different aspects of risk. "We have a statement that says it is the intention of management and the board of directors to fully comply with rules and regulations," continues McDonough. "So with respect to regulatory risk, we have a conservative appetite. And then we have a statement that goes on and says that the credit union recognizes that, in some instances, the state rules are less restrictive than those required for federally chartered institutions. And in many instances, we are deciding to voluntarily comply with the more restrictive standard. So that gives me, as a CEO, a very clear picture of what the board expects of me."
Shared Responsibilities
Another reason the board should be involved in risk management is that it is the collective responsibility of everyone at the organization. It's extremely difficult for any risk management program to succeed unless the organization buys into it at every level. And especially at smaller credit unions, there is a need to spread the duties around.
"I think bigger credit unions may have a staff that's devoted to business continuity planning, and therefore may have people who are familiar with the various standards and regs that affect business continuity management," says McDonough. "But certainly
That sharing of responsibility is articulated clearly in
Risk management is not an abstract thing, even at the board level. It translates into decisions, policies and controls.
Finally, the board can bring a unique viewpoint to the risk management program.
"They bring an outside perspective, since they're not in the credit union all the time," points out
"Our board members are all business executives in other industries, and we have three CPAs on our board, so they bring a lot of expertise to the table, as far as how they run their business," says VP/Compliance and Legal Counsel
Taking Action
ERM is a subset of a CU's organizational resilience or business continuity activities. It's the process of planning, organizing, leading, and controlling the activities of an organization to minimize the effects of risk on the organization's capital and earnings.
McDonough, who has earned an advanced degree in business continuity management, says her board is involved, at the strategic level, with all the different types of risk management the CU does; it is their responsibility, she says. But it has been especially helpful when it comes to ERM. For one thing, it spawned the committee that is in charge of the program.
"The board established an enterprise risk management committee made up of the president and representatives of the supervisory committee, members of the ALCO committee, members of senior management, people from finance, somebody from operations, somebody from IT, and somebody from compliance," she says.
The committee was charged with identifying all known new or emerging risks, whether on or off our balance sheet, and classifying them into one of six categories that we defined: strategic threats, operational threats, financial threats, natural threats, technological threats, and human threats."
Once the committee identified the threats, it created a matrix: On one axis is the probability of each event, on a scale of one to five; and on the other axis, the potential financial impact of each event. By multiplying the ratings from each axis, the CU established a risk score for each event. Then it divided the items, according to their score, into unacceptable, moderate and acceptable risks. Management took the data and created an action plan for mitigating, managing or transferring each of the unacceptable risks.
"The report came back to the board, and the committee and the board determined where we hadn't covered all the different risks," McDonough explains. "For instance, we don't have flood insurance on our building. That came up as a moderate probability, but the potential for loss was so high that it was still ranked in that red area. So the board instructed us, as a management team, to go find out about whether flood insurance would be necessary on our building. We created a bunch of action steps and timelines in which we were going to get those done, and reported back to the board on them on a monthly basis [until] we satisfied all of those requirements.
"Now, this year, we're moving on. The committee meets quarterly to address emerging risks. And now, instead of just looking at the high risks, this year we're taking the time to look at the more moderate risks, and whether there are additional steps we can be taking for some of these things. Then the board holds us accountable for that."
What If?
The board has a much more hands-on role in another kind of risk management activity: scenario planning.
"If you think about risk management in a much broader way- sort of as strategic risk for the organization- [the board can use] scenarios to essentially pressure test the existing financials and the planned strategic initiatives," says Kraus. "If you and I are on the board of a credit union, we might go into a meeting where we've already set up a set of scenarios, and use them to stress test the upcoming strategic plan."
This is a different kind of matrix than the ERM one. In one template Kraus uses for presentations, she creates four scenarios (
The board of First Alliance CU has used a similar method.
"We make scenario planning part of our strategic planning session," says McDonough. "We may take some of the high risk things that we've identified and say, 'What if this happens?""
"One of the strategic risks is the dissolution of
"There is some risk in reaching out to the underserved community in the
Overall, the board's role in strategic risk management is threefold, Kraus says. First, the board should build awareness of the need for risk management in all areas. Second, it should act as a sounding board by pressure-testing policies and initiatives. And third, it should explore options on a grand scale: How can the CU add flexibility so the organization can survive in bad times and thrive in good ones?
When it comes down to it, that's what a board of directors does all the time. Risk management is just a disciplined way of approaching it.
"[The board can use] scenarios to essentially pressure test the existing financials and the planned initiatives."
Resources
Learn more about the services offered via CUES Enterprise Risk Management Powered by Vital Insight at cues.org/erm.
Read free, related articles at cumanagement.org/020112good governance and cumanagement.org/ 02251 !steady steady.
Copyright: | (c) 2012 Credit Union Executives Society |
Wordcount: | 1713 |
Unfinished Business [Credit Union Management]
Crisis Predicted In No-Fault’s Unlimited Coverage
Advisor News
Annuity News
Health/Employee Benefits News
Life Insurance News