Six Common ERM Mistakes [Credit Union Management]

Chief operations officers must avoid these pitfalls when implementing enterprise risk management.

Enterprise risk management is one of the biggest buzzwords in the credit union movement today. But many organizations struggle to implement ERM for a variety of reasons, ranging from staffing to performance measurements to costs.

As philosopher Georges Santayana said, "Those that do not study history are doomed to repeat it." Over the past few years, I have helped more than 50 credit unions with their ERM efforts. Before that, I provided ERM consulting at organizations ranging from Fortune 50 technology companies to small community banks. Despite differences in size, industry, structure and objectives, organizations seem to face the same challenges and make the same mistakes again and again when implementing ERM. In the pages that follow, I will share some of these mistakes and some lessons I've learned.

Mistake Number ?: Misunderstanding the goal and scale of ERM.

This may seem simple, but misunderstanding ERM s goals and deliverables is by far the most common mistake organizations make. Often, this happens when ERM was recommended (or demanded) by a regulator or auditor without clear guidance. The management team's natural reaction is to hope to satisfy the regulator by building something "ERM -like" with a minimum of effort and cost. This is not an unreasonable reaction, and I fully understand it.

But if the goals of ERM are not well understood, the program will not receive sufficient resources, may often have several "false starts," and will most likely lose momentum. As a result, the program's progress will rarely satisfy those who have demanded it. Worse yet, little value will be realized or perceived because there was a fundamental lack of understanding of the program goals at the outset.

What is the goal of ERM? Simply put, ERM's goal is to understand and manage the uncertainty involved in making decisions and operating the business.

Worthwhile managers know that to be successful and drive results, they must manage money, people, technology, partners, projects and customers. High performing managers also manage uncertainty by identifying potential surprises that could destroy profitabilitythen preventing them, preparing for them, or avoiding them altogether.

That means sometimes plans will change or be refined based on the new information you have gathered. In fact, fair measurements for ERM might be: "How many strategic mistakes have we avoided by doing some basic risk analysis?" or "How many errors did we root out of a given project?" Those are tough things to measure, but hopefully they give you a better idea of why the organization is undertaking ERM in the first place.

Mistake Number 2: Inappropriate reporting structure.

Inevitably, the question of staffing will come up. Should the program report to the chief operating officer, the CFO, or should there be a VP/risk management? I have seen credit unions succeed and fail with each of these structures, so clearly there is no perfect answer.

It seems credit unions with assets over $750 million typically have a dedicated person for risk management. ERM is still a relatively new concept, so most credit unions have a lot of latitude in structure. I usually recommend that the credit union simply ask the executive with the most interest and best skills for the job to lead ERM.

But there is one mistake that must be avoided. ERM should not be "given" to internal audit or compliance, nor should it be completely outsourced. Making these mistakes is dangerous to the program's success.

Internal audit has a very specific role to play related to, but not the same as, managing risk. Internal audit is meant to give the board and supervisory committee an effective way to obtain assurance that business activities are being conducted in accordance with set policies and guidelines. Internal audit should be as independent from management as practicable and should not make operational or strategic decisions. Risk management is part of management, makes decisions, and implements them.

Having compliance handle the risk management function is also dangerous. Regulations are rarely focused on the most current risks. For example, the Federal Financial Institutions Examination Council required an online banking risk assessment by Dec. 31, 201 1. But online banking has been popular for years. In addition, the objectives of compliance are rarely the same as the credit union's objectives. Rarely, if ever, have I heard of an examiner recommending faster growth, more lending products, or upgrades to member-facing technology.

Credit unions also need to consider whether it is better to tackle the job in house or to use a consultant. A consultant can be used to provide specific information or guidance, but cannot provide a silver bullet to completely build ERM for you. If you hire a consultant, use a speciahst, not a firm that has simply "added on" ERM to its service offerings. But even if you choose to hire a consultant, you will need someone dedicated internally to drive the program as well.

Mistake Number 3: Managing all types of risks with the same methods.

Many credit unions attempt to use the same risk management method regardless of the type of risk. The National Credit Union Administration has defined seven categories of risk But for most CUs, I find these categories to be incomplete and unwieldy. As a result, I tend to divide risks into three categories: operational (transaction, some credit, most compliance), financial (interest rate, liquidity, some credit, some compliance), and strategic (strategic, reputation, some credit). Risks can also be from internal or external sources.

The most common mistakes are either using process controls (segregation of duties, access rights, documented procedures) to manage all types of risks, or using financial risk techniques (data models, industry benchmarking) to manage operational risks. Clearly, operational risks should not be managed using financial risk management tools and vice versa. And neither of these tool sets is effective for managing strategic risk.

Mistake Number 4: Ineffective measurements.

Bill Hewitt of Hewlett Packard is widely believed to have coined the phrase "You cannot manage what you cannot measure." Regardless of who first said those words, the concept is as true about ERM as it is about any other initiative. In fact, effective risk metrics are the best way credit unions have for reducing the impact of many risks (most risk management focuses on prevention). Effective metrics serve as "early warning signs" that allow you to realize when risks are imminent and take action to reduce the damage quickly.

Organizations that do this well also assign thresholds for each metric and build required action plans to be executed when metrics fall outside of acceptable bounds. In some cases, this can be integrated with existing performance metrics or balanced scorecard measurements.

Mistake Number 5: Over reliance on models.

A mistake many organizations make is to believe all the risk in the enterprise can be represented by a single, dollar-denominated number. The thinking goes that if we can identify all the events that might impact us, we can also assess their probability in percentage terms and their impact in dollar terms. Simply multiplying the probability percentage times the dollar impact gives an expected value for the risk. If the expected values of all risks are summed, then a total risk number is calculated. And in theory, we can add math that analyzes the interconnectedness of these risks to take into account the belief that if Risk A occurs, Risk ? is more likely or has a greater impact.

This method is often used to analyze financial risks (interest rate changes, etc.) with varying degrees of success. But it is not appropriate for analyzing operational or strategic risks (see Mistake Number 3, above). I'll leave a discussion of the statistics for another article, but the simple fact is that probabilities and dollar value estimates of operational risks are highly subjective and easily manipulated. Often when the "total risk" seems to be getting outside of the risk appetite, the estimates are simply changed.

In addition, the numbers of intertwined scenarios increase exponentially as risks are added to the model. In fact, 20 interconnected risks create over a million combinations. Truly understanding those interconnections is nearly impossible. Finally, most organizations simply do not have the time, resources and skill sets to collect and monitor all this data in real time.

This means all this effort and analysis is done to create what basically amounts to a made-up number. And of course, relying on that number could lead to a false sense of security. The large investment banks learned this lesson the hard way late in 2008 when they relied on their highly sophisticated, yet clearly flawed, "value at risk" models.

As discussed above, efforts would be better spent identifying a set of key risks to the enterprise, and building simple metrics to monitor them. The power of this approach is that it spends more time on actively managing risk and less time on trying to identify a total (but ultimately subjective) number that represents the amount of risk in the organization.

Mistake Number 6: Poor project management and program measurement.

I have found that basic project management is often lacking from ERM programs. Rarely are there set milestones, including clearly defined deliverables. This makes it almost impossible to ensure accountability or to measure program results.

In fact, many organizations (not just credit unions) do not have strong project management skills as a whole. If successful project completion has been elusive within your credit union, ERM can actually provide an opportunity to build some of those competencies. One credit union I worked with had a "strategic services" group that included risk management, project, process, and strategic planning (a group that only included two professionals). These skills often overlap, so this structure can work well.

ERM is new to most organizations, and challenges are to be expected. But most of the challenges can be overcome by knowing them ahead of time, learning from the experiences of other organizations, and applying sound management principles. Every ERM failure I have witnessed can be traced to one (or more) of the mistakes here. I hope these lessons can increase the odds of success in your ERM efforts and help you to use ERM as a powerful management tool.

Despite differences in size, industry, structure and objectives, organizations seem to face the same challenges and make the same mistakes again and again when implementing ERM.

Resources

Read a free article by Vital Insight at cumanagement.org/03Hsteady steady. Read another free article, "Beyond Crossing Ts" about how risk management takes precedence over confirming compliance atcumanagement. org/1 0 Ubeyondcrossingts.

Also read a free white pa per from Vital Insight, "Using Enterprise Risk Management to Protect Assets, Avoid Mistakes, Provide Oversight and Increase Competitiveness," at cues.org/ ermwhitepaper.

Have your board watch the videos "Managing Risk While Avoiding Micromanagement" and "Enterprise Risk Management" on the Center for Credit Union Board Excellence. Sign up fora 30-day free trial at myccube.org.

Learn more about CUES Enterprise Risk Management powered by Vital Insight at cues.org/erm.

Alan White is president/CEO of Vital Insight (www.vitalinsight.com), CUES' partner in CUES Enterprise Risk Management, Powered by Vital Insight, cues.org/erm.