Why comprehensive—rather than compliance-focused—ERM matters to your CU.
United Airlines’ recent experience with removing that now-famous passenger from one of its flights is a perfect example of the value of taking a sound, comprehensive approach to enterprise risk management. Having a big-picture risk management plan won’t prevent negative events from occurring, but will help a company respond appropriately.
In removing the passenger, United successfully reduced its operational risk, but created an unexpected and huge reputational risk. The trade-offs between the two kinds of risk had not been well thought out.
United isn’t alone in failing to think about the interplay between different kinds of risk. Many organizations, including credit unions, don’t recognize this important category of “integrated” risk.
In fact, credit unions that do a good job with ERM balance risk and return across all seven of the National Credit Union Administration’s risk categories (credit, interest rate, liquidity, transactional, compliance, strategic and reputation) plus integrated risk. Here’s an example of integrated risk in a credit union: If a loan portfolio goes bad, the credit union deals with more than just those borrowers. The portfolio’s failure can bring interest rate risk into play and the potential for asset/liability mismatch; it can impact strategic risk if the CU can’t invest as much anymore; and it can create reputation risk if it impacts the credit union’s overall financial health or if affected members talk badly about the CU in the marketplace.
In addition to neglecting to think about integrated risk, credit unions’ ERM efforts suffer from their frequent belief in two key myths, which I’ll now dispel.
Myth #1: Doing ERM well means having more compliance, more controls and more overhead.
The thinking goes something like this: “If we check off all the boxes regulators require, dot every i and cross every t, we’re appropriately managing risk.” But in fact, credit unions operating under a compliance-focused approach risk ending up without the best possible business practices. If you design and implement your processes well, you will have checked off the compliance boxes, too.
Myth #2: ERM means eliminating risk.
Risk management in many credit unions, consciously or unconsciously, equates to risk elimination. Getting rid of risk entirely is neither possible nor desirable. As long as you have people doing work, you’ll have human error, even with the best training. Take lending, for example. No one consciously makes bad loans, and sometimes good loans go bad. The only way to avoid making bad loans is to not make any loans at all. That’s no way to run a credit union (and no way to meet member needs). You have to take on some risk to generate revenue and fuel growth. ERM helps organizations define, understand and accept the appropriate risk trade-offs.
Comprehensive ERM is good for credit unions. Proactively addressing all eight risk categories creates opportunities for risk managers to add value to their organizations and earn a seat at the strategy table. That’s exciting and challenging from a business impact and professional growth perspective, and much more valuable than amped-up compliance.
Vincent Hui, senior director, CUES Supplier member and strategic provider Cornerstone Investment Advisors, Inc., Scottsdale, Ariz., specializes in strategic planning and risk management practices. As an instructor at CUES School of Enterprise Risk Management™, he enjoys helping credit unions discover the potential of a broad, balanced approach to ERM.