Credit unions today deal with greater complexity in the business environment and face a variety of risks arising from rapid changes in technology, volatile economic conditions and increasing regulatory compliance requirements. Strategic initiatives must be achieved while managing daily risks including interest rate, liquidity, credit and cybersecurity. Traditionally, many of these risks have been addressed in a siloed environment with little cross-functional consideration when assessing the impact on the organization as a whole, including its strategy.
Enterprise risk management (ERM) is the intersection of risk and strategy. Today, most risk functions focus more on risk mitigation than on risk management; in other words, the focus is on “what can go wrong.” Risk management can be considered the proverbial “Debbie Downer” in discussions on strategic ideas and initiatives. ERM does not tell leadership what they can’t do, but rather how to be smarter about the risks taken when strategies are implemented.
It is important to understand that ERM is NOT a function or department; a listing of risks; just internal controls; a checklist; or designed only for large organizations. ERM does allow any size organization to benchmark current risk management practices and determine where they can drive more value from their strategy.
ERM is a comprehensive entity-wide approach to identifying and managing risk. There are many ways ERM can be interpreted, but the most widely accepted definition comes from the Committee of Sponsoring Organizations (COSO).
“ERM is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
The National Credit Union Administration (NCUA) looks to ERM to help credit unions put in place risk-optimization processes that seek to accomplish:
The goal is not to eliminate risk or to enforce risk limits, but rather to develop a holistic, portfolio view of the most significant risks to achieving the credit union’s most important objectives. The enterprise-wide aspect of ERM is what differentiates it most fundamentally from more traditional risk-management approaches. It reduces the silo effect of considering and addressing risks individually without considering the strategic implications.
Based on the COSO ERM framework, there is a set of principles organized into five interrelated components:
Ultimately, the Board of Directors and CEO are accountable for managing risks while achieving strategic initiatives and organizational goals; however, that doesn’t mean other credit union personnel don’t play a role in an effective ERM framework. It takes coordination and cooperation from everyone in the credit union. Some of the other key players include:
With an ERM program in place, credit unions often will have both qualitative and quantitative benefits, such as:
Risk management is an integral component of every credit union’s financial performance, operations and culture, but is often implemented as simply risk mitigation rather than as part of strategic opportunity. ERM is an important part of how a credit union will prosper through these volatile times. Regardless of the size of a credit union, each must drive an effective response to change with agility and cohesiveness, while maintaining high levels of trust between the Board, management, employees, members and regulators.
Because current NCUA regulations only require corporate credit unions to implement a formal ERM framework, many natural-person credit unions have forgone putting this in place due to lack of resources, assumed costs, range of risk exposure or limited understanding of ERM. However, the absence of an adequate risk-management framework (ERM or otherwise) consistent with an institution’s size, diversity and depth of risk exposures can be seen as a deficiency in sound corporate governance resulting in regulatory scrutiny and action. If you need assistance implementing an ERM framework within your institution, look to Doeren Mayhew’s advisors for assistance. Contact us today to learn more.
By Alexas Crossman, CIA – Internal Audit Supervisor, Doeren Mayhew and Greg Lambert, CIA, CFSA, CTGA, NCCO – Senior Internal Audit Manager, Doeren Mayhew
This publication is distributed for informational purposes only, with the understanding that Doeren Mayhew is not rendering legal, accounting, or other professional opinions on specific facts or matters, and, accordingly, assumes no liability whatsoever in connection with its use. Should the reader have any questions regarding any of the news articles, it is recommended that a Doeren Mayhew representative be contacted.