Credit unions today deal with greater complexity in the business environment and face a variety of risks arising from rapid changes in technology, volatile economic conditions and increasing regulatory compliance requirements. Strategic initiatives must be achieved while managing daily risks including interest rate, liquidity, credit and cybersecurity. Traditionally, many of these risks have been addressed in a siloed environment with little cross-functional consideration when assessing the impact on the organization as a whole, including its strategy.

Enterprise risk management (ERM) is the intersection of risk and strategy. Today, most risk functions focus more on risk mitigation than on risk management; in other words, the focus is on “what can go wrong.” Risk management can be considered the proverbial “Debbie Downer” in discussions of strategic ideas and initiatives. ERM does not tell leadership what they can’t do, but rather how to be smarter about the risks taken when strategies are implemented.

It is important to understand that ERM is NOT a function or department; a listing of risks; just internal controls; a checklist; or designed only for large organizations. ERM does allow any size organization to benchmark current risk management practices and determine where they can drive more value from their strategy.

What is ERM?

ERM is a comprehensive entity-wide approach to identifying and managing risk. There are many ways ERM can be interpreted, but the most widely accepted definition comes from the Committee of Sponsoring Organizations (COSO).

“ERM is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

The National Credit Union Administration (NCUA) looks to ERM to help credit unions put in place risk-optimization processes that seek to:

  • Encourage credit unions to take a broad look at all risk factors.
  • Help credit unions understand the interrelationships among those factors.
  • Define acceptable risks.
  • Continuously monitor functional areas to ensure risk thresholds are maintained.

The goal is not to eliminate risk or to enforce risk limits, but rather to develop a holistic, portfolio view of the most significant risks to achieving the credit union’s most important objectives. The enterprise-wide aspect of ERM is what differentiates it most fundamentally from more traditional risk-management approaches. It reduces the silo effect of considering and addressing risks individually without considering the strategic implications.

Components of ERM

Based on the COSO ERM framework, there are a set of principles organized into five interrelated components:

  1. Governance and Culture: Governance sets the organization’s tone, reinforcing the importance of, and establishing oversight responsibilities for ERM. Culture pertains to ethical values, desired behaviors and understanding of risk in the entity.
  2. Strategy and Objective-Setting: ERM, strategy and objective-setting work together in the strategic-planning process. A risk appetite is established and aligned with strategy; business objectives put strategy into practice while serving as a basis for identifying, assessing and responding to risk.
  3. Performance: Risks that may impact the achievement of strategy and business objectives need to be identified and assessed. Risks are prioritized by severity in the context of risk appetite. The organization then selects risk responses and takes a portfolio view of the amount of risk it has assumed. The results of this process are reported to key risk stakeholders.
  4. Review and Revision: By reviewing entity performance, an organization can consider how well the ERM components are functioning over time and in light of substantial changes, and what revisions are needed.
  5. Information, Communication and Reporting: ERM requires a continual process of obtaining and sharing necessary information, from both internal and external sources, which flows up, down and across the organization.

The Players in ERM

Ultimately, the Board of Directors and CEO are accountable for managing risks while achieving strategic initiatives and organizational goals. However, that doesn’t mean other credit union personnel don’t play a role in an effective ERM framework. It takes coordination and cooperation from everyone in the credit union. Some of the other key players include:

  • Senior management
  • Department management
  • Support functions
  • Risk management
  • Internal audit
  • Compliance

The Benefits

With an ERM program in place, credit unions often will have both qualitative and quantitative benefits, such as:

  • Increased strategic opportunities for the credit union by considering both the positive and negative aspects of risk. For example, better decision making to deal with risks associated with opportunities such as new products, markets and mergers.
  • Identification and management of risks that impact many parts of the credit union. For example, better entity-wide understanding of regulations that impact multiple areas of operations, such as the Bank Secrecy Act.
  • Enhanced risk awareness and timely responses, which help to reduce surprises, minimize costs, avoid losses and take advantage of opportunities. For example, identifying the risks associated with a new lending program in conjunction with the growth opportunity and financial performance objectives.
  • Reduced volatility of performance, which helps minimize disruption and maximize opportunities. For example, understanding the credit risk implications of entering a new market with significant growth opportunities.
  • Improved deployment of financial and talent resources by allowing management to assess resource needs and prioritize allocation with risks in mind. For example, staffing levels and financial resources allocated for training while striving to deliver world class member service with minimal complaints.
  • Improved response to the accelerating pace of change and greater organizational resiliency. Can anyone say 2020?

Forward Thinking

Risk management is an integral component of every credit union’s financial performance, operations and culture, but it is often implemented simply as risk mitigation rather than as part of strategic opportunity. ERM is an important part of how a credit union will prosper through these volatile times. Regardless of its size, each credit union must drive an effective response to change with agility and cohesiveness, while maintaining high levels of trust between the Board, management, employees, members and regulators.

Because current NCUA regulations only require corporate credit unions to implement a formal ERM framework, many natural-person credit unions have forgone putting this in place due to lack of resources, assumed costs, range of risk exposure or limited understanding of ERM. However, the absence of an adequate risk-management framework (ERM or otherwise) consistent with an institution’s size, diversity and depth of risk exposures can be seen as a deficiency in sound corporate governance resulting in regulatory scrutiny and action. If you need assistance implementing an ERM framework within your institution, look to Doeren Mayhew’s advisors for assistance. Contact us today to learn more.

By Alexas Crossman, CIA – Internal Audit Supervisor, Doeren Mayhew and Greg Lambert, CIA, CFSA, CTGA, NCCO – Senior Internal Audit Manager, Doeren Mayhew