As a risk management professional who advocates Enterprise Wide Risk Management (EWRM), I get a lot of questions about what EWRM is. I have a story I like to tell that really speaks to the meaning of EWRM. It involves a piece of wooded land that I own in a very rural area of the South.
One day I was standing by the road surveying the property and one of my neighbors drove up to say hello. He asked what I was doing and I explained that I was surveying the land because I was considering erecting a small fence around it. He looked puzzled and then asked why I would want to do that. I actually thought that it was a silly question, but being neighborly, I explained that I wanted to put a fence around the property to keep bad people out. And then...I got my own moment of Zen. My neighbor laughed out loud and said, "Joe, fences only keep good people out. The bad people are going to come in anyway."
As a risk manager, I knew immediately he was right. I was looking at the situation from a "compliance" standpoint. I thought that if I put up a fence, strangers would "comply" by not entering the property. But I really wasn't considering the risk associated with their intent, the idea that they may not comply, or even the likelihood that someone would go onto the property in the first place. Had I used an EWRM approach to this situation, I would have recognized that the chance of someone coming onto my property was small; that the fence I had envisioned (the control) to keep bad people out would most likely be ineffective; and that the fence may actually have had the opposite effect of my intent by keeping good people, like my neighbor, out instead.
This story illustrates an important point about EWRM. A good EWRM program is not designed solely to meet compliance standards, although it will do that. It's really designed to provide a reasonable assurance that an organization will achieve its stated goals. In the example above, my goal was to keep bad people out. However, my strategy of building the fence not only didn't meet the goal, it also may have had unintended negative consequences.
A good EWRM program takes intent into consideration. In the case of a credit union, the intent is the vision and mission; however, during the EWRM process, we also examine the goals and the tactics used to realize them. EWRM then ensures that all risks taken in pursuit of our vision and mission are accurately identified and measured and are within the risk appetite set by the board of directors.
An EWRM program also ensures direct communication with the board, as it is the board that has the responsibility of accepting risks on the credit union's behalf. But EWRM isn't just for the board and senior management. Everyone in the credit union, in some way, is a risk manager of his or her own sphere of influence. From the teller who puts holds on high-dollar deposited items to the new account representative who checks identification on potential members, everyone in the credit union is involved in EWRM. Many people make the mistake of thinking that the designated enterprise risk manager is the one who owns risk, but actually the risk manager's responsibility is to oversee the identification and assessment of risks by the business owners, as well as the reporting of these risk assessments to the board of directors.
Finally, there is a lot of confusion about the difference between EWRM and regulatory compliance. EWRM is not just something to make the regulators happy; it's a process to help minimize surprises that might keep the credit union from achieving its goals. It's about mapping out the processes you carry out every day as you fulfill your credit union's mission, and then assessing and managing any associated risks and reporting them appropriately. Compliance, on the other hand, is about making sure that things are being done per a prescribed policy or procedure. Put simply, EWRM will help you decide how, when and if you should build a fence, and compliance will tell you if anyone crosses it.