WASHINGTON — A credit union’s chief risk officer must have a complete understanding of all risks within the organization, and have a strong voice that won’t be overrun by enthusiasm for lines of business, speaker Bill Nayda told CU Enterprise Risk Management conference attendees at the Washington Capital Hilton on Monday.
Nayda is principal of the Glen Allen, Va.-based Second Pillar Consulting, a risk management firm.
Often, a CEO must step up to the plate and take responsibility for risk management, Nayda said. While it may seem that the CFO or internal auditor is the best choice, enterprise risk management encompasses the entire organization.
For example, Nayda said, a CFO tends to focus on his or her expertise in interest rate and liquidity risk, and could overlook operational or reputation risk.
“The CEO owns the risk of the organization,” Nayda told the intimate group of 15 credit union executives representing financial cooperatives from $150 million to $26 billion in assets.
A working enterprise risk management plan should start with a list of the organization’s top five risks. A chief risk officer should expect that the process could become heated, Nayda said, because departments tend to feel their risk is the most urgent, and could see the exercise as an opportunity to overstate risk in an attempt to gain more resources.
All employees are responsible for an effective risk management plan, he said. Management should communicate the top organizational risks to employees, who should understand their role in mitigating risks and know where they can go to share concerns about new or overlooked risks.
At the top, Nayda said, board risk committees are a new trend in risk management. Credit unions can utilize existing committees such as ALCO, but meetings should include specific times to discuss only risks and responses.
Ultimately, a well-defined risk management program should not only drive strategic planning but will also provide regulators with increased transparency, Nayda said. One participant said his examiner told him the NCUA will focus on enterprise risk management during 2013 exams.