WASHINGTON — Risk management used to rely upon a silo approach, with managers or committees managing risks only within their designated areas of responsibility, enterprise risk management consultant Marcus Faust told CUERM trainees Oct. 2 at the Capital Hilton.
Faust works for RP Financial, an Arlington, Va.-based financial services consulting firm.
However, successful ERM governance must expand beyond the silo structure, facilitating communication across risk-taking functions and considering the interrelationship of risks, he said.
Each credit union’s risk governance structure depends upon its size and complexity, Faust told the intimate group of 15 credit union executives representing financial cooperatives from $150 million to $26 billion in assets.
Large, complex institutions will require dedicated resources, which usually means at least one full-time risk officer. Smaller credit unions can assign the risk officer role to someone who wears more than one hat. However, regardless of size, ERM must maintain a sense of independence, and the designated risk chief must carry some political weight, which means the risk officer must have a direct line to the board.
“But, we’re not talking about a whistleblower because it should never come to that,” he said.
Instructor Bill Nayda, who presented the basics of ERM on Oct. 1, agreed with Faust that a credit union’s chief risk officer must have a complete understanding of all risks within the organization and have a strong voice that won’t be overrun by enthusiasm for lines of business.
Oftentimes, that means the CEO must step up to the plate and take responsibility for risk management, Nayda said. While it may seem that the CFO or internal auditor is the best choice, enterprise risk management encompasses the entire organization. For example, Nayda said, a CFO tends to focus on his or her expertise in interest rate and liquidity risk, and could overlook operational or reputation risk.
“The CEO owns the risk of the organization,” Nayda
According to Faust, properly structured ERM governance should include a board ERM committee, a management ERM committee, and a designated Chief Risk Officer. The board committee births the process, overseeing the ERM framework, establishing the comprehensive risk strategy and policy statements, and conducting the annual performance evaluation of the risk officer, which keeps the position independent of the CEO and other senior managers, he said.
Board ERM committees should include risk representatives from other committees, such as the credit committee, and should include both risk-averse directors and directors who push their credit unions to adopt new products and strategies.
Nayda also said board risk committees are a new trend in risk management. Credit unions can utilize existing committees such as ALCO, but meetings should include specific times to discuss only risks and responses.
The management ERM committee, which Faust described as the working risk committee, assists the chief risk officer in identifying and assessing material risks. Setting up a management ERM committee also helps to instill a culture of risk management throughout the credit union, he added.
Nayda agreed that management should communicate top organizational risks to employees, and added employees should understand their role in mitigating risks and know where they can go to share concerns about new or overlooked risks without fear of reprimand.
Faust instructed the group about proper committee charters and policy statements and concluded his session with a list of challenges for credit unions developing ERM programs. Those include a lack of board support, which often stems from a lack of education on the topic.