Governing Risk With Simplicity: A Board-Level View of ERM

By Jeff Owen

Enterprise Risk Management (ERM) is often perceived as a dense, technical discipline best left to specialists. But for a credit union board, ERM should be something very different: a clear, practical framework that helps (1) preserve the value the organization has built over time, while (2) enabling you to confidently create new value for members. 

As credit union boards consider their role in the ERM environment, it’s important the process is simple, understandable, and tightly connected to strategy.

From Defense-Only to Value Creation 

At its core, enterprise risk management is about two things: 

  • Value preservation – Protecting the good things you’ve already built: your capital, reputation, operational resilience, and member trust.
  • Value creation – Using insight and intelligence from both inside and outside the organization to guide future direction; this means surfacing uncertainty and opportunity early, shining light into the “shadows,” and using risk information to make better strategic decisions.

This evolution is reflected in the shift from the old “three lines of defense” to the current “three lines model,” and we believe it matters. Credit unions do not exist to play defense; they exist to fulfill a mission. A good ERM program should help you play smart offense, ensuring you’re positioned to take more of the right risks at the right time. This is where an effective ERM program becomes a competitive advantage.

The Board’s Role: Oversight, Not Operations

A truly effective board in the ERM space governs; it does not run the day-to-day risk process. The board’s role is to: 

  • Approve the ERM framework and the risk appetite 
  • Set the tone and culture for risk- and opportunity-taking from the top 
  • Receive and challenge meaningful risk reporting, not just dense packets of data 
  • Hold management accountable for operating within the agreed-upon risk appetite and for taking action when risks approach or exceed that appetite

How the board talks about risk, and the kinds of questions it asks, send a powerful signal to the entire organization. If the board is curious, engaged, and insistent on clarity, that culture cascades downward. If ERM is treated as a check-the-box exercise, the organization eventually follows suit. 

The ERM Committee and Management’s Role 

For most credit unions, an ERM Committee as a management-level committee is generally a good starting point. This committee should be comprised of key operational leaders and be responsible for: 

  • Overseeing the ERM framework as a whole 
  • Ensuring internal controls and risk action plans are in place, with clearly defined owners 
  • Tracking and escalating cross-functional risk components
  • Preparing concise, decision-useful reports to the board

Beneath that, the operational risk owners (line leaders and supervisors) must feel both responsible and safe to escalate concerns. That requires a culture of transparency, where surfacing risk is rewarded rather than avoided.

Risk vs. Audit: Different Roles, Shared Purpose 

ERM and audit frequently get conflated, but they serve different purposes: 

  • ERM works with the business to identify, assess, and manage uncertainty (risk and opportunity) as part of strategy and operations. 
  • Audit / Supervisory Committee provides assurance: Are we doing what we say we’re doing? Are key controls functioning as intended? 

The relationship works best when the two functions: 

  • Are independent enough to check and challenge one another, yet
  • Are aligned enough that their stories about the organization’s risk posture are consistent.

Simplicity Over Complexity 

A theme we often stress to boards is the need to strive for simplicity.

The risks facing credit unions are inherently complex. The process to identify, assess, manage, and report on them doesn’t have to be. 

If the board and executive team cannot clearly explain the top risks in plain language, then the ERM process is not working, regardless of how sophisticated the process and reports look. 

A credit union board that truly understands five to ten of its top risks is better governed than one that has documented fifty but understands none. Complexity often creates shadows where issues can hide; simplicity invites transparency and input. 

That means the board should not ask, “Did we complete the ERM process?” but rather, “Do we truly understand our risk profile, and what’s being done about it?” 

Risk Appetite and Policy: Strategic, Not Procedural 

Boards can’t manage what they haven’t defined. That’s why risk appetite is a strategic decision, not a paperwork exercise. It answers the question: How much risk are we willing to pursue in service of our strategic goals? 

For risk appetite to matter, it must: 

  • Be tied to strategy 
  • Be discussed regularly, not written once and shelved 
  • Have ‘teeth,’ or clear implications when thresholds are breached 

Similarly, the ERM policy should be: 

  • High-level and principles-based, not bogged down in procedure
  • Clear on scope, objectives, roles, risk categories, and cadence 
  • Flexible enough to evolve as the program matures 

What “Good” Looks Like 

In practice, a strong ERM program should include: 

  • Clearly defined top risks, owners, and prioritization
  • Appetite thresholds that signal when action is required 
  • Emerging risk commentary that looks 1 to 3, even 5 to 10 years ahead 
  • Action-oriented follow-up on issues and risk themes
  • A coherent story behind data, charts and metrics:
      ◦ Why do these things matter (what are they telling us)?
      ◦ Are we within our appetite?
      ◦ What is management doing about the risks?
      ◦ How does this affect strategy and operations?

A useful way for the board to structure any risk discussion is around a few simple questions: 

  • Why are we talking about these risks today? What has changed? 
  • How do these risks affect our strategy and day-to-day operations? 
  • Are we within our stated risk appetite? If not, what is management doing about it? 
  • What trends or themes are we seeing across the organization or industry? 
  • What does management need from the board to enhance these processes or the board from management to better govern? 

If ERM consistently helps answer those questions in clear, plain language, then it is no longer a side process. It becomes part of how the credit union is governed and how it competes – preserving value, creating value, and taking more of the right risks, right when it matters most. 

How to Learn More

If you are interested in learning more about how Rochdale can help evolve your credit union’s risk processes into a meaningful component of the board’s governance processes, reach out today – [email protected]

Jeff Owen is Chief Operating Officer at Rochdale.
