Enterprise Risk Management — Where to Start
strategy
Once a credit union has decided that an enterprise risk management (ERM) process is necessary, where should they start? Like all processes, it should be important to note that change is not immediate and neither are results. ERM is not only a shift in how an organization identifies and approaches risk, but also a shift in how every level of the organization perceives risk. Before implementation, credit unions need to establish realistic expectations for ERM.
Where to start
- Gain buy-in from the leadership and board
- Every large change at a credit union should ideally be discussed and approved at the top. After all, the board and management will play a large role in risk management, and ERM inherently affects the culture of an organization. Buy-in is oftentimes the biggest factor in how successful an ERM vision is.
- Review the strategic plan
- ERM is always linked to an organization’s strategic plan, and the vision for ERM should be one that complements and informs the strategic plan.
- Identify risks
- Conduct a simple risk assessment: what are known, unknown but knowable, or unknown but unknowable risks? What does the board think the greatest risks to the credit union are? How much of a priority are these risks? Are these risks inherent or residual?
- Draft reporting structure
- What does the reporting structure look like? Draft a simple, top-level summary of risks, the timeframe and likelihood of those risks occurring, policies and prepared response actions, as well as how these policies can be improved.
- Define the credit union’s risk appetite
- What are qualitative and quantitative ways to define risk? What is the credit union’s current risk profile and risk capacity? What is the amount of risk that the credit union is willing to take on?
- Determine who is taking the lead on ERM
- Hiring on or promoting a chief risk officer is not always the best choice for every credit union, but someone needs to spearhead the ERM initiative and gather the necessary information, resources and support for the process.

Smaller credit unions may not face the same amount of risks as larger institutions, so there may not be a dedicated risk management team or department in place. Smaller institutions have to delicately balance staff resources and cost, with most of their efforts going towards making sure they are meeting minimum regulatory compliance requirements related to risk. As such, they may not have the luxury of taking a step back and evaluation risk across their organization at a holistic level.
Fortunately, with the assistance of modern, automated technology, smaller credit unions may be able to use tools to shore up their risk blind spots. Enterprise risk management software may be an affordable, convenient way for budget-tight credit unions to upgrade their risk management processes.
« Return to "Trends"