Why You Need ERM in Your Strategic Planningstrategy
An enterprise risk management (ERM) process not only informs strategic planning, but also takes into account risks to and from the strategic plan itself. By combining ERM with strategic planning processes, credit unions can create strategies that are not only resilient, but also proactive in nature — as plans and objectives are created with potential obstacles in mind.
Three types of risk in a strategic plan:
- Risks that adjust the strategic plan
- These are usually the risks recognized before the development of a strategic plan and can lead to adjustments to objectives before the plan is finalized.
- Risks to the strategic plan
- These are risks that endanger an element of the strategic plan, possibly preventing objectives from being completed.
- Risks from the strategic plan
- These are risks that arise from the strategic plan itself, including when new objectives result in unintended consequences.
How credit unions can use ERM to inform their strategic planning
- Build resilient strategies
- Resilience is the capability to respond quickly and effectively to an evolving environment — words to live by for any modern organization. Building resilience into a strategic plan requires that leaders understand current and future risks, understand the scenarios in which those risks can affect their organization, and then draft strategies that not only anticipate those risks, but are also adaptable.
- Increase awareness of risks as well as opportunity
- ERM is not solely focused on downside risk, but also works to increase awareness of possible opportunities, which could in turn affect a strategic plan. Credit unions should consider how their current risk assessment process deals with:
- Identifying risk
- Communicating risk
- Developing mitigation responses
- Risk ownership and roles
- Normalizing risk tolerance
- Combine risk awareness with planning sessions
- The risk assessment process is a cyclical one. Risks must be identified and analyzed before preparing mitigation plans. Then credit unions can formulate a strategic plan around that risk.
Roles and responsibilities
ERM is a process shared between the Board of Directors and management, so credit unions need a clear distinction between what each group is responsible for. The lack of clear role definitions can lead to cases of miscommunication.
Is a CRO needed?
Many companies now prefer the establishment of a chief risk officer (CRO) over, or in addition to, a risk committee, signifying a formal integration of risk management into the c-suite. Chief risk officers take the lead in carrying out processes that mitigate operational risks — which can include anything from compliance to business continuity, IT security, adapting to market volatility, fraud and auditing. Chief risk officers are sometimes referred to as “change agents” because of the large impact they may have in the direction of a credit union. Perhaps most importantly, it is the duty of the chief risk officer to create a culture of risk awareness at all levels of the organization.
Division of roles
- Develops the infrastructure and processes for ERM, including new hires
- Oversees implementation of ERM
- Determines risk tolerance
- Breaks risks into sub-categories and assigns to internal stakeholders
- Reports key information to the board, including both current and future risks
- Monitors and manages risk responses
- Scans the environment for emerging trends and brings them to the attention of management
- Approves the acceptance of risks
- Creates governance policies and processes that suit the credit union’s risk tolerance
- Increases risk awareness
Of course, not all credit unions can justify opening a new c-suite position or find it effective. In many cases, the responsibilities of a chief risk officer are distributed across operational areas along with the compliance department. Risk committees are also becoming more common, and some credit unions are finding that board engagement provides a more holistic approach to risk management.« Return to "Trends"