Enterprise Risk Management Update

Governance Insight
Enterprise Risk Management
June 15, 2011
www.vitalinsight.com
Credit Union ERM – Why we are here

Enterprise Risk Management is becoming top of mind for many credit unions:
- Board/supervisory committee members
- Senior management
- Regulatory examiners
- External auditors

Credit unions want to more clearly understand:
- The benefits of ERM
- The goals, objectives, and deliverables of ERM
- The most efficient way to implement ERM

Goal for today: Demystify the ERM Process
Introductions – Roberta Rodgers

Vice President, Risk Management, Redstone FCU
- B.S. Degree, Middle Tennessee State University, summa cum laude; Master’s Degree, Strategic Leadership, Middle Tennessee State University, in progress; Juris Doctorate Degree, University of Memphis
- Located in Huntsville, AL
- $3 Billion in Assets
- 340,000 members and over 1200 service groups, including Redstone Arsenal
- Working to expand by moving into new geographical areas and product areas, and exploring merger opportunities
Introductions – Alan White

- Former “Big 4” Executive and Experienced Internal Auditor
- Conducted well over 200 risk assessments and control reviews
- B.S. (Industrial Engineering), Carnegie Mellon & MBA (Finance), University of Texas
- Founder and CEO, Vital Insight, Inc.
  - Focused on providing cost effective ERM Solutions to Credit Unions
    - Governance Insight software application
    - ERM consulting services from experienced professionals
  - Training and education
  - Risk assessment and evaluation
  - Content and best practices
    - Strong relationships with academic experts and industry associations
    - CUES Exclusive ERM Partner
Selected Credit Union Customers
Webinar Agenda

- ERM Principles & Concepts
- Goals & Objectives for an ERM Program
- ERM Components
- Getting Started
- Questions and Comments
What is Driving ERM?

Huge changes in the operating environment

Management and Board Challenge: risk management trends
- Competitive Marketplace
- Globalization
- Legal Requirements
- Complex Business Transactions
- Short Product Cycles
- Explosion of Technology

And, they are interconnected – with a cascading impact
What is Driving ERM?

Huge changes in the operating environment:
- Liquidity is becoming volatile
- Margins are eroding
- Delinquencies & charge-offs have increased drastically
- Fee income is steadily becoming more important
- Restructuring of the Corporates (and the NCUA lawsuit)
- Regulations are changing
- GAAP is inadequate and may very likely change
- IT Risk management requirements will increase
- Freddie & Fannie (Risk Retention)
- Proposed tax code changes

- Efficiency (output/input) is critical
- Less room for errors and surprises – i.e. risk
- Regulators are extending risk management requirements
Redstone’s ERM Drivers

- Regulators are extending risk management requirements
- Redstone is getting too big to continue working in silos
- The regulatory environment is becoming more burdensome and affecting more areas of the CU
- Strategic goals are becoming bigger and require an enterprise-wide view
- It’s the right thing to do
What is Risk?

“The possibility of an event occurring that will have an impact on the achievement of objectives.”

A prerequisite to any risk discussion in an organization: you must know the organization’s objectives.

Risk is measured in terms of impact and likelihood.

Definition from The Institute of Internal Auditors (IIA)
Traditional Risk Management Approach

“Silo” or “Stove-Pipe” Risk Management (figure: each risk category shown as a separate silo)
- Strategic/Market Risks
- Operations Risks
- Finance Risks
- Human Capital Risks
- IT Risks
- Legal Risks
- Reputation Risks
ERM Brings Risks Together

Value Creation and Preservation: Enterprise Focus on Risks (figure: the same risk categories viewed together)
- Strategic/Market Risks
- Operations Risks
- Finance Risks
- Human Capital Risks
- IT Risks
- Legal Risks
- Reputation Risks

Key Message: Senior Management is facilitating the aggregation and interactions of those risk exposures to evolve from Risk Management to Risk Intelligence
Rewarded Versus Unrewarded Risks

Rewarded Risks (opportunities to take risk): risks that are expected to bring some benefit if properly managed
- Interest Rate Risk
- Credit Risk
- Liquidity Risk
- Strategic Risks

Unrewarded Risks: those for which there is only a downside
- Transaction Risk
- Compliance Risks
- Reputation Risk
- Financial Reporting (Accounting) Risk
Maintaining a Balanced Focus on Risk

(Figure: three risk tiers arranged between “Creating Value” and “Protecting Assets”, with an arrow labelled “Increasing ERM Program Focus”.)

STRATEGIC RISKS
- Senior Management ERM Agenda
- Board and Supervisory Committee Oversight
- Reputation Risk
- Executive Risk (Ethics, Integrity, Judgment)
- SWOT (risk review) with strategic planning

EXECUTION RISKS
- Credit, Market Risk Management Processes
- Operational Risk Focus
- Risk Analysis Techniques

OPERATIONS & COMPLIANCE RISKS
- Procedures, Controls, Insurance
- Business Area Risk Reviews
- Key Risk Indicators
- Early-warning Signals

The ERM program should help the organization to maintain a balanced focus on value creation (rewarded risk taking) as well as value protection (unrewarded risk mitigation).
Risk Appetite

- Risk Appetite is the target risk level you are willing to accept in pursuit of member value
- Managing and profiting from calculated risk is what financial services organizations do
- Risk management practices, risk appetite, strategy and capital are inextricably linked
- Management and the Board should engage in a specific dialogue around the following questions:
  - How much risk are you willing to accept?
  - Are you taking enough risk to achieve the return/reward you are expecting?
  - Do you understand the combined effects of the risks you are taking?
  - How much of your capital can be put at risk at any one time?
  - How much risk are you willing to take with your existing assets at any one time?
  - How much risk are you willing to take to achieve future growth at any one time?
Risk Management Principles

- State your objectives
- Identify most critical areas of risk (risk assessment)
  - Keep in mind that you may not have seen the impact yet!
- Gather and analyze the relevant data
- Exercise sound judgment, ethics & integrity
- Identify potential root causes (WCGW)
- Determine best response
- Document and train
- Monitor, audit, and assure (and measure)
What is ERM supposed to do?

- Quickly identify emerging risks and problem areas before they escalate and cause serious harm
- Reduce the incidence of serious negative surprises that undermine stakeholder confidence
- Enable the organization to more effectively take advantage of opportunities
- Reduce response time for emerging risks
- Demonstrate to stakeholders that reasonable risk management processes are in place
- Provide an efficient way to link business objectives, risks, mitigation strategies, residual risks, and procedural process documentation
What is ERM NOT supposed to do?

- Be just one more audit
- Be just one more compliance exercise
- Be done by ONLY audit or risk management
  - Risk management is part of the decision making process
- Prevent healthy risk taking
  - A good risk manager is a good risk taker
  - “Too much rigor creates rigor mortis!”
Redstone’s ERM Objectives

- Huge changes in the operating environment
- Allows the CU to make well-informed decisions
- Reduces surprises; prepares us for the worst case scenario
- Ensures all areas have been considered – do things right the first time
- Opportunities for healthy risk taking are not overlooked
- Identify gaps and overkill in processes and procedures
Enterprise Risk Management Components

Operations Risk
- Risk that operations are not designed or executed effectively
- Includes NCUA categories Transaction, Compliance, and Credit risk
- Also includes Fraud, Accounting, IT
- Managed through effective business processes and controls
- Requires prioritization of efforts and activities to manage effectively

Financial Risk
- Relates to risk that is present in the credit union’s investments and loan portfolio
- Includes NCUA categories Interest Rate and Liquidity
- Also includes concentration and accounting risk
- Usually managed through the ALM process and includes executive and board level involvement
- Subjectivity of assumptions underlying financial models

Strategic Risk
- Relates to “macro” risks, strategic decisions, economic trends and planning
- Includes NCUA categories of Strategic and Reputation Risk (also IT)
- Typically managed through the Strategic Planning process
- Identify relevant risk scenarios and develop plans for addressing them
- All significant strategic risks should be managed due to large impact
Financial Risk Management Components (overview): Liquidity, Interest Rate, Accounting
Financial Risk Management Components: Interest Rate

- Loan pricing (risk based pricing)
- Investment yields
- Duration
- Typically managed through ALM process at the executive & board level
- Ratio analysis & modeling are key components
  - Should include scenario analysis and shocks
  - Beware geeks bearing formulas (like VAR)
Financial Risk Management Components: Liquidity

- Basic cash management
  - Budgeting & forecasting
  - Contract renewals and vendor management
  - Seasonality analysis
  - Should include scenario analysis
- Be cognizant of NCUA requirements
- Heavily linked to strategic risk!
Financial Risk Management Components: Accounting

- Important for monitoring and measuring ratios
- Allowance for loan loss is incredibly subjective
- Should include scenario analysis
- Should not be “outsourced”
  - Do not assume that accounting risk is managed just because the audit or regulatory exam is clean
Financial Risk Management Components (overview, adding a fourth component): Liquidity, Interest Rate, Concentration Risk, Accounting
Financial Risk Management Components: Concentration Risk

- Hottest NCUA risk category
  - Supervisory Letter Issued
  - “A risk concentration is any single exposure or group of exposures with the potential to produce losses large enough (relative to capital, total assets, or overall risk level) to threaten a financial institution’s health or ability to maintain its core operations.”
- Many credit unions are over-concentrated in cash (may increase need for fees)
- No set guidelines for establishing limits have been communicated
- Three key phases for concentration risk:
  - Policy setting
  - Initial analysis and remediation
  - On-going monitoring
Redstone’s Financial Risk Plan

- Asset Liability Policy
- Asset-Liability Committee meets monthly
- Monthly review of interest rate risk, liquidity risk, investment strategy
- Monitor key ratios: net worth, delinquency, charge-offs, ROA
- Monitor long-term asset ratio
- Quarterly qualitative review
- CFO establishes annually with the BOD how much risk the CU can take, based on worst case scenarios using NCUA’s 7 risk categories
- Planning, budgeting, forecasting, follow-up
Two Step Process

- Enterprise Risk Assessment & Prioritization (“Top Down”): Scope
- Detailed Process Level Risk Analysis (“Deep Dives”): Scrutiny
Redstone’s Operational Risk Plan

- Conducted EWRA
- Conducting initial deep dives on all high risk areas
- Forming a Risk Management business unit responsible for implementing operational risk plan
- By end of 2012 will have conducted a deep dive in every business unit
- Establish annual schedule for risk assessments
- Consult with business units on new projects
- Monthly reporting to the BOD
EWRA Concepts

- The Enterprise Wide Risk Assessment is used to identify, evaluate, and prioritize operational risk hot spots
- Financial and strategic risks are not typically evaluated in this assessment
- Goal is to identify areas that require further analysis by process owners, internal audit, etc.
Identifying Risk Events

- A risk event is an item that is uncertain, can happen in the future, and has an impact on objectives
- Assigned scores for likelihood and impact
- During the initial phase risk should be analyzed as though there were no controls (inherent risk)
  - Example: “In the payroll process, there is a risk that the right people are paid the wrong rates”
  - “Or that the wrong people are paid the right rates”
- Risks are usually identified by logic and analysis (intuition)
- But data can be used to identify holes as well
Risk Response

- Accept
  - Risks that fall within the organization’s risk appetite and/or that do not significantly threaten the organization’s business objectives can be accepted
  - Laziness or apathy cannot be the default
- Transfer (Reassign)
  - Typically done through insurance
- Mitigate
  - Risks that cannot be accepted or realistically transferred should be mitigated through the use of control measures
  - Remaining risk is “residual risk”
  - Most common mistake by organizations is an attempt to immediately determine “residual risk”
Risk Drivers on Value

(Bar chart: Fortune 1000 companies that lost > 25% stockholder value in one month, counted by risk driver. Drivers shown: Customer Demand Shortfall, Competition, Cost Overruns, Accounting Irregularities, Management Ineffectiveness, Supply Chain Issues, M&A Problems, Products, Pricing, Loss Customer, Macroeconomics, Commodity Prices, Interest Rates, Regulatory, R&D Delays, Lawsuit, Natural Disasters, Supplier; grouped into Strategic, Operational, Financial and Hazard risks.)

Source: Marsh/Mercer; used with permission
Strategic Risk Challenges

- Difficult to identify
  - Requires creativity and forward thinking
  - Some are outside of our control
- Nearly impossible to quantify
  - Requires effective estimations and judgment
  - Most should be actively managed anyway
- Hard to monitor
  - Metrics and action items are not obvious
- There is rarely one “right answer” to any risk
- Solutions can often create new risks
- Extended timeline means they can change
  - Three huge risks of any project that lasts more than one year (technology, environment, people)
Many Overlook Risk of Committing to Wrong Strategy

(Figure: range of uncertainty widening over time; strategies built today versus performance observed over time. Adapted from The Strategy Paradox, by Michael Raynor.)
Strategic Risk Identification

Start with external strategic risks:
- New Regulations
- Changes to Asset Prices
- Strategic Partner Plans & Viability
  - Corporate Credit Unions
  - Fannie & Freddie
- Interest Rate Changes
- Economy and Employment
- New Competitors
- Lost Competitors when Local/Regional Banks Fail
  - May increase your volume – are you ready?
Typical Internal Strategic Risks

- Executive Integrity & Ethics
- Loss or compromise of member data
- Inability to identify and develop new/effective products & services
- Insufficient access to capital
- Inability to manage credit risk
- Reputation is not maintained/perception of insufficient financial soundness
- Lack of adequate resources
- Inability to grow/scale to meet market requirements
- Inability to attract and retain qualified personnel
- And many others….
Strategic Risk Options

- Accept
- Avoid
- Transfer (Insure/Hedge/Outsource)
- Aggressively Manage
  - Operationalize (but this will create operational risk)
  - Monitor & Respond
  - Develop “Real Options”
  - Influence
Redstone’s Strategic Risk Plan

- Developed strategic objectives
- Identify risks associated with each objective – scenario planning
- Determine level of acceptable risk and risk mitigation strategies for each objective
- Utilize forecasting model to tie strategic risk plan to financial risk plan
- Monthly reporting to BOD with a detailed annual review to make the program more visible
Define Roles & Responsibilities

- Risk Management
- Executives & Managers
- Board of Directors
- Auditors & Supervisory Committee
ERM Champion

- Establish the ERM Terminology
- Provide Guidance, Quality Assurance & Project Management
- Communicate & Demonstrate the Value of ERM
- Measure the Progress of the Program
- Adjust Plans based on Lessons Learned
Our First Steps at Redstone

- Research ERM models
- Define what ERM means for RFCU
- Find a partner (Vital Insight) to assist with development and implementation
- Educate the Board; Executive Staff; Management
- Conduct EWRA and determine where deep dives were needed
Vital Insight Services for Different Needs

Risk and Objectives: VI Services
- Financial Risk: Concentration Risk Assessment; ALM Policy Review or Development
- Strategic Risk: Risk Profile; Strategic Risk Assessment & Scenario Analysis
- Operations Risk: Enterprise Wide Risk Assessment; Functional Risk Assessments (“Deep Dives”)
- Education & Change Management: VI Academy Training Sessions; ERM Fitness Check; Mentoring & Quality Assurance
Questions

Roberta Rodgers, Vice President, Risk Management
rrodgers@redfcu.org
256-722-3707

Alan White, President & CEO
alan@vitalinsight.com
512-547-5034