Wednesday, 30 September 2020 20:59

Enterprise Risk Management… Twenty Years and Counting


*GUEST POST* We asked Karen McBride MBA, ORMP to share some of her insights about enterprise risk management for co-operatives and credit unions.

If you think about it, co-operatives were created to reduce the risk that individuals would not survive lean times and harsh conditions. By working together, people discovered creative ways to pool their time, money, and talent to not only help each other survive, but eventually thrive to build communities, social systems, and nations. This powerful process continues to this day – the transformational power of co-operatives is especially evident in developing countries.  

Once launched, credit unions and co-ops quickly got busy managing the risks that could damage their bottom line or threaten their survival – risks such as theft, fraud, credit losses, and damage from fire or natural disaster. Up until about twenty years ago, risks such as these were largely regarded as individual events. 

The idea that risk could and should be understood and managed as a portfolio morphed into this thing we call Enterprise Risk Management (ERM) as the 90’s drew to a close. The failure of Barings Bank in 1995, followed by an ever-increasing litany of corporate failures and frauds, set off a growing concern about the ability of regulatory and governance bodies to deal with increasingly sophisticated banking and investment techniques. Regulators around the world got to work on rigorous reform of corporate governance, and the concept of ERM emerged as a tool to help boards and senior management better understand what was actually going on in their organizations.

I was handed the risk “gig” just as OSFI issued their first risk-based supervisory framework in late 1999. I recall wondering how big or small it should be - many credit union managers told me they were just fine as they were and had no intention of doing anything at all. Still, a few of us rolled up our sleeves and began to build risk inventories, frameworks, and reporting. The Australia/New Zealand Risk Management Standard provided the best reference at the time and, by the way, laid the foundation for the subsequent and current work on the ISO 31000 and the COSO Risk Management Frameworks.

The overall premise of what can feel like a lot of fuss is actually pretty simple – identify risks and their interdependencies in order to help decision makers take action to improve the likelihood the organization will succeed in achieving its goals. The trick is to keep the focus on risks that matter – those that are big enough or pervasive enough to impact the success or failure of the company. It is important to scale the program to fit the organization. Over the years, I received numerous calls about risk programs mired in a sea of detail – a closer look revealed that these organizations had hundreds of risks in their risk register but, at a portfolio level, nobody understood what they meant or knew what to do about them. As a result, their CEO and board had become testy and impatient and the risk team was starting over!

In case you are starting out or starting over, here are a few foundational tips and tricks from my twenty years as a risk professional: 

  1. First of all, and despite the progress made through risk guidelines such as ISO 31000 and COSO, accept that ERM is not accounting and there is no one standard. By all means read them – but you know your business better than anyone so be creative and design something that fits your industry and particular business model.
    Before you dive in to develop (or redevelop) your risk program, take a step back to consider the nature and purpose of your particular organization: 

    • Why do you exist? What is necessary to continue to exist? Go beyond the obvious because, although it is certainly true that co-ops and credit unions exist to serve the needs of members, they need a solid bottom line to survive and thrive!

    • Who and what are your regulatory bodies? What guidance, standards, and limits have they issued for corporate governance and oversight and management of risk? For example, credit unions are subject to regulatory standards and strict limits for capital and liquidity. What does WOCCU say to co-ops? By the way, I found it helpful to also review guidance across a broad range of sectors and industries. If you are a provincially regulated credit union, what do Basel and OSFI say? It is also helpful to look at governing legislation along with your bylaws and policy.

    • What keeps your business afloat? Follow the money trail before you design your risk program! What lines of business generate most of your revenue and how are your other lines of business and overhead funded? 

    • What external forces put pressure on you? For example, to what degree do interest rates and economic cycles impact your success? What about competition, legislation, and emerging technology and innovation? Follow the people trail too – why do members choose you and why do they go to your competitors?  What about changing consumer behaviours?

    • What is your strategy? How is it brought to life in your annual plan? What do you need to deliver on your goals and what threatens your ability to get there?

    Take the time to answer these questions and you will discover the right scale and focus for your risk program and have a solid start on your risk register.

  2. Risk makers and risk takers must be accountable for their risks.
    Avoid the trap of allowing the addition of a risk program to blur accountability for decision making and action. ERM should not disrupt the line authority already in place, and accountability for managing risks needs to stay with line authority for the particular function. For example, treasury must manage risks related to creating profit from investments, store managers must manage risks related to customer experience, staffing, inventory, and shoplifting… etc.

  3. The function of ERM is to draw the attention of decision makers to existing and emerging risk conditions and the relationships of the various risks within the risk portfolio.
    How simple or complex the ERM program should be depends on the complexity of your business and the risks that matter to its success. ERM should seek to understand what decisions board, executive, and line managers must make and then structure risk programs and information to help them succeed. By the way, when time and money permit, an organization-wide operational risk program can further extend this at the employee level.

  4. Visibility matters - ERM staff need to be able to garner the respect and attention of the organization and its Board.
    Burying the role and function too far down in the organization will result in a token program – which in the end just wastes money and dooms the program to failure.

  5. And finally, be careful not to make your program bigger than it needs to be to enhance the success of the organization.
    Allowing it to become too big or too detailed not only leads to confusion about what needs attention and who needs to act but also unnecessarily draws resources away from serving members and generating bottom line.

In a nutshell, know your organization and the risks that matter to your success, take care not to blur existing lines of accountability, build your program to suit your size and complexity, and keep it as simple as possible while meeting the needs of your organization.   

This blog post has focused on the foundation. Much more could be said about tools, methods, and techniques such as control self-assessment structures, risk appetite and policy frameworks, risk dialogue, and risk reporting - but those are topics for another day. In the meantime, I leave you with the thought that recognizing and responding to changing conditions is key to sustainable success…and that risk management plays an important role in the process.


Change creates opportunity...

Opportunity creates risk...

Optimized risk creates shareholder value. (Karen McBride)


BIO: Karen McBride is a risk professional and retired executive with more than 40 years in the financial services industry. She currently operates Risk Lens Consulting and has designed and implemented risk programs for the credit union sector, including a volunteer residency of one year in the country of Malawi. An enthusiastic “co-operator”, she and her husband also spearheaded the launch of a SACCO (financial co-operative) for the Malawi Police Service and currently work with a Malawian partner to provide sustainable support to more than forty orphans and disadvantaged children in Likuni Village, Malawi.  




Last modified on Friday, 23 October 2020 19:57