ERM Assessments...Who is Responsible?
Another year, more assessments. Despite the burdensome reputation they often carry, assessments are a necessary part of any enterprise risk management (ERM) program, because they identify risks and vulnerabilities early on. Think of them as you would an annual checkup with the doctor or a preventive screening – quiet and less than glamorous, but vital tasks designed to catch issues before they become a serious problem.
Not only do ERM assessments help your credit union make decisions that are ultimately healthier for your institution from a risk perspective, but they can help you avoid costly and damaging emergencies.
But that’s not the real challenge, is it? You know that assessments are important. What is far more tedious than the assessment itself is determining who should be responsible for it, training people to understand their role in it and ensuring the result receives the regulatory seal of approval.
Who Owns the Task of ERM Assessments?
ERM assessments are designed to understand your credit union’s posture and help your management team and board of directors make informed decisions, but who possesses the knowledge to carry them out?
That’s where the expertise of your risk team comes in. ERM assessments are generally left to the chief risk officer, enterprise risk management director and/or even a group of risk employees. These are the people who understand:
- Regulatory and compliance requirements that pertain to examiner expectations, governance, third-party risk, etc.
- Risk assessment practices and methodologies, including inherent vs. residual risks, scoring techniques, risk aggregation, etc.
- Risk appetite and frameworks that show how actual risk is interpreted against the credit union’s risk thresholds.
- Stress testing and risk prevention to evaluate how risks evolve in various situations and under high pressure conditions.
- Assessment tools and software that guide the process and house data.
- Reporting and presentation of findings to ensure clarity, transparency and actionable results when given to decision-makers and regulators.
But the reality is that while members of the risk team take responsibility for the assessment process – including data collection, documentation, etc. – all parties within the organization play a contributing role. The risk committee is there for oversight, product owners and department leaders share their operational insights and, finally, management and the board make decisions based on the assessment’s results. With that in mind, it’s hard to say that any one person or team “owns” ERM assessments, because it requires cooperation across the organization.
Internal Parties: What Staff Should Know
Business risk isn’t just something your ERM/risk team needs to know – it’s a necessity for staff at all levels. Risks are ever evolving, so it’s important that staff and board members are aware of emerging risks and regulatory updates and how they impact their roles.
They should be knowledgeable about the specifics of their jobs, like risk within their products and services, as well as the systems and software they use. At the same time, they should be trained to look at risk in a holistic way to better understand how risks occur across departments and how their business functions interact with others throughout the credit union. This can be done through security awareness training, annual compliance and additional regulatory training, and tabletop and data recovery exercises.
The more employees understand the importance of proactive risk management, the more engaged they will be, resulting in a smoother assessment process.
External Parties: What Regulators Want to See
While many internal parties play a role in ERM assessments, another side to consider is the external parties – the regulators. After all, assessments aren’t simply a formality of checking off boxes – they give governing bodies insight into your credit union’s “health record,” so to speak. More specifically, regulators are looking to see how risk is built into the institution’s operations and decision-making process.
As such, they look for clear documentation with easily identifiable asset and information trails, strategic frameworks that account for risk objectives and resource allocation, and monitoring policies that ensure ongoing tracking of potential risks.
Assessing Emerging Risks
In addition to fundamental business risks, such as compliance and vendor risk, ERM assessments must be future-facing. With new technologies gaining a foothold in financial operations and regulatory requirements that continue to expand, credit unions must be aware of emerging challenges:
- Cyber Risk – Cyber threats aren’t new, but they continue to grow and become more sophisticated. Ransomware, social engineering and third-party risks can lead to operational, financial, data and reputational consequences.
- Economic Instability – Risks to your credit union’s balance sheet grow as uncertainty continues to plague the economy. It’s difficult to know how to position your lending and investment portfolio or adjust for changing member behavior with the ebbs and flows we’ve seen in terms of market performance, interest rate volatility, inflation, etc.
- Artificial Intelligence (AI) – Oh, the double-edged sword of AI. While it can simplify tasks and spit out data in a matter of seconds, it can also impose biases, expose credit union data and produce inaccurate information, especially if it isn’t governed properly.
- Geopolitical Tensions – Tariffs, sanctions and supply chain disruptions are only some of the ways geopolitical tensions have impacted credit unions in recent years. Economic conditions and even greater cyber crime can result from tensions, and credit unions must continue to monitor these situations.
- Credit Risk – Delinquencies and incomes eaten away by inflation are rising concerns for credit unions, particularly in terms of lending practices. Stress testing and thoughtful underwriting are critical to minimizing risk in this area.
- Skilled Workers – Future success is dependent upon succession planning and maintaining a skilled labor force. A gap in skills or knowledge could pose reputational risk to a credit union later on down the line.
- Regulatory Changes and Priorities – This is not a new concept for credit unions, but regulatory changes and shifting priorities mean that risk and compliance teams must be agile and aware. With cybersecurity, fraud and even consumer protection regulations evolving rapidly, we must continue to monitor changes, keep a proactive mindset and build flexibility into risk frameworks.
It’s Not Just About Ownership…It’s About Overall Risk Readiness
Effective ERM doesn’t live in a spreadsheet or a database – it lives in the ownership of every individual involved in the risk management process, from your risk team that understands the nuances of assessments to your board and management who use the results to guide strategic decisions, not to mention the regulators who are looking for evidence of risk readiness. By defining the roles of each person involved in the assessment and engaging them throughout the process, you can ensure that risk insights are properly documented, understood and acted upon in a way that promotes overall credit union health, stability and resilience.
Belinda Mumma is Vizo Financial's enterprise risk management director. She has many years of experience implementing and maintaining vendor management and vendor due diligence software. During her career, she also has been responsible for policy and legal review processes; implementing, directing and maintaining enterprise risk management software; and implementing and maintaining audit and exam findings software.