How to Create an ERM Report That Tells a Story

Picture yourself, for a moment, back in kindergarten. You were just learning how to read with short sentences and lots of pictures. Over the years, throughout the rest of your school career and into adulthood, the stories evolved from two and three-word sentences accompanied by lots of illustrations to long paragraphs with more abstract thoughts and…well, those pictures are gone!

Perhaps the formats of the stories we read now are different, but the goal is still the same…to tell a story and gain an understanding of what the author is trying to tell you. You may not even realize it, but the same is true of your credit union enterprise risk management (ERM) report.

Ah, yes, that periodic snapshot of your organization’s risk position isn’t just a necessity characterized by a retelling of the detailed minutia of your risk appetite, potential threats and mitigation strategies. At least, not if you don’t want it to be. The truth is, what it can be – no matter how routine it may seem – is a story that tells the true tale of your credit union (the main character, or the protagonist) and your risks (the villains, or the antagonists). To your institution and your audience – your senior management team, your risk committee, your board of directors – this story is significant, which also makes the content and how you frame it just as important.

So, let’s break it down. Let’s take a typical ERM report and turn it into a story that proves interesting to read, educational to your main players (aka, your decision makers) and integral to the success of your credit union.

Report Structure & Information

A traditional story structure contains five parts: exposition, rising action, climax, falling action and conclusion/dénouement. Although an ERM report isn’t a traditional story, it can still follow this same five part structure. Here’s how it translates to include all the things your ERM report must address:

  1. Exposition – This is where all of your report’s contextual information can reside, as it’s the first section your board/management will see. This is where you should include three major pieces that define your credit union’s stance on risk: risk appetite statement, risk language and key indicators.
  • Risk appetite statement: This is where you clearly define the amount and characteristics of risk that are acceptable to your organization. It takes into consideration your credit union’s core values, policies and strategies, member needs and risk capacity as defined by distinct metrics. For example, your risk appetite may include a metric that says your credit union can accept up to two percent of check fraud cases on an annual basis where processing exceeds $3 million.
  • Risk language: In order for your board members, management team and other risk stakeholders to understand the report, you should provide an overview of key terms, acronyms and specific language that are important to the foundation of the report. This is an imperativepiece of the report because it prevents miscommunication or misunderstanding among your decision makers.
  • Key indicators: Most organizations have specific key performance indicators (KPIs) for the overall organization, but it’s also helpful to have key risk indicators (KRIs), specifically for the ERM report. Both KPIs and KRIs are good to share in the ERM report, but KRIs will provide a baseline for your risk management goals and objectives. They are a crucial part of the ERM report, as they will guide your strategies for prioritizing and addressing risk.
  1. Rising action – This can be an overview of your most recent risk assessment. How was the assessment conducted? Who were the people or organizations involved, particularly if you employ a third party to perform your assessment? What methods were used to obtain the risk assessment information and results? What systems, networks and additional factors did you include in the risk assessment? These are all pieces of information that will lead up to the next part, and really the most important part, of your report.
  2. Climax – This is the pinnacle of your report because it will highlight the most pressing risks to your credit union found during the risk assessment. These risks should be as detailed as possible so that your audience understands the explicit and imminent threats to your operations, finances, regulations and compliance, reputation, cybersecurity and so on. The number of risks you include can vary and is up to the owners of your ERM tasks, but make sure to find that “Goldilocks” spot – don’t include too little and don’t include too much. You want to portray a clear picture of the most serious risks to your credit union, so if you leave information out, that can be detrimental to your risk posture because you may be unprepared for what’s to come. On the other hand, too many risks can be overwhelming to your board and management team, so much so that they can’t properly prioritize or address the risks. Here’s a tip for this part of your report: one risk is likely to impact another and creates a domino effect, so determine which risks are the most crucial to mitigate right away to prevent more risks from spreading.
  3. Falling action – In a traditional story, this is where the intensity from the climax starts to calm and loose ends are tied up. In your ERM report, though, this is where you’ll share ideas and strategies for mitigating the risks laid out in the previous section. Start with prioritization of the risks, then create recommendations for solutions to those risks and provide detailed descriptions of the resources (people, funding, technology, etc.) needed to complete the mitigation strategies. These are critical pieces of the report and should be well thought out because they will set forth a path of action for your decision makers.
  4. Conclusion/Dénouement – Summarize the overall report and outline the risks and mitigations. These key takeaways from the report are more important than you might think, as they can provide a quick synopsis for reference when the time comes for board members and management to come up with solutions.

More to the Story?

The conclusion of your report must be the end of the story, right? Not quite! There is always more to the story. Here are a few reminders to keep on hand so that your ERM report tells a story that is effective and holistic in helping your board, management and risk committee make informed decisions.

  • Frequency: How often does this story need to be told? In other words, how often do you create and share your ERM report? Is it better to do it annually, quarterly, bi-monthly, monthly? The choice is up to your credit union and should be based on your risk management needs.
  • Quality AND Quantity: Both quality and quantity matter when it comes to your risk report. The more detailed you can be in describing your risks and mitigation strategies, the better off you’ll be. That means including numbers from data, statistics pertinent to the industry and current events and calculations in determining risk. As far as quality is concerned, provide real-life examples, case studies and anecdotes where necessary to paint the best picture you possibly can for your audience. And, most importantly, be sure that all of these components are reliable. Accurate information is a must.
  • Audience Matters: Know your audience. Take into account the strategic goals of your institution and the preferences of your board members, senior staff and risk committee when creating your ERM report because you’ll ultimately need their buy-in. Your decision makers set forth certain goals for your credit union – you know, those KPIs and KRIs we talked about earlier. They want to know their risk management staff is creating a report which is aligned with that mission and is recommending solutions which are actually attainable. When everyone is on the same page, you’ll be in a better position to take action against potential risks.

The moral of the story is this…your ERM report is a critical piece of your risk management operations. With that in mind, don’t think of it as just a report. Give it the life and the level of significance it deserves to share the story of your credit union’s true risk management position. The story will resonate with your decision makers and provide better insights that they need to tackle the many risks credit unions face every day.

The End!


Belinda Mumma is Vizo Financial's enterprise risk management coordinator. She has over 12 years of experience implementing and maintaining vendor management and vendor due diligence software. During her career, she also has been responsible for policy and legal review processes; implementing, directing and maintaining enterprise risk management software; and implementing and maintaining audit and exam findings software.