Enterprise Risk Management

Supervisory Letter No. 13-12, Enterprise Risk Management (ERM), discusses how NCUA views ERM as one framework for managing risk and the NCUA’s supervisory expectations regarding credit union risk management programs. Although a formal ERM framework is only required for corporate credit unions, all large or complex credit unions benefit from establishing and maintaining sufficient processes and a governing framework to manage risk.

ERM is widely utilized to centralize oversight of the risk management function, thus enabling consistent risk communication and aggregation within and across risk types. This establishes a holistic view of institution-wide risk for the credit union’s leadership team.

Additionally, a formalized and centralized risk management function like ERM allows cross-disciplinary teams to identify and assess risk from multiple perspectives and determine interrelationships between risk types and risk behaviors across lines of business. This practice may save the credit union money by reducing losses and identifying opportunities to increase efficiency.

ERM is a process that is:

  • Effected by people at every level of the credit union

  • Applied in strategy setting and across the enterprise

  • Designed to identify potential events that may affect the entity

ERM manages risks in alignment with a credit union’s risk appetite to provide reasonable assurance regarding the achievement of entity objectives.

A review of the ERM concept provides important insights into how large, complex credit unions can benefit from its adoption. A program does not have to be called ERM to be effective, as long as it achieves the overarching objectives of the approach.

Historically, credit unions applied risk management practices in silos, with each department conducting its own risk assessment for its line(s) of business. Under that approach, risk assessments were often completed independently of other departments, even though multiple departments may engage in activities that contribute to the same risk.

A credit union with effective risk management aggregates and evaluates risks holistically across the institution and avoids a silo approach. This typically results in more formal and centralized risk management practices.

While ERM frameworks can vary widely, they typically involve people, rules, and tools. This means a credit union establishes defined responsibilities for individuals (people), repeatable processes (rules), and the appropriate level of technology (tools) to identify and mitigate risk.

The enterprise aspect of ERM is what most differentiates it from tactical management of risk. Many organizations, including credit unions, have used internal auditors to perform risk assessments and to report their findings to executive management and/or the supervisory committee. Under this approach, risks are considered and addressed individually, potentially without consideration of their strategic implications or of how they interrelate. ERM reduces this silo effect by overseeing business line risk management, aggregating and reporting business unit risk positions, and facilitating ongoing communication with relevant stakeholders.

Last updated on August 23, 2022.