A successful enterprise risk management (ERM) program requires the board, senior leadership team, and committees to work together to identify and mitigate an organization’s risks by ensuring processes are in place and are followed correctly.
“An ERM program won’t achieve maximum effectiveness unless you use it for strategic planning purposes as well as more tactically to mitigate operational risks,” says Scott Hood, strategy, risk, and assurance partner with Rochdale Paragon Group.
Q: What role do boards, the supervisory committee, and internal audit personnel play with ERM?
A: Boards play a key role in supporting an effective risk management culture throughout the credit union. They do this by establishing an ERM policy, asking for information on the organization’s largest risks, ensuring the ERM process includes the right groups throughout the organization, and using the information in setting strategy.
Internal audit personnel and the supervisory committee participate in the ERM process by validating that the credit union’s processes for mitigating risks function properly and result in the targeted residual risk benefits.
Q: Which group plays the biggest role in this?
A: ERM is an important source of information the board uses to understand the organization’s key risks and the processes the credit union uses to mitigate those risks. It provides the board with confidence that management is taking the steps necessary to manage the credit union’s overall risk.
Also, the board uses ERM information in setting and evaluating strategies, and ensuring initiatives are within the credit union’s risk appetite.
The supervisory committee oversees the testing and analysis that internal audit personnel conduct. That testing is critical to ensure the credit union’s responses to mitigate risk are working as anticipated. Internal audit work also provides confidence to the board and management that risk management processes are appropriate and effective.
The supervisory committee oversees the internal audit work.
Q: How can the three groups work together?
A: The board and supervisory committee should nurture a culture that supports effective risk management processes by setting the tone at the top of the organization, demonstrating interest in risk management activities, and securing adequate resources for effective risk management.
These groups need to lead by example, showing that they value the risk management and internal audit activities and benefit from the work of ERM and internal audit personnel.
Internal audit has always performed risk assessments as part of their work in identifying processes to review. ERM personnel now also conduct slightly different risk assessments that go beyond the traditional internal audit assessments by, for example, identifying risks to achieving strategic objectives and opportunity cost exposures.
It’s probably not realistic or even desirable for internal audit personnel to stop doing their risk assessment work. But they should use the ERM risk assessments to supplement their risk assessments in identifying the organization’s key risks.
Then they should feed their findings back to ERM personnel so ERM can update the credit union’s risk profile and understand the changes in procedures that need to occur.