Please describe Interra’s ERM dashboard.
AP: We built six different dashboards based on the results of the consultant’s ERM risk assessment of the credit union. We enhanced these last year to improve decision-making. Each dashboard is a separate worksheet within a larger Excel document.
We start with a summary, which displays a residual risk heat map that ties in with our top 10 ERM risks along with any high-risk audit or regulatory findings. The summary also identifies risks as well as an action plan and the status of each risk.
We haven't seen a lot of change in our top 10 ERM risks. Many enterprise risks, such as unauthorized access to IT systems, tend to stay on our summary page. However, we continually update our action plans.
We also include a corporate scorecard as part of our ERM dashboard. This includes key metrics like membership growth, loan growth, and deposit growth with graphs of each.
We then go through credit risks, ALCO risks, and operational and compliance risks.
Each dashboard includes four different graphs and a summary box that bullets out the key risks or measurements in that area, notes anything that is outside of policy, and points out any significant emerging risks.
Because Quadrant Risk Advisory worked with us to create these, we’re able to maintain and enhance them. For example, if we want to change our measurements or indicators, we can easily modify the dashboard.
How often do you update and share the reports?
AP: We update the ERM risk assessment by business line on an ongoing basis throughout the year. We meet with each department head to review specific risks and discuss changes in process, controls, procedure, etc. We do the same for new services as they are developed.
We update the actual reporting and dashboard quarterly and present that to our ERM committee and board of directors. The ERM committee consists of myself, as chair, our CFO, COO, chief strategy officer, CEO, vice president of IT, and participants from internal audit, fraud, compliance, retail, and consumer lending services.
Instead of developing the ERM program around what a certain software can do, we wanted to build a program that would work for us.
It is a good range of individuals who attend, but only a select few are voting members. We meet monthly to discuss various risks, but update the dashboards only quarterly because those are meant to help us look at longer-term trends and prepare for the future.
Other committees, such as the Loan Committee, are looking at specific risks such as the delinquency rate in more depth every month and acting on a day-to-day basis, if needed.
Has the overall impression of ERM throughout Interra changed?
AP: Yes, and having buy-in from the top-down has been a key driver of that.
In the beginning, not everyone fully understood or saw the value of ERM. That was a challenge initially and took some tough conversations, but now we have a better process in place with clear direction.
One area that is still a challenge to convey is that we must remain forward-looking in our ERM efforts. It is easy to get caught up in looking at the data and trends of the past rather than focusing on what it says about where we are going in the future. That’s why we talk about emerging risks and make sure those are part of our ongoing discussions.
Working with each of the department heads has been critical. We hold individual sessions with them to discuss their specific area, but we also broke our initial training on ERM into different sessions so we could tailor it to various groups, such as the board, executive team, and department leaders.
Now that we’re several years into our program, we want to continue promoting that risk culture throughout the organization. Everyday decisions can impact the larger organization, and we want all our staff to think more cross-functionally across the credit union. This is built into our 2017 strategy.
What advice would you give on how to make ERM more approachable?
AP: Define ERM early on and adopt consistent terminology.
We use the same rating scale and measure risks in all areas against the same standards. This makes it easy for everyone to understand when something is a material risk.
It’s also important to be open to hearing from department heads and staff members. People are often fearful of bringing up something they know is wrong or that might pose a risk because they don’t want to get in trouble or have something look bad on them or their area. Let people know it’s OK to have those discussions and bring forth these items. We found meeting with the department heads separately — without executives in the room — helped remove that barrier.
Lastly, don’t jump into a software relationship too early. Really explore all your options.
This was critical for us and has given us the flexibility to make changes in a cost-effective way as we evolve our program.