Member One Federal Credit Union ($599.3M, Roanoke, VA) began in 1940 as an institution that served the employees of the Norfolk and Western Railway. The 73-year-old cooperative is now the twelfth-largest credit union in Virginia. It serves nearly 70,000 members from two counties, nine cities, and more than 500 SEGs. Tim Rowe led the lending department for 25 years and helped build the credit union’s portfolio from $22 to $385 million. He became the chief risk officer in 2012.
Our enterprise risk management (ERM) program began last year when our CEO, Frank Carter, presented a growth opportunity that used my talents in a new way. I had been the head of lending for 25 years and he wanted me to become the credit union’s first chief risk officer. Consequently, we altered the credit union’s organizational structure. As chief lending officer, I reported to the COO, which is still true of the lending position today. As chief risk officer, however, I report to the CEO. A number of risk officers at other organizations report to the CFO, and the fact that I report to the CEO lends importance to the role. Buy-in from the CEO is critical to the success of the chief risk officer and risk management program. Moreover, top-level support elevates risk management to the strategic level.
ERM is a positive function of Member One. It helps us focus our strategic plan, look into the future for opportunities, and communicate across the organization. With ERM, we identify and measure the impact of current business risks and assess emerging risks while focusing on our strength and sustainability. It reveals where we stand and therefore where we can go, what we can explore, and where we can expand. It shows us what we have to navigate to make sure we offer as many services to as many members as possible. Ultimately, we want to grow our services profitably and take on as much risk as we can handle while remaining safe and sound. By managing risk, we also reveal opportunity.
Risk Management For Member One
I needed training to bring me up to speed on ERM, so I attended CUES Advanced Risk Management School last fall and finished CUNA’s Credit Union Enterprise Risk Management Expert (CU-ERME) program in December. More recently, I completed NAFCU’s Certified Compliance Officer School and earned the NCCO designation.
Our credit union believes in risk management, not risk avoidance. One of my goals is to help everyone from the board and senior management to front-line employees understand there is risk in everything we do. The important thing is to take the time and make the effort to understand and manage it.
Presently, I have no direct reports, which has allowed me the flexibility to move throughout the organization, whether to ask for data or to offer guidance, without the conflict of reviewing my own staff. One of my first activities was to explain to the C-level executives and key managers what ERM is and — equally important — what ERM is not. Fortunately for me, I had worked with our leadership team for a long time and there was a high level of trust among us.
The next thing I wanted to communicate was the fact that I am a resource for them, not someone there to scold or enforce. ERM is not a “gotcha” business. Rather, it is a way of discovering the risks the credit union takes every day, understanding those risks, and managing them holistically.
What we do now is different from in the past. The traditional approach was to look at reports, ratios, and the like. But these were snapshots of the past within separate departments. By comparison, ERM looks across departments and sees the various risks as an enterprise-wide challenge. It is focused on risk measurement in a continuous, ongoing manner. ERM must be part of the credit union’s DNA and not just another activity. This allows the risk manager to dig deeply into the organization and allows all employees to make ERM contributions and discoveries.
Communication and trust are critical to our ERM effort. Exposing risk does not reveal weakness in a leader. I pledge to managers that if there is some inordinate risk in their departments, I will work with them to mitigate it. Such discoveries help us prepare for consequences rather than be surprised by issues that develop. To hold back on discussing and assessing risk is to put the credit union in peril. Meetings lead to discoveries that in turn lead to items to address. Together we work to eliminate any surprises.
Questions, of course, are critical. You have to ask the right questions in order to receive meaningful replies. A software program called ERM 365 helps us gather timely, ongoing assessments. The system sends key questions to managers and tells me whether departments are in compliance with a specific topic, or have fulfilled training goals, or are within financially set boundaries and key performance indicators (KPIs). This allows me to quickly gain a pulse of the risk structure across the organization. If any one portion is out of sync with our expectations or strategy, we can address it.
Risks For The Credit Union And The Industry
Member One’s risks are limited on account of our diversity. We are multi-SEG, operate in an area not particularly hammered by falling real estate prices, and are less heavily into mortgages than we are autos and credit cards. We saw the credit crisis as an opportunity to be of service to our members and keep lending, which we did.
We also saw this as a time to examine our assumptions. In terms of risk assessment, we had tended to look at singular events such as what would happen if interest rates rose or real estate values fell. But a more realistic scenario would be negative events coming in a series. So this is what we look out for now, and ERM allows us to better consider what such a series might look like, how it would affect us, and what we could do.
Like all credit unions, we have multiple risks: interest rate, employee hires, key employee retentions, vendor management, IT security, regulatory compliance, and competitor encroachment, to name a few. I believe two of the greatest threats are also somewhat silent: new competitors and technology. These would be Apple, PayPal, smartphones — anything that is beginning to do what credit unions have traditionally done in the past. This relevancy threat from new technology, especially as it attracts the younger generation, is as critical as any risk we are facing.
I encourage credit unions that are considering enterprise risk management to make a start. A modest beginning can set the foundation to build a larger, stronger risk management program and credit union.