Educational Employees Credit Union ($2.1B, Fresno, CA)was chartered during the Great Depression as a credit union in Fresno, CA. It serves more than 200,000 members across 10 counties in the Central San Joaquin Valley. Its governance is composed of a board of directors and a separately elected, non-overlapping supervisory committee that hires an outside auditor. Dick Ashjian, senior vice president of risk management, joined EECU in 1987.
I started the internal audit department at Educational Employees Credit Union in 1987. In those days, people were not aware of and did not give much thought to internal auditing. We’ve come a long way.
The internal auditing process didn’t change much for almost 20 years. In about 2005, I began to look at what bigger banks were doing. I had come to this credit union from a bank, and I knew they spent resources looking forward. It was inevitable that some things they were doing would eventually find their way to the credit union community. Some of the big banks at this time were looking at operational risk as well as risk to their entire infrastructure. I began talking to our supervisory committee and CEO about evolving what we were doing and transitioning from an internal audit to a risk management culture. We asked ourselves: What belongs under a risk management umbrella? Our answer included such things as compliance, corporate security, loss prevention, and corporate insurance. This exercise helped us form our risk management group. We were looking at the rudiments of enterprise risk management (ERM) before the term had wide coinage and before the fiscal crisis of 2008. We focused the ensuing years on building a foundation for the group and identifying roles and responsibilities. ERM was still in the distance as a concept.
Engaging staff in some of these new ideas, having them work with us but without feeling overwhelmed, and threading these ideas into the credit union efficiently was a challenge. We had to re-orient business-line managers to the notion that they owned risk management of their processes and that risk was inherent in these activities. We knew this was not going to happen overnight.
The troubles of 2008 and the following years accelerated this, and other elements under the umbrella were magnified: vendor management, for example, and information security. New urgencies were pressed upon us. Some consultants touted software as a solution, but my feeling was we had to start with people. My slogan was “people- process-technology,” in that order. We had to start with people and the organization’s culture. Weaving effective risk management into the credit union would be a process of slow maturation and evolution rather than some quick overhaul. Like many, the credit union had managed its risks well over the years, but the industry was under fire and expectations were changing.
So we began lots of dialogue. We established discipline, and we examined the resources with which we might apply ERM ideas efficiently. We brought in new technology tools throughout the organization to enhance our risk analytics, and we invested in training.
We brought in a third-party consultant for an independent voice and to provide ERM training to the board, the supervisory committee, and 50 senior managers. This third party helped us along quite a bit.
Risk Management Today
Recently I have started the rudiments of what I call a six-point ERM implementation roadmap. Everyone’s roadmap can be different, but here is what I decided to work on over three years:
Project plan and framework.
Risk education and identification.
Risk analysis and evaluation.
Risk treatment and communication throughout the organization.
Communication and consultation with and among staff.
Monitoring and review.
If I can do these reasonably well we will have come a long way at embedding the notions of ERM into the EECU culture.
To help that roadmap along, we are developing risk champions, people who understand what we are trying to do as an organization. We put them into teams that view their work as an opportunity to learn more about the organization, its strategic objectives, and how risk management links to those objectives. Because we bring together people who have not been previously exposed to formal risk management principles, these people go back to their departments and share what they have learned. Consequently, it’s not just my voice talking about risk management. Slowly, the concepts are working their way into the EECU culture.
Compared with the past, our risk management is far more formalized. Previously, we talked about risk around a table and informally. Now, we have a disciplined and documented process. We also have a risk committee. Different credit unions have different models; ours has four members: the CFO and the SVP of risk management plus one person each from the board and the supervisory committee. To help with the committee’s oversight, we can also bring in another employee to shed light on any one aspect of risk.
As SVP of risk management, I report directly to the CEO. Certain groups report to me, namely people involved in business continuity, compliance, corporate insurance, security, and loss prevention. There is an organizational dotted line between me and internal audit, which reports directly to the supervisory committee.
More Value Added
We had to overcome the traditional view of risk as being limited to only operations. We needed to become more aware of the enterprise risks across the organization. We also wanted to look at the upside of risks and opportunities to take good risks. Here is where strategy is linked to risk analysis and risk management. Traditionally, credit unions have not been accustomed to dealing with strategic risk management, but this is a direction worth pursuing.
ERM also adds value by helping with the management component of exams. Examiners want to see that a credit union is trying to accumulate and learn from risk intelligence. They want to see if the board is regularly reviewing and discussing risk, even if through committees, as part of their oversight responsibilities. We are working on maturing all of these elements at EECU, and it is helping propel us into the future.
My advice for other credit unions: If you take too much of a bite right away, it can be overwhelming both for the risk management program and for the organization. Get started and chip away at it. You’ll get there.