Credit union enterprise risk management programs to date largely have focused on operational internal controls, but proper ERM goes farther than that. Among other things, it also must consider a credit union's risk appetite. The importance of risk appetite has multiplied in light of several developments, such as the opening up of credit union charters to a greater variety of members and the scrutiny by examiners of how credit unions define their risk appetites. If a credit union has not defined its risk appetite, it has not identified the amount of risk it is willing and able to assume. Credit unions can follow a four-step road map to help incorporate risk appetite, tolerance and limits in their ERM structure.
The Risk Appetite Road Map
The following four steps can help credit unions define their risk appetites.
1. Confirm the credit union's strategy and strategic objectives. As indicated in the FSB's definition, risk appetite should align with a credit union's strategy and strategic objectives. Executives invest substantial time to develop a strategy and devise objectives that will get them there. For example, the goal to "be the credit union of choice for the community served" might have strategic objectives such as achieving X% market share and X% asset growth, and offering current innovative products while maintaining a member satisfaction score of X or greater. Determining the necessary steps helps accomplish those objectives. Often, though, no one other than the executive is aware of these plans. An understanding of the plans is indispensable when defining risk appetite.
2. Assess the risks associated with the strategic objectives, given the credit union's risk universe. Once the objectives and their requisite steps are identified, a credit union must identify and assess the risks for each objective – typical regulatory risks include credit, market, liquidity, operational, legal, compliance, interest rate, reputational, external and strategic risks. Depending on its circumstances, however, a credit union's risk universe could go beyond these regulatory risks. For example, a credit union that does extensive outsourcing might have significant third-party risk. A credit union with a growth strategy might be very concerned with member retention risk.
Of course, an ERM program cannot target every potential risk in a credit union's risk universe. A credit union should identify its top 10 to 12 risks, including the relevant regulatory risks and several that are more specific to the institution's particular circumstances.
3. Define and articulate the credit union's risk appetite, tolerance and limits. A risk appetite statement details a credit union's risk appetite and risk tolerance. The FSB describes it as the aggregate level and types of risk that the credit union is willing to accept or avoid in order to achieve its business objectives. The statement might include qualitative statements as well as quantitative measures expressed relative to earnings, capital, risk measures, liquidity and other relevant measures as appropriate. It also should address more difficult-to-quantify risks, such as reputation risks, money laundering and unethical practices. Examiners will review the risk appetite statement to determine whether the credit union understands the risks associated with its objectives, has articulated those risks and is quantifying them.
The Committee of Sponsoring Organizations of the Treadway Commission has stressed the importance of effective communication and monitoring in risk appetite statements. For risk appetite to be applied effectively, the statement must be specific so that it can be shared, measured and monitored by management. Risk appetite might be expressed, depending on complexity, as:
- An overall, broad risk statement (for example, "assume risks that the credit union can manage in order to optimize returns" or "balance risk and reward against the impact and cost of managing risks for the credit union");
- A risk appetite for each line of business or major product; or
- A risk appetite for each category of risk.
Note that defining a risk appetite statement is not a one-time process. A credit union's risk appetite and statement should be revised as needed to account for changing business and economic conditions, evolving strategic priorities and changing competitive conditions.
4. Establish, track and report key risk indicators (KRIs) aligned with risk appetite, tolerance and limits. KRIs are metrics the credit union has selected to use to get an early signal of increasing risk exposures and trigger further investigation and follow-up to manage the risk more effectively. They should reflect the institution's risk appetite and risk tolerance and satisfy the SMART criteria (specific, measurable, actionable, reported and time-based). For example, if a credit union has determined that its residential mortgage loans should not exceed a certain amount of capital, a relevant KRI would be the amount of residential loan dollars that have been originated year to date. KRI data should be collected on a regular basis.
Spread the Word
The board of directors should not go through the process of defining risk appetite in isolation. While it approves the credit union's risk appetite and risk tolerance – and the business lines set the risk limits – the defined risk appetite must be communicated to managers, supervisors and those on the front line so they understand how they fit into the bigger picture. This process can go a long way toward enhancing ERM and effectively communicating critical information throughout the organization.

Eileen M. Iles, CPA, CIA, CCSA is a Partner at Crowe Horwath. She can be reached at 630-575-4376 or [email protected].
© 2025 ALM Global, LLC, All Rights Reserved.