1. ERM is meant to be implemented in phases.

Risk management takes time to implement, and that's a good thing. It gives your credit union the chance to build thoughtfully and make adjustments along the way, paving the way for quicker implementation down the road as you expand your efforts.

One of the great things about ERM is that it's a cumulative activity. More information makes for a stronger program, but even building out just the first phase of the program has a measurable impact on risk management at your credit union. Whether it's compliance, IT security, or corporate governance, each building block of risk management will help make your institution stronger and more resilient.

The key is to pick an area and begin. 

2. Risk management is all about strategy – even when deciding where to start.

There are two recommended approaches for building out a risk management program at a credit union to choose from:

• Identify a strategic goal or initiative and start there. When starting with the goal in mind, begin by identifying all the objectives and hurdles. What do you need to do? What might stand to prevent that from happening?

• Tackle the highest inherent risk(s) first. Inherent risk exists when there are no safeguards or controls to prevent it.

Either approach will help you "right size" your credit union's risk management. Often it makes the most sense to start with a strategic goal or initiative and then define inherent risk.

Regardless of your approach, your credit union will need to gather and update existing risk assessments to identify the greatest inherent risks and their mitigating controls.

Risk management empowers your credit union to assess threats and evaluate opportunities. That lets you better understand the significance of risk, how well it's controlled, and what, if anything, needs to be done to better manage it.

Initiating risk management efforts in areas of high inherent risk has two major benefits. First, by breaking off a piece you're making risk management more manageable. Second, it maximizes your risk management return on investment (ROI) by directing you to remediate risks that could have a major impact on your credit union.

While it's tempting to start with something small and easy, it's smarter to choose an area that will have a measurable impact on your risk profile. 

3. Risk assessments are all about data. 

Inherent risk is best understood with current data that are both relevant and quantifiable. Whether it's the auditor or examiner feedback, data security vulnerabilities, key risk indicators like data analytics suggesting a fair lending issue, a trend in customer complaints, or reports from human resources about difficulties attracting or retaining employees, there is no shortage of data to draw from.

Use this information to identify and prioritize areas with the greatest inherent risk. Then identify the controls that help mitigate the risks. 

4. The control process is always evolving.

Once you've identified inherent risk and their mitigating controls, the next step is to identify key controls. Key controls are defined as controls that are automated or expected to prevent risk.

Develop a schedule of who will assess controls and when. The good news is that because ERM encompasses so many areas, some of those controls may have already been reviewed by other functions, such as vendor management. These pre-existing reviews can be re-used if they are up-to-date.

Adjust your control assessment cycle as you go. Over time you'll find ways to make the process more effective and efficient as you gain a better understanding of how well it works with other areas of risk management, including business continuity and compliance.

Another best practice is creating key performance indicators (KPIs) to measure risk (and whether you are within your institution's risk tolerance) and progress toward strategic goals.   

5. The further you go, the easier it gets.

Once you've tackled your biggest areas of inherent risk, address other, less critical areas of risk. Not only will the process go faster with experience, it will also make the existing program stronger and more effective by building on what's already there.

As you build out the program and expand into different areas, your institution will expand its view of risk, giving the board and management more insights to make informed strategic decisions.

ERM is a journey, not a destination. Don't put off building out an ERM program because it seems too cumbersome. While the program won't be fully built in a day, or even a year, your credit union will reap the rewards along the way.

Michael Carpenter is vice president of risk management at Ncontracts, the leading provider of risk and compliance management solutions to the financial services industry. An indispensable risk management, compliance, and vendor management resource, he is an advocate of building stronger, more proactive and more resilient institutions. Prior to joining Ncontracts, Mr. Carpenter served as the vice president of risk management at several banks and credit unions. His broad base of industry knowledge is the result of building and running programs—including director training and reporting, compliance management, information security, BSA/AML, among others—at both small community financial institutions and larger institutions such as KeyBank and Chase Bank. He is a veteran of the U.S. Army.