Everyone needs to assess their risks, especially in a post-pandemic environment. Enterprise risk management is a methodology that looks at risk management strategically from the perspective of an entire organization. Implementing an ERM program at a credit union does make good sense.
In this episode of With Flying Colors, Mark Treichel interviews David Seibert, an Enterprise Risk Management Expert, about all things ERM. David is also the President, Owner, and Chief Risk Officer of David Seibert Consulting.
Listen in as they discuss the principles of ERM and why it helps to crystalize strategy efforts. Also, discover why the National Credit Union Administration (NCUA) responds positively to credit unions with a strong ERM structure.
Listen to the podcast here
Enterprise Risk Management (ERM) With Expert David Seibert
I have a special guest that I first connected with recently on LinkedIn. I have the good fortune of chatting with David Seibert, who is an Enterprise Risk Management for credit union expert. David How are you doing?
I'm doing great, Mark. Thank you so much for having me on. I'm looking forward to this.
Enterprise Risk Management is something that comes up with several of my clients as it relates to NCUA examinations. We might be able to speak to that a little bit. The whole concept of Enterprise Risk Management in and of itself is a big discipline. Some credit unions have it. Some credit unions don't. NCUA does not particularly require it.
However, if you go to the guidance that they have out there that they have provided to their examiners, they talk about the fact that credit unions need to assess their risk management and everything short of requiring it, they point out that large credit unions (they don't define what large is) but they talk about the fact that one way you can assess your risks and control your risks is to have an ERM framework, which is why I thought it would be good to chat with you about all things related to Enterprise Risk Management.
You are right about everything you said about the NCUA’s stance on this. I'm looking forward to diving in.
David, in looking a little bit at your resume, I know that in some of your LinkedIn posts, you provide a lot of clarity on this topic. You weren't always an Enterprise Risk Management professional. Could you describe for the audience what led you to risk management?
I'm old enough that there is no way that I could have started in Enterprise Risk Management. You have to be a fairly young person to start in ERM because it is a fairly new discipline relative to everything else we do in business. I did start my career in finance. I started structuring municipal bonds for a small boutique financial advisory firm, but my interests changed to the internet and IT. I became interested in information security.
I did an abrupt career change there and switched over to IT information security. I did that for about twelve years. During that time, I was having to manage my own departments. I was getting more exposure to corporate strategy. I was learning a lot about strategy. Here I was in this risk silo of information security, and I was infatuated with strategy. I was wondering how my risk fits in with the strategy and the overall business plan.
I knew there were other functions at the business, and I wondered how they dealt with strategy. There was a gap there. Towards the end of that twelve-year career, I found Enterprise Risk Management. I noticed that was what filled the gap between your silo risk management functions and corporate strategy. I started studying that for several years.
In 2010, I got my first job doing Enterprise Risk Management at a large credit union in Minnesota. I did that. I have been a lifelong credit union member. I was always a big fan of the credit union movement. I started in Enterprise Risk Management in 2010. I have been doing that for twelve years. I left the credit union after four and a half years, and I have been consulting with the credit unions ever since to help them implement and improve their current program. That is what I have been doing.
If you're in charge of ERM, go out and build relationships with other people at the credit union who are doing risk management.
A lot of times, when I think about different new topics, I always think about the fact that life is a bell curve, and you can plot anything that you want on a bell curve. If you were to plot the different ways to approach ERM, I'm sure there is probably a center part of the bell curve where a lot of people do it this way. You can move to the left. There will be different ways you can approach it to the left, and there will be different ways you could approach it to the right on that bell curve. With all the different ways that ERM could be approached, what is it that you think on how to approach ERM as it relates to when you are working with your clients?
That is an interesting way to look at it with that bell curve. I could list a number of things that are outside, on the tails of those bell curves. Most of us do Enterprise Risk Management where we have at least some interest in risk appetite. There are some factions out there that have complete doubt about whether risk appetite works, and I sometimes have my doubts too. It is an elegant concept but difficult to put into practice.
In the middle of that bell curve, there are your enterprise risk assessments. What are our top risks? What are we doing about those? The key risk indicator is one of the most popular offerings and projects I do with credit unions. There is a lot to be done with key risk indicators, and they get underutilized. I'm a big fan of that.
One of the things that sits far outside of the curve is quantitative risk management. I know not many credit unions at all do this. That is recognizing that your drivers of risk and your outcomes of risk are a distribution of outcomes. They are bell curves or some a curve. There is the idea of running a Monte Carlo simulation to figure out what your true risk is, but that is off on the tail side.
The last thing I would say about that is my personal approach to ERM came about in my early days of doing Enterprise Risk Management because as I was doing the activities of ERM, I was always interacting with the corporate strategy. That makes sense to a lot of us because we are all trying to achieve the strategy, and we have to understand our risks to achieve the strategy.
I was interacting a lot with governance. There is the board, the supervisory committee, the management risk management committee, and other committees like ALCO, and lending. Also, governance includes the policies and the control framework. As I was doing ERM, I was always running into strategy and governance. I have this ecosystem. I call it the RGS ecosystem, which is the Risk Governance and Strategy ecosystem. When I work with all my credit unions by default, they are going to get good integration with governance and strategy because that is how I see it. That is my unique perspective on it.
I think you even refer to being the inventor of the RGS strategy. You pointed that out. I was going to ask you what that is, but you took care of that right there.
I decided to say I was the inventor of that because I have received a lot of positive feedback on LinkedIn through my posts about that ecosystem. I thought I should keep moving forward with this concept. I'm going to keep exploring it further and building content around it.
One of the things you mentioned is the key risk indicators. It sounded like all of your clients, when they come into the fold, that is something that you do for them or that you offer them. Is that typically the starting point? If someone comes in, is that when you are going to sit down and brainstorm on ERM, and are they brand new to ERM? Is that a good starting point? Where does the conversation start with the credit union that is new to ERM?
When a credit union is first starting out, even before they would contact someone like me, I would suggest that whoever is in charge of ERM to go out and talk to other people at the credit union who are doing risk management activities. Take an inventory of what is already taking place, build relationships, find out what is working, and build a plan based on that so you don't have to reinvent anything. You are also not burning any bridges. You are building good relationships.
The second thing I would suggest is there are a number of foundational things that you need to put into place before you rush out there and start identifying risks. You need to make sure your governance is in place. Is there a risk policy, and how quickly can you get a risk policy put together? You need that directive from the board saying, “We will do Enterprise Risk Management.”
You want roles and responsibility. Once you identify risk, who is going to do what and what they are responsible for doing. A risk management committee or a management level committee is helpful to build and improve a risk management program. You want that in place. In terms and definitions, it is amazing how people at the same organization can have a completely different understanding of a term than everybody else.
You want to make sure that you get on the same page with terms and definitions because you can have some strange conversations when you are talking about what is a residual risk, what is an inherent risk, and all this stuff. Those are some foundational things I would put into place. When credit unions come to me, and they want to get started, I will do an assessment of what's in place already. I will look at their foundational elements and do a gap analysis there.
From there, there are two paths that credit unions typically will go down. They will either go down the enterprise risk assessment path, which is, “Let's identify our key risks, that top ten list.” That is well known and that is a common route, or key risk indicator. For credit unions that are already good at metrics and service level agreements and that kind of thing, they don't have any concerns about any major risks they are missing out on, key risk indicators can be a fantastic cornerstone for an Enterprise Risk Management program because you can do some reporting that is digestible by the board. You can report different levels of key risk indicators to different levels of the organization. That is a second popular path to go down.
The government's concept, the reporting to the board concept, looking at it from the path I took from the NCUA side of things, the examiners typically are going to be looking at how are they assessing the risk, how is that being reported to the board, what is being reported to the board. There is what the board wants to know, and there is what the board is required to know. Somewhere in between that is what they should know. You sit down with clients or you mentioned going to speak to boards of directors and talking them through this. I'm sure you must have some dialogues that fall into those categories.
I'm pleased with the level of risk management interest and knowledge by the boards I have worked with. That is very good to report. I do like to get their take on it as early as I can and their sentiment and what they want. If I feel there is a gap there, I will take that opportunity to suggest other things they ought to be doing and what they ought to be looking at.
You nailed it, Mark, as far as what they should be doing. They need to have an understanding of how risk is managed at the credit union and have faith that it is managed properly so they can trust the reporting. They need to look at the reporting and make sure that the risks that the credit union is taking are in line with their risk appetite and what they want to achieve, and how they represent the membership. Those are the two main things that I like to talk to boards about.
Getting the board sentiment and their take on risk management along with senior management, what the culture of the organization is, what is the decision framework, and how do they make decisions? Is it consensus-based? Is it decentralized? Is it hierarchical? A lot of these things come into play. I work with all sorts of credit unions, but I need to discover that before I dig in.
I can see that in the culture. You mentioned building trust, building bridges, and getting the groups together. You started on the IT side, which has its own associated risks, and you mitigated those risks. You wanted to move beyond that and get into the strategy of the other areas. Let's say you are out there, and you have got the CFO, IT person and HR. Each one of those is a wheel on the operations of the credit union.
However, there also can be some turf issues . This is my program. This is how I mitigate my risk. When you are setting up what the board wants and potentially a committee, who ends up on the committee? Who ends up not being on the committee? It’s all those dynamics. I'm sure you help credit unions to decide on those fun things.
A risk management committee or a management level committee is helpful in building and improving a risk management program.
Those dynamics all come into play. I'm happy to say that does not turn into an issue. Most credit unions are easy to work with. They figure out who should be on the committee. Roles and responsibilities, documenting those in your policy, and getting that stuff laid down and in writing helps that out. The process of doing that gets people's differences of opinion to eventually align.
If you go about it the right way and bring people into the fold at the right speed and with the right intentions, you get to the right outcome. There is some skill involved in doing that. You mentioned these different functions like HR and IT, they have their way of doing risk. Another way to look at it is they also have a bias toward how big their cog is in the wheel.
With HR, nothing happens without people. We all know that. HR has got that big stick like, “We’ve got to have people. IT is like, “Let's talk about this. Everything runs on systems. I need to have this secure.” It is interesting to understand their viewpoint when it comes to how they fit into the strategy, as well as how should we mitigate my risks? That soft side of Enterprise Risk Management is where the excitement is and the fun. The technical side of building spreadsheets and things like that is just routine stuff.
Looking at the journey that I took at NCUA. I’m starting as an examiner on the mission side of the operation, but I spent three years as a deputy executive director, and eight years as the executive director. It wasn't until I served as the deputy executive director that I was directly supervising the support portions for the mission.
You are looking at the definition of support. It holds you up. It is the foundation. There would be those discussions at NCUA relative to the people, to the dollars, needing to get a new software system up and running so we can do the exam program quickly, yet, you want to make sure that you can't get attacked behind the scenes. You need to give the chief information officer enough money to protect, create and build that moat. The mission can become irrelevant if you don't have that foundation in place. I get that, and the fact that you have an ERM policy, and you form the committee can lead to a better conversation around everything that leads or doesn't lead to risk and then how to control that.
I do believe in Enterprise Risk Management and the supporting governance, policies, roles, responsibilities, definitions and capabilities to manage risk at the organization. Everything you talked about is more difficult. It is difficult without those things in place. You are right. If you have those in place, you have a committee, you have a place to have the conversations, and you bring those people together and have those conversations, it makes a big difference.
It makes it easier to talk about risk and get to a consensus. The tools help you get to a consensus. There are a lot of those hidden things about Enterprise Risk Management that people don't think about, but it has a lot of benefits. Another benefit is when you implement an Enterprise Risk Management program at a credit union, you almost immediately improve your strategy management process.
What is our strategy? What are the things we have to do well to achieve this strategy? The fact that you are always assessing risk relative to what we are trying to achieve, meaning you are talking about the strategy, immediately has an impact on the quality of the strategy. I love that outcome too. It is pretty impressive.
A lot of different things going on in the world. Post-pandemic is different than things were pre-pandemic. Whether that is remote work or the fact that you and I are looking at each other on a video conference, NCUA does a big part of their exams and starts going back on site. That was driven to a great extent by the pandemic. What is your takeaway relative to Enterprise Risk Management post-pandemic? Was there an a-ha moment or has Enterprise Risk Management moved in a particular manner because of where the world is at now?
We have certainly gone through a lot of change. I do believe that Enterprise Risk Management programs at credit unions are getting much more attention. I'm seeing that now. A lot of the individuals who are working in Enterprise Risk Management played a powerful role in the changes necessary to accommodate work from home.
They were charged with, “Let's figure out how we are going to do this. How are we going to make our IT infrastructure secure? Let's work with IT on this. Let's assess that risk. Let's decide when we can close a branch, when we can open a branch, and what is our mask policy.” ERM was involved in all of these things. That has elevated the status. Since then, there have been many changes in society now. Because everybody is working from home and because of the Russia-Ukraine thing, the cyber risk continues to be a high risk on everybody's radar.
This whole Great Resignation in staffing is a big challenge. That is a risk they are dealing with. There is climate change and ESG. Even given the pandemic, that is getting big in the news. I do talk to credit unions. I have started talking about that internally and how to deal with that. ERM is picking up all that diversity and inclusion. It is an important topic credit unions are diving into. Prior to the pandemic, you would call it your baseline, but post-pandemic now, there are a lot of changes going on that are elevating the need for Enterprise Risk Management and the need to improve it and be more effective. That's how I would summarize post-pandemic ERM at credit unions.
Even as you were describing that on the front end, those credit unions that had ERM in place when the pandemic hit knew where they were going to have those tough conversations. When should we open the branch? What are we going to do relative to masks? When do we have to close the masks? How do we deal with the legal risk versus the operational risk of having to get the doors open to being able to serve your members? There is no doubt in my mind that those that had that in place had that structure and probably had a running head start, as opposed to those that were doing it business as usual without that framework.
Those credit unions with ERM in place already had the experience of talking about a lot of these topics because there are scenario planning and business continuity. People are already talking about those things as they conduct Enterprise Risk Management activities. It was leveraging that in a real-world situation and enacting it.
This is not a tabletop exercise this time.
You’re right, this is no longer a tabletop exercise and by the way, a pandemic won't last two weeks.
Back in March 2020, on a call with all of NCUA staff, I shut down NCUA as the executive director for two weeks. We had push back on the call. People at that juncture thought it was an overreaction. It wasn't until several months ago that NCUA started giving examiners the option to go back on site. Some credit unions are receptive to it and all that. It has been an interesting couple of years. Speaking of NCUA, how does NCUA come into play during your consulting engagements with credit unions?
There are a few credit unions that will contact me because the NCUA was on site. They suggested that the credit union improve their risk management capabilities. That is typically how it is worded. They won't come right out and mention Enterprise Risk Management. Sometimes they do, but they know they need to improve Enterprise Risk Management. That is sometimes the lead-in for me to be contacted.
For those credit unions that already do Enterprise Risk Management, a lot of the exams are happy with the fact that they have Enterprise Risk Management. They don't get any further feedback. I have the pleasure of hearing about credit unions that are doing Enterprise Risk Management, but they don't have any concerns from the NCUA. They still might contact me because there is a specific part of ERM they want to implement, and they realize they don't have maybe the skill set or the time to get it done. It has nothing to do with NCUA.
I do believe that the examiners look highly upon Enterprise Risk Management programs. I remember myself. I think it was year two of me being in ERM at the credit union. The examiner sat down with me in a conference room. He looked at me and said, “It looks like you have done all my work for me.” I thought, “This is great.” That is starting off right on the right foot.
When you implement an ERM program at a credit union, you almost immediately improve your strategy management process.
I don't think that reaction from examiners is all that uncommon. They come in and look at what the ERM programs have put together for reporting, what they are sharing with the board, how identified risks have responded, and how that is working for them. They have positive things to say about it. My interaction with NCUA and their interaction with other credit unions is light now. So far, it has been good.
Your take on that mirrors what I have seen as a consultant and what my expectations were when I was at NCUA. They stop short of requiring it. That is mostly so that someone can decide based on their size and resources, whether or not it is appropriate. For anybody of any substantial size, I'm not going to pick a number, it is a good way to frame your risks. The NCUA exam is all about risks.
If you have this structure that explains it, you are going to get NCUA to say, “You have done my job for me.” Anytime an examiner makes that statement, you know that they are going to be there less frequently most likely, and your CAMEL score is going to be a little bit better. While NCUA has stopped short of saying it's required, there is no doubt in my mind that they look positively on credit unions that have invested in it. It is a wise investment relative to the risk.
One more thing on this since you mentioned that even small credit unions are implementing Enterprise Risk Management. That does happen. As a side note, I'm starting my own podcast around credit union Enterprise Risk Management. It is called ERM Perspectives. I interview credit union ERM practitioners every week and get their input.
One of my guests on the program was a CEO of a credit union because she is the ERM person. She runs ERM and chairs the risk management committee at the credit union. It falls on her, and she is happy to do it. Even small credit unions and the CEO can be in charge of Enterprise Risk Management. To your point, I think the NCUA would look positively on the fact that there is a program in place of that credit union.
One of the things that led me to want to do this show was the ability to talk about what is in my head after thirty three years at NCUA and talk to my team members. In a lot of my episodes, I interviewed team members who helped me when I went out and consulted. In reality, it is a way to give back to the credit union community and have these discussions where people can listen, where they may never even contemplate calling me and saying, “Mark, how can you help me directly?”
The fact that the opportunity to educate on that is out there, I enjoy doing that. I can see your podcast is going to do exactly that same thing. They might not be able to afford to bring in someone to do it. By listening to it, they are going to pick up some key concepts which may lead them to draft that policy and have that conversation with the board, which is going to put the credit union in a better place.
I'm doing this because no one else is doing this for Enterprise Risk Management for credit unions. There is a gap there that needs to be filled. The guests I've had so far are sharing things on how they do risk appetite, how they are reporting to the board, and how they are using key risk indicators. You are getting the inside scoop from each and every one of them on what they are doing.
The CEO, who is running her Enterprise Risk Management program, she follows the NCUA guideline, NCUA examination rules, and what the NCUA is doing. That is her baseline for building ERM. She also uses the call report heavily. She is leveraging some tools that are already out there. I thought that was great learning. Everybody can learn from listening to these podcasts. I'm looking forward to getting mine published. They are not published yet but I'm close.
I look forward to hearing them. As we get close to wrapping up here, David, any questions I should have asked? Any last thoughts you like to make relative to the concept of Enterprise Risk Management?
This has been a great conversation, Mark. We can stop here. I don't have anything else to add. You have done a great job of asking questions, and it was a lot of fun. Thank you.
It was fun and I do enjoy these. This one was fun in particular. Maybe that is the Minnesota connection that we haven't mentioned here, but we both have a long history in Minnesota.
I appreciate that connection. That was cool to find that out. I'm glad we made that connection.
If someone wants to reach out to you to see how you can assist them, what would be the best way for them to reach you?
David, thank you for your time.
Thank you, Mark.
I want to thank everybody for their time. I have no doubt you will enjoy this episode. I look forward to having you check out our future episodes.
LinkedIn - David Seibert
About David Seibert
As a former Vice President of Enterprise Risk Management at my own credit union, I lived the challenges and rewards first hand:
How do I build an ERM program from the ground up?
How do I construct my credit union's risk profile?
What's the best risk identification method for different areas of the credit union?
What's the best risk assessment method for a given risk type?
And ultimately, the joy of witnessing improved decision-making as a result of your ERM program's efforts.
Now I work with risk managers, management teams, and boards, helping them deliver their credit union strategy through optimized Enterprise Risk Management.