Identifying, measuring, and managing risk effectively is a growing area of focus for credit unions nationwide. Enterprise risk management has been making headlines for years, but last spring’s banking crisis coupled with growing cybersecurity and other concerns are keeping leaders up at night now.
Here, Daniel Tschopp, CPA and senior vice president of enterprise risk management for Logix Federal Credit Union ($9.6B, Valencia, CA), shares his cooperative’s decentralized approach to risk management.
Talk about your role at Logix.
Daniel Tschopp: I started with Logix about a decade ago and began building a risk management practice. Enterprise risk management is a strategic way of looking at various risk categories, and as we built out our ERM framework, I began evangelizing the idea that everyone is a risk manager. If you see something, you need to say something to ensure we’re aware of risk profile changes across the organization.
What other elements are needed for effective risk management?
DT: Other key building blocks include specifying your credit union’s risk appetite, assembling risk management committees, creating dashboards, and conducting regular risk assessments to identify changes in your posture or risk profile. Overall, it took about five years to put that kind of risk management practice in place at Logix.
CU QUICK FACTS
LOGIX FCU
DATA AS OF 12.31.23
HQ: Valencia, CA
ASSETS: $9.6B
MEMBERS: 247,367
BRANCHES: 18
EMPLOYEES:832
NET WORTH: 13.8%
ROA: 0.43%
How has Logix’s risk management evolved?
DT: At first, it was me, myself, and I focusing on risk management, which is typical for many credit unions. There aren’t always resources available, so ERM often becomes a side job for an existing leader. Areas that are most likely already mitigating risks, such as the fraud department, collections, business continuity, or internal audit departments, are tasked with overall risk management. It’s a balancing act for those leading a division to try to build something across the organization to manage risk. Once you hit a certain level of maturity and complexity, leaders typically begin asking for more resources.
For me, that happened about two years ago, when I added two specialists and began looking at the next phase of building a risk management program. That’s the operational risk management (ORM) piece, which translates risks into controls that can directly help mitigate and measure residual risk in dollar values. My team runs both ERM and ORM concurrently, and we’ve pushed accountability down into business units by repeatedly preaching the gospel that risk management is everyone’s job.
What steps did Logix take to spread risk management across the organization?
DT: We created risk management liaisons, so each business unit has a single person who acts as the point person for everything risk related. That includes helping update risk assessments, identifying potential issues, and generally advocating for risk management as the voice of risk in their area. These liaisons are vital and have really spread the duty of thinking about risk into the larger organization.
Can you provide a specific example of how this model works?
DT: Yes. AI, for example, is on everyone’s minds. It could easily be just me or my staff asking the entire organization what risks it might pose, but that’s not efficient. When an integrated risk management framework combines ERM and ORM, you can quickly identify where AI might have an impact. Specifically, you’ll be able to see where it’s already in use and where it might be beneficial or detrimental and then connect the departments that are already using AI with those exploring future use to discuss use cases and best practices.
Did you encounter any roadblocks in convincing others to prioritize risk management?
DT: Of course. We’re a relatively large credit union with almost 900 employees. Turnover can be a big issue, especially after you’ve built relationships and alliances. It takes time to get back to that same level of understanding with a new team member who hasn’t been exposed to the level of risk management preaching as their predecessor. Ultimately, you need all your peers and executive colleagues spreading the same gospel that risk management is everyone’s job. This area is so big that if I try to do it all by myself, I will fail. Fortunately, the tone coming from the very top, our CEO, is very helpful. She spreads the same message that everyone is a risk manager.
How do you maintain communication with your risk management liaisons?
DT: We have biweekly meetings to touch base with our approximately 45 risk management liaisons. In those meetings, we discuss recent changes and ask if there are any developments that stand out. If there are none, we typically share a recent risk scenario and use that as a training opportunity. For example, last week we discussed credit risk and had an underwriting guest speaker share their risk mitigation strategies and how they might have to adjust to address the latest changes.
Quarterly, we have a formal risk management training for our liaisons. This is a refresher for some and a great opportunity for new liaisons to learn what we expect from them as risk ambassadors. The liaisons themselves are typically at the management level, so they have time to focus on risk but are still in tune with the details about what’s going on in the market and with their staff. They understand how processes work and can help us pinpoint any pitfalls.
How do you communicate with senior executives?
DT: For executives, reporting is important, and finding something that is concise but still deep enough to provide relevant information can be challenging. We haven’t found a silver bullet yet but are close. We provide quarterly reporting and recently shifted from meeting quarterly to meeting monthly to take a deeper dive into one risk category on a rotational basis.
Previously, these 45-minute monthly meetings were with senior managers only, but now that we’re approaching $10 billion in assets, we’ve expanded them and created a separate ERM committee that includes board participation.
Reporting is important, but it shouldn’t be a distraction from the discussion about actual current issues. You can have all the dashboards in the world, but at the end of the day the conversations regarding what leads up to the reporting — which might be lagging the market — and the solutions being evaluated or implemented are critical. It takes time for processes to have an effect, so we must be in tune with what’s going on within each risk area and speak regularly with risk owners.
We’ve also done risk huddles where we focus on what keeps each executive up at night. These can be very effective. From them, we defined three current and emerging risks and formalized ongoing monitoring that will help us manage them.
Lastly, sometimes there are really pressing issues, such as dealing with charge-offs, that require a task force to be assembled. This kind of interdisciplinary team complements our risk management approach and happens separately from our regular risk management framework and communications.
Do you have any parting words of wisdom or advice for others?
DT: Don’t lose faith or patience. Making everyone a risk manager is not going to be an overnight process. Networking with larger credit unions that have a more mature risk management framework and have already received validation through examination feedback can be helpful as you look ahead.
There’s no one-size-fits-all tool for managing risk. Vendors often promise the world, so it’s important to know what you need and want in advance. We have a multitude of tools we use, including some built in-house, and each has its own strength.
This interview has been edited and condensed.
Evaluate Strategies And Collaborate With Industry Peers
Callahan Roundtables offer C-suite executives the chance to collaborate with like-minded leaders on upcoming strategies, discuss roadblocks and lessons learned, and connect on industry hot topics. Ready to empower the leaders of your organization? LEARN MORE
