ERM Strategy for Credit Unions

By: William Hord, Vice President of Enterprise Risk Management Services for Quantivate.

When tackling an ERM strategy, your board and management must discuss and articulate your credit union’s risk management attitude and risk appetite. Both need to fully agree on the level of risk that the credit union is willing and able to take in the pursuit of their ERM strategic objectives. In the absence of this understanding, it is difficult for management to achieve the desired results and for the board to effectively fulfill its risk oversight responsibilities.

When your credit union’s management develops a formalized risk management processes, it is possible to successfully act upon risks at an enterprise level- in relationship to the strategic objectives you are seeking to achieve.

When these enterprise level risks are uncovered and openly discussed, management and the board can efficiently determine whether they are in line with their risk appetite.

Since risks for the credit union are always evolving, having an understanding of the most significant risks and their related responses will provide timely and quality risk information across the credit union. In turn, the addition of key risk indicators will help to identify emerging risks that may ultimately impact the achievement of strategic objectives.

When property executed, enterprise risk management will assist executives and boards in strengthening risk management in their credit union. Ultimately, this enhances the board’s risk oversight capabilities and provides a more robust credit union for the membership.

For a deeper dive into questions that credit unions need to know in order to implement an ERM structure strategically and successfully, listen to ERM Strategy for Credit Unions, the last installment of the podcast series, “A 360 View of ERM.”

You can catch up on the previous sessions by listening to them here: Part 1 – Getting Down to the ERM Basics or Part 2 – How to Create a Successful ERM Program.

Logo for Quantivate  Quantivate is the NAFCU Services Preferred Partner for Vendor and Contract Management Software. More educational resources are available

How to Create a Successful ERM Program

By: Bill Hord, Vice President of Enterprise Risk Management Services for Quantivate.

Credit unions seek to accomplish their strategic objectives within the framework of their mission. Once management has determined their strategic objectives, they set about creating strategies to achieve their objectives. Having a solid ERM framework applied in the strategy-setting process allows the credit union to identify and mitigate or accept the risks in pursuit of their objectives.

Utilizing an ERM framework helps the credit union provide reasonable assurance to the board of directors and management related to the achievement of the credit union’s objectives. This assurance is based upon the understanding of risks related to the objectives, and furthermore, that the risks have been reduced to acceptable levels.

Proper use of ERM will assist the credit union by also providing better governance and management processes that ultimately lead to informed risk-based decisions. These decisions and the internal controls in place to help mitigate the risks will reduce the risk associated with achieving the credit union’s objectives and help ensure they are within the stated risk appetite.

In order to create a successful ERM program you should:

  • Determine and utilize the proper risk framework for your credit union
  • Define and prioritize significant risks and identify the weakest critical control
  • Measure risk and controls
  • Complete a risk assessment and build a risk committee

Listen to the full podcast, “How to Create a Successful ERM Program”, for and in-depth discussion about how your credit union can strategically create an ERM program that is set up for success from the very first day of implementation.

During this 25-minute podcast, industry expert Bill Hord, Vice President of Enterprise Risk Management Services for Quantivate, joins Devon Lyon, Director of Education for NAFCU, and breaks down the steps your credit union should take to properly determine, assess, and prepare for risks when evaluating the best ERM program for your organization.

If you missed Part 1- Getting Down to the ERM Basics, you can listen to the  full podcast here.

Logo for Quantivate  Quantivate is the NAFCU Services Preferred Partner for Vendor and Contract Management Software. More educational resources are available at

Getting Down to the ERM Basics

By: Bill Hord, Vice President of Enterprise Risk Management Services for Quantivate.

Most people in the credit union community likely have a basic understanding of Enterprise Risk Management (ERM). But why is it important to the success of your credit union? And more importantly, how do you get started?

Top three things to know about Enterprise Risk Management:

  1. ERM helps credit unions develop strategies to identify the risks and opportunities impacting their strategic objectives.
    • ERM enhances risk response decisions and reduces operational losses by identifying potential risks ahead of time.
  2. ERM helps credit unions mitigate those risks to provide reasonable assurance to the board of directors and management related to achieving their strategic objectives.
    • ERM programs help executive management make better decisions on how risk should be managed and builds confidence with your board and auditors. Having an enhanced risk identification strategy allows your credit union to implement preemptive and proactive practices.
  3. ERM helps credit unions with the alignment of risk appetite and strategy to improve the deployment of capital.
    • A successful ERM program ultimately decreases the number of risk incidents, reduces cost of capital, and increases overall risk awareness at your credit union.

For more on Getting Down to the ERM Basics, join industry expert Bill Hord, Vice President of Enterprise Risk Management Services for Quantivate, for an insightful podcast. He sits down with Devon Lyon, Director of Education for NAFCU, for a high-level overview of enterprise risk management. Bill covers the ins and outs of what ERM is, what success looks like, and how to manage the ERM process. Listen to the  full podcast here.

Become a Vendor Assessment Jedi Using the NIST Cybersecurity Framework

Written by Randy Lindberg, Founder and Managing Partner with Rivial Security (A Quantivate Partner)

Computer bound with chain and padlockThere are some ordinary steps that you can take to assess vendor due diligence. But, you don’t want to be ordinary…

To be a Vendor Assessment Jedi, use the NIST Cybersecurity Framework, you must!

Vendor due diligence is the process of ensuring that the use of external IT service providers and other vendors does not create unacceptable potential for business disruption or negative impact on business performance.

To accomplish the objective of vendor due diligence, your credit union needs to:

  • Gather company details such as ownership specifics, company size, products offered, and location
  • Understand the company’s financial position, or rather, is this vendor financially stable enough to service your needs for at least 1 to 2 years
  • Know if the vendor will live up to their promises in terms of reputation via BBB ratings, CFPB complaints, and reference checks
  • Know how well the vendor is going to protect your data

Vendors that provide IT Services have additional due diligence requirements, your credit union needs to:

  • Make sure that contract language includes information on the right to audit, data security measures, and data ownership
  • Define specific security considerations and incident response procedures. Additionally, for cloud-based IT service there are additional data security questions that need answers (cloud-based IT service that the NIST 800-145 definition is referred to in FFIEC guidance1)

Ultimately, your credit union, as the entity responsible for assessing vendor due diligence, must understand the vendor’s cybersecurity stance. How do you determine a vendor’s cybersecurity position? You can request an audit of their security controls, which typically comes back in the form of an SSAE 16 report.

SSAE  stands for “Statement on Standards for Attestation Engagements.” The SSAE 16 is delivered in the form of Service Organization Controls (SOC) reports. There are several report types, but the two most common and important are:

  • SOC 1 Type 2, which reports on the design and effectiveness of internal controls over financial reporting; and
  • SOC 2 Type 2, which reports on the design and effectiveness of “trust service principles” such as security, confidentiality, and availability.

In most cases, the SOC 2 Type 2 is the best report for assessing cybersecurity. The SOC 1 report, however, is the most commonly used report. Not all SSAE 16 reports are the same because there is discretion as to which and how many of the five (5) trust services principles are actually examined and reported on during a SOC 2 engagement. You have to dig into some details to understand what is being reported.

For example, if an IT Service Provider has a SOC audit performed on their corporate network, but outsources application development and data center hosting, you’ll essentially be left with a meaningless document.

The ordinary steps used to perform a SSAE 16 review are:

  • Pinpoint findings without adequate management responses
  • Provide complementary user entity controls to system owner and/or IT

But, you want to be extraordinary. By using the NIST Cybersecurity Framework in the following way, you can become a Vendor Assessment Jedi:

  • Review the description of the vendor’s system addressed in the SSAE 16 report
  • Search for “subservice” to find the section where subservice organizations (i.e., any businesses that your vendor contracts with/outsources) are described
  • Use function, category, or subcategory (depending on your technical expertise and comfort level) to ensure control objectives are covered

NIST Cybersecurity Framework Core Example

NIST Cybersecurity Framework Core Example

Using the partial image above, you could search through the SSAE 16 report in a structured manner using the Framework as a guide.

If you use the “subcategory” component of the Framework, you would check the vendor’s report for a control objective that outlines “Response plans incorporate lessons learned” (as highlighted in the example above) or something very similar. If there is sufficient content in the report, you can mark that subcategory is ‘in place’ in your vendor cybersecurity assessment tracking documentation.

Using the NIST Cybersecurity Framework, in this way, to walk through vendor security audit reports provides a useful and efficient method to review vendor security controls.

To learn more about using the NIST Cybersecurity Framework to ensure proper vendor due diligence, register for the upcoming webinar, “Assessing Vendors Using the NIST Cybersecurity Framework,” presented by Randy Lindberg and Dan Banning, Director of Marketing at Quantivate.

Here are some additional resources for you to reference in the process of becoming a Vendor Assessment Jedi at your credit union:

Quantivate Logo
Quantivate is the NAFCU Services Preferred Partner for Vendor and Contract Management. Quantivate partners with Rivial Security to deliver cost-effective data security solutions that enable organizations to protect sensitive data, comply with industry standards, and gain a competitive advantage. Additional educational resources and contact information can be found at