I recently wrote in an article on risk management by directors that not everything could be predicted.
I received a comment that "the essence of risk management … involves the management of all assumptions made in the planning and operating of a business."
I responded that "a risk matrix should look at all possible risks and prioritise them for likelihood and consequence."
The issue is how a risk management policy and a risk matrix can be made effective.
For example, the ANZ Review Committee report on the bank's dealings with Opes Prime concluded that there was a failure to report relevant issues to the Chief Executive Officer and Board: the gravity of the issues relating to the Equity Finance business should have been, but were not, properly brought to the attention of the Chief Executive Officer and Board.
It appears that the loan was not identified as a risk. Or if it was, it was not properly measured or it was regarded as within ANZ's risk "appetite". In any case, there was a failure to define risk.
It all depends on how risks are defined. And then what controls are put in place.
Which risks are acceptable? Which risks are not? Until that decision is made, there is ineffective risk management.
This process is often explored as part of a Board's strategic planning. The Board needs to be involved in the process of identifying the risks that might affect your credit union, especially unacceptable reputational and financial risks.