Director - Enterprise Risk Management

Director Of Enterprise Risk Management

The Director of Enterprise Risk Management ("ERM") is responsible for developing, implementing, and overseeing the credit union's enterprise-wide risk management program across a complex, nationwide financial institution with $9 billion in assets. This position involves managing and mitigating risk across all organizational departments and channels. This role provides strategic and operational leadership of enterprise risk functions, including physical security, vendor and third-party risk management, business continuity and disaster recovery, emergency preparedness, operational risk assessments, risk scoring methodologies, and enterprise tabletop exercises.

The Director of ERM partners closely with executive leadership, business units and regulators to identify, assess, mitigate, and monitor risks that could impact the organization's operations, reputation, members, employees, or strategic objectives.

This position requires a proactive leader who can build scalable enterprise risk management frameworks while supporting innovation, growth, and operational resilience across a geographically dispersed organization.

Duties & Responsibilities

Enterprise Risk Management

• Lead and administer the credit union's enterprise risk management framework, including risk identification, assessment, mitigation, monitoring, continual improvement, and reporting activities.
• Develop and maintain enterprise risk methodologies, risk scoring models, risk appetite metrics, and key risk indicators (KRIs).
• Coordinate enterprise-wide risk assessments, ensure risks are appropriately documented, tracked, and monitor risk metrics to ensure timely escalation and containment of concerns.
• Monitor and assess the impact of enterprise risks, ensuring effective risk identification, prioritization, and mitigation strategies are in place across all organizational functions, creating a unified approach to risk management throughout the credit union.
• Oversee swift triage, containment, and resolution efforts across cross-functional teams.
• Lead root-cause investigations and lessons learned when incidents occur.
• Manage remediation, recommend and validate risk reduction actions and monitor for effectiveness.
• Provide strategic guidance and data-backed reports, dashboards, and presentations for executive leadership ensuring they are informed of the emerging risks, risk mitigation strategies, and the overall risk landscape.
• Assess risks associated with strategic objectives and key initiatives, ensuring informed decision-making by integrating risk analysis into planning processes and confirming that all credit union initiatives are supported by thorough, data-driven risk assessments.
• Stay ahead of emerging risk trends, evaluate new technologies, and ensure that enterprise risk management frameworks remain agile to address evolving threats, safeguarding the credit union's reputation, and financial stability.
• Support executive leadership in defining and refining the credit union's risk appetite and tolerance, ensuring that risk management practices align with the credit union's mission, vision, and business objectives.
• Promote a strong culture of risk awareness and accountability throughout the organization by collaborating with department heads across the organization to integrate risk management practices into operational processes, ensuring consistency, accuracy, and compliance throughout the credit union's operations.

Business Continuity, Disaster Recovery & Emergency Management

• Oversee the credit union's business continuity, disaster recovery, and emergency preparedness programs.
• Lead and maintain the enterprise Business Impact Analysis (BIA) program to identify critical processes, recovery time objectives, recovery point objectives, and resource dependencies.
• Ensure disaster recovery and business continuity plans are maintained, tested, and updated regularly.
• Coordinate and facilitate enterprise-wide tabletop exercises, incident simulations, and continuity testing.
• Lead response coordination during operational disruptions, emergencies, or crisis events.
• Assess and monitor third-party and vendor business continuity capabilities to ensure resilience across critical external dependencies.
• Partner with Information Security, Facilities, Operations, and executive leadership to strengthen organizational resilience.
• Establish and track recovery priorities and service restoration timelines to minimize operational and member impact during disruptions.
• Provide reporting and insights to executive leadership on continuity risks, testing results, gaps, and remediation progress.

Vendor & Third-Party Risk Management

• Direct the third-party/vendor risk management program, including risk assessments, due diligence, contract review coordination, ongoing monitoring, and issue remediation.
• Assess and validate vendors' information security, business continuity, and disaster recovery capabilities to ensure resilience of outsourced services.
• Establish and maintain a risk-tiering framework to classify vendors based on criticality, inherent risk, and impact to operations and member services.
• Ensure vendor oversight activities align with applicable regulatory guidance, company policies, and industry best practices.
• Track, escalate, and report third-party risks, control gaps, and remediation efforts to executive leadership and governance committees.
• Collaborate with Legal, Procurement, Compliance, Information Security, and business owners regarding vendor governance and risk mitigation.
• Monitor critical vendors and concentration risks affecting business operations.
• Drive continuous improvement of the vendor risk management program by incorporating regulatory updates, industry best practices, and lessons learned.

Physical Security

• Provide strategic oversight of the enterprise physical security program, including policies, standards, and risk governance for all locations nationwide.
• Lead and develop physical security leadership and staff, ensuring appropriate staffing models, capabilities, and performance aligned with organizational risk tolerance and regulatory expectations.
• Oversee the effectiveness of physical security controls, including access management, surveillance, alarm systems, and incident response programs, ensuring risks are identified, prioritized, and addressed.
• Oversee access governance, including role-based access, periodic reviews, and segregation of duties, to ensure appropriate controls over physical entry points.
• Ensure compliance with applicable regulatory requirements and industry standards related to physical security, workplace safety, and facility protection.
• Monitor and analyze physical security incidents, trends, and threat intelligence to proactively address emerging risks and enhance defensive strategies.
• Coordinate with third-party security vendors and service providers to ensure consistent service delivery, performance standards, and risk management across all locations.
• Partner with Facilities, Operations, Human Resources, and executive leadership to support employee and member safety, workplace security, and incident preparedness across the organization.
• Establish and maintain crisis management and workplace safety frameworks, including escalation protocols, response playbooks, and post-incident review processes to promote continuous improvement.

Governance & Regulatory Coordination

• Support regulatory examinations, audits, and independent reviews related to enterprise risk functions.
• Maintain awareness of evolving regulatory expectations impacting enterprise risk management and operational resilience.
• Assist in developing policies, procedures, and governance standards related to risk management functions.
• Coordinate with organizational departments to ensure alignment across risk disciplines.

Leadership & Strategic Planning

• Lead, mentor, and develop risk management personnel and cross-functional teams.
• Build scalable risk management processes suitable for a growing and increasingly complex financial institution.
• Participate in strategic initiatives, mergers, acquisitions, and organizational projects from a risk management perspective.
• Serve as a trusted advisor to executive leadership regarding operational and strategic risk matters.
• Performs other duties as assigned.

Requirements

Required Knowledge, Skills & Abilities:

• Strong understanding of enterprise risk management frameworks and operational resilience principles.
• Ability to balance risk mitigation with strategic and operational objectives.
• Excellent leadership, analytical, communication, presentation, project management, and organizational skills.
• Ability to influence and drive accountability across business units without direct authority.
• Strong business acumen with the ability to translate complex risk concepts into actionable insights for executive leadership.
• Strong knowledge of NCUA regulations, FFIEC expectations, and financial institution risk management practices.
• Proficiency in developing and leveraging metrics, dashboard, and reporting to support risk-informed decision-making.
• Strong problem-solving and decision-making capabilities under pressure.
• Ability to manage multiple complex initiatives simultaneously.
• High level of professionalism, discretion, and judgment.
• Strategic thinker with operational discipline.
• Collaborative and solutions-oriented leadership style.
• Ability to thrive in a fast-paced, evolving regulatory and operational environment.
• Professional presence with the ability to communicate effectively with stakeholders, with regulators and executive leadership and collaborate effectively across all organizational levels.