WEBVTT

NOTE
This file was generated by Descript 

00:00:08.134 --> 00:00:09.914
Hello, this is Samantha Shares.

00:00:10.363 --> 00:00:16.363
This episode covers NCUA's Supervisory
Letter to Credit Unions Number 13-12

00:00:16.373 --> 00:00:19.203
titled Enterprise Risk Management, or ERM.

00:00:19.653 --> 00:00:23.583
While this guidance was issued in
2013, it is still active and is

00:00:23.583 --> 00:00:26.973
referred to in examinations and
examiner discussions with credit

00:00:26.973 --> 00:00:29.463
unions, especially large credit unions.

00:00:29.943 --> 00:00:33.703
The following is an audio version of
that advisory and the press release.

00:00:34.193 --> 00:00:37.443
This podcast is educational
and is not legal advice.

00:00:37.833 --> 00:00:42.153
We are sponsored by Credit Union Exam
Solutions Incorporated, whose team

00:00:42.153 --> 00:00:46.843
has over 240 years of National Credit
Union Administration experience.

00:00:47.233 --> 00:00:50.943
We assist our clients with NCUA
so they save time and money.

00:00:51.173 --> 00:00:55.173
If you are worried about a recent,
upcoming, or in process NCUA

00:00:55.173 --> 00:00:59.443
examination, reach out to learn how
they can assist at marktreichel.com.

00:00:59.803 --> 00:01:03.843
Also, check out our other podcast called
With Flying Colors, where we provide

00:01:03.843 --> 00:01:05.803
tips on how to achieve success with NCUA.

00:01:05.803 --> 00:01:08.103
And now the letter.

00:01:08.513 --> 00:01:12.923
This Supervisory Letter discusses
how NCUA views Enterprise Risk

00:01:12.923 --> 00:01:18.533
Management, ERM, as one framework for
managing risk, and NCUA's Supervisory

00:01:18.553 --> 00:01:22.653
expectations with regard to credit
unions' risk management programs.

00:01:23.058 --> 00:01:26.108
Natural person credit unions
are not required to implement

00:01:26.138 --> 00:01:28.138
a formal ERM framework.

00:01:28.538 --> 00:01:32.278
However, credit unions are expected
to have sound processes sufficient

00:01:32.288 --> 00:01:35.958
to manage the risk associated with
their business model and strategies.

00:01:36.448 --> 00:01:40.508
This Supervisory Letter further
explains the distinction and outlines

00:01:40.508 --> 00:01:44.358
what examiners should consider when
evaluating the overall effectiveness of

00:01:44.358 --> 00:01:46.828
a credit union's risk management program.

00:01:47.268 --> 00:01:47.698
1.

00:01:47.968 --> 00:01:52.753
Introduction. This Supervisory Letter
provides examiners with an overview of

00:01:52.753 --> 00:01:57.403
the concepts and principles of Enterprise
Risk Management, ERM, as drawn from

00:01:57.403 --> 00:01:59.703
contemporary risk management practices.

00:02:00.013 --> 00:02:05.483
It also describes NCUA's Supervisory
perspective on ERM and outlines

00:02:05.483 --> 00:02:11.033
Supervisory expectations regarding credit
unions' use of a formal ERM framework.

00:02:11.503 --> 00:02:11.893
2.

00:02:12.463 --> 00:02:15.113
What is Enterprise Risk Management, ERM?

00:02:15.443 --> 00:02:18.993
Enterprise Risk Management is a
comprehensive risk optimization

00:02:18.993 --> 00:02:22.563
process that integrates risk
management across an organization.

00:02:22.953 --> 00:02:26.533
An organization's board of directors
ultimately makes the decision to

00:02:26.533 --> 00:02:31.173
develop and implement an ERM framework,
often with the goal of aligning

00:02:31.173 --> 00:02:33.013
risk with strategic objectives.

00:02:33.388 --> 00:02:38.268
ERM is not a process to eliminate
risk or to enforce risk limits, but

00:02:38.268 --> 00:02:42.238
rather to encourage organizations to
take a broad look at all risk factors,

00:02:42.418 --> 00:02:46.278
understand the interrelationships among
those factors, define an acceptable

00:02:46.278 --> 00:02:50.428
level of risk, and continuously monitor
functional areas to ensure that the

00:02:50.428 --> 00:02:52.558
defined risk threshold is maintained.

00:02:52.988 --> 00:02:57.158
The Committee of Sponsoring Organizations
of the Treadway Commission (COSO) defines

00:02:57.198 --> 00:03:02.218
ERM as a process that is ongoing and
applied throughout an organization.

00:03:02.718 --> 00:03:05.628
Effected by people at every
level of an organization.

00:03:06.038 --> 00:03:07.608
Applied in strategy setting.

00:03:08.078 --> 00:03:10.998
Takes an organization level
portfolio view of risk.

00:03:11.418 --> 00:03:15.178
Designed to identify potential events
that could affect the organization.

00:03:15.278 --> 00:03:18.508
And to manage risk within the
organization's risk appetite.

00:03:18.998 --> 00:03:21.928
Able to provide reasonable
assurance to an organization's

00:03:21.928 --> 00:03:23.728
management and board of directors.

00:03:23.748 --> 00:03:29.088
And geared to achieve objectives in one or
more separate but overlapping categories.

00:03:29.528 --> 00:03:33.488
The enterprise wide aspect of ERM
is what differentiates it most

00:03:33.488 --> 00:03:36.688
fundamentally from more traditional
risk management approaches.

00:03:37.128 --> 00:03:41.228
Many organizations, including credit
unions, traditionally have used internal

00:03:41.238 --> 00:03:45.588
auditors to perform risk assessments and
to report their findings to executive

00:03:45.588 --> 00:03:47.528
management and or the audit committee.

00:03:48.038 --> 00:03:52.128
Under this approach, risks are considered
and addressed individually, perhaps

00:03:52.128 --> 00:03:56.408
without consideration of the strategic
implications these risks may impart or

00:03:56.408 --> 00:03:58.488
how the risks interrelate to one another.

00:03:59.413 --> 00:04:03.583
ERM reduces this silo effect and
at the same time ensures ongoing

00:04:03.583 --> 00:04:08.293
communication with relevant stakeholders
(board, senior management, audit, etc.).

00:04:08.733 --> 00:04:09.163
3.

00:04:09.683 --> 00:04:12.433
Basic components of an ERM framework.

00:04:28.093 --> 00:04:32.813
Credit unions that incorporate ERM into
their risk management infrastructure may

00:04:32.813 --> 00:04:37.163
resource the program internally through
paid consultants or through a combination

00:04:37.163 --> 00:04:39.423
of outsourced and internal resources.

00:04:39.423 --> 00:04:44.453
NCUA does not view any approach as
preferable, provided core principles,

00:04:44.453 --> 00:04:48.413
controls, and due diligence are properly
established within the organization.

00:04:48.723 --> 00:04:52.623
That said, there are several basic
components of an ERM program that

00:04:52.623 --> 00:04:56.093
likely will be evident at any
financial institution that pursues

00:04:56.093 --> 00:04:58.513
an ERM approach to managing risk.

00:04:58.733 --> 00:05:02.783
Because examiners are likely to encounter
one or more of these components in their

00:05:02.783 --> 00:05:06.923
analysis of a credit union's operations,
they should be familiar with them.

00:05:07.368 --> 00:05:11.298
The table on the following page outlines
these components as identified in

00:05:11.298 --> 00:05:15.298
the COSO Framework, describes each,
and provides positive examples of

00:05:15.298 --> 00:05:19.058
how each component might manifest
in a credit union's operations.

00:05:19.518 --> 00:05:24.358
ERM Component: Established Risk
Culture. Description of Established

00:05:24.358 --> 00:05:28.548
Risk Culture: This is the tone at
the top that sets the basis for how

00:05:28.548 --> 00:05:32.528
risk is viewed and addressed by an
organization's stakeholders at all levels.

00:05:33.118 --> 00:05:36.748
The organization should define an
enterprise wide philosophy for risk

00:05:36.748 --> 00:05:40.488
management and risk appetite that
is grounded in integrity, ethical

00:05:40.488 --> 00:05:44.258
values, and a good grasp of how
various stakeholders are affected

00:05:44.258 --> 00:05:45.978
by the organization's decisions.

00:05:46.478 --> 00:05:49.038
Positive example of
established risk culture.

00:05:49.468 --> 00:05:53.438
Consistent support for the ERM
framework throughout the organization,

00:05:53.618 --> 00:05:56.718
from the chairman's office to
staff members on the front lines.

00:05:57.158 --> 00:05:59.028
ERM component clear objectives.

00:05:59.428 --> 00:06:01.208
Description of clear objectives.

00:06:01.593 --> 00:06:07.073
An ERM program encourages management to
set clear strategic, operations, reporting,

00:06:07.083 --> 00:06:11.133
and compliance objectives that support
and align with the organization's mission

00:06:11.313 --> 00:06:13.533
and are consistent with its risk appetite.

00:06:14.083 --> 00:06:16.223
Positive example of clear objectives.

00:06:16.673 --> 00:06:19.643
Future objectives are reasonably
achieved without exceeding a

00:06:19.643 --> 00:06:21.593
predetermined stated risk tolerance.

00:06:22.198 --> 00:06:24.718
ERM component Event Identification.

00:06:25.138 --> 00:06:29.418
The organization has identified internal
and external events affecting achievement

00:06:29.428 --> 00:06:33.328
of objectives and has distinguished
its risks from its opportunities.

00:06:33.818 --> 00:06:36.248
Positive example of event identification.

00:06:36.768 --> 00:06:41.368
For each uncertainty or potential
event, a leading indicator is created

00:06:41.368 --> 00:06:44.988
along with parameters that would
trigger a risk management response.

00:06:45.398 --> 00:06:49.223
ERM component risk assessment
Description of risk assessment.

00:06:49.663 --> 00:06:53.903
The organization continuously analyzes
risk, considering the likelihood and

00:06:53.903 --> 00:06:58.923
impact of various scenarios, and uses the
results of the analysis as a basis for

00:06:59.333 --> 00:07:01.353
determining how to manage those risks.

00:07:01.833 --> 00:07:03.793
Positive example of risk assessment.

00:07:04.368 --> 00:07:09.258
A risk heat map evolves from manager
surveys to determine priority of risks.

00:07:09.678 --> 00:07:11.838
ERM component, risk response.

00:07:12.208 --> 00:07:14.168
Description, risk response.

00:07:14.548 --> 00:07:19.128
Management evaluates possible responses
to risks, selects a response (avoid,

00:07:19.158 --> 00:07:22.988
accept, reduce, or share risk),
and develops a set of actions that

00:07:22.988 --> 00:07:27.048
aligns risks with the organization's
risk tolerances and risk appetite.

00:07:27.618 --> 00:07:29.788
Positive examples, risk response.

00:07:30.178 --> 00:07:31.008
Example 1.

00:07:31.468 --> 00:07:35.848
Management identifies the costs and
benefits for accepting each type of risk.

00:07:36.248 --> 00:07:37.078
Example 2.

00:07:37.528 --> 00:07:41.368
The most relevant risk information
is centralized and reported timely

00:07:41.378 --> 00:07:45.038
in the right form and to the right
people in order to make timely and

00:07:45.038 --> 00:07:46.768
effective decisions about risk.

00:07:47.268 --> 00:07:49.728
ERM Component, Control Activities.

00:07:50.108 --> 00:07:52.328
Description, Control Activities.

00:07:52.743 --> 00:07:56.433
A set of policies and procedures
that is established and implemented

00:07:56.433 --> 00:08:00.303
to help ensure that an organization
effectively responds to risks.

00:08:00.763 --> 00:08:01.903
Positive examples.

00:08:01.933 --> 00:08:03.233
Control activities.

00:08:03.673 --> 00:08:04.513
Example 1.

00:08:04.933 --> 00:08:09.573
Staff understands the differences
between risk avoidance, risk reduction,

00:08:09.583 --> 00:08:11.623
risk sharing, and risk acceptance.

00:08:11.993 --> 00:08:12.803
Example 2.

00:08:13.273 --> 00:08:17.583
The senior manager responsible for
ERM oversight reports directly to

00:08:17.583 --> 00:08:21.343
the board of directors or a board
established committee that will assure

00:08:21.343 --> 00:08:23.423
proper oversight and independence.

00:08:23.793 --> 00:08:24.703
Example 3.

00:08:25.123 --> 00:08:29.913
The ERM program is independent of the
risk taking and operational functions.

00:08:30.358 --> 00:08:31.268
ERM Component.

00:08:31.618 --> 00:08:33.328
Information and Communication.

00:08:33.738 --> 00:08:34.508
Description.

00:08:34.858 --> 00:08:36.548
Information and Communication.

00:08:36.978 --> 00:08:40.978
Relevant information is identified,
captured, and communicated in a form

00:08:40.978 --> 00:08:45.028
and time frame that enables stakeholders
to carry out their responsibilities.

00:08:45.438 --> 00:08:49.548
Key information about strategy and
decisions is communicated clearly and

00:08:49.548 --> 00:08:51.298
broadly throughout an organization.

00:08:51.778 --> 00:08:52.918
Positive examples.

00:08:53.198 --> 00:08:54.858
Information and Communication.

00:08:55.328 --> 00:08:56.128
Example 1.

00:08:56.658 --> 00:09:00.738
All personnel receive a clear
message from top management that ERM

00:09:00.748 --> 00:09:02.948
responsibilities are taken seriously.

00:09:03.378 --> 00:09:04.198
Example 2.

00:09:04.688 --> 00:09:07.818
A robust and reliable
reporting regimen is evident.

00:09:08.248 --> 00:09:09.158
ERM component.

00:09:09.368 --> 00:09:10.058
Monitoring.

00:09:10.508 --> 00:09:11.238
Description.

00:09:11.438 --> 00:09:12.158
Monitoring.

00:09:12.568 --> 00:09:15.898
The organization monitors, through
ongoing management activities

00:09:15.918 --> 00:09:19.698
and or separate evaluations, the
entirety of risk management and

00:09:19.698 --> 00:09:21.648
makes modifications as necessary.

00:09:22.228 --> 00:09:23.328
Positive example.

00:09:23.568 --> 00:09:24.288
Monitoring.

00:09:24.718 --> 00:09:28.388
Management reports performance
versus established risk limits.

00:09:28.768 --> 00:09:28.978
4.

00:09:30.388 --> 00:09:32.478
NCUA's Supervisory Perspective.

00:09:33.008 --> 00:09:37.508
Core ERM principles can be integrated
into the overall strategic planning

00:09:37.518 --> 00:09:40.908
and organizational risk management
infrastructure of credit unions

00:09:40.908 --> 00:09:45.498
of all sizes and risk levels, and
NCUA encourages credit unions to

00:09:45.498 --> 00:09:47.398
consider the benefits of doing so.

00:09:47.788 --> 00:09:51.478
However, implementing a formal
ERM framework requires

00:09:51.478 --> 00:09:55.048
a significant investment in
management, expertise, and systems.

00:09:55.718 --> 00:10:00.888
NCUA recognizes that most credit unions do
not possess the size, depth of resources,

00:10:00.898 --> 00:10:04.808
or range and level of risk exposures
to warrant the significant investment

00:10:04.818 --> 00:10:07.008
necessary to implement such a program.

00:10:07.448 --> 00:10:11.128
Thus, NCUA requires that only
corporate credit unions develop

00:10:11.318 --> 00:10:13.738
and follow a formal ERM policy.

00:10:14.128 --> 00:10:18.658
ERM is not a regulatory requirement
for natural person credit unions.

00:10:19.083 --> 00:10:23.963
When examining smaller, less complex
natural person credit unions, examiners

00:10:23.963 --> 00:10:27.283
should ensure the risk management
framework is sufficient to manage

00:10:27.283 --> 00:10:31.373
the major risks present in the credit
union's business strategy and objectives,

00:10:31.653 --> 00:10:35.363
understanding it needs to reflect
a reasonable cost benefit balance.

00:10:35.783 --> 00:10:40.203
In large, complex, natural person credit
unions, examiners should ensure the

00:10:40.203 --> 00:10:44.443
credit union employs a comprehensive
risk management approach, which may or

00:10:44.443 --> 00:10:47.063
may not include a formal ERM program.

00:10:47.383 --> 00:10:51.613
While any weaknesses in a large credit
union's risk management processes will

00:10:51.613 --> 00:10:56.123
be addressed as supervisory concerns,
examiners will not require credit

00:10:56.123 --> 00:10:59.013
unions to adopt a formal ERM program.

00:10:59.518 --> 00:11:04.518
More details about NCUA's Supervisory
Expectations with regard to risk

00:11:04.548 --> 00:11:06.778
management programs are provided below.

00:11:07.308 --> 00:11:07.798
5.

00:11:08.358 --> 00:11:13.398
Addressing Risk Management in Examinations.
Part of the examiner's role is to gauge

00:11:13.398 --> 00:11:17.428
the effectiveness of all risk management
programs against the identified and

00:11:17.428 --> 00:11:21.518
perceived risk posture of the credit
union, the capability and commitment

00:11:21.518 --> 00:11:25.508
of management toward a culture of risk
management, and the financial strength

00:11:25.528 --> 00:11:29.848
of the credit union in relation to
individual and collective risk exposures.

00:11:30.258 --> 00:11:34.938
In all cases, examiners are expected to
take a risk based approach to evaluating

00:11:34.938 --> 00:11:39.138
a credit union's risk management
processes by considering the credit

00:11:39.168 --> 00:11:44.298
union's risk posture, risk appetite, and
risk management strategies, the depth

00:11:44.298 --> 00:11:47.888
and breadth of potential exposures,
including the types of products and

00:11:47.888 --> 00:11:49.958
services offered by the credit union.

00:11:50.433 --> 00:11:54.023
The strategic objectives and
operational policies, procedures,

00:11:54.033 --> 00:11:58.653
and controls in relation to potential
exposures, concentrations of risk,

00:11:59.113 --> 00:12:03.153
risk mitigating factors, capability
and resources of management.

00:12:03.863 --> 00:12:07.573
Current and historical performance
management and the financial

00:12:07.573 --> 00:12:11.213
strength of the credit union in
relation to assets and activities.

00:12:11.603 --> 00:12:15.213
Examiners are expected to employ
the total analysis process,

00:12:15.503 --> 00:12:18.763
which involves a comprehensive
enterprise wide risk assessment.

00:12:19.333 --> 00:12:22.933
This requires examiners to evaluate
the range of risks and level of

00:12:22.933 --> 00:12:26.683
exposures, both financial and non
financial, to determine whether

00:12:26.683 --> 00:12:30.723
exposures are reasonable in relation
to operational controls, decision

00:12:30.723 --> 00:12:35.083
support systems, policies, procedures,
internal controls, and capital.

00:12:35.563 --> 00:12:38.743
Risks are then evaluated
individually and collectively.

00:12:39.203 --> 00:12:42.503
Finally, examiners measure
that risk in relation to CAMEL

00:12:42.533 --> 00:12:43.963
and the seven risk factors.

00:12:44.458 --> 00:12:48.598
Examiners are expected to address
poorly managed or excessive risk by

00:12:48.598 --> 00:12:52.828
addressing the underlying operational,
strategic, and managerial deficiencies

00:12:52.828 --> 00:12:54.758
leading to unacceptable exposure.

00:12:55.158 --> 00:12:58.888
A DOR may be issued outlining
underlying areas of unacceptable

00:12:58.888 --> 00:13:02.538
risk for which management does not
have an adequate identification,

00:13:02.578 --> 00:13:03.173
measurement, assessment,

00:13:03.243 --> 00:13:05.763
monitoring, control,
and reporting structure.

00:13:06.213 --> 00:13:11.723
NCUA views the absence of an adequate risk
management framework, ERM, or otherwise

00:13:11.723 --> 00:13:16.203
consistent with an institution's size,
diversity, and depth of risk exposures

00:13:16.243 --> 00:13:20.003
as a failure in sound corporate
governance and expects examiners to

00:13:20.003 --> 00:13:23.633
take appropriate action consistent
with the severity of the deficiency.

00:13:24.033 --> 00:13:24.633
6.

00:13:24.983 --> 00:13:25.643
Conclusion.

00:13:26.568 --> 00:13:30.288
ERM is a broadly defined and
evolving concept that, at its core,

00:13:30.298 --> 00:13:34.208
presents potential benefits to
larger, more complex credit unions.

00:13:34.668 --> 00:13:38.508
Natural person credit unions are
encouraged to explore how ERM

00:13:38.518 --> 00:13:42.278
might benefit their organization,
but are not required by regulation

00:13:42.288 --> 00:13:46.868
or supervisory expectation to
implement a formal ERM process.

00:13:47.068 --> 00:13:49.828
Examiners are encouraged to
familiarize themselves with the

00:13:49.828 --> 00:13:54.148
concept and basic components of
ERM to aid in their evaluation of a

00:13:54.148 --> 00:14:01.918
credit union's ability to identify,
measure, monitor, and control, i.e., manage
existing and potential risks in their operations.

00:14:02.323 --> 00:14:06.113
This concludes the letter to credit
unions on the Supervisory Letter

00:14:06.113 --> 00:14:07.823
on Enterprise Risk Management.

00:14:08.273 --> 00:14:12.093
If your credit union could use assistance
with your exam, reach out to Mark

00:14:12.103 --> 00:14:15.043
Treichel on LinkedIn or at marktreichel.com.

00:14:15.553 --> 00:14:18.163
This is Samantha Shares and
we thank you for listening.