WEBVTT

NOTE
This file was generated by Descript 

00:00:00.450 --> 00:00:02.420
Samantha: Hello, this is Samantha Shares.

00:00:03.010 --> 00:00:06.380
This podcast is educational
and is not legal advice.

00:00:07.044 --> 00:00:10.904
Banking agencies have curtailed
issuance of new guidance and regulations

00:00:10.964 --> 00:00:12.474
under the current administration.

00:00:13.044 --> 00:00:16.534
As a result, and to continue providing
our listeners with valuable new

00:00:16.534 --> 00:00:20.164
episodes, we're excited to share
our new initiative and cohost.

00:00:20.624 --> 00:00:24.224
We'll be providing AI-powered summaries
of evergreen episodes from our

00:00:24.224 --> 00:00:26.354
sister podcast With Flying Colors.

00:00:26.844 --> 00:00:30.214
These episodes will highlight the
key points in an easy-to-digest

00:00:30.334 --> 00:00:31.774
eight to twelve minute format.

00:00:32.631 --> 00:00:36.601
We continue to embrace Artificial
Intelligence, and like my voice, these

00:00:36.601 --> 00:00:40.981
new episodes will be introduced by me
and then narrated by our guest AI voice.

00:00:41.521 --> 00:00:45.811
Today, Daniel will discuss 'N C
U A Exam Alert: Risk Management

00:00:45.811 --> 00:00:47.971
Framework Essentials That Pass Exams.'

00:00:48.431 --> 00:00:52.841
This episode is also available on
YouTube in AI video format, so be

00:00:52.841 --> 00:00:54.481
sure to check that out as well!

00:00:54.918 --> 00:00:56.768
Now, here's Daniel with your summary.

00:00:57.231 --> 00:01:01.101
This episode covers risk appetite
and risk management framework.

00:01:01.491 --> 00:01:05.331
The following is an audio
summary of that podcast episode.

00:01:05.721 --> 00:01:10.281
This podcast is educational
and is not legal advice.

00:01:10.641 --> 00:01:15.591
We are sponsored by Credit Union Exam
Solutions Incorporated, whose team

00:01:15.801 --> 00:01:20.961
has over 240 years of National Credit
Union administration experience.

00:01:21.351 --> 00:01:26.421
We assist our clients with NCUA
so they save time and money.

00:01:26.766 --> 00:01:32.016
If you are worried about a recent,
upcoming, or in process NCUA examination.

00:01:32.796 --> 00:01:37.596
Reach out to learn how they can
assist at mark TriCal dt com.

00:01:37.926 --> 00:01:42.606
Also, check out our other podcast
called With Flying Colors, where

00:01:42.606 --> 00:01:49.026
we provide tips on how to achieve
success with NCUA Executive summary.

00:01:49.056 --> 00:01:54.126
In this episode, mark TriCal, Steve
Farrah and Todd Miller discuss the

00:01:54.126 --> 00:01:58.176
essential components of risk management
frameworks for credit unions.

00:01:58.536 --> 00:02:01.176
The conversation covers three main areas.

00:02:01.701 --> 00:02:05.931
First, the importance of risk
culture as the foundation of any

00:02:05.931 --> 00:02:07.791
effective risk management program.

00:02:08.421 --> 00:02:14.391
Second, the development and implementation
of risk appetite statements that scale

00:02:14.601 --> 00:02:17.451
with institution size and complexity.

00:02:18.291 --> 00:02:23.841
And third, the three lines of defense
model that provides oversight and control.

00:02:24.516 --> 00:02:29.406
The experts emphasize that while these
frameworks become more sophisticated as

00:02:29.406 --> 00:02:35.346
credit unions grow, the core principles
apply to institutions of all sizes and

00:02:35.346 --> 00:02:39.246
directly impact NCUA examination outcomes.

00:02:39.576 --> 00:02:42.456
Main topic, one, risk culture.

00:02:43.296 --> 00:02:46.716
The foundation risk culture sits
at the top of the risk management

00:02:46.716 --> 00:02:50.736
pyramid and represents the most
critical element of any framework.

00:02:51.066 --> 00:02:57.216
As Todd Miller explains, you can have the
best policies and organizational charts in

00:02:57.216 --> 00:03:02.736
the world, but without proper risk culture
established by the board and management,

00:03:03.216 --> 00:03:05.616
everything underneath will be ineffective.

00:03:06.006 --> 00:03:10.896
This tone from the top must permeate
throughout the organization, creating

00:03:10.896 --> 00:03:15.486
an environment where staff consciously
consider risk reward decisions

00:03:15.846 --> 00:03:18.216
rather than operating unconsciously.

00:03:18.591 --> 00:03:20.811
Think of it like crossing the street.

00:03:21.321 --> 00:03:25.641
We all practice risk management when
we look both ways, but in financial

00:03:25.641 --> 00:03:30.681
institutions, this needs to be conscious
rather than unconscious behavior.

00:03:31.041 --> 00:03:35.571
Steve Farr notes that when examining
troubled credit unions problems

00:03:35.571 --> 00:03:39.976
can almost always be traced back
to a breakdown in risk culture.

00:03:40.671 --> 00:03:44.691
The culture must encourage staff to
speak up when risks are getting out of

00:03:44.691 --> 00:03:50.151
hand, creating that essential foundation
for everything else to work properly.

00:03:50.541 --> 00:03:55.701
Moving to our second key area,
main topic, two, risk appetite.

00:03:56.031 --> 00:03:57.441
Defining your boundaries.

00:03:57.471 --> 00:04:00.531
Risk appetite statements
vary significantly based on

00:04:00.531 --> 00:04:03.111
institution size and complexity.

00:04:03.531 --> 00:04:07.966
For smaller credit unions, risk
appetite can be expressed informally.

00:04:08.526 --> 00:04:13.146
Through business plans and policy
limits, such as loan policy limits,

00:04:13.506 --> 00:04:19.026
liquidity, policy constraints, and asset
liability management boundaries, as

00:04:19.026 --> 00:04:21.966
institutions grow larger and more complex.

00:04:22.566 --> 00:04:29.376
NCUA expects formal risk appetite
statements that address all seven NCUA

00:04:29.376 --> 00:04:34.866
risk categories with some regulators
adding concentration and model risk.

00:04:35.256 --> 00:04:39.456
The key components include both
qualitative statements about the

00:04:39.456 --> 00:04:43.836
institution's risk philosophy,
and quantitative metrics for

00:04:43.836 --> 00:04:46.086
measuring and monitoring risk.

00:04:46.446 --> 00:04:51.216
Steve Farr emphasizes that risk appetite
should start with capital levels

00:04:51.756 --> 00:04:57.336
as institutions operating near PCA
triggers need conservative appetites.

00:04:57.636 --> 00:05:01.806
While well-capitalized, institutions
can accept more risks, however.

00:05:02.361 --> 00:05:07.251
As demonstrated by the taxi medallion
credit union failures, even institutions

00:05:07.251 --> 00:05:13.731
with capital ratios exceeding 15% couldn't
survive when medallion values dropped from

00:05:13.731 --> 00:05:18.291
$1 million to $100,000 in New York City.

00:05:18.681 --> 00:05:22.851
This shows that extreme
concentration risks can overwhelm

00:05:23.211 --> 00:05:27.771
even strong capital positions when
fundamental business models change.

00:05:28.146 --> 00:05:30.816
Now let's examine our
third critical component.

00:05:31.086 --> 00:05:36.396
Main topic, the three, three lines
of defense, your control structure.

00:05:37.476 --> 00:05:41.436
The three lines of defense
model provides the operational

00:05:41.436 --> 00:05:43.476
framework for risk management.

00:05:43.866 --> 00:05:47.946
The first line consists of frontline
business units, including loan

00:05:47.946 --> 00:05:52.326
officers, tellers and member facing
staff who interact directly with

00:05:52.326 --> 00:05:54.451
members and conduct transactions.

00:05:55.176 --> 00:06:00.036
These employees must understand their
role in risk management and carry out

00:06:00.036 --> 00:06:03.186
operations consistent with board policies.

00:06:03.606 --> 00:06:09.186
The second line of defense typically
seen in larger institutions involves

00:06:09.186 --> 00:06:14.106
a separate risk management department
under a chief risk officer who

00:06:14.106 --> 00:06:18.426
aggregates risks across the organization
and provides independent oversight.

00:06:18.951 --> 00:06:22.791
The third line is the internal
audit function, which tests

00:06:22.791 --> 00:06:27.741
internal controls and verifies
that systems work as intended.

00:06:28.131 --> 00:06:32.151
Todd Miller notes that smaller credit
unions often operate effectively

00:06:32.511 --> 00:06:34.521
with just two lines of defense.

00:06:34.941 --> 00:06:38.361
Combining the first line with
internal audit oversight.

00:06:38.901 --> 00:06:44.091
While institutions crossing one to
$3 billion typically add the second

00:06:44.091 --> 00:06:45.801
line risk management function.

00:06:46.131 --> 00:06:51.411
It's important to note that NCUA
sometimes over reaches by trying to

00:06:51.411 --> 00:06:55.491
dictate whether chief risk officers
should have voting rights on committees

00:06:55.761 --> 00:06:58.551
or veto or author over decisions.

00:06:59.331 --> 00:07:02.451
These are management decisions
that should align with your

00:07:02.451 --> 00:07:05.211
institution's size and complexity.

00:07:05.571 --> 00:07:07.431
Key questions for your board.

00:07:08.376 --> 00:07:12.636
Before we discuss exam impacts,
consider these essential questions

00:07:12.726 --> 00:07:14.256
for your next board meeting.

00:07:14.616 --> 00:07:19.296
First, can you clearly articulate
your institution's risk appetite

00:07:19.536 --> 00:07:21.636
in both words and numbers?

00:07:21.996 --> 00:07:25.986
Second, do you have appropriate
limits in place and consequences

00:07:26.256 --> 00:07:27.756
when those limits are breached?

00:07:28.176 --> 00:07:31.626
Third, does your staff feel
comfortable raising concerns

00:07:31.656 --> 00:07:33.576
about increasing risk levels?

00:07:33.966 --> 00:07:37.176
Fourth, are you managing risks in silos?

00:07:37.731 --> 00:07:42.351
Or do you have a way to see the big
picture across your entire institution?

00:07:42.741 --> 00:07:47.271
And finally, does your risk management
sophistication truly match your

00:07:47.271 --> 00:07:49.851
credit union size and complexity?

00:07:50.361 --> 00:07:53.811
Or are you either over
engineering or under preparing?

00:07:54.306 --> 00:07:58.686
These questions can help guide meaningful
board discussions about your risk

00:07:58.686 --> 00:08:02.616
framework, NCUA exam impact and takeaways.

00:08:02.886 --> 00:08:06.336
These risk management framework
concepts directly affect your

00:08:06.336 --> 00:08:09.576
NCUA examination in several ways.

00:08:09.906 --> 00:08:15.066
First, examiners consistently look for
concentration risk limits supported by

00:08:15.066 --> 00:08:20.016
capital analysis, particularly in larger
organizations where stress testing

00:08:20.016 --> 00:08:22.146
may be required to justify limits.

00:08:22.476 --> 00:08:23.016
Second.

00:08:23.556 --> 00:08:27.426
NCUA expects action plans
when institutions approach

00:08:27.426 --> 00:08:29.646
or exceed established limits.

00:08:29.946 --> 00:08:34.896
And failure to address limit breaches
can result in examination criticism.

00:08:35.376 --> 00:08:39.096
Third, the sophistication of your
risk management program should

00:08:39.096 --> 00:08:44.136
match your institution's size and
complexity, but examiners sometimes

00:08:44.136 --> 00:08:49.536
inappropriately apply large institution
standards to smaller credit unions.

00:08:49.866 --> 00:08:53.706
Fourth, proper documentation of
risk appetite, whether formal

00:08:54.246 --> 00:08:57.696
or embedded in existing policies
demonstrates to examiners.

00:08:58.246 --> 00:09:01.336
Management consciously
considers risk decisions.

00:09:01.666 --> 00:09:05.896
Finally, having effective lines of
defense with proper independence and

00:09:05.896 --> 00:09:10.966
adequate resources shows examiners
that your institution has appropriate

00:09:10.996 --> 00:09:14.326
oversight and control mechanisms in place.

00:09:14.716 --> 00:09:19.546
If your credit union could use assistance
with your exam, reach out to Mark

00:09:19.546 --> 00:09:23.956
Tril on LinkedIn or@marktril.com.