WEBVTT

NOTE
This file was generated by Descript 

00:00:00.100 --> 00:00:01.900
Samantha: Hello, this is Samantha Shares.

00:00:02.370 --> 00:00:06.760
This episode covers N C U A's supervisory
letter to credit unions

00:00:06.760 --> 00:00:11.200
number thirteen dash twelve titled
Enterprise Risk Management or E R M.

00:00:11.660 --> 00:00:15.130
While this guidance was issued in
twenty thirteen, it is still active

00:00:15.320 --> 00:00:18.890
and is referred to in examinations
and examiner discussions with credit

00:00:18.890 --> 00:00:21.500
unions, especially large credit unions.

00:00:21.946 --> 00:00:25.686
The following is an audio version of
that advisory and the press release.

00:00:26.196 --> 00:00:29.426
This podcast is educational
and is not legal advice.

00:00:29.846 --> 00:00:33.806
We are sponsored by Credit Union
Exam Solutions Incorporated, whose

00:00:33.806 --> 00:00:36.906
team has over two hundred and
forty years of National Credit

00:00:36.906 --> 00:00:38.836
Union Administration experience.

00:00:39.236 --> 00:00:42.896
We assist our clients with N C
U A so they save time and money.

00:00:43.196 --> 00:00:47.136
If you are worried about a recent,
upcoming or in process N C U A

00:00:47.136 --> 00:00:51.456
examination, reach out to learn how they
can assist at Mark Treichel DOT COM.

00:00:51.776 --> 00:00:56.146
Also check out our other podcast called
With Flying Colors where we provide tips

00:00:56.146 --> 00:00:58.706
on how to achieve success with N C U A.

00:00:59.166 --> 00:01:00.056
And now the letter.

00:01:00.464 --> 00:01:04.874
This Supervisory Letter discusses
how N C U A views enterprise risk

00:01:04.874 --> 00:01:10.044
management (E R M) as one framework
for managing risk and N C U A's

00:01:10.044 --> 00:01:14.724
supervisory expectations with regard to
credit unions' risk management programs.

00:01:15.065 --> 00:01:18.115
Natural person credit unions
are not required to implement

00:01:18.115 --> 00:01:20.095
a formal E R M framework.

00:01:20.545 --> 00:01:24.275
However, credit unions are expected
to have sound processes sufficient

00:01:24.275 --> 00:01:27.935
to manage the risk associated with
their business model and strategies.

00:01:28.445 --> 00:01:32.465
This Supervisory Letter further
explains that distinction and outlines

00:01:32.465 --> 00:01:36.395
what examiners should consider when
evaluating the overall effectiveness of

00:01:36.395 --> 00:01:38.835
a credit union's risk management program.

00:01:39.267 --> 00:01:39.737
1.

00:01:39.987 --> 00:01:40.707
Introduction

00:01:41.118 --> 00:01:44.778
This Supervisory Letter provides
examiners with an overview of the

00:01:44.778 --> 00:01:49.358
concepts and principles of enterprise
risk management (E R M) as drawn from

00:01:49.358 --> 00:01:51.698
contemporary risk management practices.

00:01:52.038 --> 00:01:57.808
It also describes N C U A's supervisory
perspective on E R M and outlines

00:01:57.808 --> 00:02:02.958
supervisory expectations regarding credit
unions' use of a formal E R M framework.

00:02:03.477 --> 00:02:03.867
2.

00:02:04.467 --> 00:02:07.087
What is Enterprise Risk
Management (E R M)?

00:02:07.444 --> 00:02:10.964
Enterprise risk management is a
comprehensive risk-optimization

00:02:10.964 --> 00:02:14.554
process that integrates risk
management across an organization.

00:02:14.964 --> 00:02:18.994
An organization's board of directors
ultimately makes the decision to develop

00:02:18.994 --> 00:02:23.144
and implement an E R M framework,
often with the goal of aligning

00:02:23.144 --> 00:02:25.014
risk with strategic objectives.

00:02:25.396 --> 00:02:30.216
E R M is not a process to eliminate
risk or to enforce risk limits, but

00:02:30.216 --> 00:02:34.206
rather to encourage organizations to
take a broad look at all risk factors,

00:02:34.416 --> 00:02:38.236
understand the interrelationships among
those factors, define an acceptable

00:02:38.236 --> 00:02:42.386
level of risk, and continuously monitor
functional areas to ensure that the

00:02:42.386 --> 00:02:44.516
defined risk threshold is maintained.

00:02:44.994 --> 00:02:48.614
The Committee of Sponsoring Organizations
of the Treadway Commission (COSO)

00:02:48.614 --> 00:02:51.394
defines E R M as a process that is:

00:02:51.846 --> 00:02:54.246
â¢	ongoing and applied
throughout an organization,

00:02:54.732 --> 00:02:57.612
â¢	effected by people at every
level of an organization,

00:02:58.050 --> 00:02:59.610
â¢	applied in strategy setting,

00:03:00.072 --> 00:03:02.962
â¢	takes an organization-level
portfolio view of risk,

00:03:03.432 --> 00:03:07.202
â¢	designed to identify potential events
that could affect the organization

00:03:07.292 --> 00:03:10.452
and to manage risk within the
organization's risk appetite,

00:03:11.020 --> 00:03:14.540
â¢	able to provide reasonable assurance
to an organization's management

00:03:14.540 --> 00:03:16.040
and board of directors, and

00:03:16.524 --> 00:03:21.064
â¢	geared to achieve objectives in one or
more separate but overlapping categories.

00:03:21.519 --> 00:03:25.479
The enterprise-wide aspect of E R
M is what differentiates it most

00:03:25.479 --> 00:03:28.679
fundamentally from more traditional
risk management approaches.

00:03:29.119 --> 00:03:33.209
Many organizations, including credit
unions, traditionally have used internal

00:03:33.239 --> 00:03:37.539
auditors to perform risk assessments and
to report their findings to executive

00:03:37.539 --> 00:03:39.479
management and/or the Audit Committee.

00:03:40.029 --> 00:03:44.099
Under this approach, risks are considered
and addressed individually, perhaps

00:03:44.099 --> 00:03:48.369
without consideration of the strategic
implications these risks may impart or

00:03:48.369 --> 00:03:50.439
how the risks interrelate to one another.

00:03:50.899 --> 00:03:55.559
E R M reduces this silo effect and,
at the same time, ensures ongoing

00:03:55.559 --> 00:04:00.249
communication with relevant stakeholders
(board, senior management, audit, etc.).

00:04:00.663 --> 00:04:01.133
3.

00:04:01.693 --> 00:04:04.423
Basic components of an E R M framework

00:04:04.807 --> 00:04:08.007
There is no "off-the-shelf"
solution for organizations seeking

00:04:08.007 --> 00:04:12.007
to launch an effective enterprise-wide
approach to risk management.

00:04:12.007 --> 00:04:16.007
Rather, organizations can meet their
specific needs with various tailored

00:04:16.007 --> 00:04:20.007
approaches that take into account their
complexity, resources, and expertise.

00:04:20.087 --> 00:04:24.777
Credit unions that incorporate E R M into
their risk management infrastructure may

00:04:24.777 --> 00:04:29.197
resource the program internally, through
paid consultants, or through a combination

00:04:29.197 --> 00:04:31.537
of outsourced and internal resources.

00:04:32.017 --> 00:04:36.407
N C U A does not view any approach as
preferable, provided core principles,

00:04:36.407 --> 00:04:40.377
controls, and due diligence are properly
established within the organization.

00:04:40.727 --> 00:04:44.407
That said, there are several basic
components of an E R M program

00:04:44.437 --> 00:04:48.087
that likely will be evident at any
financial institution that pursues

00:04:48.087 --> 00:04:50.507
an E R M approach to managing risk.

00:04:50.737 --> 00:04:54.787
Because examiners are likely to encounter
one or more of these components in their

00:04:54.787 --> 00:04:58.957
analysis of a credit union's operations,
they should be familiar with them.

00:04:59.372 --> 00:05:03.282
The table on the following page outlines
these components (as identified in

00:05:03.282 --> 00:05:07.242
the COSO framework), describes each,
and provides positive examples of

00:05:07.242 --> 00:05:11.042
how each component might manifest
in a credit union's operations.

00:05:11.510 --> 00:05:12.350
ERM Component:

00:05:12.836 --> 00:05:14.526
Established "Risk Culture"

00:05:14.988 --> 00:05:17.078
Description of Established Risk Culture.

00:05:17.550 --> 00:05:21.400
This is the "tone at the top" that
sets the basis for how risk is viewed

00:05:21.400 --> 00:05:24.650
and addressed by an organization's
stakeholders at all levels.

00:05:25.120 --> 00:05:28.700
The organization should define an
enterprise-wide philosophy for risk

00:05:28.700 --> 00:05:32.450
management and risk appetite that
is grounded in integrity, ethical

00:05:32.450 --> 00:05:36.220
values, and a good grasp of how
various stakeholders are affected

00:05:36.220 --> 00:05:37.970
by the organization's decisions.

00:05:38.473 --> 00:05:40.993
Positive Example of
Established Risk Culture:

00:05:41.478 --> 00:05:45.378
Consistent support for the E R M
framework throughout the organization,

00:05:45.618 --> 00:05:48.708
from the Chairman's office to
staff members on the front lines.

00:05:49.161 --> 00:05:51.001
ERM Component: Clear Objectives

00:05:51.431 --> 00:05:53.171
Description of Clear Objectives:

00:05:53.607 --> 00:05:58.487
An E R M program encourages management
to set clear strategic, operations,

00:05:58.487 --> 00:06:01.857
reporting, and compliance objectives
that support and align with the

00:06:01.857 --> 00:06:05.457
organization's mission and are
consistent with its risk appetite.

00:06:06.052 --> 00:06:08.192
Positive Example of Clear Objectives:

00:06:08.596 --> 00:06:11.606
Future objectives are reasonably
achieved without exceeding a

00:06:11.636 --> 00:06:13.786
predetermined, stated risk tolerance.

00:06:14.202 --> 00:06:16.662
ERM Component: Event Identification

00:06:17.106 --> 00:06:21.406
The organization has identified internal
and external events affecting achievement

00:06:21.406 --> 00:06:25.306
of objectives and has distinguished
its risks from its opportunities.

00:06:25.800 --> 00:06:28.210
Positive Example of Event Identification:

00:06:28.768 --> 00:06:33.348
For each uncertainty or potential
event, a "leading indicator" is created

00:06:33.348 --> 00:06:36.978
along with parameters that would
trigger a risk management response.

00:06:37.410 --> 00:06:39.060
ERM Component: Risk Assessment

00:06:39.566 --> 00:06:41.226
Description of Risk Assessment

00:06:41.666 --> 00:06:45.866
The organization continuously analyzes
risk, considering the likelihood and

00:06:45.866 --> 00:06:50.876
impact of various scenarios, and uses the
results of the analysis as a basis for

00:06:51.339 --> 00:06:53.349
determining how to manage those risks.

00:06:53.824 --> 00:06:55.794
Positive Example of Risk Assessment

00:06:56.368 --> 00:07:01.218
A risk "heat map" evolves from manager
surveys to determine priority of risks.

00:07:01.678 --> 00:07:03.828
ERM Component: Risk Response

00:07:04.214 --> 00:07:06.134
Description: Risk Response

00:07:06.536 --> 00:07:11.186
Management evaluates possible responses
to risks, selects a response (avoid,

00:07:11.186 --> 00:07:14.966
accept, reduce, or share risk),
and develops a set of actions that

00:07:14.966 --> 00:07:18.996
aligns risks with the organization's
risk tolerances and risk appetite.

00:07:19.598 --> 00:07:21.768
Positive Examples: Risk Response

00:07:22.186 --> 00:07:23.026
Example one:

00:07:23.464 --> 00:07:27.794
Management identifies the costs and
benefits for accepting each type of risk.

00:07:28.247 --> 00:07:29.077
Example two:

00:07:29.524 --> 00:07:33.354
The most relevant risk information
is centralized and reported timely,

00:07:33.384 --> 00:07:36.904
in the right form, and to the right
people in order to make timely

00:07:36.904 --> 00:07:38.754
and effective decisions about risk.

00:07:39.278 --> 00:07:41.698
ERM Component: Control Activities

00:07:42.098 --> 00:07:44.288
Description: Control Activities

00:07:44.737 --> 00:07:48.417
A set of policies and procedures
that is established and implemented

00:07:48.417 --> 00:07:52.297
to help ensure that an organization
effectively responds to risks.

00:07:52.744 --> 00:07:55.174
Positive Examples: Control Activities

00:07:55.678 --> 00:07:56.518
Example one:

00:07:56.905 --> 00:08:00.385
Staff understands the differences
between risk avoidance, risk

00:08:00.824 --> 00:08:03.614
reduction, risk sharing,
and risk acceptance.

00:08:04.002 --> 00:08:04.802
Example two:

00:08:05.279 --> 00:08:09.569
The senior manager responsible for
E R M oversight reports directly to

00:08:09.569 --> 00:08:13.309
the board of directors or a board-
established committee that will assure

00:08:13.309 --> 00:08:15.409
proper oversight and independence.

00:08:15.800 --> 00:08:16.680
Example three:

00:08:17.125 --> 00:08:21.955
The E R M program is independent of the
risk-taking and operational functions.

00:08:22.378 --> 00:08:25.278
ERM Component: Information
and Communication

00:08:25.739 --> 00:08:28.569
Description: Information
and Communication:

00:08:28.979 --> 00:08:32.959
Relevant information is identified,
captured, and communicated in a form

00:08:32.959 --> 00:08:37.029
and timeframe that enable stakeholders
to carry out their responsibilities.

00:08:37.419 --> 00:08:41.509
Key information about strategy and
decisions is communicated clearly and

00:08:41.509 --> 00:08:43.259
broadly throughout an organization.

00:08:43.760 --> 00:08:46.870
Positive Examples:
Information and Communication

00:08:47.332 --> 00:08:48.152
Example one:

00:08:48.649 --> 00:08:52.729
All personnel receive a clear message
from top management that E R M

00:08:52.729 --> 00:08:54.909
responsibilities are taken seriously.

00:08:55.378 --> 00:08:56.198
Example two:

00:08:56.685 --> 00:08:59.805
A robust and reliable
reporting regimen is evident.

00:09:00.239 --> 00:09:02.039
ERM Component: Monitoring

00:09:02.508 --> 00:09:04.198
Description: Monitoring

00:09:04.545 --> 00:09:07.915
The organization monitors, through
ongoing management activities

00:09:07.915 --> 00:09:11.675
and/or separate evaluations, the
entirety of risk management and

00:09:11.675 --> 00:09:13.685
makes modifications as necessary.

00:09:14.221 --> 00:09:16.281
Positive Example: Monitoring

00:09:16.707 --> 00:09:20.337
Management reports performance
versus established risk limits.

00:09:20.808 --> 00:09:21.178
4.

00:09:21.778 --> 00:09:24.448
N C U A's supervisory perspective

00:09:24.977 --> 00:09:29.477
Core E R M principles can be integrated
into the overall strategic planning

00:09:29.477 --> 00:09:33.017
and organizational risk-management
infrastructure of credit unions of

00:09:33.017 --> 00:09:37.467
all sizes and risk levels, and N
C U A encourages credit unions to

00:09:37.467 --> 00:09:39.377
consider the benefits of doing so.

00:09:39.787 --> 00:09:43.497
However, implementing a formal
E R M framework requires a

00:09:43.497 --> 00:09:47.037
significant investment in
management, expertise, and systems.

00:09:47.544 --> 00:09:51.634
N C U A recognizes that most credit
unions do not possess the size,

00:09:51.694 --> 00:09:55.594
depth of resources, or range and
level of risk exposures to warrant

00:09:55.594 --> 00:09:58.974
the significant investment necessary
to implement such a program.

00:09:59.444 --> 00:10:03.134
Thus, N C U A requires that only
corporate credit unions develop

00:10:03.324 --> 00:10:05.704
and follow a formal E R M policy.

00:10:06.134 --> 00:10:10.674
E R M is not a regulatory requirement
for natural person credit unions.

00:10:11.075 --> 00:10:15.905
When examining smaller, less complex
natural person credit unions, examiners

00:10:15.905 --> 00:10:19.235
should ensure the risk management
framework is sufficient to manage

00:10:19.235 --> 00:10:23.355
the major risks present in the credit
union's business strategy and objectives,

00:10:23.635 --> 00:10:27.415
understanding it needs to reflect
a reasonable cost-benefit balance.

00:10:27.805 --> 00:10:32.155
In large, complex natural person credit
unions, examiners should ensure the

00:10:32.155 --> 00:10:36.415
credit union employs a comprehensive
risk management approach, which may or

00:10:36.415 --> 00:10:39.065
may not include a formal E R M program.

00:10:39.405 --> 00:10:43.555
While any weaknesses in a large credit
union's risk management processes will

00:10:43.555 --> 00:10:48.055
be addressed as supervisory concerns,
examiners will not require credit

00:10:48.055 --> 00:10:51.035
unions to adopt a formal E R M program.

00:10:51.511 --> 00:10:56.541
More details about N C U A's supervisory
expectations with regard to risk

00:10:56.541 --> 00:10:58.711
management programs are provided below.

00:10:59.372 --> 00:10:59.712
5.

00:11:00.382 --> 00:11:02.882
Addressing risk management in examinations

00:11:03.334 --> 00:11:07.474
Part of the examiner's role is to gauge
the effectiveness of all risk management

00:11:07.474 --> 00:11:11.184
programs against the identified and
perceived risk posture of the credit

00:11:11.184 --> 00:11:15.394
union, the capability and commitment
of management toward a culture of risk

00:11:15.394 --> 00:11:19.284
management, and the financial strength
of the credit union in relation to

00:11:19.314 --> 00:11:21.854
individual and collective risk exposures.

00:11:22.279 --> 00:11:26.239
In all cases, examiners are expected
to take a risk-based approach to

00:11:26.239 --> 00:11:30.269
evaluating a credit union's risk
management processes by considering:

00:11:30.710 --> 00:11:35.380
â¢	the credit union's risk posture, risk
appetite, and risk management strategies;

00:11:35.803 --> 00:11:39.723
â¢		the depth and breadth of potential
exposures including the types of products

00:11:39.723 --> 00:11:42.033
and services offered by the credit union;

00:11:42.434 --> 00:11:46.724
â¢	the strategic objectives and operational
policies, procedures, and controls

00:11:46.724 --> 00:11:48.744
in relation to potential exposures;

00:11:49.223 --> 00:11:50.583
â¢	concentrations of risk;

00:11:51.117 --> 00:11:52.677
â¢	risk-mitigating factors;

00:11:53.124 --> 00:11:55.264
â¢	capability and resources of management;

00:11:55.857 --> 00:11:58.427
â¢	current and historical
performance management; and

00:11:58.907 --> 00:12:03.207
â¢	the financial strength of the credit union
in relation to assets and activities.

00:12:03.622 --> 00:12:07.172
Examiners are expected to employ
the "total analysis process,"

00:12:07.512 --> 00:12:10.762
which involves a comprehensive
(enterprise-wide) risk assessment.

00:12:11.332 --> 00:12:14.902
This requires examiners to evaluate
the range of risks and level of

00:12:14.902 --> 00:12:18.662
exposures, both financial and
nonfinancial, to determine whether

00:12:18.662 --> 00:12:22.692
exposures are reasonable in relation
to operational controls, decision

00:12:22.692 --> 00:12:27.042
support systems, policies, procedures,
internal controls, and capital.

00:12:27.562 --> 00:12:30.702
Risks are then evaluated
individually and collectively.

00:12:31.172 --> 00:12:34.502
Finally, examiners measure
that risk in relation to CAMEL

00:12:34.502 --> 00:12:36.032
and the seven risk factors.

00:12:36.457 --> 00:12:40.587
Examiners are expected to address
poorly managed or excessive risk by

00:12:40.587 --> 00:12:44.797
addressing the underlying operational,
strategic, and managerial deficiencies

00:12:44.797 --> 00:12:46.717
leading to unacceptable exposure.

00:12:47.167 --> 00:12:51.777
A DOR may be issued outlining underlying
areas of unacceptable risk for which

00:12:51.777 --> 00:12:55.857
management does not have an adequate
identification, measurement, monitoring,

00:12:55.857 --> 00:12:57.717
control, and reporting structure.

00:12:58.271 --> 00:13:01.981
N C U A views the absence of an
adequate risk management framework

00:13:02.071 --> 00:13:06.521
(E R M or otherwise) consistent with
an institution's size, diversity,

00:13:06.521 --> 00:13:10.331
and depth of risk exposures as a
failure in sound corporate governance,

00:13:10.661 --> 00:13:13.991
and expects examiners to take
appropriate action consistent with

00:13:13.991 --> 00:13:15.561
the severity of the deficiency.

00:13:16.029 --> 00:13:16.589
6.

00:13:16.979 --> 00:13:17.719
Conclusion

00:13:18.089 --> 00:13:22.269
E R M is a broadly defined and
evolving concept that, at its core,

00:13:22.299 --> 00:13:26.269
presents potential benefits to
larger, more complex credit unions.

00:13:26.679 --> 00:13:30.459
Natural person credit unions are
encouraged to explore how E R M

00:13:30.459 --> 00:13:34.249
might benefit their organization,
but are not required by regulation

00:13:34.249 --> 00:13:38.849
or supervisory expectation to
implement a formal E R M process.

00:13:39.079 --> 00:13:42.999
Examiners are encouraged to familiarize
themselves with the concept and basic

00:13:42.999 --> 00:13:47.369
components of E R M to aid in their
evaluation of a credit union's ability

00:13:47.369 --> 00:13:51.799
to identify, measure, monitor, and
control (i.e., manage) existing and

00:13:51.799 --> 00:13:53.939
potential risks in their operations.

00:13:54.283 --> 00:13:58.093
This concludes the Letter to credit
unions on the supervisory letter

00:13:58.093 --> 00:13:59.793
on Enterprise Risk Management.

00:14:00.278 --> 00:14:04.318
If your Credit union could use assistance
with your exam, reach out to Mark Treichel

00:14:04.318 --> 00:14:07.028
on LinkedIn, or at Mark Treichel dot com.

00:14:07.548 --> 00:14:10.158
This is Samantha Shares and
we thank you for listening.