Enterprise Risk Management: NCUA's Supervisory Letter
Hello, this is Samantha Shares.

This episode covers NCUA's Supervisory Letter to Credit Unions Number 13-12, titled Enterprise Risk Management, or ERM. While this guidance was issued in 2013, it is still active and is referred to in examinations and examiner discussions with credit unions, especially large credit unions. The following is an audio version of that advisory and the press release. This podcast is educational and is not legal advice.

We are sponsored by Credit Union Exam Solutions Incorporated, whose team has over 240 years of National Credit Union Administration experience. We assist our clients with NCUA so they save time and money. If you are worried about a recent, upcoming, or in-process NCUA examination, reach out to learn how they can assist at marktreichel.com. Also, check out our other podcast called With Flying Colors, where we provide tips on how to achieve success with NCUA.

And now the letter.
This Supervisory Letter discusses how NCUA views Enterprise Risk Management (ERM) as one framework for managing risk, and NCUA's supervisory expectations with regard to credit unions' risk management programs. Natural person credit unions are not required to implement a formal ERM framework. However, credit unions are expected to have sound processes sufficient to manage the risk associated with their business model and strategies. This Supervisory Letter further explains the distinction and outlines what examiners should consider when evaluating the overall effectiveness of a credit union's risk management program.
1. Introduction

This Supervisory Letter provides examiners with an overview of the concepts and principles of Enterprise Risk Management (ERM), as drawn from contemporary risk management practices. It also describes NCUA's supervisory perspective on ERM and outlines supervisory expectations regarding credit unions' use of a formal ERM framework.
2. What is Enterprise Risk Management (ERM)?

Enterprise Risk Management is a comprehensive risk optimization process that integrates risk management across an organization. An organization's board of directors ultimately makes the decision to develop and implement an ERM framework, often with the goal of aligning risk with strategic objectives. ERM is not a process to eliminate risk or to enforce risk limits, but rather to encourage organizations to take a broad look at all risk factors, understand the interrelationships among those factors, define an acceptable level of risk, and continuously monitor functional areas to ensure that the defined risk threshold is maintained.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines ERM as a process that is:
ongoing and applied throughout an organization;
affected by people at every level of an organization;
applied in strategy setting;
takes an organization-level portfolio view of risk;
designed to identify potential events that could affect the organization, and to manage risk within the organization's risk appetite;
able to provide reasonable assurance to an organization's management and board of directors;
and geared to achieve objectives in one or more separate but overlapping categories.

The enterprise-wide aspect of ERM is what differentiates it most fundamentally from more traditional risk management approaches. Many organizations, including credit unions, traditionally have used internal auditors to perform risk assessments and to report their findings to executive management and/or the audit committee. Under this approach, risks are considered and addressed individually, perhaps without consideration of the strategic implications these risks may impart or how the risks interrelate to one another. ERM reduces this silo effect and at the same time ensures ongoing communication with relevant stakeholders (board, senior management, audit, etc.).
3. Basic Components of an ERM Framework

Credit unions that incorporate ERM into their risk management infrastructure may resource the program internally, through paid consultants, or through a combination of outsourced and internal resources. NCUA does not view any approach as preferable, provided core principles, controls, and due diligence are properly established within the organization. That said, there are several basic components of an ERM program that likely will be evident at any financial institution that pursues an ERM approach to managing risk. Because examiners are likely to encounter one or more of these components in their analysis of a credit union's operations, they should be familiar with them. The table below outlines these components as identified in the COSO Framework, describes each, and provides positive examples of how each component might manifest in a credit union's operations.
ERM Component: Established Risk Culture
Description: This is the tone at the top that sets the basis for how risk is viewed and addressed by an organization's stakeholders at all levels. The organization should define an enterprise-wide philosophy for risk management and risk appetite that is grounded in integrity, ethical values, and a good grasp of how various stakeholders are affected by the organization's decisions.
Positive example: Consistent support for the ERM framework throughout the organization, from the chairman's office to staff members on the front lines.

ERM Component: Clear Objectives
Description: An ERM program encourages management to set clear strategic, operations, reporting, and compliance objectives that support and align with the organization's mission and are consistent with its risk appetite.
Positive example: Future objectives are reasonably achieved without exceeding a predetermined, stated risk tolerance.

ERM Component: Event Identification
Description: The organization has identified internal and external events affecting achievement of objectives and has distinguished its risks from its opportunities.
Positive example: For each uncertainty or potential event, a leading indicator is created along with parameters that would trigger a risk management response.

ERM Component: Risk Assessment
Description: The organization continuously analyzes risk, considering the likelihood and impact of various scenarios, and uses the results of the analysis as a basis for determining how to manage those risks.
Positive example: A risk heat map evolves from manager surveys to determine priority of risks.

ERM Component: Risk Response
Description: Management evaluates possible responses to risks, selects a response (avoid, accept, reduce, or share risk), and develops a set of actions that aligns risks with the organization's risk tolerances and risk appetite.
Positive examples:
Example 1. Management identifies the costs and benefits for accepting each type of risk.
Example 2. The most relevant risk information is centralized and reported timely, in the right form and to the right people, in order to make timely and effective decisions about risk.

ERM Component: Control Activities
Description: A set of policies and procedures that is established and implemented to help ensure that an organization effectively responds to risks.
Positive examples:
Example 1. Staff understands the differences between risk avoidance, risk reduction, risk sharing, and risk acceptance.
Example 2. The senior manager responsible for ERM oversight reports directly to the board of directors or a board-established committee that will assure proper oversight and independence.
Example 3. The ERM program is independent of the risk-taking and operational functions.

ERM Component: Information and Communication
Description: Relevant information is identified, captured, and communicated in a form and time frame that enables stakeholders to carry out their responsibilities. Key information about strategy and decisions is communicated clearly and broadly throughout an organization.
Positive examples:
Example 1. All personnel receive a clear message from top management that ERM responsibilities are taken seriously.
Example 2. A robust and reliable reporting regimen is evident.

ERM Component: Monitoring
Description: The organization monitors, through ongoing management activities and/or separate evaluations, the entirety of risk management and makes modifications as necessary.
Positive example: Management reports performance versus established risk limits.
4. NCUA's Supervisory Perspective

Core ERM principles can be integrated into the overall strategic planning and organizational risk management infrastructure of credit unions of all sizes and risk levels, and NCUA encourages credit unions to consider the benefits of doing so. However, implementing a formal ERM framework requires a significant investment in management, expertise, and systems. NCUA recognizes that most credit unions do not possess the size, depth of resources, or range and level of risk exposures to warrant the significant investment necessary to implement such a program. Thus, NCUA requires that only corporate credit unions develop and follow a formal ERM policy. ERM is not a regulatory requirement for natural person credit unions.

When examining smaller, less complex natural person credit unions, examiners should ensure the risk management framework is sufficient to manage the major risks present in the credit union's business strategy and objectives, understanding it needs to reflect a reasonable cost-benefit balance. In large, complex natural person credit unions, examiners should ensure the credit union employs a comprehensive risk management approach, which may or may not include a formal ERM program. While any weaknesses in a large credit union's risk management processes will be addressed as supervisory concerns, examiners will not require credit unions to adopt a formal ERM program. More details about NCUA's supervisory expectations with regard to risk management programs are provided below.
5. Addressing Risk Management in Examinations

Part of the examiner's role is to gauge the effectiveness of all risk management programs against the identified and perceived risk posture of the credit union, the capability and commitment of management toward a culture of risk management, and the financial strength of the credit union in relation to individual and collective risk exposures. In all cases, examiners are expected to take a risk-based approach to evaluating a credit union's risk management processes by considering:
the credit union's risk posture, risk appetite, and risk management strategies;
the depth and breadth of potential exposures, including the types of products and services offered by the credit union;
the strategic objectives and operational policies, procedures, and controls in relation to potential exposures;
concentrations of risk;
risk mitigating factors;
capability and resources of management;
current and historical performance management and the financial strength of the credit union in relation to assets and activities.

Examiners are expected to employ the total analysis process, which involves a comprehensive enterprise-wide risk assessment. This requires examiners to evaluate the range of risks and level of exposures, both financial and non-financial, to determine whether exposures are reasonable in relation to operational controls, decision support systems, policies, procedures, internal controls, and capital. Risks are then evaluated individually and collectively. Finally, examiners measure that risk in relation to CAMEL and the seven risk factors.

Examiners are expected to address poorly managed or excessive risk by addressing the underlying operational, strategic, and managerial deficiencies leading to unacceptable exposure. A DOR may be issued outlining underlying areas of unacceptable risk for which management does not have an adequate identification, measurement, or assessment, monitoring, control, and reporting structure. NCUA views the absence of an adequate risk management framework (ERM or otherwise) consistent with an institution's size, diversity, and depth of risk exposures as a failure in sound corporate governance and expects examiners to take appropriate action consistent with the severity of the deficiency.
6. Conclusion

ERM is a broadly defined and evolving concept that, at its core, presents potential benefits to larger, more complex credit unions. Natural person credit unions are encouraged to explore how ERM might benefit their organization, but are not required by regulation or supervisory expectation to implement a formal ERM process. Examiners are encouraged to familiarize themselves with the concept and basic components of ERM to aid in their evaluation of a credit union's ability to identify, measure, monitor, and control (i.e., manage) existing and potential risks in their operations.

This concludes the letter to credit unions on the Supervisory Letter on Enterprise Risk Management. If your credit union could use assistance with your exam, reach out to Mark Treichel on LinkedIn or at marktreichel.com.

This is Samantha Shares and we thank you for listening.
