NCUA Exam Alert: Risk Management Framework Essentials That Pass Exams
Samantha: Hello, this is Samantha Shares.
This podcast is educational
and is not legal advice.
Banking agencies have curtailed
issuance of new guidance and regulations
under the current administration.
As a result, and to continue providing
our listeners with valuable new
episodes, we're excited to share
our new initiative and cohost.
We'll be providing AI-powered summaries
of evergreen episodes from our
sister podcast With Flying Colors.
These episodes will highlight the
key points in an easy-to-digest
eight to twelve minute format.
We continue to embrace Artificial
Intelligence, and like my voice, these
new episodes will be introduced by me
and then narrated by our guest AI voice.
Today, Daniel will discuss 'N C
U A Exam Alert: Risk Management
Framework Essentials That Pass Exams.'
This episode is also available on
YouTube in AI video format, so be
sure to check that out as well!
Now, here's Daniel with your summary.
This episode covers risk appetite
and risk management framework.
The following is an audio
summary of that podcast episode.
This podcast is educational
and is not legal advice.
We are sponsored by Credit Union Exam
Solutions Incorporated, whose team
has over 240 years of National Credit
Union administration experience.
We assist our clients with NCUA
so they save time and money.
If you are worried about a recent,
upcoming, or in process NCUA examination.
Reach out to learn how they can
assist at mark TriCal dt com.
Also, check out our other podcast
called With Flying Colors, where
we provide tips on how to achieve
success with NCUA Executive summary.
In this episode, mark TriCal, Steve
Farrah and Todd Miller discuss the
essential components of risk management
frameworks for credit unions.
The conversation covers three main areas.
First, the importance of risk
culture as the foundation of any
effective risk management program.
Second, the development and implementation
of risk appetite statements that scale
with institution size and complexity.
And third, the three lines of defense
model that provides oversight and control.
The experts emphasize that while these
frameworks become more sophisticated as
credit unions grow, the core principles
apply to institutions of all sizes and
directly impact NCUA examination outcomes.
Main topic, one, risk culture.
The foundation risk culture sits
at the top of the risk management
pyramid and represents the most
critical element of any framework.
As Todd Miller explains, you can have the
best policies and organizational charts in
the world, but without proper risk culture
established by the board and management,
everything underneath will be ineffective.
This tone from the top must permeate
throughout the organization, creating
an environment where staff consciously
consider risk reward decisions
rather than operating unconsciously.
Think of it like crossing the street.
We all practice risk management when
we look both ways, but in financial
institutions, this needs to be conscious
rather than unconscious behavior.
Steve Farr notes that when examining
troubled credit unions problems
can almost always be traced back
to a breakdown in risk culture.
The culture must encourage staff to
speak up when risks are getting out of
hand, creating that essential foundation
for everything else to work properly.
Moving to our second key area,
main topic, two, risk appetite.
Defining your boundaries.
Risk appetite statements
vary significantly based on
institution size and complexity.
For smaller credit unions, risk
appetite can be expressed informally.
Through business plans and policy
limits, such as loan policy limits,
liquidity, policy constraints, and asset
liability management boundaries, as
institutions grow larger and more complex.
NCUA expects formal risk appetite
statements that address all seven NCUA
risk categories with some regulators
adding concentration and model risk.
The key components include both
qualitative statements about the
institution's risk philosophy,
and quantitative metrics for
measuring and monitoring risk.
Steve Farr emphasizes that risk appetite
should start with capital levels
as institutions operating near PCA
triggers need conservative appetites.
While well-capitalized, institutions
can accept more risks, however.
As demonstrated by the taxi medallion
credit union failures, even institutions
with capital ratios exceeding 15% couldn't
survive when medallion values dropped from
$1 million to $100,000 in New York City.
This shows that extreme
concentration risks can overwhelm
even strong capital positions when
fundamental business models change.
Now let's examine our
third critical component.
Main topic, the three, three lines
of defense, your control structure.
The three lines of defense
model provides the operational
framework for risk management.
The first line consists of frontline
business units, including loan
officers, tellers and member facing
staff who interact directly with
members and conduct transactions.
These employees must understand their
role in risk management and carry out
operations consistent with board policies.
The second line of defense typically
seen in larger institutions involves
a separate risk management department
under a chief risk officer who
aggregates risks across the organization
and provides independent oversight.
The third line is the internal
audit function, which tests
internal controls and verifies
that systems work as intended.
Todd Miller notes that smaller credit
unions often operate effectively
with just two lines of defense.
Combining the first line with
internal audit oversight.
While institutions crossing one to
$3 billion typically add the second
line risk management function.
It's important to note that NCUA
sometimes over reaches by trying to
dictate whether chief risk officers
should have voting rights on committees
or veto or author over decisions.
These are management decisions
that should align with your
institution's size and complexity.
Key questions for your board.
Before we discuss exam impacts,
consider these essential questions
for your next board meeting.
First, can you clearly articulate
your institution's risk appetite
in both words and numbers?
Second, do you have appropriate
limits in place and consequences
when those limits are breached?
Third, does your staff feel
comfortable raising concerns
about increasing risk levels?
Fourth, are you managing risks in silos?
Or do you have a way to see the big
picture across your entire institution?
And finally, does your risk management
sophistication truly match your
credit union size and complexity?
Or are you either over
engineering or under preparing?
These questions can help guide meaningful
board discussions about your risk
framework, NCUA exam impact and takeaways.
These risk management framework
concepts directly affect your
NCUA examination in several ways.
First, examiners consistently look for
concentration risk limits supported by
capital analysis, particularly in larger
organizations where stress testing
may be required to justify limits.
Second.
NCUA expects action plans
when institutions approach
or exceed established limits.
And failure to address limit breaches
can result in examination criticism.
Third, the sophistication of your
risk management program should
match your institution's size and
complexity, but examiners sometimes
inappropriately apply large institution
standards to smaller credit unions.
Fourth, proper documentation of
risk appetite, whether formal
or embedded in existing policies
demonstrates to examiners.
Management consciously
considers risk decisions.
Finally, having effective lines of
defense with proper independence and
adequate resources shows examiners
that your institution has appropriate
oversight and control mechanisms in place.
If your credit union could use assistance
with your exam, reach out to Mark
Tril on LinkedIn or@marktril.com.
