NCUA's Supervisory Letter on Enterprise Risk Management
Samantha: Hello, this is Samantha Shares.
This episode covers N C U A's supervisory
letter to credit unions
number thirteen dash twelve titled
Enterprise Risk Management or E R M.
While this guidance was issued in
twenty thirteen, it is still active
and is referred to in examinations
and examiner discussions with credit
unions, especially large credit unions.
The following is an audio version of
that advisory and the press release.
This podcast is educational
and is not legal advice.
We are sponsored by Credit Union
Exam Solutions Incorporated, whose
team has over two hundred and
forty years of National Credit
Union Administration experience.
We assist our clients with N C
U A so they save time and money.
If you are worried about a recent,
upcoming or in process N C U A
examination, reach out to learn how they
can assist at Mark Treichel DOT COM.
Also check out our other podcast called
With Flying Colors where we provide tips
on how to achieve success with N C U A.
And now the letter.
This Supervisory Letter discusses
how N C U A views enterprise risk
management (E R M) as one framework
for managing risk and N C U A's
supervisory expectations with regard to
credit unions' risk management programs.
Natural person credit unions
are not required to implement
a formal E R M framework.
However, credit unions are expected
to have sound processes sufficient
to manage the risk associated with
their business model and strategies.
This Supervisory Letter further
explains that distinction and outlines
what examiners should consider when
evaluating the overall effectiveness of
a credit union's risk management program.
1.
Introduction
This Supervisory Letter provides
examiners with an overview of the
concepts and principles of enterprise
risk management (E R M) as drawn from
contemporary risk management practices.
It also describes N C U A's supervisory
perspective on E R M and outlines
supervisory expectations regarding credit
unions' use of a formal E R M framework.
2.
What is Enterprise Risk
Management (E R M)?
Enterprise risk management is a
comprehensive risk-optimization
process that integrates risk
management across an organization.
An organization's board of directors
ultimately makes the decision to develop
and implement an E R M framework,
often with the goal of aligning
risk with strategic objectives.
E R M is not a process to eliminate
risk or to enforce risk limits, but
rather to encourage organizations to
take a broad look at all risk factors,
understand the interrelationships among
those factors, define an acceptable
level of risk, and continuously monitor
functional areas to ensure that the
defined risk threshold is maintained.
The Committee of Sponsoring Organizations
of the Treadway Commission (COSO)
defines E R M as a process that is:
• ongoing and applied
throughout an organization,
• effected by people at every
level of an organization,
• applied in strategy setting,
• takes an organization-level
portfolio view of risk,
• designed to identify potential events
that could affect the organization
and to manage risk within the
organization's risk appetite,
• able to provide reasonable assurance
to an organization's management
and board of directors, and
• geared to achieve objectives in one or
more separate but overlapping categories.
The enterprise-wide aspect of E R
M is what differentiates it most
fundamentally from more traditional
risk management approaches.
Many organizations, including credit
unions, traditionally have used internal
auditors to perform risk assessments and
to report their findings to executive
management and/or the Audit Committee.
Under this approach, risks are considered
and addressed individually, perhaps
without consideration of the strategic
implications these risks may impart or
how the risks interrelate to one another.
E R M reduces this silo effect and,
at the same time, ensures ongoing
communication with relevant stakeholders
(board, senior management, audit, etc.).
3.
Basic components of an E R M framework
There is no "off-the-shelf"
solution for organizations seeking
to launch an effective enterprise-wide
approach to risk management.
Rather, organizations can meet their
specific needs with various tailored
approaches that take into account their
complexity, resources, and expertise.
Credit unions that incorporate E R M into
their risk management infrastructure may
resource the program internally, through
paid consultants, or through a combination
of outsourced and internal resources.
N C U A does not view any approach as
preferable, provided core principles,
controls, and due diligence are properly
established within the organization.
That said, there are several basic
components of an E R M program
that likely will be evident at any
financial institution that pursues
an E R M approach to managing risk.
Because examiners are likely to encounter
one or more of these components in their
analysis of a credit union's operations,
they should be familiar with them.
The table on the following page outlines
these components (as identified in
the COSO framework), describes each,
and provides positive examples of
how each component might manifest
in a credit union's operations.
ERM Component: Established Risk Culture
Description of Established Risk Culture:
This is the "tone at the top" that
sets the basis for how risk is viewed
and addressed by an organization's
stakeholders at all levels.
The organization should define an
enterprise-wide philosophy for risk
management and risk appetite that
is grounded in integrity, ethical
values, and a good grasp of how
various stakeholders are affected
by the organization's decisions.
Positive Example of Established Risk Culture:
Consistent support for the E R M
framework throughout the organization,
from the Chairman's office to
staff members on the front lines.
ERM Component: Clear Objectives
Description of Clear Objectives:
An E R M program encourages management
to set clear strategic, operations,
reporting, and compliance objectives
that support and align with the
organization's mission and are
consistent with its risk appetite.
Positive Example of Clear Objectives:
Future objectives are reasonably
achieved without exceeding a
predetermined, stated risk tolerance.
ERM Component: Event Identification
Description of Event Identification:
The organization has identified internal
and external events affecting achievement
of objectives and has distinguished
its risks from its opportunities.
Positive Example of Event Identification:
For each uncertainty or potential
event, a "leading indicator" is created
along with parameters that would
trigger a risk management response.
ERM Component: Risk Assessment
Description of Risk Assessment:
The organization continuously analyzes
risk, considering the likelihood and
impact of various scenarios, and uses the
results of the analysis as a basis for
determining how to manage those risks.
Positive Example of Risk Assessment:
A risk "heat map" evolves from manager
surveys to determine priority of risks.
ERM Component: Risk Response
Description of Risk Response:
Management evaluates possible responses
to risks, selects a response (avoid,
accept, reduce, or share risk),
and develops a set of actions that
aligns risks with the organization's
risk tolerances and risk appetite.
Positive Examples of Risk Response:
Example one:
Management identifies the costs and
benefits for accepting each type of risk.
Example two:
The most relevant risk information
is centralized and reported timely,
in the right form, and to the right
people in order to make timely
and effective decisions about risk.
ERM Component: Control Activities
Description of Control Activities:
A set of policies and procedures
that is established and implemented
to help ensure that an organization
effectively responds to risks.
Positive Examples of Control Activities:
Example one:
Staff understands the differences
between risk avoidance, risk
reduction, risk sharing,
and risk acceptance.
Example two:
The senior manager responsible for
E R M oversight reports directly to
the board of directors or a board-
established committee that will assure
proper oversight and independence.
Example three:
The E R M program is independent of the
risk-taking and operational functions.
ERM Component: Information and Communication
Description of Information and Communication:
Relevant information is identified,
captured, and communicated in a form
and timeframe that enable stakeholders
to carry out their responsibilities.
Key information about strategy and
decisions is communicated clearly and
broadly throughout an organization.
Positive Examples of Information and Communication:
Example one:
All personnel receive a clear message
from top management that E R M
responsibilities are taken seriously.
Example two:
A robust and reliable
reporting regimen is evident.
ERM Component: Monitoring
Description of Monitoring:
The organization monitors, through
ongoing management activities
and/or separate evaluations, the
entirety of risk management and
makes modifications as necessary.
Positive Example of Monitoring:
Management reports performance
versus established risk limits.
4.
N C U A's supervisory perspective
Core E R M principles can be integrated
into the overall strategic planning
and organizational risk-management
infrastructure of credit unions of
all sizes and risk levels, and N
C U A encourages credit unions to
consider the benefits of doing so.
However, implementing a formal
E R M framework requires a
significant investment in
management, expertise, and systems.
N C U A recognizes that most credit
unions do not possess the size,
depth of resources, or range and
level of risk exposures to warrant
the significant investment necessary
to implement such a program.
Thus, N C U A requires that only
corporate credit unions develop
and follow a formal E R M policy.
E R M is not a regulatory requirement
for natural person credit unions.
When examining smaller, less complex
natural person credit unions, examiners
should ensure the risk management
framework is sufficient to manage
the major risks present in the credit
union's business strategy and objectives,
understanding it needs to reflect
a reasonable cost-benefit balance.
In large, complex natural person credit
unions, examiners should ensure the
credit union employs a comprehensive
risk management approach, which may or
may not include a formal E R M program.
While any weaknesses in a large credit
union's risk management processes will
be addressed as supervisory concerns,
examiners will not require credit
unions to adopt a formal E R M program.
More details about N C U A's supervisory
expectations with regard to risk
management programs are provided below.
5.
Addressing risk management in examinations
Part of the examiner's role is to gauge
the effectiveness of all risk management
programs against the identified and
perceived risk posture of the credit
union, the capability and commitment
of management toward a culture of risk
management, and the financial strength
of the credit union in relation to
individual and collective risk exposures.
In all cases, examiners are expected
to take a risk-based approach to
evaluating a credit union's risk
management processes by considering:
• the credit union's risk posture, risk
appetite, and risk management strategies;
• the depth and breadth of potential
exposures including the types of products
and services offered by the credit union;
• the strategic objectives and operational
policies, procedures, and controls
in relation to potential exposures;
• concentrations of risk;
• risk-mitigating factors;
• capability and resources of management;
• current and historical
performance management; and
• the financial strength of the credit union
in relation to assets and activities.
Examiners are expected to employ
the "total analysis process,"
which involves a comprehensive
(enterprise-wide) risk assessment.
This requires examiners to evaluate
the range of risks and level of
exposures, both financial and
nonfinancial, to determine whether
exposures are reasonable in relation
to operational controls, decision
support systems, policies, procedures,
internal controls, and capital.
Risks are then evaluated
individually and collectively.
Finally, examiners measure
that risk in relation to CAMEL
and the seven risk factors.
Examiners are expected to address
poorly managed or excessive risk by
addressing the underlying operational,
strategic, and managerial deficiencies
leading to unacceptable exposure.
A DOR may be issued outlining underlying
areas of unacceptable risk for which
management does not have an adequate
identification, measurement, monitoring,
control, and reporting structure.
N C U A views the absence of an
adequate risk management framework
(E R M or otherwise) consistent with
an institution's size, diversity,
and depth of risk exposures as a
failure in sound corporate governance,
and expects examiners to take
appropriate action consistent with
the severity of the deficiency.
6.
Conclusion
E R M is a broadly defined and
evolving concept that, at its core,
presents potential benefits to
larger, more complex credit unions.
Natural person credit unions are
encouraged to explore how E R M
might benefit their organization,
but are not required by regulation
or supervisory expectation to
implement a formal E R M process.
Examiners are encouraged to familiarize
themselves with the concept and basic
components of E R M to aid in their
evaluation of a credit union's ability
to identify, measure, monitor, and
control (i.e., manage) existing and
potential risks in their operations.
This concludes the Letter to credit
unions on the supervisory letter
on Enterprise Risk Management.
If your credit union could use assistance
with your exam, reach out to Mark Treichel
on LinkedIn, or at Mark Treichel dot com.
This is Samantha Shares and
we thank you for listening.
