Enterprise Risk Management Catalyst Corporate Credit Union 2012 Economic Forum October 23, 2012
Your Speaker David A. Reed Attorney at Law email@example.com (703) 675-9578 Reed & Jolly, PLLC Fairfax, VA
The contents of this presentation are intended to provide you with a general understanding of the subject matter. However, it is not intended to provide legal, accounting, or other professional advice and should not be relied on as such.
What is Enterprise Risk Management? Enterprise risk management is a process implemented by an entity’s board of directors, management and other personnel applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and to manage risk to be within the entity’s risk appetite to provide reasonable assurance regarding the achievement of entity objectives. (ERM Integrated Framework, COSO, September 2004)
Risk Management Process Source: Federal Reserve Board
The NCUA has stated repeatedly that the #1 cause of credit union failures is ineffective risk management.
What’s to Worry About? “NCUA is committed to proactively addressing safety and soundness problems at credit unions,” concluded Chairman Matz. “NCUA will continue to build on its current enforcement efforts in requiring credit unions to promptly correct problems at the earliest possible time. Consistent with GAO’s findings, NCUA will also continue to take steps to strengthen the effectiveness of our enforcement program, striving to develop new predictive PCA measures that identify emerging problems earlier and better protect the Share Insurance Fund from losses.” NCUA Press Release, 1/4/2012
Different Viewpoints • What an examiner may view as unacceptable risk, the credit union executive will more than likely view as a sound business strategy. • The higher the risk, the higher the reward.
What About Risk? • Risk is NOT a dirty word. It is a known element of our operations. • Risk assessments are an essential management and regulatory tool. • Risk is a simple game: • Identify it • Categorize it • Deal with it!
What Could Possibly Go Wrong? • Loan demand • Litigation • Regulation • Competition • Natural disaster • Pandemics • Zombies • Taxation • Interest rates • EU collapse • Consumer fads • Fraud • UFO • Expenses • Staffing • Technology
7 Major Risk Categories • Credit • Interest Rate • Liquidity • Transaction • Compliance • Strategic • Reputation
The Three R’s Risk Recognition and Reaction
ERM Goals & Benefits • Measurement of risk at all levels • Assign accountability and responsibility • Understanding the interdependency of organizational risks • Managing business partner relationships • Managed risk brings lower costs • Improve confidence in operational and financial integrity • Keeps the credit union on course
Getting Started • Traditionally, credit unions have approached risk management in a fragmented and inconsistent manner. • An enterprise view of risk management is more likely to bring consistency in identification and control of risk across the enterprise. • Risk management itself is not a new discipline, but the concept of measuring and controlling risk across the organization is. This broad and coordinated view of risk management is what ERM is all about.
Risk Management Team • Harness the expertise of your operational leaders to showcase your compliance, risk management and sound business strategies. • Experience reveals that the examiners are increasingly likely to engage more members of your staff during the process. • To keep the process organized, choose one person as the central point of access, but allow your inside experts to explain your individual operational strategies to the examiner.
It All Starts Here The risk assessment should be considered the foundation of a risk management program. Without a comprehensive risk analysis of its business, it is highly unlikely that a credit union can design an effective program well suited to manage the risks of that particular institution.
AIRES Questionnaires • Automated Integrated Regulatory Examination System • These are the examination questions the examiner will work through for each operational area • A great resource for planning and preparation: review them before the examination and be ready to show the control and the evidence behind each answer
Wash, Rinse, Repeat … • Risk assessments are a dynamic process and should be a regular component of a broader risk management strategy. • Needs to be reviewed and revised (if necessary) regularly.
Developing an ERM Approach • Develop a process to identify, assess and manage significant risks to strategic objectives • Establish and define roles and responsibilities • Establish a centralized risk management area to: facilitate enterprise risk management; perform aggregate risk analysis; develop and provide reports and reporting tools • Engage all business areas
The Next Step • Once it is understood through our Enterprise-wide Risk Assessment process how the credit union’s business processes and compliance areas rank in terms of potential risk, management can begin the process of allocating/budgeting available resources (internal audit and co-sourcing) to the areas of greatest potential risk. • Such resources should be directed to conducting “focused risk assessments” of specific business processes and compliance areas with the objectives of: 1) Evaluating the controls design 2) Testing the effectiveness of controls
Governance – Risk Policy Committee Mission: • Develop and implement risk management strategy, policies, methodologies and governance • Serve as a forum for risk-related discussions Responsibilities: • Periodically review the risk profile of the credit union’s most significant risks • Vet and address risk-related issues at committee meetings • Make risk-related recommendations • Evaluate effectiveness of risk infrastructure • Ensure risk owners are designated on a timely basis for all significant risks
FRBC Risk Assessment Map Source: Federal Reserve Board
Possible Risk Responses • Mitigate/reduce the risk. Through the implementation of controls, risks can be reduced to an acceptable level. (e.g., strong loan underwriting and dealer management controls for indirect lending) • Avoid the risk. This involves making the appropriate business decisions so that the risk is not taken. It means saying no to something, whether a new vendor, product, system, or relationship. (e.g., funding a large scale commercial development project) • Accept the risk. There is always an option to accept the risk – to view it as the cost of doing business. Further, some risks need to be taken and cannot be cost effectively mitigated or transferred. (e.g., risk-based lending) • Transfer/insure the risk. This means establishing an agreement, securitization or some sort of insurance that transfers the risk to a third party. (e.g., participation loans sold)
Risk Assessment & Response 1) Identification of significant vulnerabilities 2) Assessment of inherent severity (impact/likelihood) 3) Control assessment (effective/efficient) 4) Gap analysis (current degree of mitigation) 5) Residual risk severity (impact/likelihood) 6) Response (reduce, share, accept, avoid) 7) Action plan 8) Monitoring against defined risk indicators and thresholds Source: Federal Reserve Board
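The flow above (inherent severity, control assessment, gap, residual severity, response, indicator monitoring) is easier to run than to read. The following is an added illustration and is not from the presentation or the Federal Reserve material it cites: a small risk register that scores each risk, derives the residual severity from the current degree of mitigation, picks one of the four responses from slide "Possible Risk Responses" against a stated risk appetite, and rates key risk indicators against warning and limit thresholds. The 1–5 impact/likelihood scale, the 0–1 control-effectiveness factor, the residual-score appetite, and every register entry, indicator and reading are assumptions made for the example.

```python
"""Risk register worked example (added illustration, not from the presentation).

Assumed scales: impact and likelihood 1..5, control effectiveness 0.0..1.0,
risk appetite expressed as a maximum acceptable residual score.
All register entries, indicators and readings below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    impact: int                  # 1 (negligible) .. 5 (severe)      [assumed scale]
    likelihood: int              # 1 (rare) .. 5 (almost certain)    [assumed scale]
    control_effectiveness: float  # 0.0 (no mitigation) .. 1.0 (fully mitigated)
    further_controls_available: bool = True  # can the gap still be closed by controls?
    transferable: bool = False               # can it be insured, sold or shared?


@dataclass
class Indicator:
    name: str
    warning: float          # amber threshold (management attention)
    limit: float            # red threshold (board-approved limit)
    higher_is_worse: bool = True


def inherent_score(r: Risk) -> int:
    """Inherent severity before any controls: impact x likelihood."""
    return r.impact * r.likelihood


def residual_score(r: Risk) -> float:
    """Severity left after existing controls (the current degree of mitigation)."""
    if not 0.0 <= r.control_effectiveness <= 1.0:
        raise ValueError(f"{r.name}: control effectiveness must be in [0, 1]")
    return round(inherent_score(r) * (1.0 - r.control_effectiveness), 2)


def mitigation_gap(r: Risk) -> float:
    """How much severity the current controls already remove (gap analysis)."""
    return round(inherent_score(r) - residual_score(r), 2)


def recommend_response(r: Risk, appetite: float) -> str:
    """Map residual severity to accept / transfer / reduce / avoid (assumed decision order)."""
    if residual_score(r) <= appetite:
        return "Accept"            # within appetite: cost of doing business
    if r.transferable:
        return "Transfer"          # insurance, securitization, participations sold
    if r.further_controls_available:
        return "Reduce"            # add controls until residual is within appetite
    return "Avoid"                 # cannot be mitigated or transferred: say no


def assess_register(register, appetite):
    """Return one row per risk, highest residual severity first."""
    return [
        {"risk": r.name, "inherent": inherent_score(r), "residual": residual_score(r),
         "gap": mitigation_gap(r), "response": recommend_response(r, appetite)}
        for r in sorted(register, key=residual_score, reverse=True)
    ]


def indicator_status(ind: Indicator, value: float) -> str:
    """Rate a key risk indicator reading green / amber / red against its thresholds."""
    if ind.higher_is_worse:
        if value >= ind.limit:
            return "red"
        return "amber" if value >= ind.warning else "green"
    if value <= ind.limit:
        return "red"
    return "amber" if value <= ind.warning else "green"


def monitor(indicators, readings):
    """Evaluate every defined indicator against the latest reading."""
    return {ind.name: indicator_status(ind, readings[ind.name]) for ind in indicators}


# Constructed sample register (not real credit union data).
REGISTER = [
    Risk("Indirect lending dealer fraud", impact=4, likelihood=4, control_effectiveness=0.25),
    Risk("Participation loan credit exposure", 3, 4, 0.20, transferable=True),
    Risk("Large-scale commercial development project", 5, 4, 0.30,
         further_controls_available=False),
    Risk("Risk-based lending", 3, 3, 0.50),
]
RISK_APPETITE = 8.0   # assumed maximum acceptable residual score

INDICATORS = [
    Indicator("Indirect loan delinquency (%)", warning=2.0, limit=3.5),
    Indicator("Liquidity ratio (%)", warning=15.0, limit=10.0, higher_is_worse=False),
    Indicator("Net worth ratio (%)", warning=8.0, limit=7.0, higher_is_worse=False),
]
READINGS = {"Indirect loan delinquency (%)": 2.6, "Liquidity ratio (%)": 8.0,
            "Net worth ratio (%)": 9.4}

if __name__ == "__main__":
    for row in assess_register(REGISTER, RISK_APPETITE):
        print(row)
    for name, status in monitor(INDICATORS, READINGS).items():
        print(f"{name}: {status}")
```

The decision order in `recommend_response` (accept if within appetite, otherwise transfer, reduce, avoid) is one defensible ordering, not the only one; the point is that the response is derived from the residual score and the stated appetite, and both are recorded, which is what the "document it" rule on the closing slide asks for.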
Basic Rule It is NOT enough to just do it anymore, you must document it. What does your risk management system look like?