
Enterprise Risk Management
How Does ERM Apply to Your Credit Union?

Presented by
Louise Hanson, Partner, Moss Adams LLP
Shannon Haas, Senior Manager, Moss Adams LLP

MOSS ADAMS AT A GLANCE

- Full-service public accounting firm with assurance, tax, and consulting services for middle-market public and private companies
- Largest accounting firm headquartered in the West and one of the 15 largest in the United States
- 21 offices in California, Arizona, New Mexico, Oregon, Washington and Kansas
- More than 230 partners and over 1,800 staff
- Founded in 1913 and headquartered in Seattle, Washington
- A founding member of Praxity, a global alliance of accounting firms
- We are the 4th largest firm servicing credit unions in the nation (based on assets)

TODAY'S DISCUSSION OBJECTIVES

- What is Enterprise Risk Management? An overview of ERM
- What is driving ERM?
- ERM & the regulators
- How ERM can benefit my institution
- How my institution can build an ERM strategy: implementation overview
  o Phase 1 - Planning
  o Phase 2 - Implementing the plan
  o Phase 3 - Refining
- Summary

WHAT IS ENTERPRISE RISK MANAGEMENT (ERM)?

QUESTIONS TO PONDER

- In today's credit union environment, what risks or "watch-out-fors" would you suggest directors, supervisory committees (or even executive management) focus on?
- What would you be looking for in Board report packages today?
- Do we understand these issues well enough to report on them appropriately in each of our credit unions today?

AT THE CORE

- What is the nature of banking?
  Risk management
- What should credit unions be doing?
  Intermediate risks for members and borrowers
- What are directors expected to do?
  Create & protect member funds and opportunities
  Governance process and risk policies
- How are risks portrayed in an institution?
  Via financial statements
  Via processes

ENTERPRISE RISK MANAGEMENT

"The decline and ultimate failure of some great companies has been a historical fact. But such decline is not inevitable. Rather, it results when corporate leaders (CEOs and directors alike) don't anticipate and deal with the long-term threats facing their companies."
Harvard Business Review (5/08), Leading from the Boardroom

WHAT IS ENTERPRISE RISK MANAGEMENT?

"Enterprise risk management (ERM) is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."
The Committee of Sponsoring Organizations (COSO) of the Treadway Commission (Sept. 2004)

WHAT IS ERM?

- A structured, consistent, and continuous risk management process that is applied across the entire organization
- Identifies, assesses, prioritizes, and manages the internal and external risks that impact the organization
- Driven by a decision-support process that is aligned with the management and execution of strategic objectives
- Enhanced by the assignment of roles and responsibilities, reporting and communication, policies and procedures, and adoption of a risk-based culture

[Diagram: Business Objectives at the center of a cycle of Identify & Assess; Measure, Monitor & Report; and Planning & Management]

ENTERPRISE RISK MANAGEMENT

WHAT MIGHT GET IN THE WAY OF MY DUTY TO DELIVER VALUE AND PROTECT THE MEMBERS?

Risk
The potential that events, expected or unanticipated, may have an adverse impact on capital or earnings.

Risk Management
The employment of systems and processes to manage the critical trade-off between risk and return in financial decision-making.

Enterprise-Wide Risk Management
The formal mechanism or structure for managing risks across the entire institution on an integrated basis.

ENTERPRISE RISK MANAGEMENT (ERM) COMPONENTS

Keys to a good ERM program must include:

- Risk Identification
  What are our key risks?
  What level of risk are we willing to allow/accept (risk appetite)?
- Risk Measurement
  Risk measurement models (ALM, credit stress)
  Guidelines and quantification tools (credit risk classification, operational and credit losses)

ENTERPRISE RISK MANAGEMENT (ERM) COMPONENTS

- Risk Control
  Policies (required and best practice)
  System of risk limitations
  Authorities and oversight systems
- Risk Monitoring
  System of risk reporting: key measurements
  Board-driven assessments (internal and external audits, monitoring reports)
  Management self-assessments (management-generated reporting against pre-set standards)

IN A NUTSHELL

ERM is a process for managing and controlling risks across an entire organization, both within and across business lines and legal entities.

WHAT'S DRIVING ERM?

WHAT'S DRIVING ERM? - ENVIRONMENTAL

- Growing size and organizational structure
- Increasing diversity of business lines and complexity of products
- Increasing number of regulations
- Increasingly competitive marketplace: ERM can be the key for how to win

WHAT'S DRIVING ERM? - INSTITUTIONAL

- Fragmented or silo risk management efforts fail to recognize interrelationships of risk across businesses or products
- Lack of aggregation of common risks and reporting fails to keep Board and management informed of organization-wide risks
- Lack of attention to how risks are correlated fails to identify how loans, securities, businesses, etc. might be affected by common factors and create large exposures

POST DOWNTURN, ERM IS MORE IMPORTANT THAN EVER

- Bankers, regulators, investors, members and counterparties will not soon forget the near-collapse in late 2008
- So far, the new era in financial services is a very strong emphasis on safety and risk management
- Those who can demonstrate superior risk management will have a competitive advantage
  Greater opportunities in the market due to goodwill from regulators and investors
  More and better members

Key ERM implementation challenges for most credit unions:
- Culture
- Right expertise
- Data and measurement
- Transparency/reporting

DRIVERS OF ERM - A SUMMARY

- Board of Directors: demand increased financial disclosure and transparency
- Members as stakeholders: demand evidence that management understands and manages risk
- Regulators/rating agencies: seek assurance around compliance and risk assessment processes
- Activists: demand social awareness, safety & environmental consciousness
- Members as customers: make decisions based on differentiating factors
- Peers: comparison with others drives industry-wide practice
- Competitors: push innovation, drive leadership

ENTERPRISE RISK MANAGEMENT AND THE REGULATORS

REGULATORY EXPECTATIONS FOR ERM

ERM STARTS WITH THE FUNDAMENTALS OF STRONG RISK MANAGEMENT:

- Active Board and senior management oversight
- Adequate policies, procedures, and limits
- Adequate risk measurement, monitoring, and MIS
- Comprehensive internal controls

From Rating the Adequacy of Risk Management Processes and Internal Controls at State Member Banks and Bank Holding Companies (SR95-51 (SUP))

NCUA ERM GUIDANCE

NCUA advises that an effective system of Enterprise Risk Management includes consideration of:
- Market condition
- Field of membership
- Credit union structure
- Size
- Complexity
- Geographic diversity

INCREASING EMPHASIS ON ERM - PERSPECTIVE

Basel Committee's Core Principles for Effective Banking Supervision (2006)
Principle 7 - Risk management process: Supervisors must be satisfied that banks and banking groups have in place a comprehensive risk management process (including Board and senior management oversight) to identify, evaluate, monitor, and control or mitigate all material risks and to assess their overall capital adequacy in relation to their risk profile. These processes should be commensurate with the size and complexity of the organization.
http://www.bis.org/publ/bcbs129.pdf

Principles for Effective Operational Risk Management (2003)
http://www.bis.org/publ/bcbs96.pdf

Principles for Sound Liquidity Risk Management and Supervision (Sept. 2008)
http://www.bis.org/publ/bcbs144.pdf

PRINCIPLES OF EFFECTIVE OPERATIONAL RISK MANAGEMENT (BASEL COMMITTEE ON BANKING SUPERVISION)

1. Board should approve and periodically review the Operating Risk Framework.
2. Board should ensure that the Framework is subject to independent, competent audit staff review.
3. Senior management is responsible for implementation.
4. Process to identify and assess operational risk inherent in products, activities, processes and systems.
5. Process to monitor operational risk profiles and material exposure to losses.

PRINCIPLES OF EFFECTIVE OPERATIONAL RISK MANAGEMENT (BASEL COMMITTEE ON BANKING SUPERVISION)

6. Policies, processes and procedures should exist to control and/or mitigate material operational risks.
7. A contingency and business continuity plan should exist.
8. The regulators should require that all banks, regardless of size, have an effective framework in place to identify, assess, monitor and control/mitigate material operational risk as part of an overall approach to risk management.
9. Regulators should conduct regular, independent evaluation of banks' policies, procedures and practices related to operational risks.
10. Banks should make sufficient public disclosure to allow market participants to assess their approach to operational risk management.

IT TAKES 3 TO FLY THIS PLANE

[Diagram: three functions plotted against time & activities]
- Audit - Past - "Do we do as we say?"
- Compliance - Present - "Are we in compliance?"
- Risk - Future - "What can go wrong?"

- The Risk Manager looks through the cockpit window to identify and assess current threats and future risks to the flight path and plane, and glances at the gauges for reassurance
- The Compliance Manager assists the pilot in maintaining the proper flight path and plane operating procedures by using the manual and FAA regulations
- The Auditor uses the cockpit gauges and controls to inform the pilot of how the plane is operating relative to its predetermined flight path

IN SUMMARY

- Boards of Directors/Supervisory Committees are responsible for ensuring that their credit unions are managed in a safe and sound manner. (This hasn't changed.)
- In today's environment (and increasingly in the future), safety and soundness means that risks need to be well managed given the credit union's risk environment and business model.
- You need to be able to answer "Yes" to this regulator question: Do you have a program that appropriately identifies emerging risks in a timely manner?
- Therefore: Safety/Soundness = Risk Management
- Consequently, the foundation for modern corporate governance is Enterprise Risk Management.

BENEFITS OF ERM

ORGANIZATIONAL GOALS OF ERM

- Protect/enhance members' funds and opportunities
- Link strategy and risk profile
- Recognize and manage integrated/cross-organizational risks
- Enhance risk-based decisions
- Capital management/preservation
- Seize opportunities
- Disciplined culture

For a director/committee member, do these sound familiar?

BENEFITS OF ENTERPRISE RISK MANAGEMENT

- Enhances integrated decision-making: better deal with the risk from growth, mergers, new products, etc.
- Better align risk and strategy.
- Framework for identifying enhanced return opportunities and improved risk mitigation.
- Improve deployment of capital resources: allocating capital to business areas to achieve superior risk returns (RAROC).
- Credibility and confidence in governance and risk management: members, regulators, external auditors.
- Anticipate risk: seize opportunities / minimize cost.
- Improved understanding and management of interactions and interrelationships between risks.
- Clear accountability and ownership of risk.
- Regulatory compliance with safety and soundness guidelines; foundation for a strong internal control environment.

BENEFITS OF ENTERPRISE RISK MANAGEMENT (CONTINUED)

All the previous positively impact:
- Protection of capital.
- Enhancement of earnings.
- Reduction of losses (fraud, credit, operational).
- Greater efficiency in process flows.
- Better defined / more efficient internal audit programs.
- Better understanding of the effect of market movements.

WHAT WE ARE OBSERVING: INDUSTRY ERM THEMES SO FAR FOR 2012+

- ERM
  Managing an acquisition (valuation, financial integration, change in risk profile, culture, data integration, etc.)
  Model validation
  Incentive programs that incorporate risk and are better aligned with organizational performance
- Compliance and regulatory
  Regulatory reform outcomes
  Stress testing
  Compliance: fair lending, BSA, AML
- Credit
  Provision and reserve going forward
  Growing the loan portfolio
  Diversifying away from risk concentrations in the portfolio
- Market risk
  The investments portfolio: understanding the risks going forward
  Interest rate risk management

BUILDING AN ERM STRATEGY: IMPLEMENTATION OVERVIEW

ERM IMPLEMENTATION PHASES

[Diagram: gradual evolution of the process, from "Compliance and Prevention" through "Operating Performance" to "Enhanced Member Benefits" under Strategic ERM. The stages build on each other: detective controls and processes; preventative controls and processes; proactive planning and improvement.]

GRADUAL EVOLUTION OF THE PROCESS

DEVELOPING ERM CAPABILITIES IS AN EVOLUTION, NOT AN EVENT

Add capabilities as risk/complexity are added

LET'S DO A QUICK SELF-ASSESSMENT

- Go to the separate handout
- Complete the Risk Oversight Self-Assessment survey
- There are no right or wrong answers
- Try to objectively answer each question for a credit union you have in mind

SELF-ASSESSMENT - IMPLICATIONS

Q 1-12 | Q 13-28 | Implications
Yes | No | Lots of focus on strategic planning, lots of risks, but few risk management processes
Yes | Yes | Strategic planning and risk management are reasonably integrated and the organization is making great ERM progress
No | Yes | Few perceived strategic risks but overspending on ERM processes
No | No | Few perceived risks, but no system to be sure or to identify risks/opportunities

LINKING ERM TO STRATEGY

[Diagram: maturity level (low to high) plotted against time. The stages, in order of increasing maturity: Compliance/Monitoring; Loss Minimization; Risk Measurement; Risk Management; Risk vs. Return Optimization; Strategic Integration. Risk appetite is articulated at the upper levels.]

ERM STRENGTHENING FOCUS ON STRATEGIC RISK EXPOSURES

[Diagram: Profitability decomposed into Increased Revenues (Increased Loan Yield (Rate & Volume); Noninterest Income Products) and Expense Savings (Reduce Head Count; Other Cost Savings Measures; Vendor Mgmt.). Each leaf is tagged with "Risk Drivers" and "Risk Metrics?", i.e. for each strategic lever, what drives the risk and how is it measured.]

THE MOSS ADAMS PHASES TO ERM IMPLEMENTATION

- STEP 1 - PLANNING (a.k.a., putting your best foot forward, knowing the process isn't going to be perfect because it's a new area of focus, and every institution is unique)
- STEP 2 - IMPLEMENTING (a.k.a., executing on your plan, making slight adjustments as needed; saving significant revisions to the process for the refining stage)
- STEP 3 - REFINING (a.k.a., fixing what needs to be fixed and/or what wasn't addressed after implementing your plan)

A simple 3-step process for getting your ERM program off the ground

ERM IMPLEMENTATION PHASE 1 - PLANNING

BUILDING YOUR ERM ROADMAP/IMPLEMENTATION PLAN: STEP #1 - PLANNING

A. Gain Board/Committee/Executive level support - tone at the top might be the single biggest factor in being successful at implementing; start to build consensus/buy-in
B. Revisit/review your strategic plan - the ERM vision should be aligned with your organization's size/complexity
C. Start thinking about how you are going to identify (and categorize) risk

TIPS:
- Define plan owners, roles and responsibilities for execution, timelines, resource alignment
- Prioritize key tasks; look for up-front, early wins
- Utilize existing management structures
- Think about existing organizational design/structure
- Other: degree of alignment with finance, specific control tools, etc.?
- Start to build consensus among key internal and external parties (including regulators*)
- Preliminary risk assessment work on the completeness of the risks inventory
- Look for risk concentrations
- Understand management's current risk activities: functions, controls, what is tracked, who does it, etc.

TONE AT THE TOP & CULTURE

It's that CULTURE thing!!
- Mutual expectations, respect, reliance
- Model the standard
- Legally: duty of loyalty and care
- Business judgment
- Disclosure / transparency
- Open communications, debate
- Brainstorm risks at various management levels: what risk is coming around the corner?
- Welcome the messenger
- Welcome dumb questions
- Draft policies

ERM POLICY

- Policy Statement
- Purpose/objectives
  o Integrated management of risk
  o Governance of risk oversight
  o Independent review and monitoring
  o Best practice risk control
- Responsibilities
  o Board of Directors
  o Supervisory Committee
  o Board Risk Committee
  o Management Risk Committee
  o CEO
  o CRO
  o Internal Auditor
  o Department Heads
- Risk metrics and tools
  o Risk assessments
  o Measures
  o Controls & monitoring
  o Risk response
  o Communication & reporting
  o Policy exceptions
- Risk categories
- ERM process
- Policy guidelines/limits

ERM CHARTER

- Purpose/objectives: Board/Committee delegation to:
  o Identify and manage risks
  o Adhere to policies
- Committee members and chair
- Chief Risk Officer direct report
- Meetings
- Full Board reporting
- Duties and responsibilities
  o Supervisory Committee interaction
  o Oversight of management risk committees
- Performance evaluation
- Committee resources

ERM IS A SHARED RESPONSIBILITY: TYPICAL ROLES/NEEDS

- Board of Directors
  - Governance
  - Reputational risk
  - Board training
- CEO/COO
  - Business risk
  - Execution risk
  - Strategy/mergers
- CRO (larger institutions)
  - ERM roadmap
  - Policies/limits/appetite
  - Risk quantification
  - Dashboards
- CFO
  - Internal controls
  - Economic capital
  - Performance measurement
- Functional risk managers / delegated responsibilities:
  - Credit risk
  - Market risk
  - Interest rate risk
  - Operational risk
  - Compliance risk
  - Technology risk
  - Etc.

A VISION FOR ERM IS FUNDAMENTALLY LINKED TO STRATEGIC GOALS FOR YOUR ORGANIZATION

- What are your core competencies? What is your market? What does your credit union want to be? Who are your members?
- What are your return goals? (Risk vs. reward = credit & IRR; capital adequacy; regulatory; fraud; other?)
- Identify risks to your credit union: what risks do you take on to generate these returns? Focus on key risks.
  o Credit risks in lending?
  o Credit risks in your investments portfolio?
  o Market risks through interest rates?
  o Market risks through your investments portfolio?
  o Operational risks through providing processing/cash management services?
  o Compliance risks in highly regulated markets?
  o Other?
- How much of each risk type will you take on? Is your level of risk appropriate given your return goals (risk appetite)? Do you have sufficient capital and liquidity to support these risks?

ERM RISK COMPONENTS

- Credit risk and market risk are typically called financial risks; return and risk are usually directly correlated here
  o Greater risk will lead to higher returns in the long run, but will also result in significantly greater earnings volatility and require much more capital.
  o A risk appetite is needed to decide how much risk and what types of risk are appropriate
- Operational risks can also be financial risks, but the risk/return relationship can be very different
  o Some operational risks, such as regulatory and compliance concerns, are not related to returns; they are only protection against future loss, or are a cost of doing business
  o Fee-based businesses such as payment processing are operational-risk-driven businesses with a direct relation to returns
- Regardless of the risk type, ERM practices can enable management and the board to:
  o Develop a consolidated view of their risk profile across all risk types and understand hot spots
  o Measure risk exposure using quantitative and qualitative methods
  o Set a risk appetite and manage to it

REGULATORY RISK CATEGORIES (RISKS EXAMPLE 1)

NCUA Risk Categories | Fed Risk Categories | FHLB Risk Categories
Credit Risk | Credit Risk | Credit Risk
Interest Rate Risk | Market Risk | Market Risk
Liquidity Risk | Liquidity Risk | Operational Risk
Transaction Risk | Operational Risk | Business Risk
Compliance Risk | Legal Risk | Liquidity Risk
Strategic Risk | Reputational Risk |
Reputation Risk | |

REGULATORY CAPITAL RULES HAVE CREATED A FRAMEWORK FOR CLASSIFICATION OF RISK TYPES (RISKS EXAMPLE 2)

Risk Type | Definition
Credit Risk | Loss due to a borrower's inability to meet its financial obligations; loss due to change in a borrower's credit quality
Market Risk | Loss due to change in market value of traded positions; loss due to impact of changes in cost to close accrual positions (primarily interest rate risk)
Operational Risk | Loss resulting from inadequate or failed internal processes, people and systems, or from external events. The definition includes legal risk. The definition does not include strategic or reputational risks.

MANY INSTITUTIONS HAVE ADOPTED THESE DEFINITIONS FOR A FUNCTIONAL ERM STRUCTURE (RISKS EXAMPLE 2.1)

Enterprise Risk Management Functional Structure (Not Organizational Structure)

- Credit Risk
  o Commercial
  o Retail
  o Counterparty
- Market Risk
  o Change in fair value
  o Interest rate risk
  o Currency risk
  o Liquidity risk
- Operational Risk
  o Compliance risk
  o Internal and external fraud
  o Business process failure
  o HR
  o Litigation
  o Data security
  o Technology/systems
  o Natural disaster
  o Etc.

Other risk category possibilities: business, strategic, concentrations, reputation, etc.

ERM IMPLEMENTATION PHASE 2 - IMPLEMENTING THE PLAN

BUILDING YOUR ERM ROADMAP/IMPLEMENTATION PLAN: STEP #2 - IMPLEMENTING

A. Identify and prioritize the RISKS
   - Keep it to the TOP 5 for in-depth Board reporting
   - Additional risks can be identified and listed, but don't take away the focus from the Top 5
B. Simultaneously adopt a preliminary risk framework and conceptualize simple reporting
C. Identify gaps in the process and start to analyze (but don't let them slow you down!)

TIPS:
- Identify strengths and weaknesses in the existing risk management function
- Re-align existing capabilities with where you need to get to
- Scope: risk controls, information technology, culture, expertise, policies, risk quantification, reporting/transparency

ERM IMPLEMENTATION - THINK ABOUT RISK AWARENESS

Difficult process: 3 levels of risk awareness
- Known: you lend money to various parties and someone isn't going to pay (credit risk)
- Unknown, but knowable: e.g., flood or other natural disaster that isn't unusual for the area
- Unknown, unknowable: would not ever know in advance, but is there a plan I can have if something takes me out of what I do?

This helps you to think beyond the everyday risks.

FOCUS ON KEY ENTERPRISE RISKS

- Risk issues that are most significant and deserve the attention of executive management and the Board.
- Issues identified through the risk assessment process within each functional risk area.
- Escalated to upper levels with mitigation and action plans presented.

ERM IMPLEMENTATION - RISK ASSESSMENT

Ask each Board member: with our credit union's business model in mind, what are the Top 5 emerging risks?
1. _________________________________________
2. _________________________________________
3. _________________________________________
4. _________________________________________
5. _________________________________________

- Ask management the same question. Will the results be similar?
- How often do the Board and senior management engage in explicit discussions about risk?
- Reminder: addressing risk in an advanced ERM process becomes strategic instead of defensive

RISK ASSESSMENT (CONTINUED)

For identified risk events:
- What is the time frame to consider?
- How likely is the event to occur?
- What would be the impact?
  o On financial goals (cash flow, capital, reported earnings)
  o On operational goals
  o On reputation/brand
- Inherent vs. residual risks?

ONE COMPLICATION: INHERENT VS. RESIDUAL RISK

What risks are we assessing?
- Ignore the response to start: there is a tendency to overvalue controls. "100% under control" is a red flag; nothing is foolproof.
- Inherent risk: risk to an entity in the absence of any actions management might take to alter either the risk's likelihood or impact
- Residual risk: risk that remains after management responds to the risk identified
- Back to some risk assessment examples.

RISK CATEGORIES WITHIN ERM (RISKS EXAMPLE #3)

- Strategic: Product Offering; Merger & Acquisition; Competition; Revenue Growth; Profitability; Capital
- Credit: Payment Default; Loan Concentration; Loan Quality; Collateral Valuation
- Interest Rate: Interest Rates; Yield Curve; Investment Volatility; Foreign Exchange
- Liquidity: Funding Sources; On/Off Balance Sheet; Contingency
- Reputation: Image & Branding; Employee Relations; Customer Relations; Regulatory Relations; Public Relations; Shareholder Relations
- Operational: ID Theft & Fraud; Security & Privacy; Business Continuity; Physical Security; Vendors; Process Errors; Financial Reporting
- Compliance: Consumer; Member; Business; Fiduciary; Money Laundering
- Legal: Employment Law; Contracts; Intellectual Property; Litigation

ABC INSTITUTION - SIMPLE ENTERPRISE RISK ASSESSMENT EXAMPLE (RISKS EXAMPLE #4)

RISK MANAGEMENT CONTINUUM

- Reactive
  o Lack of Board or senior management emphasis on risk
  o No common risk lingo
  o Stove-pipe risk management
  o Ad hoc approach
  o Missing coverage of risk areas
- Aware
  o Some Board and senior management support
  o Risk leader identified
  o Key risks defined in common vocabulary
  o Recognized need for ERM
- Strategic (the goal)
  o Proactive Board and senior management involvement
  o Risk managed and assessed across the entire organization
  o Common language and approach used and understood
  o Periodic risk profiling
  o Real-time analysis of the risk portfolio (real-time KRIs)

Most companies straddle Reactive and Aware.

RISK ASSESSMENT CYCLE

[Diagram: a cycle of risk assessment steps feeding management certification and the Board of Directors]
- Identify risk & controls
- Assess exposures and control effectiveness
- Determine corrective action(s) (track project & task priority, status, due dates, hours)
- Test controls (record testing scope, conclusion and recommendation(s))
- Management certification
- Board of Directors: report; reassess risks & ratings (shows a snapshot of the pulse of enterprise risk management at a glance)

GOVERNANCE AND MANAGEMENT STRUCTURE - RISK VIEW

Risk Categories | Board of Directors | Risk Management Policies | Senior Management Committees | Senior Management Officers
Credit Risk | Board Credit Committee | Credit Policy | Executive Loan Committee | Chief Credit Officer
Interest Rate Risk; Liquidity Risk | Finance Committee | Funds Management Policy | ALCO | Chief Financial Officer
Operational Risk; Information Technology Risk | Supervisory Committee* | Operational Risk Policy; IT Policies | Technology Steering Committee; Security & Cont. Plan & Mgt. Committees | Chief Information Officer; Senior Operations Officer
Human Capital | Ethics Committee | Human Capital Risk Policy | HR/Compensation Committee | SVP, Human Resources
Compliance Risk; Legal Risk | BSA/Compliance Committee | Compliance Program; Legal Policy | Management Committee | Director of Regulatory Risk Mgt.; Legal Director
Strategic Risk; Reputation Risk | Strategic Planning Committee | Strategic Risk Policy; Reputation Risk Policy | | Chief Risk Officer
ERM | Supervisory Committee* | ERM Policy; Internal Audit Charter | Management Committee; Enterprise Risk Management Committee | Chief Risk Officer

*Supervisory Committee: sole committee composed of strictly outside individuals

ASSESSED RISK REPORTING: RISK MAPPING

- Heat maps are a valuable tool for communicating/reporting risks
- Chart both likelihood/probability and severity/impact

HEAT MAP PORTRAYAL OF INHERENT RISKS

[Heat map figure: Impact (Severity) on the vertical axis, Likelihood (Probability of Occurrence) on the horizontal axis. Numbered risk events (1 through 10) are plotted as points and shaded by mitigation status: Risk Not Mitigated, Marginal Mitigation, Sufficient/Acceptable. A legend lists Risk Events 1-5 with blank lines to fill in.]
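The heat map above plots each risk by likelihood and impact and shades it by how well it is mitigated; the earlier slides ask you to score inherent risk before crediting any controls and to keep in-depth Board reporting to the Top 5. The following Python risk register is an added example, not part of the Moss Adams deck: it scores inherent and residual risk on a 1-5 likelihood/impact scale, refuses a control claimed to be 100% effective (the "nothing is foolproof" red flag), buckets each event into the three mitigation bands of the heat map, and ranks the Top 5 on either basis. The 1-5 scales, the band thresholds and the sample risk events are constructed assumptions for the example.

```python
from dataclasses import dataclass

# Constructed 1-5 likelihood/impact scales and mitigation bands, assumed
# for this example; the deck shows the axes but not the scale values.

@dataclass(frozen=True)
class RiskEvent:
    name: str
    category: str          # e.g. Credit, Interest Rate, Operational, Compliance
    likelihood: int        # 1 (rare) .. 5 (almost certain), before any controls
    impact: int            # 1 (minor) .. 5 (severe), before any controls
    control_effect: float  # share of inherent exposure removed by controls, 0.0..0.9

    def __post_init__(self) -> None:
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.name}: likelihood and impact must be 1..5")
        # "Nothing is foolproof": a control claimed to remove 100% of a risk
        # is the red flag the deck warns about, so the register refuses it.
        if not 0.0 <= self.control_effect <= 0.9:
            raise ValueError(f"{self.name}: control effect must be 0.0..0.9")

    def inherent_score(self) -> int:
        """Risk before management's response: likelihood x impact."""
        return self.likelihood * self.impact

    def residual_score(self) -> float:
        """Risk that remains after the controls in place are credited."""
        return round(self.inherent_score() * (1.0 - self.control_effect), 1)


def mitigation_band(event: RiskEvent) -> str:
    """Heat-map shading: how much of the inherent exposure is controlled."""
    if event.control_effect < 0.25:
        return "Risk Not Mitigated"
    if event.control_effect < 0.6:
        return "Marginal Mitigation"
    return "Sufficient/Acceptable"


def heat_map_grid(events):
    """Map each (impact, likelihood) cell to the names of the risks plotted there."""
    grid = {}
    for e in events:
        grid.setdefault((e.impact, e.likelihood), []).append(e.name)
    return grid


def render_heat_map(events) -> str:
    """Text heat map: impact rows (5 at the top), likelihood columns, counts in cells."""
    grid = heat_map_grid(events)
    lines = ["Impact \\ Likelihood" + "".join(f"{lk:>3}" for lk in range(1, 6))]
    for impact in range(5, 0, -1):
        cells = [len(grid.get((impact, lk), [])) for lk in range(1, 6)]
        lines.append(f"{impact:>19}" + "".join(f"{c:>3}" for c in cells))
    return "\n".join(lines)


def top_risks(events, n=5, basis="residual"):
    """The Top N for in-depth Board reporting; the rest stay in the register.
    Ties on the chosen basis fall to the other score."""
    if basis == "residual":
        key = lambda e: (-e.residual_score(), -e.inherent_score())
    elif basis == "inherent":
        key = lambda e: (-e.inherent_score(), -e.residual_score())
    else:
        raise ValueError("basis must be 'residual' or 'inherent'")
    return sorted(events, key=key)[:n]


# Constructed sample register (illustrative values, not any real credit union).
SAMPLE_EVENTS = [
    RiskEvent("Commercial loan concentration", "Credit", 4, 5, 0.3),
    RiskEvent("Rate shock on the investment portfolio", "Interest Rate", 3, 4, 0.5),
    RiskEvent("Member data breach", "Operational", 3, 5, 0.7),
    RiskEvent("BSA/AML reporting failure", "Compliance", 2, 4, 0.8),
    RiskEvent("Core processing vendor outage", "Operational", 3, 3, 0.2),
    RiskEvent("Key staff turnover", "Operational", 4, 2, 0.1),
    RiskEvent("Social media reputation event", "Reputation", 2, 3, 0.0),
]

if __name__ == "__main__":
    print(render_heat_map(SAMPLE_EVENTS))
    for e in top_risks(SAMPLE_EVENTS):
        print(f"{e.name:<40} inherent={e.inherent_score():>2} "
              f"residual={e.residual_score():>4}  {mitigation_band(e)}")
```

Running the register on the sample data shows why the deck says to ignore the response at first: ranked by inherent score the data breach is the second risk on the Board's list, but ranked by residual score it drops off the Top 5 entirely because its controls are credited at 70%, and two "Risk Not Mitigated" items with small inherent scores move up instead. Reporting both views side by side makes the over-valued-control problem visible rather than hiding it.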

ERM IMPLEMENTATION PHASE 3 - REFINING

BUILDING YOUR ERM ROADMAP/IMPLEMENTATION PLAN: STEP #3 - REFINING

A. Plan for remediation of gaps / execution
   - What are you doing to address the immediate risks? (What's the risk response: Tolerate, Terminate, Transfer, or Treat?)
   - What controls will be in place going forward to monitor the risks?
   - Develop recommendations to remediate gaps
   - What Key Risk Identifiers (KRIs) have you identified (or intend to identify) going forward?
   - Cement consensus and buy-in among key parties
   - Further define plan owners, roles and responsibilities for execution, timelines, resource alignment
   - Memorialize the project plan
B. Enhance the definition of risk appetite for the credit union
   - Quantifying risk
C. Enhance reporting
   - What will reporting to executive management and the Board look like going forward?
   - Ongoing monitoring of implementation progress with Board-level accountability
   - Benchmark vs. industry leaders in this area as well as peers

SELF-EVALUATION APPROACH FOR IDENTIFYING GAPS TO REMEDIATE

- Organize subject-matter experts in each of the credit union's risk categories and at the ERM level.
- Facilitate a discussion of the credit union's risk categories.
- Comprehensive evaluation of the credit union's risk management processes.
- Prepare a detailed report with findings, observations and recommendations in the respective risk categories.
- Major conclusions and recommendations to create the final report.
- Recommendations / action plan / implementation: Management Risk Committee.

ELEMENTS OF RISK APPETITE

- Existing Risk Profile: the existing level and distribution of risks across risk categories (e.g. financial risk, market risk, operational risk, reputation risk, etc.)
- Risk Capacity: the maximum risk a firm may bear and remain solvent
- Risk Tolerance: acceptable levels of variation an entity is willing to accept around specific objectives
- Desired Level of Risk: what is the desired risk / return level?

These four feed the determination of Risk Appetite (the amount of risk an entity is willing to accept in the pursuit of value).

WAYS TO DEFINE RISK APPETITE

- Quantitative
  o Clearly defined measure
  o Can be cascaded to business units
  o For example, loss of capital or degree of volatility in earnings
- Qualitative
  o Not all risks can be accurately/credibly measured
  o For example, risk of damage to reputation
- Zero Tolerance
  o A subset which can be very clearly defined
  o For example, loss of life or violation of laws

CREATE AN IDEAL ROSTER OF RISK REPORTS

EXAMPLES:
- A high-level summary of the top risks for the enterprise as a whole, broken down by operating unit, geographic location, product group, etc., along with significant gaps in risk management capabilities
- Report of emerging issues or risks that warrant immediate attention
- Summary of risk events, e.g., significant exceptions versus policies or established limits
- Summary of significant changes in key variables beyond management's control (e.g. interest rates, exchange rates, etc.) and the effect on earnings, cash flows, capital, and the business plan
- Summary of the status of improvement initiatives

SOME EXAMPLES OF EXTERNAL KEY RISK INDICATORS

- Industry and competitor trends
  o Number of competitors
  o New product or service announcements
  o Pricing trends
  o Risk events realized by competitors
  o Shifts in customer tastes/trends
- Supply chain issues
  o Financial health of suppliers
  o Risk events at suppliers
  o Pricing trends
- Economic trends
  o Unemployment forecasts
  o Consumer spending trends
  o Trade and foreign policy
- Liquidity/capital markets
  o Interest rate trends/forecasts
  o Credit spreads in debt and credit markets
  o Stock market trends and forecasts
- Regulatory changes
  o Anticipated changes in tax policy
  o New regulations/restrictions
  o Changes in key political offices

SOME EXAMPLES OF INTERNAL KEY RISK INDICATORS

- Business operations
  o Disasters, outages, disruption
  o Transactions, output
  o Sales volume, failed deals
  o Operational performance issues
  o Supply chain/logistics
- Information technology
  o Help desk metrics
  o Security metrics
  o Project metrics
  o IT incidents/investigations, complaints
  o IT audit issues
- Human resources
  o Turnover
  o Headcount
  o Corporate training: policies, procedures, ethics
  o Vacancies
  o Sick days
  o Disciplinary actions
- Accounting/finance
  o Adjustments
  o Unsubstantiated balances
  o Missed deadlines
  o Write-offs
- Compliance
  o State of controls
  o Regulatory inquiries/investigations
  o Litigation cases
  o Discovery requests
- Audit
  o High-risk issues / material weaknesses
  o Past-due audit issues

KEY RISK INDICATORS - GUIDANCE FOR DEVELOPING YOUR ERM DASHBOARD (THE METRIC/DATA IS)

- Based on established practices or benchmarks
- Developed consistently across the organization
- Provides an unambiguous and intuitive view of the highlighted risk
- Allows for measurable comparisons across time and business units
- Provides opportunities to assess the performance of risk owners on a timely basis
- Consumes resources efficiently (not overly burdensome to get the info)

Example KRIs:
- Loan delinquencies; portfolio stress tests; interest rate thresholds; profitability goals; regulatory concerns
- Information security incidents; IT changes; new products; failed customer interactions; business continuity tests
- Operational losses; process errors; policy exceptions; audit issues; staff turnover

RISK REPORT EXAMPLE (KRI REPORT)

IN SUMMARY

NO ERM AT YOUR CREDIT UNION?

- It's happening already: this is the business of banking
- Start simply: a joint Board/Committee and management adventure
- Focus on business and regulators: how to use it to improve processes and performance, from a continuous improvement perspective

GREAT DUMB QUESTIONS

- What happens if...?
- Seems like that market is... could that impact us?
- I heard about... do we have risk exposure here?
- Does our policy explain what to do if...?
- Who is responsible for making sure we don't...?
- Do we have a limit on...?
- What does our strategic plan say about...?
- Do you think senior management knows how the Board feels about that risk?
- Are there any other Board members who didn't understand that? I'm not clear about...
- Has anyone around here read the COSO template for risk management?

RECOMMENDATIONS FOR ERM

- Develop an ERM policy
  o Define risk categories, roles, measures, monitoring, and reports
- Develop an ERM committee charter
  o Define members, roles, scope, reporting relationship to other committees
- Publish an ERM Board packet
  o Key risk indicators (KRI) dashboard
  o ALCO, credit, compliance, operational risk summaries

RECOMMENDATIONS FOR ERM

- Prepare a glossary for risk, compliance, audit
  o Common terminology is part of culture change and education
- Arrange all risk, compliance, audit, regulatory activities on a calendar
  o Show the full scope of ERM activities
- Use a standard set of risk categories
  o Assess and monitor these exposures and tolerances across business units

QUESTIONS?

Louise Hanson
425-303-3037
louise.hanson@mossadams.com

Shannon Haas
415-677-8314
shannon.haas@mossadams.com
