Supervisory committees and internal auditors must readjust from a purely operational focus and take a strategic view of the credit union’s risk, says Tony Ferris, CEO of Rochdale Paragon Group, a CUNA strategic partner.
Committee members should ask questions such as:
“In the past, audit’s sole responsibility has been protecting value,” says Ferris, who addressed CUNA’s Supervisory Committee and Internal Audit Conference. “How do we start to look at audit and supervisory as more than this backstop that signs off on financials? How do we move into value creation?”
Ferris advises these groups to fight the initial urge to cite the text-message-era acronym NIMJD—"not in my job description"—because the supervisory committee and internal auditors bring a valuable perspective that can form a more intelligent organization.
“It’s one of the most underutilized areas we have, and also is an area that sees literally everything in the organization,” Ferris says. “Auditors have opinions, but they don’t always share those opinions. If you have ideas that will improve the credit union, why [wouldn't] senior management and the board ask you about that?”
This transformation does, however, present legitimate concerns, such as:
►Increased scrutiny and turf protection. Supervisory committee members and auditors must come to a new understanding with credit union personnel about their heightened involvement, as they will have to ask more questions.
►Challenges to objectivity and independence. Staying at arm’s length from the board and senior management can become more difficult with an increasingly intertwined relationship.
►Strain on resources. The practical matters of staffing and time as they pertain to the scope of the audit beg the question: where does it end?
But Ferris believes supervisory committees and auditors can surmount these obstacles so long as all sides understand those groups’ marching orders.
“Your role isn’t to define risk, it’s to understand risk and make sure the intentions of the board are being followed through upon—that the risk practice is being done in an effective manner,” Ferris said.
According to Ferris, new core duties stemming from a strategic and consultative focus include:
►Determining whether the credit union's risk process is effective. The credit union should have an auditable policy on risk management.
►Confirming the organization reports on key risks and understands those risks.
Look at whether the board and management use the risk report to make decisions. Alter the report if it’s not effective in its current form.
►Evaluating whether the credit union consistently applies its stated risk appetite across all functions.
“That’s the hardest one,” Ferris says, “because many credit unions haven’t officially decided their risk appetite, let alone ascertained whether they’re staying true to it.”
Ferris advises credit union supervisory committee members and internal auditors to consider the appropriateness of a second tier of duties:
►Facilitating risk identification. It’s not your role to decide whether the board and management take good or bad risks, but you should advise on the proper reporting of those risks.
►Coordinating ERM activities. Many credit unions report enterprise risk management (ERM) through the audit function, which Ferris doesn’t favor except in organizations with a chief risk officer who can segment responsibilities.
Absent that job role, the supervisory committee must decide whether to take on that role or defer to management.
“You should understand risk and get processes in place, but don’t own risk,” Ferris says. “Management always owns risk. Otherwise we run into independence issues.”
►Educating the board on the risk associated with its strategies. “That’s not been your typical role. Sitting in strategy sessions is not something where you’ve typically been involved,” Ferris says. “But that's a role you’ll take on more and more, to provide an outsider’s input.”