Mitigation Practices Help CUs Manage Risks

Have a risk-mitigation plan, a process, and a team in place before you need them.

April 1, 2011

Burgeoning regulations. Underwater real estate loans. Electronic database invasions.

These are some of the most prominent risk areas facing financial institutions in an increasingly complex industry. Three credit unions describe their mitigation strategies.

A robust system

Debra Schwartz, president/CEO of $2.1 billion asset Mission Federal Credit Union, San Diego, says it’s hard to name one risk that’s greatest for her credit union. “We take a very comprehensive view of risk,” she explains.

“Certainly regulatory changes are a huge concern for all credit unions. There are so many unknowns—what will happen with debit card interchange income and what will be the effects of the new financial regulatory agency?” she wonders. “There are also economic concerns related to continued fallout from the housing market crisis. The ‘sand states’ were hit especially hard.”

Risk mitigation is part of Mission Federal’s DNA, she adds. “We consider risk as part of reviewing contracts—the risk of entering or not entering into them—and as part of every project.”

The credit union has an outstanding enterprise risk management department and a robust enterprise risk management system, notes Schwartz. “We do an annual review of all significant business functions and risk-rate them. We provide this information to our board and it forms the foundation of our audits.” Senior management reviews the findings, she says, and the business owners are responsible for coming up with strategies to mitigate risks in their areas of responsibility.

The amount of time that senior management, the full-time enterprise risk manager, and staff spend on risk management varies. “It depends on what’s happening,” says Schwartz. “While we have separate enterprise risk meetings, it’s also part of everything we do. There are times when we spend a lot of time resolving risk issues, and other times when we don’t.”

Her best risk-mitigation advice for other credit unions: Have a plan, a process, and a team in place before you need them. “The credit union world is changing so rapidly it can be a little daunting,” she says. “A plan helps you prioritize risks. And it takes a team to have a comprehensive approach—all leaders of the organization have to participate.”

A nimble CU

Economic risks due to the recession and the real estate crisis are among the biggest risks facing $410 million asset First Credit Union, Chandler, Ariz. The credit union added a chief lending and risk officer a couple of years ago who’s responsible for setting risk-management policies and managing overall risk. This helps keep certain areas of risk in the forefront, says Jay Curtis, president/CEO.

“For example, secured real estate loans were typically less risky compared with unsecured loans. But when the economy took a downturn, some housing values fell 50% here,” he explains. “It became a riskier loan pool, and we did ‘what-if’ scenario planning to determine the concentration of capital or net worth we wanted in particular portfolios.”

The credit union analyzed its loans and stratified them by credit score. “Even if a member is current on a home equity loan, we might get a notice from the institution holding the member’s first mortgage that the home was being foreclosed,” says Curtis. “When we monitor credit scores, any deteri­oration can be an early indicator that prompts us to reach out and help our members.”

When the recession began, Curtis and his team viewed the economic risk as longer-term, perhaps lasting until 2013. “Rather than making ancillary changes to get by, we reduced our operating expenses by $5 million over the past several years.

“We closed a couple of unprofitable branches, which was a very difficult decision,” he adds. In hindsight, the credit union is pleased with the impact the savings has had in preserving capital. The credit union leveraged access through shared branching, along with online and mobile banking, and members understood.

These actions made the credit union more nimble and able to react faster to regulatory changes. “Supposedly, the Dodd-Frank Act won’t affect us because we’re under $10 billion in assets, but we don’t know if that will be true,” says Curtis. “We have to assume it will have an impact and prepare for it,” he adds, instead of having it happen and then trying to adjust.

Expense reductions also will help offset any lost fee income due to regulatory changes. “It puts us on a stronger footing as the economy improves,” he says. “With the decline in real estate values, recovery in our region will be slower, but we’re seeing glimmers of improvement.”

Ongoing oversight

Larry Wilson, president/CEO of $1.9 billion asset Coastal Federal Credit Union, Raleigh, N.C., says the electronic arena, particularly the loss of member data, is his credit union’s most serious risk area. “That’s one thing that can cause havoc, and we spend a lot of resources protecting our member database,” he says.

Wilson estimates his staff documents about 2,500 online attempts daily to invade Coastal Federal’s systems. “That’s not unusual for an organization our size. It’s a risk common to any organization that has a database with personal information,” he says. “And so far, we’ve been able to fend off the attempts.”

The credit union also perceives a potential risk of merchants allowing their credit card databases to be compromised. “Merchants should retain only enough information to collect receivables. But in many cases, they keep more cardholder information and retain it longer than they’re supposed to,” Wilson says. “Any compromise to our members’ information forces us to reissue cards.”

Outside consultants conduct annual enterprise-wide risk assessments of Coastal Federal’s systems and operations. “In some areas—the information technology (IT) department and plastic cards—we do assessments more frequently, with additional testing and controls,” he says. “We think it’s justified. There’s a much higher risk of electronic invasions than of burglary and physical security.” And electronic invasions are harder to control, he adds.

The IT staff provides ongoing oversight, including evaluating new hardware and software that can defend against emerging threats. The credit union also provides staff and member education about good security habits and practices.

“Between training, losses, and litigation, we spend about 8% to 12% of staff time on risk management,” Wilson estimates. “In financial terms, it’s probably 10% to 12% of operating costs.”

He recommends vigilance. “Don’t overlook any evidence, no matter how slight, that there’s a security issue. Spend what’s necessary to control the risk. Technology is a tool we can’t live without, but we have to control it.”