NCUA issued Letter to Credit Unions 13-CU-12 in November to clarify the agency’s supervisory expectations regarding enterprise risk management (ERM) systems.
ERM is a “comprehensive risk-optimization process that integrates risk management across an organization.”
Traditional approaches address each risk separately, sometimes without consideration of how these risks may impact or interrelate to one another. ERM reduces this “silo effect” while ensuring ongoing communication with relevant stakeholders (board, senior management, audit, etc.).
ERM is not a regulatory requirement for natural person credit unions (only corporate credit unions are required to have a formal ERM policy in place).
But credit unions of all sizes and risk levels can integrate core ERM principles into their overall strategic planning and organizational risk-management programs.
NCUA encourages credit unions to consider the benefits. In all cases, examiners take a risk-based approach when evaluating a credit union’s risk management processes by considering:
The credit union’s risk exposure, risk appetite, and risk-management strategies;
The depth and breadth of potential exposures, including the types of products and services offered by the credit union;
The strategic objectives and operational policies, procedures, and controls in relation to potential exposures;
Concentration of risk;
Capability and resources of management;
Current and historical performance of management; and,
The financial strength of the credit union in relation to assets and activities.
Examiners evaluate the range of risks and exposures, both financial and nonfinancial, to determine if they’re reasonable in relation to operational controls, decision support systems, policies, procedures, internal controls, and capital.