This rating reflects the capabilities of the board of directors and management, in their respective roles, to identify, measure, monitor, and control the risks of a credit union’s activities and to operate a credit union in a safe, sound, and efficient manner, and in compliance with applicable laws and regulations.
Generally, directors need not be actively involved in day-to-day operations; however, they provide clear guidance that establishes acceptable risk exposure levels through appropriate policies, procedures, and practices. Senior management develops and implements policies, procedures, and practices that translate the board’s goals, objectives, and risk limits into prudent operating standards.
Management practices need to address the seven risk categories and other risks commensurate with the nature and scope of a credit union’s activities. Sound management practices are demonstrated by active board of directors and management oversight; competent personnel; adequate policies, processes, and controls taking into consideration the size and sophistication of the credit union; maintenance of an appropriate audit program and internal control environment; and effective risk monitoring and management information systems.
This rating reflects the board’s and management’s ability as it applies to all aspects of the credit union’s operations as well as other financial service activities in which the credit union is involved.
The ability of management to respond to changing business conditions, or initiating new activities or products, is an important factor in evaluating a credit union’s overall risk profile and the level of supervisory attention warranted. For this reason, the management component is given special consideration when assigning the composite rating.
The capability and performance of management and the board of directors is also rated based upon, but not limited to, an assessment of the following evaluation factors:
-
Corporate governance
-
Strategic planning
-
Internal controls
-
Other management issues
Corporate Governance
The board of directors and management have a fiduciary responsibility to the credit union’s members to maintain high standards of professional conduct, including but not limited to:
-
Appropriateness of compensation policies. Management compensation policies are supported. The board sets performance standards for senior management and uses an effective formal evaluation process, complete with documentation.
-
Avoidance of conflict of interest. Appropriate policies and procedures for avoidance of conflicts of interest and management of potential conflicts of interest are in place.
-
Professional ethics and behavior. The board of directors and management do not use the credit union for unauthorized or inappropriate personal gain. Credit union property is not used for anything other than authorized activities. Management acts ethically and impartially in carrying out appropriate credit union policies and procedures.
Strategic Planning
Strategic planning involves a systematic process to develop a long-term vision for the credit union. The strategic plan incorporates all areas of a credit union's operations and sets broad goals that inform sound decisions. The strategic plan identifies risks and threats to the organization and outlines methods to address them.
As part of the strategic planning process, prudent credit unions develop a business plan for the next one or two years. The board of directors reviews and approves the business plan, including a budget, in the context of its consistency with the credit union's strategic plan. The business plan is evaluated against the strategic plan to determine if the two are consistent. Examiners assess how the plan is implemented. Strategic plans are unique to and reflective of the individual credit union.
Information systems and technology are included as an integral part of the credit union’s strategic plan. Examiners assess the credit union’s risk analysis, policies, and oversight of this area based on the size and complexity of the credit union and the type and volume of e-commerce systems and services offered. Examiners consider the criticality of e-commerce systems and services in their assessment of the overall information security and technology plan.
Internal Controls
Internal controls play a crucial role in controlling a credit union's risks. Effective internal controls provide safeguards against system malfunctions, errors in judgment, and fraud. Without proper internal controls, management will not be able to identify and track the credit union’s exposure to risk. Controls are also essential to ensure operating units are acting within the parameters established by the board of directors and senior management.
The following aspects of internal controls deserve special attention:
| Topic | Notes |
|---|---|
| Information systems | Effective controls support the integrity, security, and privacy of information contained on the credit union’s computer systems. |
| Segregation of duties | A prudent credit union has adequate segregation of duties in every area of operation. Segregation of duties may be limited by the number of employees in smaller credit unions. |
| Audit program | Audit functions and processes are commensurate with the credit union’s size, sophistication, and risk. The program is independent, reporting to the supervisory committee without conflict or interference from management. An annual audit plan examines risk areas and prioritizes the areas of greatest risk. Reports are issued to management for comment and action and forwarded to the board of directors with management's response. Follow-up of any unresolved issues is essential and these activities are covered in subsequent reports. |
| Recordkeeping | The credit union’s books are kept in accordance with well-established accounting principles. A credit union's records and accounts reflect its actual financial condition and accurate results of operations. Records are current and provide an audit trail. The audit trail includes sufficient documentation to follow a transaction from its inception through to its completion. Subsidiary records are kept in balance with general ledger control figures. |
| Protection of physical assets | A principal method of safeguarding assets is to limit access to authorized personnel. Protection of assets can be accomplished by developing operating policies and procedures for cash control, joint custody (dual control), teller operations, and physical security of the computer. |
| Education of staff | Credit union staff and volunteers are thoroughly trained in specific daily operations. The training program is tailored to meet management needs and includes cross-training programs for office staff. Certain risks are mitigated when the credit union can maintain continuity of operations and service to members. |
Other Management Issues
Other key factors considered when assessing the management of a credit union follow. The order of these factors does not signify a level of importance.
-
Policies and procedures covering each area of the credit union’s operations are written, board approved, and followed
-
Budget performance is compared against actual performance
-
Systems that measure and monitor risk are effective
-
Risk-taking practices and methods of control are sufficient to mitigate concerns
-
Risk management is integrated with planning and decision-making
-
Management is responsive to examination and audit suggestions, recommendations, or requirements
-
Operations comply with laws and regulations1
-
The products and services offered are appropriate for the credit union’s size and management experience
-
Market penetration
-
Rate structure
-
Disaster preparedness planning is appropriate for continuity of operations
-
Succession plans are in place for key management positions
Management Ratings
| Rating | Description |
| 1 | Indicates sound performance by management and the board of directors. Includes sound risk management practices relative to the credit union’s size complexity, and risk profile. All significant risks are consistently and effectively identified, measured, monitored, and controlled. Management and the board have demonstrated the ability to promptly and successfully address existing and potential problems and risks. |
| 2 | Indicates satisfactory management and board practices relative to the credit union’s size, complexity, and risk profile. In general, significant risks are effectively identified, measured, monitored, and controlled. Management and the board demonstrate the ability to promptly and successfully address existing and potential problems and risks. Minor weaknesses may exist but are not material. |
| 3 | Indicates management and board performance that needs improvement or risk management practices that are less than satisfactory given the nature of the credit union’s activities. Problems and significant risks may be inadequately identified, measured, monitored, and controlled. The capabilities of management or the board of directors may be insufficient for the type, size, or condition of the institution. |
| 4 | Indicates deficient management and board performance or risk management practices that are inadequate considering the nature of the credit union’s activities. The level of problems and risk exposure is excessive. Problems and significant risks are inadequately identified, measured, monitored, or controlled and require immediate action by the board and management to preserve the soundness of the institution. Replacing or strengthening the board may be necessary. |
| 5 | Indicates critically deficient management and board performance or risk management practices. Management and the board of directors have not demonstrated the ability to correct problems and implement appropriate risk management practices. Problems and significant risks are inadequately measured, monitored, or controlled and now threaten the continued viability of the institution. Replacing or strengthening management or the board of directors is necessary. |
Last updated April 29, 2022
