Risk Governance Framework

Sound risk management begins with a strong governance framework. A goal of the risk governance framework is to provide the board of directors and executive management with independent, transparent, and objective risk analysis. This analysis facilitates discussions and gives leadership supporting data to make informed choices about the type or level of acceptable risk and effectively challenge decisions.

An ideal risk governance framework is thoroughly documented, and:

  • Is designed and overseen by a risk management function or department independent of risk-taking business units

  • Is approved by the board of directors or a risk committee representative of the board of directors

  • Includes delegations of authority from the board of directors to management committees and executive officers

  • Establishes a system of consistent and repeatable metrics to measure and manage risks

  • Establishes risk tolerances for material business lines and operational activities commensurate with the size, complexity, capital strength, and stability of the credit union

  • Is reviewed and updated as often as needed to address improvements in industry risk management practices and changes in the credit union’s risk profile caused by emerging risks, its strategic plans, or other internal and external factors

  • Defines roles and responsibilities for business units, risk management oversight, and internal audit

  • Segregates risk taking, risk oversight, and internal control assessment responsibilities through the risk management program

Prudent credit unions incorporate the essential elements of a risk governance framework to assess enterprise risk and foster effective challenge of risk assessments at all levels of the organization. For more information, see NCUA’s Capital Planning and Stress Testing Resources website.

While the principles of risk governance are the same regardless of the credit union, a credit union’s size, complexity, and financial condition determine the development, implementation, and continuous improvement of the risk management framework.

The risk governance framework instituted by individual credit unions may vary. Look for a risk governance framework that establishes risk oversight independent of risk taking and allows for effective challenge.

The sample risk governance framework illustrated below shows a reporting structure that allows for independence and enables horizontal and vertical challenge.

Sample Risk Governance Framework

Graphic shows the relationship between the board of directors, senior management, and the three lines of defense against risk

Board of Directors—An effective board of directors oversees two board level committees: a risk committee and an audit or supervisory committee.

Risk Committee—An executive level risk officer oversees an independent risk oversight function and reports directly to the board’s risk committee, which is separate from any risk-taking business unit.

Audit or Supervisory Committee—An audit executive oversees internal audit and reports directly to this committee. This executive is separate from any risk-taking business unit as well as from the risk management function.

Last updated on August 23, 2022.