Risk Management Components

A prudent credit union’s risk management program is specific and adequate to address the principal risks inherent in its operations and product offerings. A sound risk management program consists of the following components, each discussed in its own section below:

  • Leadership oversight

  • Policies, procedures and tolerances

  • Risk monitoring and management information systems

  • Internal controls

The ideal risk management program and oversight function are sufficiently independent of the business units to segregate duties and avoid conflicts of interest.

A prudent credit union’s risk management processes are commensurate with its size, complexity, financial condition, and risk profile. Large or complex credit unions are best served by risk management processes that are sufficient to address the full range of risks inherent in their business practices.

Leadership Oversight

A risk management program defines the key roles and responsibilities that are part of the risk governance framework. The ideal risk management program addresses the following key roles:

Board of Directors

The board of directors’ primary role in the risk management process is general oversight. This includes:

  • Establishing the strategic direction of the credit union

  • Instituting risk culture expectations

  • Approving a risk governance framework and proper policies

  • Monitoring and, if necessary, challenging leadership on the credit union’s activities

A primary duty of the board of directors is to ensure the credit union develops and implements an effective risk governance framework. This includes setting the credit union’s risk appetite, the capital adequacy requirements for operating at that level of risk, and oversight of the risk management program. Accordingly, the board of directors approves the institution’s overall strategic plan, capital plans, information security program, business continuity plan, and other significant risk management and operating policies and procedures. Along with the significant policies for managing risk and capital, the board of directors approves a written risk appetite statement that establishes thresholds for executive management’s decisions around risk.

For effective oversight, the board of directors will have a balance of skills, knowledge, and experience to understand the risk exposure of activities in which the credit union is involved. Further, the board of directors ensures the executive management team can implement the credit union’s strategies and policies and is operating within approved risk tolerances and limits.

In providing active oversight, the board of directors challenges decisions made by the executive management team that could cause the credit union’s risk profile to exceed its risk appetite or jeopardize its safety and soundness.

Chief Executive Officer

The CEO’s role is to operate the credit union within the risk parameters and appetite approved by the board of directors to achieve strategic and business plan objectives. This means implementing strategies set by the board of directors in a manner that controls risks and complies with board-approved policies, including adhering to governance and risk appetite expectations, laws, regulations, and other supervisory requirements.

The CEO sets the tone for the credit union’s risk culture and holds staff accountable for their role in the risk management process. The CEO works with the board of directors to develop the credit union’s strategic plan and implements that plan within the board’s risk appetite. The CEO may also oversee the day-to-day activities of the chief audit executive (CAE) and the chief risk executive (CRE).

Executive-level staff are important in the risk management process. Ideally, a credit union’s executive-level staff understand all activities under their purview; enforce and manage appropriate policies, controls, and risk monitoring systems; and delineate accountability and lines of authority. Executive management is responsible for establishing a culture that supports:

  • Transparency in identifying risks inherent to the credit union’s products, services, and practices

  • Compliance with a board-approved risk governance framework and related processes designed by the risk oversight committee and/or appointed committee

  • Effective internal controls that mitigate identified risks

  • Independent and unbiased challenge of various aspects of the entire risk management process

Chief Risk Executive

The CRE leads a risk oversight unit and is placed immediately below the CEO in a credit union’s organizational structure. The CRE coordinates the activities of all risk oversight functions to provide an aggregated view of all material risks, both operational and financial, to the CEO and to the board of directors or the board of directors’ risk committee.

Chief Audit Executive

The CAE leads internal audit and is placed immediately below the CEO in a credit union’s organizational structure. For independence, however, the CAE reports to the supervisory committee rather than to the CEO.

Policies, Procedures and Tolerances

A credit union’s risk management program sets specific, prudent tolerances on the principal types of risk relevant to its activities. Risk tolerances:

  • Are tailored to each credit union’s operations, products, and services

  • Provide meaningful guidance to leadership and distinguish between inherent and residual risks

  • May be expressed as inherent risk levels or as residual risk remaining after management’s mitigation

Although a credit union’s board of directors approves the institution’s overall business strategy and policies, the executive management team adheres to those policies and develops and implements the operational and tactical policies, procedures, and standards that address risks arising from business activities. Policies and procedures at the executive management level align with the risk limits and tolerances set by the board of directors.

The leadership team develops policies and procedures to address the credit union’s material areas of risk, and makes modifications, when necessary, to respond to significant changes in activities or business conditions. Examiners review the credit union’s policies and procedures that address its significant activities and risks to determine if they were written with sufficient detail to address the type and complexity of operations.

Risk Monitoring and Management Information Systems

Ideally, a credit union has risk monitoring and management information systems (MIS) in place to provide executive management and the board of directors with timely information and a clear understanding of the credit union’s business activities and risk exposures. Look for risk monitoring and MIS with sophistication commensurate with the scale, complexity, and diversity of the credit union’s operations. Effective MIS collect, aggregate, and transform data into relevant data sets and risk reporting. Leadership uses this reporting to inform credit union policies and strategies and to monitor compliance with board-approved risk tolerances.

Information and risk management systems provide an aggregated view of risks relevant to the duties and responsibilities of business unit managers, executive management, and the board of directors. The credit union’s information and risk management systems require frequent monitoring and testing by an independent control function, and by both internal and external auditors, to validate the integrity of information used to oversee compliance with policies and limits. Large and complex credit unions with strong risk management have reporting and monitoring systems that aggregate risks across all business lines and activities.

Internal Controls

An effective internal control structure is critical for managing risks and operating a credit union safely and soundly. Executive management is responsible for establishing and maintaining an effective system of controls that enforces official lines of authority and segregates duties.

Adequate segregation of duties is a fundamental element of a sound risk management and internal control system. Failure to implement and maintain an adequate risk governance framework can constitute an unsafe and unsound practice and possibly lead to material losses or otherwise compromise the integrity of the credit union’s internal controls.

Ideally, a credit union’s risk oversight and internal audit functions have unrestricted access to the board of directors, or its designated committee, to report risk assessments, findings, and recommendations. These functions are independent from business unit management and, when necessary, the CEO. This unrestricted access to the board of directors is critical to the integrity of the risk governance framework.

In carrying out their responsibilities within the risk governance framework, business units, risk oversight, and internal audit may engage the services of external experts to assist them. This expertise may supplement internal expertise and provide perspective on industry practices. For example, if credit union staff lack sufficient information technology expertise, the credit union might engage a third party to perform an IT review. However, a prudent credit union will not permit an organizational unit to delegate its responsibilities under the risk governance framework to an external party; the unit remains accountable for the work it outsources.

Last updated on August 23, 2022.