Enterprise Risk Management: How Does ERM Apply to your Credit Union? Presented by Louise Hanson, Partner, Moss Adams LLP, and Shannon Haas, Senior Manager, Moss Adams LLP



MOSS ADAMS AT A GLANCE

• Full service public accounting firm with assurance, tax, and consulting services for middle-market public and private companies

• Largest accounting firm headquartered in the West and one of the 15 largest in the United States

• 21 offices in California, Arizona, New Mexico, Oregon, Washington and Kansas

• More than 230 partners and over 1,800 staff

• Founded in 1913 and headquartered in Seattle, Washington

• A founding member of Praxity, a global alliance of accounting firms

• We are the 4th largest firm servicing credit unions in the nation (based on assets)


TODAY’S DISCUSSION OBJECTIVES

• What is Enterprise Risk Management? – an Overview of ERM

• What is Driving ERM?

• ERM & the Regulators

• How ERM Can Benefit My Institution

• How My Institution Can Build an ERM Strategy: Implementation Overview
o Phase 1 – Planning
o Phase 2 – Implementing the Plan
o Phase 3 – Refining

• Summary


WHAT IS ENTERPRISE RISK MANAGEMENT (“ERM”)?


QUESTIONS TO PONDER…

• In today’s credit union environment what risks or “watch out fors” would you suggest directors, supervisory committees (or even executive management) focus on?

• What would you be looking for in Board Report packages today?

• Do we understand these issues enough to appropriately report on them in each of our credit unions today?


AT THE CORE…

• What is the Nature of Banking?
– Risk Management

• What should Credit Unions be doing?
– Intermediate Risks For Members and Borrowers

• What are Directors Expected to do?
– Create & Protect Member funds and opportunities
– Governance Process and Risk Policies

• How are Risks Portrayed in an Institution?
– Via Financial Statements
– Via Processes


ENTERPRISE RISK MANAGEMENT

“The decline and ultimate failure of some great companies has been a historical fact. But such decline is not inevitable. Rather, it results when corporate leaders (CEO’s and directors alike) don’t anticipate and deal with the long term threats facing their companies.”

Harvard Business Review (5/08), “Leading from the Boardroom”


WHAT IS “ENTERPRISE RISK MANAGEMENT”?

“Enterprise risk management (ERM) is a process, effected by an entity’s board of directors, management and other personnel, applied in a strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

The Committee of Sponsoring Organizations (COSO) of the Treadway Commission, (Sept. 2004)


WHAT IS ERM?

• A structured, consistent, and continuous risk management process that is applied across the entire organization

• Identifies, assesses, prioritizes, and manages the internal and external risks that impact the organization

• Driven by a decision-support process that is aligned with the management and execution of strategic objectives

• Enhanced by the assignment of roles and responsibilities, reporting and communication, policies and procedures, and adoption of a risk-based culture

[Diagram labels: Identify & Assess; Planning & Management; Measure, Monitor & Report; Business Objectives]


ENTERPRISE RISK MANAGEMENT

“WHAT MIGHT GET IN THE WAY OF MY DUTY TO DELIVER VALUE AND PROTECT THE MEMBERS?”

Risk: The potential that events, expected or unanticipated, may have an adverse impact on capital or earnings.

Risk Management: The employment of systems and processes to manage the critical tradeoff between risk and return in financial decision-making.

Enterprise-Wide Risk Management: The formal mechanism or structure for managing risks across the entire institution on an integrated basis.


ENTERPRISE RISK MANAGEMENT (ERM) COMPONENTS

Keys to a good ERM program – must include:

• Risk Identification
– What are our key risks?
– What level of risk are we willing to allow/accept (“risk appetite”)?

• Risk Measurement
– Risk measurement models (ALM, Credit Stress)
– Guidelines and quantification tools (Credit Risk Classification, Operational and Credit Losses)


ENTERPRISE RISK MANAGEMENT (ERM) COMPONENTS

• Risk Control
– Policies (Required and Best Practice)
– System of risk limitations
– Authorities and oversight systems

• Risk Monitoring
– System of risk reporting – key measurements

Board driven assessments (internal and external audits, monitoring reports)

Management Self assessments (management generated reporting against pre-set standards)


IN A NUTSHELL…

ERM is a process for managing and controlling risks across an entire organization, both within and across business lines and legal entities.


WHAT’S DRIVING ERM?


WHAT’S DRIVING ERM? - ENVIRONMENTAL -

• Growing size and organizational structure

• Increasing diversity of business lines and complexity of products

• Increasing number of regulations

• Increasingly competitive marketplace

ERM can be the key for how to win


WHAT’S DRIVING ERM - INSTITUTIONAL -

• Fragmented or “silo” risk management efforts
– fail to recognize interrelationships of risk across businesses or products

• Lack of aggregation of common risks and reporting
– fail to keep Board and management informed of organization-wide risks

• Lack of attention to how risks are correlated
– fails to identify how loans, securities, businesses, etc. might be affected by common factors and create large exposures


POST DOWNTURN, ERM IS MORE IMPORTANT THAN EVER

• Bankers, regulators, investors, members and counterparties will not soon forget the near-collapse in late 2008

• So far, the new era in financial services is a very strong emphasis on safety and risk management

• Those who can demonstrate superior risk management will have a competitive advantage
– Greater opportunities in the market due to goodwill from regulators and investors
– More and better members

• Key ERM implementation challenges for most credit unions
– Culture
– Right expertise
– Data and Measurement
– Transparency/Reporting


DRIVERS OF ERM – A SUMMARY

Board of Directors • Demand increased financial disclosure and transparency

Members as Stakeholders • Demand evidence that management understands and manages risk

Regulators/Rating Agencies • Seek assurance around compliance and risk assessment processes

Activists • Demand social awareness, safety & environmental consciousness

Members as Customers • Make decisions based on differentiating factors

Peers • Comparison with others drives industry-wide practice

Competitors • Push innovation, drive leadership


ENTERPRISE RISK MANAGEMENT AND THE REGULATORS


REGULATORY EXPECTATIONS FOR ERM

ERM STARTS WITH THE FUNDAMENTAL OF STRONG RISK MANAGEMENT:

From “Rating the Adequacy of Risk Management Processes and Internal Controls at State Member Banks and Bank Holding Companies” (SR95-51 (SUP))

• Active Board and Senior Management Oversight

• Adequate Policies, Procedures, and Limits

• Adequate Risk Measurement, Monitoring, and MIS

• Comprehensive Internal Controls


NCUA ERM GUIDANCE

NCUA advises an effective system of Enterprise Risk Management includes consideration of:

• Market Condition

• Field of Membership

• Credit Union Structure
– Size
– Complexity
– Geographic diversity


INCREASING EMPHASIS ON ERM PERSPECTIVE

Basel Committee’s Core Principles for Effective Banking Supervision (2006)

Principle 7 – Risk management process: “Supervisors must be satisfied that banks and banking groups have in place a comprehensive risk management process (including Board and senior management oversight) to identify, evaluate, monitor, and control or mitigate all material risks and to assess their overall capital adequacy in relation to their risk profile. These processes should be commensurate with the size and complexity of the organization.” http://www.bis.org/publ/bcbs129.pdf

Principles for Effective Operational Risk Management (2003) http://www.bis.org/publ/bcbs96.pdf

Principles for Sound Liquidity Risk Management and Supervision (Sept. 2008) http://www.bis.org/publ/bcbs144.pdf


PRINCIPLES OF EFFECTIVE OPERATIONAL RISK MANAGEMENT (BASEL COMMITTEE ON BANKING SUPERVISION)

1. Board should approve and periodically review the Operating Risk Framework.

2. Board should ensure that Framework is subject to independent, competent audit staff review.

3. Senior management responsible for implementation

4. Process to identify and assess operational risk inherent in products, activities, processes and systems.

5. Process to monitor operational risk profiles and material exposure to losses.


PRINCIPLES OF EFFECTIVE OPERATIONAL RISK MANAGEMENT (BASEL COMMITTEE ON BANKING SUPERVISION)

6. Policies, processes and procedures should exist to control and/or mitigate material operational risks.

7. A contingency and business continuity plan should exist.

8. The regulators should require that all banks, regardless of size, have an effective framework in place to identify, assess, monitor and control/mitigate material operational risk as part of an overall approach to risk management.

9. Regulators should conduct regular, independent evaluation of bank’s policies, procedures and practices related to operational risks.

10. Banks should make sufficient public disclosure to allow market participants to assess their approach to operational risk management.


IT TAKES 3 TO FLY THIS PLANE

• Risk Manager – looks thru the cockpit window to identify and assess current threats and future risks to the flight path and plane, and glances at the gauges for reassurance

• Compliance Manager – assists the pilot in maintaining the proper flight path and plane operating procedures by using the manual and FAA regulations

• Auditor – uses the cockpit gauges and controls to inform the pilot of how the plane is operating relative to its predetermined flight path

Time & Activities

Audit | Compliance | Risk
Past | Present | Future
Do we do as we say? | Are we in compliance? | What can go wrong?


IN SUMMARY

• Boards of Directors/Supervisory Committees are responsible for ensuring that their credit unions are managed in a safe and sound manner. (This hasn’t changed)

• In today’s environment (and increasingly in the future), safety and soundness means that risks need to be well-managed given the credit unions’ risk environment and business model.

• You need to be able to answer “Yes” to this regulator question: “Do you have a program that appropriately identifies emerging risks in a timely manner?”

• Therefore:

Safety/Soundness = Risk Management

Consequently, the foundation for modern Corporate Governance is Enterprise Risk Management.


BENEFITS OF ERM


ORGANIZATIONAL GOALS OF ERM

• Protect/Enhance Members’ funds and opportunities

• Link Strategy and Risk Profile

• Recognize and Manage integrated/cross organizational risks

• Enhance Risk Based Decisions

• Capital Management/Preservation

• Seize Opportunities

• Disciplined Culture

For a director/committee member, do these sound familiar?


BENEFITS OF ENTERPRISE RISK MANAGEMENT

• Enhances integrated decision-making to better deal with the risk from growth, mergers, new products, etc.

• Better align risk and strategy.

• Framework for identifying enhanced return opportunities – improved risk mitigation.

• Improve deployment of capital resources – allocating capital to business areas to achieve superior risk returns (RAROC).

• Credibility and confidence in governance and risk management – members, regulators, external auditors.

• Anticipate risk – seize opportunities/minimizing cost.

• Improved understanding and management of interactions and interrelationships between risks.

• Clear accountability and ownership of risk.

• Regulatory compliance with safety and soundness guidelines, foundation for a strong internal control environment.


BENEFITS OF ENTERPRISE RISK MANAGEMENT (CONTINUED…)

All the previous positively impact:

• Protection of capital.

• Enhancement of earnings.

• Reduction of losses (Fraud, Credit, Operational).

• Greater efficiency in process flows.

• Better defined/more efficient internal audit programs.

• Better understanding of effect of market movements.


WHAT WE ARE OBSERVING: INDUSTRY ERM THEMES SO FAR FOR 2012+

• ERM
– Managing an acquisition (valuation, financial integration, change in risk profile, culture, data integration, etc.)
– Model validation
– Incentive programs that incorporate risk and are better aligned with organizational performance

• Compliance and regulatory
– Regulatory reform outcomes
– Stress testing
– Compliance: fair lending, BSA, AML

• Credit
– Provision and reserve going forward
– Growing the loan portfolio
– Diversifying away from risk concentrations in the portfolio

• Market Risk
– The investments portfolio – understanding the risks going forward
– Interest rate risk management


BUILDING AN ERM STRATEGY: IMPLEMENTATION OVERVIEW


ERM IMPLEMENTATION PHASES

Detective controls and processes

Preventative Controls and processes

Proactive planning and improvement

Strategic ERM

Compliance and Prevention

Operating Performance

Enhanced Member Benefits

GRADUAL EVOLUTION OF THE PROCESS


EARLY

• Minimal credit grading

• No portfolio analysis

• No operational risk measurement

• ROA as return measure

INTERMEDIATE

• Some risk quantification combined with seasoned judgment

• Operational and market risk in early stages

• Effective regulatory and investor relations

• Some RAROC calculations

ADVANCED

• An integrated risk management perspective

• Granular risk quantification

• Portfolio analytics

• Active portfolio management function

• Full RAROC across credit union

DEVELOPING ERM CAPABILITIES IS AN EVOLUTION, NOT AN EVENT

Add Capabilities as Risk/Complexity are Added


LET’S DO A QUICK SELF ASSESSMENT

• Go to the separate handout

• Complete the “Risk Oversight Self Assessment” survey

– There are no right or wrong answers

– Try to objectively answer each question for a credit union you have in mind


SELF ASSESSMENT - IMPLICATIONS

Q 1-12 | Q 13-28 | Implications
Yes | No | Lots of focus on strategic planning, lots of risks, but few risk management processes
Yes | Yes | Strategic planning and risk management are reasonably integrated and organization making great ERM progress
No | Yes | Few perceived strategic risks but overspending on ERM processes
No | No | Few perceived risks, but no system to be sure or to identify risks-opportunities


LINKING ERM TO STRATEGY

[Chart: Maturity Level (Low to High) plotted against Time. Labels: Strategic Integration; Risk vs. Return Optimization; Risk Management; Risk Measurement; Loss Minimization; Compliance/Monitoring. Annotation: Risk appetite articulated.]


ERM – STRENGTHENING FOCUS ON STRATEGIC RISK EXPOSURES

[Diagram labels: Profitability; Increased Revenues; Expense Savings; Increased Loan Yield (Rate & Volume); Non-interest Income Products; Reduce Head Count; Other Cost Savings Measures – Vendor Mgmt. The labels “Risk Drivers” and “Risk Metrics?” each appear five times.]


THE MOSS ADAMS PHASES TO ERM IMPLEMENTATION

• STEP 1 – PLANNING – (a.k.a., “putting your best foot forward, knowing the process isn’t going to be perfect because it’s a new area of focus, and every institution is unique”)

• STEP 2 – IMPLEMENTING – (a.k.a., “executing on your plan, making slight adjustments as needed; saving significant revisions to the process for the “refining” stage”)

• STEP 3 – REFINING – (a.k.a., “fixing what needs to be fixed and/or what wasn’t addressed after implementing your plan”)

A simple 3-step process for getting your ERM program off the ground


ERM IMPLEMENTATION PHASE 1 - PLANNING


BUILDING YOUR ERM ROADMAP/ IMPLEMENTATION PLAN: STEP #1 – PLANNING

A. Gain Board/Committee/Executive level of support - “Tone at the Top” might be the single biggest factor in being successful at implementing; start to build consensus/ buy-in

B. Revisit/review your strategic plan – the ERM vision should be aligned with your organization’s size/complexity

C. Start thinking about how you are going to identify (and categorize) risk

TIPS:

• Define plan owners, roles and responsibilities for execution, timelines, resource alignment

• Prioritize key tasks – look for up-front, early wins

• Utilize existing management structures

• Think about existing organizational design/structure

• Other: degree of alignment with finance, specific control tools, etc.?

• Start to build consensus among key internal and external parties (including regulators*)

• Preliminary risk assessment – work on the “completeness” of the risks inventory

• Look for risk concentrations

• Understand management’s current risk activities – functions, controls, what is tracked, who does it, etc.?


TONE AT THE TOP & CULTURE

• It’s that CULTURE thing!!

• Mutual Expectations, Respect, Reliance

• Model the Standard

Legally: Duty of Loyalty and Care; Business Judgment; Disclosure / Transparency

• Open Communications, Debate

• Brainstorm risks at various management levels - what risk is coming around the corner?

• Welcome the Messenger

• Welcome Dumb Questions

• Draft Policies


ERM POLICY

• Policy Statement

• Purpose/objectives
o Integrated mgmt of risk
o Governance of risk oversight
o Independent review and monitoring
o Best practice risk control

• Responsibilities
o Board of Directors
o Supervisory Committee
o Board Risk Committee
o Management Risk Committee
o CEO
o CRO
o Internal Auditor
o Department Heads

• Risk Categories

• ERM Process

• Policy Guidelines/Limits

• Risk Metrics and tools
– Risk Assessments
– Measures

• Controls & Monitoring

• Risk Response

• Communication & Reporting

• Policy Exceptions


ERM CHARTER

• Purpose/Objectives – Board/Committee delegation to:
– Identify and Manage risks
– Adhere to policies

• Committee Members and Chair
– Chief Risk Officer direct report

• Meetings
– Full Board reporting

• Duties and responsibilities
– Supervisory Committee interaction
– Oversight of Management Risk Committees

• Performance Evaluation

• Committee Resources


ERM IS A SHARED RESPONSIBILITY: TYPICAL ROLES/NEEDS

Board of Directors
- Governance
- Reputational Risk
- Board Training

CEO/COO
- Business Risk
- Execution Risk
- Strategy/Mergers

CFO
- Internal Controls
- Economic Capital
- Performance Measurement

CRO (Larger)
- ERM Roadmap
- Policies/Limits/Appetite
- Risk Quantification
- Dashboards

Functional Risk Managers/Delegated Responsibilities:
- Credit Risk
- Market Risk
- Interest Rate Risk
- Operational Risk
- Compliance Risk
- Technology Risk
- Etc.


A VISION FOR ERM IS FUNDAMENTALLY LINKED TO STRATEGIC GOALS FOR YOUR ORGANIZATION

• What are your core competencies? What is your market? What does your credit union want to be? Who are your members?

• What are your return goals?

• (Risk vs. Reward = Credit & IRR; Capital Adequacy; Regulatory; Fraud; Other?)

• Identify Risks to your credit union – What risks do you take-on to generate these returns? Focus on “key” risks.
– Credit risks in lending?
– Credit risks in your investments portfolio?
– Market risks through interest rates?
– Market risks through your investments portfolio?
– Operational risks through providing processing/cash management services?
– Compliance risks in highly regulated markets?
– Other?

• How much of each risk type will you take on? Is your level of risk appropriate given your return goals (risk appetite)? Do you have sufficient capital and liquidity to support these risks?


ERM RISK COMPONENTS

• Credit Risk and Market Risk are typically called ‘financial risks’ – return and risk are usually directly correlated here

• Greater risk will lead to higher returns in the long run, but will also result in significantly greater earnings volatility and require much more capital. A risk appetite is needed to decide how much risk and what types of risk are appropriate

• Operational Risks can also be financial risks, but the risk/return relationship can be very different
– Some operational risks such as regulatory and compliance concerns are not related to returns, only protection against future loss or are a cost of doing business
– Fee-based businesses such as payment processing are operational-risk driven businesses with a direct relation to returns

• Regardless of the risk type, ERM practices can enable management and the board to:
– Develop a consolidated view of their risk profile across all risk types and understand hot spots
– Measure risk exposure using quantitative and qualitative methods
– Set a risk appetite and manage to it
– Better understand where returns are generated


REGULATORY RISK CATEGORIES (RISKS EXAMPLE 1)

NCUA Risk Categories

Credit Risk

Interest Rate Risk

Liquidity Risk

Transaction Risk

Compliance Risk

Strategic Risk

Reputation Risk

Fed Risk Categories

Credit Risk

Market Risk

Liquidity Risk

Operational Risk

Legal risk

Reputational Risk

FHLB Risk Categories

Credit Risk

Market Risk

Liquidity Risk

Operational Risk

Business Risk


REGULATORY CAPITAL RULES HAVE CREATED A FRAMEWORK FOR CLASSIFICATION OF RISK TYPES (RISKS EXAMPLE 2)

Risk Type | Definition
Credit Risk | Loss due to a borrower’s inability to meet its financial obligations; loss due to change in borrower’s credit quality
Market Risk | Loss due to change in market value of traded positions; loss due to impact of changes in cost to close accrual positions (primarily interest rate risk)
Operational Risk | Loss resulting from inadequate or failed internal process, people and systems, or from external events. The definition includes legal risk. The definition does not include strategic or reputational risks.


MANY INSTITUTIONS HAVE ADOPTED THESE DEFINITIONS FOR A FUNCTIONAL ERM STRUCTURE (RISKS EXAMPLE 2.1)

Enterprise Risk Management Functional Structure (Not Organizational Structure)

Credit Risk
- Commercial
- Retail
- Counterparty

Market Risk
- Change in Fair Value
- Interest Rate Risk
- Currency Risk
- Liquidity Risk

Operational Risk
- Compliance Risk
- Int. and Ext. Fraud
- Business Process Failure
- HR
- Litigation
- Data Security
- Technology/Systems
- Natural Disaster
- Etc.

Other Risk Category Possibilities: Business, Strategic, Concentrations, Reputation, etc.


ERM IMPLEMENTATION PHASE 2- IMPLEMENTING THE PLAN


BUILDING YOUR ERM ROADMAP/IMPLEMENTATION PLAN: STEP #2 – IMPLEMENTING

A. Identify and prioritize the RISKS
- Keep it to the “TOP 5” for in-depth Board reporting
- Additional risks can be identified and listed, but don’t take away the focus from the Top 5

B. Simultaneously adopt a preliminary risk framework and conceptualize simple reporting

C. Identify gaps in the process and start to analyze (but don’t let them slow you down!)

TIPS:

• Identify strengths and weaknesses in existing risk management function

• Re-align existing capabilities with where you need to get to

• Scope: risk controls, information technology, culture, expertise, policies, risk quantification, reporting/transparency


ERM IMPLEMENTATION – THINK ABOUT “RISK AWARENESS”


Difficult process – 3 levels of risk awareness

• Known – You lend money to various parties and someone isn’t going to pay (credit risk)

• Unknown, but knowable – e.g., flood or other natural disaster that isn’t unusual for the area.

• Unknown, unknowable – would not ever know in advance, but is there a plan I can have if “something” takes me out of what I do?

This helps you to think beyond the everyday risks.


FOCUS ON KEY ENTERPRISE RISKS

• Risk issues that are most significant and deserve attention of executive management and the Board.

• Issues identified through the risk assessment process within each functional risk area.

• Escalated to upper levels with mitigation and action plans presented.


ERM IMPLEMENTATION – RISK ASSESSMENT

Ask each Board member:

“With our credit union’s business model in mind, what are the Top 5 emerging risks:”

1. _________________________________________
2. _________________________________________
3. _________________________________________
4. _________________________________________
5. _________________________________________

Ask Management the same question. Will the results be similar?

How often do the Board and Senior Management engage in explicit discussions about risk?

Reminder: Addressing risk in an advanced ERM process becomes strategic instead of defensive


RISK ASSESSMENT (CONTINUED)…

• For identified risk events:
– What is the time frame to consider?
– How likely is the event to occur?
– What would be the impact?
  • On financial goals (cash flow, capital, reported earnings)
  • On operational goals
  • On reputation/brand
– Inherent vs. residual risks?


ONE COMPLICATION: INHERENT VS. RESIDUAL RISK

• What risks are we assessing?
– Ignore response to start: tendency to overvalue controls. “100% under control” – red flag; nothing is foolproof.
– Inherent risk: Risk to an entity in the absence of any actions management might take to alter either the risk’s likelihood or impact
– Residual risk: Risk that remains after management responds to the risk identified

Back to some risk assessment examples….


RISK CATEGORIES WITHIN ERM (RISKS EXAMPLE #3)

Strategic: Product Offering, Merger & Acquisition, Competition, Revenue Growth, Profitability, Capital

Credit: Payment Default, Loan Concentration, Loan Quality, Collateral Valuation

Interest Rate: Interest Rates, Yield Curve, Investment Volatility, Foreign Exchange

Liquidity: Funding Sources, On/off Balance Sheet, Contingency

Legal: Employment Law, Contracts, Intellectual Property, Litigation

Compliance: Consumer, Member Business, Fiduciary, Money Laundering

Operational: ID Theft & Fraud, Security & Privacy, Business Continuity, Physical Security, Vendors, Process Errors, Financial Reporting

Reputation: Image & Branding, Employee Relations, Customer Relations, Regulatory Relations, Public Relations, Shareholder Relations


ABC INSTITUTION – SIMPLE ENTERPRISE RISK ASSESSMENT EXAMPLE (RISKS EXAMPLE #4)

Risk Universe | Abbr. | Operations | Reporting | Compliance | Safeguard of Assets | Risk Impact (AVG.) | Vulnerability | Control Environment | Control Monitoring | Risk Likelihood (AVG.) | Inherent Risk (Impact x Vulnerability) | Residual Risk (risk after controls) (Impact x Likelihood) | Test? | Prior Year Residual Risk | Prior Year Risk Tested?
Loans | Lns | 5 | 5 | 4 | 3 | 4.25 | 5 | 2 | 2 | 3.00 | 21.25 H | 12.75 M | Yes (I/A) | 20.00 H | Yes
ALLL | ALLL | 4 | 3 | 4 | 5 | 4.00 | 5 | 3 | 2 | 3.25 | 20.00 H | 13.00 M | - | 19.00 H | Yes
Investments | Inv | 3 | 4 | 3 | 3 | 3.25 | 4 | 2 | 3 | 3.25 | 13.00 M | 10.56 M | - | 16.00 M | -
Deposits | Dep | 5 | 5 | 4 | 3 | 4.25 | 2 | 1 | 2 | 1.75 | 8.50 L | 7.44 L | - | 9.00 M | -
Internet Banking | IntBk | 5 | 4 | 3 | 4 | 4.00 | 4 | 2 | 3 | 2.75 | 16.00 H | 11.00 M | Yes (I/A) | 12.00 L | -
Debit Cards | Debit | 4 | 3 | 3 | 4 | 3.50 | 4 | 2 | 4 | 3.25 | 14.00 H | 11.38 M | - | 13.00 M | -
ACH | ACH | 3 | 3 | 3 | 3 | 3.00 | 2 | 2 | 3 | 2.50 | 6.00 L | 7.50 L | - | 5.00 M | Yes
Wire Transfers | Wires | 3 | 2 | 4 | 4 | 3.25 | 3 | 1 | 3 | 2.50 | 9.75 M | 8.13 L | Yes (I/A) | 8.00 H | -
Debit Cards | | 4 | 3 | 3 | 4 | 3.50 | 3 | 1 | 2 | 2.00 | 10.50 M | 7.00 L | | |
Item Proc., Br Cap | IP | 3 | 2 | 2 | 3 | 2.50 | 2 | 1 | 3 | 2.25 | 5.00 L | 5.63 L | - | 4.00 H | -
General Ledger | GL | 4 | 4 | 3 | 4 | 3.75 | 4 | 2 | 3 | 2.75 | 15.00 H | 10.31 M | - | 11.00 H | -
ALM/IRR | ALM | 4 | 4 | 4 | 3 | 3.75 | 4 | 3 | 3 | 3.50 | 15.00 H | 13.13 M | Yes (Ext.) | 16.00 H | -
AVP, Punch & Disb | AP | 4 | 3 | 3 | 4 | 3.50 | 3 | 2 | 3 | 2.75 | 10.50 M | 9.63 M | - | 10.00 M | -
EDP | EDP | 5 | 3 | 4 | 3 | 3.75 | 3 | 1 | 2 | 2.25 | 11.25 M | 8.44 L | - | 12.00 M | -
BSA | BSA | 5 | 3 | 5 | 4 | 4.25 | 4 | 1 | 3 | 2.75 | 17.00 H | 11.69 M | - | 16.00 H | -
Compliance | Comp | 4 | 3 | 4 | 4 | 3.75 | 3 | 1 | 2 | 2.00 | 11.25 M | 7.50 L | Yes (Ext.) | 12.00 M | -
Collections | Coll | 4 | 2 | 3 | 2 | 2.75 | 3 | 2 | 3 | 2.75 | 8.25 L | 7.56 L | - | - | -

Scoring scale:

Score | Impact | Risk Likelihood (Vulnerability/Control)
1 | Negligible | Remote / Excellent
2 | Low | Unlikely / Good
3 | Moderate | Possible / Fair
4 | High | Probable / Needs Improvement
5 | Extreme | Certain / Does Not Exist

Rating bands:

From | To | Risk
1 | 8.99 | Low
9 | 13.99 | Mod
14 | 25.00 | High
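The scoring arithmetic behind the risk assessment table above, as an added example that is not part of the original presentation: it recomputes inherent and residual scores for six of the slide's rows, applies the slide's Low/Mod/High bands, and lists the areas whose rating drops from High only through controls with no test recorded. Function and field names are assumptions, and reading a "-" in the "Test?" column as "not tested" is an assumption as well.

```python
from decimal import Decimal, ROUND_HALF_UP

# Rows copied from the slide's table: area, the four impact scores
# (Operations, Reporting, Compliance, Safeguard of Assets), Vulnerability,
# the printed Risk Likelihood (AVG.), and the "Test?" column.
ROWS = [
    ("Loans",            (5, 5, 4, 3), 5, "3.00", "Yes (I/A)"),
    ("ALLL",             (4, 3, 4, 5), 5, "3.25", "-"),
    ("Deposits",         (5, 5, 4, 3), 2, "1.75", "-"),
    ("Internet Banking", (5, 4, 3, 4), 4, "2.75", "Yes (I/A)"),
    ("Wire Transfers",   (3, 2, 4, 4), 3, "2.50", "Yes (I/A)"),
    ("BSA",              (5, 3, 5, 4), 4, "2.75", "-"),
]

CENT = Decimal("0.01")


def band(score):
    """Apply the slide's rating bands: 1-8.99 Low, 9-13.99 Mod, 14-25 High."""
    if score < 9:
        return "L"
    return "M" if score < 14 else "H"


def assess(row):
    """Recompute one row's inherent and residual scores and their bands."""
    area, impacts, vulnerability, likelihood, tested = row
    impact_avg = Decimal(sum(impacts)) / len(impacts)
    # Inherent risk ignores controls: impact x vulnerability.
    inherent = (impact_avg * vulnerability).quantize(CENT, rounding=ROUND_HALF_UP)
    # Residual risk: impact x likelihood average. The likelihood average is
    # taken as printed, because not every row's printed value equals the mean
    # of the three component scores visible on the slide.
    residual = (impact_avg * Decimal(likelihood)).quantize(CENT, rounding=ROUND_HALF_UP)
    return {
        "area": area,
        "inherent": inherent, "inherent_band": band(inherent),
        "residual": residual, "residual_band": band(residual),
        "tested": tested != "-",  # assumption: "-" means no test recorded
    }


def untested_reliance(rows):
    """Areas rated High before controls, lower after, with no test recorded."""
    results = [assess(r) for r in rows]
    return [r["area"] for r in results
            if r["inherent_band"] == "H"
            and r["residual_band"] != "H"
            and not r["tested"]]


if __name__ == "__main__":
    for r in map(assess, ROWS):
        print(f'{r["area"]:<17} inherent {r["inherent"]:>6} {r["inherent_band"]}  '
              f'residual {r["residual"]:>6} {r["residual_band"]}  tested={r["tested"]}')
    print("High inherent risk lowered by untested controls:", untested_reliance(ROWS))
```

Half-up decimal rounding is used so that ties such as 3.25 x 2.50 = 8.125 come out as the slide prints them (8.13).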


RISK MANAGEMENT CONTINUUM

Reactive

• Lack of Board or senior management emphasis on risk

• No common risk lingo

• Stove-pipe risk management

• Ad hoc approach

• Missing coverage of risk areas

Aware

• Some board and senior management support

• Risk leader identified

• Periodic risk profiling

• Key risks defined in common vocabulary

• Recognized need for ERM

Strategic

• Proactive board and senior management involvement

• Risk managed and assessed across entire organization

• Common language and approach used and understood

• Real-time analysis of risk portfolio (real-time KRIs)

• Recognized need for ERM

Most companies straddle Goal


RISK ASSESSMENT CYCLE

Cycle elements:
• Identify risk & controls
• Assess exposures and control effectiveness
• Determine corrective action(s)
• Test Controls
• Management Certification
• Board of Directors
• Risk Assessment

Annotations:
*Report; reassess risks & ratings
*Track Project & Task priority, status, due dates, hours
*Record testing scope, conclusion and recommendation(s)
*Shows a snapshot of the pulse of enterprise risk management at-a-glance


GOVERNANCE AND MANAGEMENT STRUCTURE – RISK VIEW

Chart rows: Risk Categories; Board of Directors; Risk Management Policies; Senior Management Committees; Senior Management Officers

Chart entries, grouped by risk category and listed in chart order:

• Credit Risk: Board Credit Committee; Credit Policy; Executive Loan Committee; Chief Credit Officer
• Interest Rate Risk, Liquidity Risk: Finance Committee; Funds Management Policy; ALCO; Chief Financial Officer
• Operational Risk, Information Technology Risk: Supervisory Committee; Operational Risk Policy; IT Policies; Security & Cont. Plan & Mgt. Committees; Technology Steering Committee; Senior Operations Officer; Chief Information Officer
• Human Capital: Ethics Committee; Human Capital Risk Policy; HR/Compensation Committee; SVP, Human Resources
• Compliance Risk, Legal Risk: BSA/Compliance Committee; Compliance Program; Legal Policy; Management Committee; Director of Regulatory Risk Mgt.; Legal Director
• Strategic Risk, Reputation Risk: Strategic Planning Committee; Strategic Risk Policy; Reputation Risk Policy; Management Committee; Chief Risk Officer
• ERM: Supervisory Committee; ERM Policy; Internal Audit Charter; Enterprise Risk Management Committee; Chief Risk Officer

*Supervisory Committee sole committee composed of strictly outside individuals


ASSESSED RISK REPORTING: RISK MAPPING

• Heat Maps are a valuable tool for communicating/reporting risks

• Chart both likelihood/probability and severity/impact


HEAT MAP PORTRAYAL OF INHERENT RISKS

[Figure: heat map plotting numbered risk events 1–10 by Impact (Severity) against Likelihood (Probability of Occurrence). Legend, “Mitigation Risk”: Not Mitigated; Marginal Mitigation; Sufficient/Acceptable. The “Risk Event” key (1–5) is left blank on the slide.]


ERM IMPLEMENTATION PHASE 3 - REFINING


BUILDING YOUR ERM ROADMAP/IMPLEMENTATION PLAN: STEP #3 – REFINING

A. Plan for Remediation of Gaps/Execution
• What are you doing to address the immediate risks? (What’s the risk response – Tolerate, Terminate, Transfer, or Treat?)
• What controls will be in place going forward to monitor the risks?
• Develop recommendations to remediate gaps
• What Key Risk Identifiers (KRI’s) have you identified (or intend to identify) going forward?
• Cement consensus, buy-in among key parties
• Further define plan owners, roles and responsibilities for execution, timelines, resource alignment
• Memorialize project plan

B. Enhance Definition of “Risk Appetite” for credit union
• Quantifying risk

C. Enhance Reporting
• What will reporting to executive management and the Board look like going forward?
• Ongoing monitoring of implementation progress with board-level accountability
• Benchmark vs. industry leaders in this area as well as peers


SELF EVALUATION APPROACH FOR IDENTIFYING GAPS TO REMEDIATE

• Organize subject-matter experts in each of the credit union’s risk categories and at the ERM level.
– Facilitate a discussion of the credit union’s risk categories.
• Comprehensive evaluation of credit union’s risk management processes.
• Prepare detailed report with findings, observations and recommendations in respective risk categories.
• Major conclusions and recommendations to create final report.
• Recommendations/Action Plan/Implementation
– Management Risk Comm.
– Board Risk Comm.


ELEMENTS OF RISK APPETITE

• Existing Risk Profile: The existing level and distribution of risks across risk categories (e.g. financial risk, market risk, operational risk, reputation risk, etc.)
• Risk Capacity: The maximum risk a firm may bear and remain solvent
• Risk Tolerance: Acceptable levels of variation an entity is willing to accept around specific objectives
• Desired Level of Risk: What is the desired risk/return level

Determination of Risk Appetite (the amount of risk an entity is willing to accept in the pursuit of value)


WAYS TO DEFINE RISK APPETITE

Quantitative
• Clearly defined measure
• Can be cascaded to business units
• For example, loss of capital or degree of volatility in earnings

Qualitative
• Not all risks can be accurately/credibly measured
• For example, risk of damage to reputation

Zero Tolerance
• A subset which can be very clearly defined
• For example, loss of life or violation of laws


CREATE AN IDEAL ROSTER OF RISK REPORTS

EXAMPLES:

• A high-level summary of the top risks for the enterprise as a whole; broken down by operating unit, geographic locations, product group, etc., along with significant gaps in risk management capabilities

• Report of emerging issues or risks that warrant immediate attention

• Summary of risk events, e.g., significant exceptions versus policies or established limits

• Summary of significant changes in key variables beyond management’s control (e.g. interest rates, exchange rates, etc.) and the effect on earnings, cash flows, capital, and the business plan.

• Summary of the status of improvement initiatives


SOME EXAMPLES OF EXTERNAL KEY RISK INDICATORS

Industry and Competitor Trends
• Number of Competitors
• New product or service announcements
• Pricing Trends
• Risk events realized by competitors
• Shifts in customer tastes/trends

Economic Trends
• Unemployment forecasts
• Consumer spending trends
• Trade and foreign policy

Liquidity/Capital Markets
• Interest rate trends/forecasts
• Credit spreads in debt and credit markets
• Stock market trends and forecasts

Supply Chain Issues
• Financial health of suppliers
• Risk events at suppliers
• Pricing trends

Regulatory Changes
• Anticipated changes in tax policy
• New regulations/restrictions
• Changes in key political offices


SOME EXAMPLES OF INTERNAL KEY RISK INDICATORS

Business Operations
• Transactions, output
• Sales volume, failed deals
• Operational performance issues
• Supply chain/logistics

Information Technology
• Disasters, outages, disruption
• Help desk metrics
• Security metrics
• Project metrics
• IT incidents/investigations, complaints
• IT audit issues

Compliance
• State of controls
• Regulatory inquiries/investigations
• Litigation cases
• Discovery requests

Human Resources
• Turnover
• Headcount
• Corporate training: policies, procedures, ethics
• Vacancies
• Sick days
• Disciplinary actions

Accounting/Finance
• Adjustments
• Unsubstantiated balances
• Missed deadlines
• Write-offs

Audit
• High-risk issues/material weak.
• Past-due audit issues


KEY RISK INDICATORS GUIDANCE FOR DEVELOPING YOUR ERM DASHBOARD (THE METRIC/DATA IS…)

• Loan Delinquencies
• Portfolio Stress Tests
• Interest Rate Thresholds
• Profitability Goals
• Regulatory Concerns

• Information Security Incidents
• IT Changes
• New Products
• Failed Customer Interactions
• Business Continuity Tests

• Operational Losses
• Process Errors
• Policy Exceptions
• Audit Issues
• Staff Turnover

Based on established practices or benchmarks

Developed consistently across the organization

Provide an unambiguous and intuitive view of the highlighted risk

Allow for measurable comparisons across time and business units

Provide opportunities to assess the performance of risk owners on a timely basis

Consumes resources efficiently (not overly burdensome to get the info)


RISK REPORT EXAMPLE (KRI REPORT)

Target Key: Better Than Expected; Expected; Worse Than Expected; N/A

Each section reports its indicators by period: 1st qtr, 2nd qtr, 3rd qtr, 4th qtr, YTD

Human Resources
• Average Daily Census
• Assets per FTE
• etc.

Credit Quality
• Past due over 30 days
• Past due over 60 days
• Past due over 90 days
• Over 90 days and accruing
• ALLL/Loans
• Net charge-off %, annualized
• TDR's/Loans
• etc.

Financial
• Net Interest Margin
• ROA
• ROE
• Efficiency Ratio
• Tangible Book Value
• etc.


IN SUMMARY…


NO ERM AT YOUR CREDIT UNION?

• It’s happening already…this is the business of banking

• Start simply…joint Board/Committee and Management adventure

• Focus on Business and Regulators…how to use it to improve processes and performance…a continuous improvement perspective


GREAT DUMB QUESTIONS

• What happens if…?
• Seems like that market is…could that impact us?
• I heard about…do we have risk exposure here?
• Does our policy explain what to do if…?
• Who is responsible for making sure we don’t…?
• Do we have a limit on…?
• What does our strategic plan say about…?
• Do you think senior management knows how the Board feels about that risk?
• Are there any other Board members who didn’t understand that; I’m not clear about…?
• Has anyone around here read the COSO template for risk management?


RECOMMENDATIONS FOR ERM

• Develop ERM Policy
– Define Risk categories, roles, Measure, monitor, and reports

• Develop ERM Committee Charter
– Define members, roles, scope, reporting relationship to other committees

• Publish ERM Board Packet
– Key risk indicators (KRI) dashboard
– ALCO, Credit, Compliance, Operational Risk summaries


RECOMMENDATIONS FOR ERM

• Prepare a glossary for risk, compliance, audit
– Common terminology is part of culture change and education

• Arrange all risk, compliance, audit, regulatory activities on a calendar
– Show the full scope of ERM activities

• Use a standard set of risk categories
– Assess and monitor these exposures and tolerances across business units


QUESTIONS?

Louise Hanson: 425-303-3037

Shannon Haas: 415-677-8314