Four Steps to Robust Risk Assessment

Any product, service, or process may expose CUs to internal and external risks.

December 09, 2011
/ PRINT / ShareShare / Text Size +

Risk can never be entirely eliminated. But using risk assessments as part of an enterprise-wide risk management strategy will help credit unions continue to provide meaningful products and services to members while including necessary safeguards.

That’s the word from Ann Davidson, senior risk management consultant for CUNA Mutual Group. She says credit union leaders, including directors, have a responsibility to ensure their credit unions implement a formal risk assessment process to identify, measure, and control risks that threaten their institution’s net worth and earnings.

Davidson says any product, service, or process may expose a credit union to both internal and external risks.

Internal risks include employee theft and employment practices liability resulting from discrimination, harassment or a hostile working environment.

External risks range from physical threats (i.e., robbery and natural disasters) to automated clearinghouse fraud, data breaches, and identity theft.

Risk assessments should answer:

  • What can go wrong?
  • How can it go wrong?
  • What’s the potential impact?
  • What preventative measures can be taken?
  • How can risks be stopped from happening again or at all?

Subscribe to Credit Union Magazine“It’s the board’s responsibility to determine their credit union’s risk tolerance and formally establish it through approved policies,” Davidson says.

A robust risk assessment process forms the foundation for an enterprise risk management process—and increasingly important practice due to increased regulatory requirements.

The Federal Financial Institutions Examination Council, for example, issued new online authentication guidance in June that stresses and reinforces the importance of performing periodic risk assessments. Examiners will start reviewing credit union controls under the updated guidance in January 2012.

Risk assessments aren’t “one and done” activities, nor is there a “one size fits all” approach to completing them, Davidson says. Rather, assessments involve a continuous process comprised of four distinct activities:

1. Identify. This step establishes potential sources of loss associated with particular products, services, or processes. It’s the most important step in the risk assessment process and should include existing and potential risks.

Identification resources include checklists, physical inspections, compliance reviews, loss history reviews, educational alerts, and media reports.

2. Analyze. This involves measuring the potential impact various risks can have on a credit union. For service offerings, it means balancing the need for member service with risk exposure and considering the frequency and severity of potential losses.

3. Control. Techniques to control risk include avoidance, reduction, transfer (insurance), or a combination thereof.

4. Monitor. Credit unions should continuously monitor risks because they change, particularly with evolving technology. Risk assessments should be updated when necessary.

The ultimate goal: Reduce risk to a tolerable level.

More "Identify" thoughts

Ken Schroeder, VP-Business Continuity, Southeast Corporate FCU
December 14, 2011 12:13 pm
I agree with everything in the article as far as it goes. Especially the "Identify" section. Relating risks to individual products or processes is really shortsighted. There are many other risks affecting credit unions. Here's a few modest examples: Drunk jilted man races to town to commit suicide by crashing into a CU storefront, catching the building on fire. A rumour of corporate malfeasance (CEO, CIO cooking books) causes a run on the CU. Tanker truck full of annhydrous ammonia tips over at the major intersection next to the CU. The list goes on and on. None are specific to any product, service, or CU function, but all guarantee serious office or branch impact and damage. Happy Holidays.

Flag Comment as Offensive

Risk assessment

Bill Merrick
December 14, 2011 5:11 pm
Thanks, Ken!

Flag Comment as Offensive

Post a comment to this story


What's Popular

Popular Stories

Recent Discussion

Great article! Unfortunately, most employees don’t feel valued or appreciated by their supervisors or employers. In fact, research has shown that the predominant reason team members quit their jobs is because they don’t feel valued. This is in spite of the fact that employee recognition programs have proliferated in the workplace – over 90% of all organizations in the U.S. has some form of employee recognition activities in place. But most employee recognition programs are viewed with skepticism and cynicism – because they aren’t viewed as being genuine in their communication of appreciation. Getting the “employee of the month” award, receiving a certificate of recognition, or a “Way to go, team!” email just don’t get the job done. How do you communicate authentic appreciation? We have found people have different ways that they want to be shown appreciation, and if you don’t communicate in the language of appreciation important to them, you essentially “miss the mark”. Additionally, employees need to receive recognition more than once a year at their performance review. Otherwise, they view the praise as “going through the motions”. A third component of authentic appreciation is that the communication has to be about them personally – not the department, not their group, but something they did. Finally, they have to believe that you mean what you say. How you treat them has to match the words you use. If you are not sure how your team members want to be shown appreciation, the Motivating By Appreciation Inventory (www.appreciationatwork.com/assess) will identify the language of appreciation and specific actions preferred by each employee. You then can create a group profile for your team, so everyone knows how to encourage one another. Remember, employees want to know that they are valued for what they contribute to the success of the organization. And communicating authentic appreciation in the ways they desire it can make the difference between keeping your quality team members or having a negative work environment that everyone wants to leave. Paul White, Ph.D., is the co-author of The 5 Languages of Appreciation in the Workplace with Dr. Gary Chapman.

Your Say: Who should be Credit Union Magazine's 2014 CU Hero of the Year?

View Results Poll Archive