Examining Risk

Pay attention to new developments in NCUA’s seven risk factors.

March 01, 2014
KEYWORDS compliance , risk
/ PRINT / ShareShare / Text Size +

6. Strategic risk

NCUA broadly defines this category of risk as making adverse business decisions, improperly implementing decisions, or being unresponsive to industry changes. This is a good place to discuss NCUA’s November 2013 Supervisory Letter on enterprise risk management (ERM). NCUA makes clear that credit unions (other than corporate credit unions) aren’t required to implement a formal ERM framework. But NCUA believes ERM “presents potential benefits to larger [not defined by NCUA], more complex credit unions,” and that examiners “should ensure the credit union employs a comprehensive risk management approach, which may or may not include a formal ERM program.”

NCUA recognizes ERM is an evolving concept and there’s no “off-the-shelf” ERM program. Its 2013 Letter briefly discusses eight ERM components, and discusses only in very general terms what examiners should look for in all credit unions when evaluating risk (such as the credit union’s risk appetite, potential exposures, risk concentration, management performance, etc.).

Expect examiners to see if larger credit unions have risk management frameworks that manage risks across the credit union’s entire operations, rather than having a “silo” departmental approach, regardless of whether it’s a formal ERM program. And as examiners receive more training about ERM concepts, expect them to discuss an ERM program’s components with credit union management, such as the desirability of having a “risk culture” established throughout the credit union.

7. Reputation risk

NCUA’s Examiner’s Guide says “reputation risk is the current and prospective risk to earnings or capital arising from negative public [or member] opinion or perception.” It would be impossible to create a plan of action to address all possible problems, but one thing a credit union can do is formalize how it handles member complaints.

Some consumer protection regulations—those on electronic funds transfers and truth-in-lending come to mind—provide specific procedures for responding to member complaints involving specific products. But few credit unions appear to have in place an organized framework for tracking and responding to member complaints. This would include a centralized place to gather complaints regardless of how they arrive at the credit union, a formalized way to respond to complaints, and documentation (including how long records will be retained). And a credit union should make sure to have a procedure to periodically analyze complaints from all across the credit union. For instance, you’ll want to see if patterns of organizational weaknesses or disparate impact exist.

No regulatory requirement exists to take this action. NCUA’s Office of Consumer Protection now has specific procedures on contacting a federal credit union’s supervisory committee to respond to member complaints that come into NCUA. And remember in the Dodd-Frank Act the second enumerated function of the CFPB is “collecting, investigating, and responding to consumer complaints.”

The CFPB considers responding to consumer complaints to be one of four primary components of a “compliance management system” that the bureau expects the large credit unions under its supervision to maintain. The CFPB doesn’t require any specific compliance management system structure, but believes the other three primary components are: board and senior management oversight; a compliance program that addresses policies, training, and monitoring with corrective action as needed; and an independent compliance audit.

And the CFPB publicizes the types of consumer complaints it receives—and those complaints someday could form the basis for revisiting parts of its regulations.

So it just makes good business sense for a credit union to formalize tracking and handling complaints made by its members.

Adapted from the soon-to-be-released 2014-2015 CUNA Environmental Scan.

KATHY THOMPSON is CUNA’s senior vice president of compliance. Contact CUNA’s compliance team at

Other Risks

March 04, 2014 11:09 am
This is a great list, but falls short. Consider the myriad of other risks that can bring the credit union to its knees: Technology risks including viruses, trojans, data breaches and other forms of security compromises. People risks, including disgruntled employees, social engineering attempts, social unrest, prison breakout, social media entries that also affect the mentioned reputational risk. Environmental risks, which could include derailed or overturned chemical tankers,blizzards, hurricanes, tornados, sink holes (save the Corvettes!), earthquakes, mudslides, forest fires. Leaders always need to be asking themselves, "What could stop us from performing our mission?" A solid crisis management organization, coupled with a realistic, exercised business continuity plan is vital to ensure continued operations.

Flag Comment as Offensive

Post a comment to this story

What's Popular

Popular Stories

Recent Discussion

Who Should Be the 2015 CU Hero of the Year?

View Results Poll Archive