Risk assessments are the ubiquitous time-sink for the credit union industry. Nearly all employees of a credit union will, at some time or another, be faced with assessing and managing risks. Have you ever considered the sheer number of risk assessments performed across multiple departments each and every year? IT is responsible for the IS&T, back office must manage the ACH risk, your compliance department or persons assigned to compliance must complete BSA and third-party payment processor assessments, someone will be responsible for vendor management … the work never ends.
Risk management isn’t as easy as getting an enterprise solution
While risk management is embedded in credit union operations, an odd fact about all of the focus on risk is that each of these assessments have their own templates and independent processes. These independent risk assessments can make management’s and the board’s role in managing risk staggeringly difficult.
Enterprise Risk Management solutions are expensive, and even the NCUA has acknowledged that Enterprise Risk Management is a poor fit except for larger, more complex financial institutions. However, there are ways to think about risk that, if embedded in the organization, can remove that clutter and disorganization to provide focus for your decision-makers. After all, assessing risk is being done each and every day by your decision- makers – regardless of regulatory requirements – so why not standardize the process as much as possible?
Although risk management is difficult, most credit union executives intuitively understand the need to identify and respond to risks. For example, most larger credit unions have a travel policy where not every executive will travel on the same airplane. This is a simple way of managing the risk of succession for the organization. The key elements are identifying threats (problem of loss of leadership), balancing against the possible loss that threat poses, and putting in a control to mitigate that loss (staggering airplane flights). These similar elements can be put into all of your risk assessments to help the organization make good decisions about risk.
Step 1: Define risk throughout the organization
The first decision is to consistently define risk throughout the organization. Risk can be defined in many ways; there isn’t necessarily a perfect definition and you need to use one that works for your organization. If you do not have a consistent definition, we recommend defining risk as the probable frequency and severity of future loss. The benefit of this definition is you are trying to assess how much a particular risk can hurt your institution.
If the loss is frequent but low, or if the loss if severe but highly unlikely, you can look to allocate resources towards more dangerous risks in your credit union. Make certain your staff uses a consistent definition, so your senior management team and board is clear as to what controls you need to invest in. For example, in the IS&T realm we know that email phishing is a very frequent risk and ransomware or exfiltration of sensitive data will result in severe loss. Investment of controls here may make more sense than investing in additional password controls.
Step 2: Get everybody on the same page
The next step is to get everyone on the same page regarding controls and residual risk. These ideas are inherent and natural to most people in the credit union industry. The issue is to get everyone thinking about these processes in the same way. Controls are just the mechanism for mitigating risks.
For example, the credit union’s BSA Customer Identification Program is designed to reduce loss by ensuring the credit union knows the true identity of the customer. The Customer Identification Program must also have procedures for circumstances in which the institution cannot form a reasonable belief that it knows the true identity of the customer. If the credit union is hit with a large number of fraudulent applications, the credit union may need to adjust the Customer Identification Program. The Customer Identification Program is simply a control to help mitigate the loss of fraudulent accounts.
Residual risk is just the “leftover” risk once controls are considered and is really where credit union management has the heavy lifting in the risk assessment process. For example, a credit union may do business with a vendor where sensitive member information is sent. The vendor may have mitigation controls, such as an SSAE audit. There is still a risk, however, that the vendor may have a data breach. Therefore, the credit union might insist that the vendor have cyber liability insurance for further mitigation. If the vendor refuses, credit union management has to decide whether to accept that risk or mitigate (e.g., having its own cyber liability insurance or moving to another vendor).
Note: there could be plenty of good reasons to accept the risk, including a low amount of information sent to the vendor, very good rates from the vendor, and so forth.
Step 3: Document your system
The final key is to make sure your staff documents its decisions in your common language of risk assessments. Most of your staff understand what they are trying to accomplish, but the decisions need to be documented so management can review and understand. Implementation is usually not too difficult; your staff wants to produce reports and information that are usable by executives and the board in making decisions. If you have a standard process for understanding what you are measuring by your risk assessments, your staff will do a better job conveying the information to you.
No matter what the assessment, the basics of risk management include identification of loss, what controls are in place to mitigate the loss, and evaluation of the residual risk. Executive management has the role of deciding whether this risk is acceptable, or if more resources must be applied to control the risk. By committing your team to a process, you can apply risk management across all departments. This process can also help your team review proposed new services, mergers, products, and balance sheet strategies, just to name a few.