The NCUA recently issued Supervisory Letter 13-12 on Enterprise Risk Management (ERM). Enterprise Risk Management has been a hot topic. Usually when I’m at a conference and someone brings up ERM, the conversation goes like this:
Attendee: “I just left a session on Enterprise Risk Management. That stuff is really interesting!”
Me: “Oh cool. How does that process work?”
Attendee: “It’s not just looking at a single individual risk, it’s looking at all of the risks and how they interrelate to come to an enterprise wide assessment of risk.”
Me: “Well, yeah, but how do you do that?”
Attendee: “Well, it’s all of the risks…”
Me: “I get it now… Let me tell you a little about Twenty Twenty Analytics, where we use data to quantify risk as opposed to practicing the dark arts.”
I’ve never said that last part, but sometimes that’s how it feels. Talk about paralysis by analysis…
If unemployment goes down 60 bps, interest rates go up 300 bps, home values improve by 4%, we have a 98% employee retention rate, our portfolio has a weighted average duration of 5.4, mortgages prepay at a rate of 12%, we have 2.8 lawsuits over the next year, and no one misses a Super Bowl-winning field goal and kidnaps our mascot in an attempt to seek revenge on the Miami Dolphins (the plot of Ace Ventura: Pet Detective), our risk will be $2.8 million! It’s so simple!
After reading this supervisory letter, your conversation with the NCUA will go much more smoothly. Probably something like this:
You: “I saw there was guidance issued on ERM. That’s a tricky topic. What is that all about?”
Examiner: “It’s pretty simple really. Enterprise Risk Management is a comprehensive risk-optimization process that integrates risk management across an organization.”
You: “Integrated risk? We have a hard enough time quantifying individual risks. I saw that we have to quantify both financial and non-financial risks. How do you quantify something non-financial?”
Examiner: “ERM is a broadly defined and evolving concept that, at its core, presents potential benefits to larger, more complex credit unions. Natural person credit unions are encouraged to explore how ERM might benefit their organization, but are not required by regulatory or supervisory expectation to implement a formal ERM process.”
You: “Phew, that’s a relief.”
Examiner: “Yeah. It’s really no big deal. A DOR may be issued outlining underlying areas of unacceptable risk for which management does not have an adequate identification, measurement, monitoring, control and reporting structure.”
You: “Wait, what?”
Examiner: “This letter says you should have a heat map… Can I see your heat map?”
If I’m reading this correctly, you don’t have to have a formal ERM policy, but you should be doing something.
The Supervisory Letter outlines the eight components of Enterprise Risk Management and provides positive examples of the components. They are worth looking over to see what positive examples you could quickly provide if questioned by your examiner.
At the very least, periodically reviewing the seven risk factors (credit risk, interest rate risk, liquidity risk, transaction risk, compliance risk, strategic risk and reputation risk) and ranking them from 1 to 7 in order of greatest threat to your credit union would be a beneficial exercise. Would I highlight them from green to yellow to red based on the perceived risk to create a “Heat Map”? Absolutely!
Although the NCUA has said a formal policy is unnecessary, they wouldn’t have issued this supervisory letter if they weren’t looking for some form of documentation at credit unions addressing it.
In preparation for questions stemming from this letter, I would think about where you have documented and/or quantified information regarding these risks, and for areas you are not quantifying, document that you have considered the cost/benefit trade-off and why you do not perceive them as a large risk.