Five Things to Understand about NCUA's ERM Guidance
Written by Anthony Demangone
Everything is risk management. Everything.
Do you invest in new software? Expand your branch network? Expand training?
Every decision involves some variation of a cost-benefit analysis.
That's why I believe NCUA's recently-issued guidance on Enterprise Risk Management (ERM) is a must read for all credit union leaders. The guidance shares a Supervisory Letter that went to all NCUA field staff. This is what an examiner will read before he or she judges your risk management efforts.
I hope that got your attention.
Here are five key take-aways.
- Your credit union does not have to implement a formal ERM framework. That being said, NCUA will expect you to have processes sufficient to manage your risk. Also, the guidance says that NCUA does not view any approach as preferable. So, if an examiner says that you should use a specific risk management system, this guidance says otherwise.
- Be smart - read their guidance and weave it into your system. NCUA does expect you to include certain ERM components into whatever risk-management system you use. They use certain words, phrases, and descriptions. Show how your risk management system hits each of the components they seek. You can find them on pages 2 and 3 of the Supervisory Letter.
- The guidance expects board involvement. You'll see it on page one, where it says "(A)n organization's board of directors ultimately makes the decision to develop and implement an ERM framework..."
- The guidance expects policies and procedures to manage risk. The bigger or more complex your operations are, NCUA seemingly expects more.
- As I read this, the more work you put in up front, the better you'll be down the road.  Examiners will look to see your philosophy for risk management. Your appetite for risk. Your values.  Your products and services.  Your risk profile.  They want to see how your organization manages your specific risks.  This is great, and difficult, all rolled into one.  On one hand, there's no one-size-fits-all approach.  That gives you flexibility.  But it requires you to tailor a program to your specific risk profile. Again, more flexibility, but more work.
One other parting thought.  As I speak to credit unions across the country, I always bring up "risk appetite." What is your credit union's appetite for compliance risk? Reputation risk?  And more often than not, credit union professionals have no idea what their credit union's appetite for a given risk is. NCUA's guidance expects you to sort that out.  And it makes sense.  How can you manage a risk, if you don't set a base-line of what is acceptable?
So, your homework this week is to read this guidance. It totals six pages, including the cover page. And spread it around. Everyone in your credit union's management team should read this puppy.
***
Related posts.
- Ours is a risky business.  (Musings.)
- Staff concentration risk. (Musings.)
- Making decisions off the grid. (Musings.)
- Reputation. (NAFCU Compliance Blog.)