Skill-building fundamentals for effective risk management
Presented by Devon Lyon, Director of Education at NAFCU
Dec 16, 2015


From the NCUA

• From chapter one of the Examiner's Guide
• Due Diligence: Credit Unions should have in place a risk management program that includes a strategic plan with implementing policies, procedures, and internal controls necessary to manage the risks inherent in their operations. Successful risk management programs rely on Credit Union management to employ sufficient staff and have available necessary resources to identify, measure, monitor, and control existing and potential risks.

What is a Risk Assessment

The identification, evaluation, and estimation of the levels of risks involved
1. in a situation*, their comparison against benchmarks or standards (*Can also be credit, liquidity, or enterprise risk)
2. and determination of an acceptable level of risk a Credit Union is willing to assume.
   1. Important to consider the size and nature of your Credit Union

Why are Risk Assessments important?

• 1) They are required by Regulators.
• 2) They are an integral part of any good Project Plan.
• 3) They add VALUE!
• 4) They help protect the safety and soundness of your organization.
• 5) Did we mention they are required?

Required by guidance

• Supervisory Letter No.: 07-01 (Third Party Vendors)
• Supervisory Letter No.: 14-05 (MSBs)
• Supervisory Letter No.: 13-12 (Enterprise Risk Management)
• Supervisory Letter No.: 13-03 (Investing in Securities)
• Supervisory Letter No.: 14-04 (Taxi Medallion Lending)

Polling Question 1

• What is the value of a Risk Assessment?
• A) It is something that passes the time.
• B) It adds real value to the Organization.
• C) It is an important step in any Project Plan.
• D) Both B and C

Has anyone noticed

• NCUA never clearly defines what a Risk Assessment should look like:
• Mentioned numerous times in the Examiner's Guide and Supervisory Letters.
• No official examples for CUs to follow.

What do other Regulators provide

• http://www2.epa.gov/risk
• http://www.ccohs.ca/oshanswers/hsprograms/risk_assessment.html
• http://hsa.ie/eng/Small_Business/Risk_Assessment_Made_Easy/

Item 11 on the job description

• You are now tasked with doing a Risk Assessment for a product or service.
• Where do you start?
• What does it look like?
• Where can you go for guidance?

Ask another Credit Union

• Unlike policies, Risk Assessments are very SPECIFIC to their Organizations.
• Sample templates and shared Risk Assessments are fine to reference, but should not be copied.
• Each Risk Assessment should be unique to the risks and mitigation steps created at your own Organization.


Where to begin

Real World Risk Assessment

• Issue: You and your family are going to adopt a dog: This is your ideal dog


Real World Risk Assessment

• The dog you adopt turns out to be this:


Real World Risk Assessment

• Identify the Risks of the Dog

– The dog likes to run free

– The dog is aggressive towards strangers

– The dog doesn’t listen to basic commands


Real World Risk Assessment

• How do you reduce the Risk with the dog?

– Take the dog to obedience training

– Buy a sturdy leash

– Put up a fence in your home

– Slowly introduce the dog to other people

– Take the dog to the dog park for socialization

Real World Risk Assessment

• After your Risk review and mitigation your dog is now:

Risk Assessment How to

• Step 1: Assess the product or service you are tasked with reviewing:
– Determine how the product or service operates.
– How it is offered.
– What “unique” characteristics are in the product or service.
– Who the target user(s) of the product or service are.

Risk Assessment How to

• Step 2: Apply the factors of Risk
• NCUA has Seven Risk Factors
– Credit Risk (Risk of Default)
– Interest Rate Risk (Rate changes in Markets)
– Liquidity Risk (Risk of Inability to fund obligations)
– Transaction Risk (Risk of fraud or operational problems in transaction Processing)

Risk Assessment How to

– Compliance Risk (Risk of violations and non-compliance with applicable laws and regulations)
– Strategic Risk (Risk of adverse business decisions through management’s actions or inactions)
– Reputation Risk (Risk of negative public opinion or perception leading to a loss of confidence and/or severance of relationships)

Polling Question 2

• How many Risk factors does NCUA mention?
• A) 6
• B) 7
• C) 4
• D) 7 plus one to two more depending on the exam and environment.

Risk Factors

• The seven Risk factors are nicely laid out in NCUA’s LETTER NO.: 02-FCU-09*
• Doesn't mention Concentration Risk
• Is there another Risk pending with Cyber Security?

Risk Assessment How to

• Step 3: Apply your internal controls to the defined Risk.
– For example, if you have a transaction risk defined, apply your transaction monitoring steps to remediate the risk identified.

Risk Assessment How to

• Step 4: The Three R’s (Review, Revise, Repeat)
• Review: Review your Risk Assessment(s) at least annually.
• Revise: Based on your testing and review, revise the Risk Assessments so they are current.
• Repeat: Repeat these steps for continued success.

Seems Simple Right?

• Risk Assessments are the foundation of an Enterprise Risk Management program at the Credit Union.
• ERM helps provide a holistic view of the risks the particular institution is dealing with.

Tips

• Typically, when risk-rating a product or service, you will use a numeric system to represent the Risk.
• These can be either 1-5 or 1-10.
• Some also use colors: green, yellow and red. This is often referred to as a heat map.

Risk Assessment Walk Through

• Scenario: Your Credit Union is launching a new watch payment application. You have been tasked with performing a Risk Assessment and presenting it to Senior Management.
• What do you do?

Step One

• Figure out how the watch application will work and what is being offered through the application.

Step One

• We had a meeting and the following information is now known:
– Members can load their debit or credit cards into the watch application.
– The watch can be used by any Near Field Communication Reader.
– Member authentication can be handled either by the watch company or the Credit Union.

Step One Continued

• Marketing and Senior Management want the watch application to be open to everyone.
• Interchange revenue is roughly 1% lower than traditional card swipe.

Step Two

• Look at the seven NCUA Risk Areas and figure out which apply to the product:

Credit Risk

• Credit Risk: ask yourself, “would using the watch application make your members more likely to default?” The answer at first glance is probably not.
• The payment mechanism does not change or provide a higher usage rate than traditional swipe cards.

Interest Rate Risk

• Would your members using the watch be subject to market factors that could lead to changes in the market? No. Interest Rate Risk is not likely to apply to a payment technology.

Liquidity Risk

• Would your members using the watch destabilize your ability to fund your obligations? The chances of this are very low.

Transaction Risk

• What happens if the watch app goes down? What are the alternatives the Credit Union can put in place?
• What is the likelihood of fraud on the application?
• The transactional risk area for the watch seems moderate to high for both processing and fraud.

Compliance Risk

• The Credit Union needs to make sure that the watch conforms with all applicable rules and regulations.
• In addition, since the watch is a new payment channel, is there going to be a disclaimer the members need to sign prior to using the application?
• How will members be authenticated prior to using the app?

Strategic Risk

• Ask if your members are requesting a new payment channel.
• Marketing and Senior Management want everyone to have immediate access to the watch. Does this make sense for your organization?

Reputation Risk

• If you delay your watch app, will another larger FI steal your members because they have one?
• What happens if the app goes down?
• What happens if the watch has a breach and member data is stolen?

Step 3

• The Credit Union has successfully reviewed the watch application, and you have a strong grip on the applicable risk areas as defined by NCUA. Now it is time to put the adequate controls in place to help reduce the Risks identified in step two.

Identified Risks

• Transaction Risk: App goes down.
• Transaction Risk: Fraudulent payments.
• Compliance Risk: Make sure the app conforms with applicable laws.
• Compliance Risk: Will our members need to sign a new agreement to use the app?
• Compliance Risk: How are we authenticating members?

Identified Risks

• Strategic Risk: Is this watch app being requested by our members?
• Strategic Risk: Should we roll this out to everyone in our field of membership?
• Reputation Risk: If we don’t roll out the app, will we lose members?
• Reputation Risk: What happens in the event of a data breach?

Mitigation

• Now that you have reviewed the product and identified the Risks, it is time to mitigate them.
• Important to note:
• Some Risks cannot be mitigated
• Some Risks can be accepted by the Credit Union, and documented as such

Mitigation Steps

• Transaction Risk: App goes down
– Credit Union mitigation: Review watch uptime monitoring. Create a member communication strategy if the watch app goes down.
– Our members will still be able to use their credit and debit cards if the watch goes down. Also the Credit Union will provide a unique phone number so that members can report any problems or questions with the watch application.

Mitigation Steps

• Transaction Risk: Fraudulent payments.
– Credit Union mitigation: Watch payments will be coded with a unique identifier on the Credit Union’s core system. Fraud staff at the Credit Union will review a report of all watch payments daily to look for trends and potential abuse. Call Center staff will forward any fraud claims to fraud staff immediately.

Mitigation Steps

• Compliance Risk: Make sure the app conforms with required laws.
– Credit Union mitigation: Credit Union has reviewed the method that the watch app performs payments. The watch conforms to existing payment channels at the Credit Union. No new regulatory hurdles are presented at this time.
– Review payment processing for any changes.

Mitigation Steps

• Compliance Risk: Will we need the member to sign a new agreement to use the app?
– Credit Union mitigation: Compliance and Marketing have created a small disclosure the member must attest to prior to loading their debit or credit cards onto the watch app for us. The disclosure provides the member details on fraud, reporting and the toll free number to call.

Mitigation Steps

• Compliance Risk: How are we authenticating members?
– Credit Union mitigation: Work on a real time authentication with your core system and app provider.
– The member accepts the disclosures on the watch app.
– The member’s cards loaded onto the app will be verified in real time against the card data stored in the CU core system.

Mitigation Steps

• Strategic Risk: Are your members asking for this.
– This Risk is mitigated in the planning stage. By reviewing demand the Credit Union mitigates this step.
– Marketing created a page to determine interest and had a good number of page views. Your call center has had roughly 50 calls about this product. Member feedback indicates the CU should roll out the watch app.

Mitigation Steps

• Strategic Risk: Should we roll this out to everyone in our field of membership?
– After reviewing payment data and member trends, you have a recommendation to Marketing and Senior Management that the watch app can be available to all members. The risks involved are no different from issuing a debit or credit card. The only difference is the payment mechanism.

Mitigation Steps

• Reputation Risk: If we don’t roll out the app, will we lose members?
– This Risk was mitigated by the decision to move forward with the app. Therefore, while a valid concern, it is already mitigated.

Mitigation Step

• Reputation Risk: What happens in the event of a data breach?
– Credit Union mitigation: The first mitigation for a data breach is to review the security of the watch app itself.
– The watch app uses a fingerprint reader tied to a phone to validate the transaction. If a member’s watch is lost, the application will not be able to process payments without the fingerprint authentication.
– The watch also does not store the full credit card information, so if the watch is lost the member’s card information cannot be retrieved.


Risk Assessment Cycle

Final Thoughts

• Specific Risks such as Concentration Risk and Credit Risk should have their own policies and procedures.
• The procedures should include specific annual testing. The testing is important because it goes beyond standard Risk Assessments.


Wrap Up

• Risk Assessments are essential.
• They are never properly defined.
• Create your own; do not rely on someone else’s work product.
• Policies and Procedures should be a complement to your Risk Management Program.

Polling Question 3

• There is a difference between a BSA Risk Assessment and traditional Risk Assessment.
• A) True
• B) False
• C) I don’t know


Any Questions?

If you have any questions please contact

Devon Lyon

[email protected]

703-842-2232