Skill-building fundamentals for effective risk management
Dec 16, 2015 · Transcript
Presented by
Devon Lyon
Director of Education at NAFCU
From the NCUA
• From chapter one of the Examiner's Guide
• Due Diligence: Credit Unions should have in place a risk management program that includes a strategic plan with implementing policies, procedures, and internal controls necessary to manage the risks inherent in their operations. Successful risk management programs rely on Credit Union management to employ sufficient staff and have available necessary resources to identify, measure, monitor, and control existing and potential risks.
What is a Risk Assessment?
The identification, evaluation, and estimation of the levels of risks involved:
1. in a situation*, and their comparison against benchmarks or standards (*can also be credit, liquidity, or enterprise risk);
2. and the determination of an acceptable level of risk a Credit Union is willing to assume.
• It is important to consider the size and nature of your Credit Union.
Why are Risk Assessments important?
• 1) They are required by Regulators.
• 2) They are an integral part of any good Project Plan.
• 3) They add VALUE!
• 4) They help protect the safety and soundness of your organization.
• 5) Did we mention they are required?
Required by guidance
• Supervisory Letter No.: 07-01 (Third Party Vendors)
• Supervisory Letter No.: 14-05 (MSBs)
• Supervisory Letter No.: 13-12 (Enterprise Risk Management)
• Supervisory Letter No.: 13-03 (Investing in Securities)
• Supervisory Letter No.: 14-04 (Taxi Medallion Lending)
Polling Question 1
• What is the value of a Risk Assessment?
• A) It is something that passes the time.
• B) It adds real value to the Organization.
• C) It is an important step in any Project
Plan.
• D) Both B and C
Has anyone noticed?
• NCUA never clearly defines what a Risk Assessment should look like:
• It is mentioned numerous times in the Examiner's Guide and Supervisory Letters.
• There are no official examples for CUs to follow.
What do other Regulators provide?
• http://www2.epa.gov/risk
• http://www.ccohs.ca/oshanswers/hsprograms/risk_assessment.html
• http://hsa.ie/eng/Small_Business/Risk_Assessment_Made_Easy/
Item 11 on the job description
• You are now tasked with doing a Risk
Assessment for a product or service.
• Where do you start?
• What does it look like?
• Where can you go for guidance?
Ask another Credit Union
• Unlike policies, Risk Assessments are
very SPECIFIC to their Organizations.
• Sample templates and shared Risk
Assessments are fine to reference, but
should not be copied.
• Each Risk Assessment should be unique
to the risks and mitigation steps created at
your own Organization.
Where to begin
Real World Risk Assessment
• Issue: You and your family are going to
adopt a dog: This is your ideal dog
Real World Risk Assessment
• The dog you adopt turns out to be this:
Real World Risk Assessment
• Identify the Risks of the Dog
– The dog likes to run free
– The dog is aggressive towards strangers
– The dog doesn’t listen to basic commands
Real World Risk Assessment
• How do you reduce the Risk with the dog?
– Take the dog to obedience training
– Buy a sturdy leash
– Put up a fence in your home
– Slowly introduce the dog to other people
– Take the dog to the dog park for socialization
Real World Risk Assessment
• After your risk review and mitigation, your dog is now:
Risk Assessment How to
• Step 1: Assess the product or service you
are tasked with reviewing:
– Determine how the product or service
operates.
– How it is offered.
– What “unique” characteristics are in the
product or service.
– Who the target user(s) of the product or
service are.
Risk Assessment How to
• Step 2: Apply the factors of Risk
• NCUA has seven Risk Factors:
– Credit Risk (risk of default)
– Interest Rate Risk (rate changes in markets)
– Liquidity Risk (risk of inability to fund obligations)
– Transaction Risk (risk of fraud or operational problems in transaction processing)
– Compliance Risk (risk of violations and non-compliance with applicable laws and regulations)
– Strategic Risk (risk of adverse business decisions through management's actions or inactions)
– Reputation Risk (risk of negative public opinion or perception leading to a loss of confidence and/or severance of relationships)
Polling Question 2
• How many Risk factors does NCUA
mention?
• A) 6
• B) 7
• C) 4
• D) 7 plus one to two more depending on
the exam and environment.
Risk Factors
• The seven Risk factors are nicely laid out
in NCUA’s LETTER NO.: 02-FCU-09*
• Doesn't mention Concentration Risk
• Is there another Risk pending with Cyber
Security?
Risk Assessment How to
• Step 3: Apply your internal controls to the
defined Risk.
– For example if you have a transaction risk
defined, apply your transaction monitoring
steps to remediate the risk identified.
Risk Assessment How to
• Step 4- The Three R’s (Review, Revise,
Repeat)
• Review: Review your Risk Assessment(s) at
least annually.
• Revise: Based on your testing and review,
revise the Risk Assessments so they are
current.
• Repeat: Repeat these steps for continued
success.
Seems Simple Right?
• Risk Assessments are the foundation of
an Enterprise Risk Management program
at the Credit Union.
• ERM helps provide a holistic view of the
risks the particular institution is dealing
with.
Tips
• Typically, when risk-rating a product or service you will use a numeric system to represent the Risk.
• These can be either 1-5 or 1-10.
• Some also use colors (green, yellow and red). This is oftentimes referred to as a heat map.
Risk Assessment Walk Through
• Scenario: Your Credit Union is launching a
new watch payment application. You have
been tasked with performing a Risk
Assessment and presenting it to Senior
Management.
• What do you do?
Step One
• Figure out how the watch application will
work and what is being offered through the
application.
Step One
• We had a meeting and the following
information is now known:
– Members can load their debit or credit cards into the watch application.
– The watch can be used at any Near Field Communication (NFC) reader.
– Member authentication can be handled either by the watch company or the Credit Union.
Step One Continued
• Marketing and Senior Management want
the watch application to be open to
everyone.
• Interchange revenue is roughly 1% lower than traditional card swipe.
Step Two
• Look at the seven NCUA Risk Areas and
figure out which apply to the product:
Credit Risk
• Credit Risk: ask yourself, "would using the watch application make your members more likely to default?" The answer at first glance is probably not.
• The payment mechanism does not change or provide a higher usage rate than traditional swipe cards.
Interest Rate Risk
• Would your members using the watch be subject to market factors that could lead to rate changes? No. Interest Rate Risk is not likely to apply to a payment technology.
Liquidity Risk
• Would your members using the watch
destabilize your ability to fund your
obligations? The chances of this are very
low.
Transaction Risk
• What happens if the watch app goes
down? What are the alternatives the Credit
Union can put in place?
• What is the likelihood of fraud on the
application?
• The transactional risk area for the watch
seems moderate to high for both
processing and fraud.
Compliance Risk
• The Credit Union needs to make sure that the watch conforms with all applicable rules and regulations.
• In addition, since the watch is a new payment channel, is there going to be a disclaimer the members need to sign prior to using the application?
• How will members be authenticated prior to using the app?
Strategic Risk
• Ask if your members are requesting a new
payment channel.
• Marketing and Senior Management want everyone to have immediate access to the watch; does this make sense for your organization?
Reputation Risk
• If you delay your watch app will another
larger FI steal your members because
they have one?
• What happens if the app goes down?
• What happens if the watch has a breach
and member data is stolen?
Step 3
• The Credit Union has successfully
reviewed the watch application, and you
have a strong grip on the applicable risk
areas as defined by NCUA. Now it is time
to put the adequate controls in place to
help reduce the Risks identified in step
two.
Identified Risks
• Transaction Risk- App goes down.
• Transaction Risk- fraudulent payments.
• Compliance Risk- Make sure the app conforms
with applicable laws.
• Compliance Risk- Will our member need to sign
a new agreement to use the app?
• Compliance Risk- How are we authenticating
members?
Identified Risks
• Strategic Risk- Is this watch app being
requested by our members?
• Strategic Risk- Should we roll this out to
everyone in our field of membership?
• Reputation Risk- If we don’t roll out the
app will we lose members?
• Reputation Risk- What happens in the
event of a data breach?
Mitigation
• Now that you have reviewed the product,
and identified the Risks it is time to
mitigate them.
• Important to note:
• Some Risks cannot be mitigated
• Some Risks can be accepted by the Credit
Union, and documented as such
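As an added example (not from the presentation), here is one way to record the step 2 ratings and step 3 controls: a small risk register using the 1-5 scale and green/yellow/red heat map from the Tips slide, with NCUA's seven factors as the only allowed categories and a separate status for risks the Credit Union accepts rather than mitigates. The sample entries and their ratings are constructed from the watch-app walk-through and are assumptions.

```python
from dataclasses import dataclass

# NCUA's seven risk factors, as listed on the slides.
NCUA_RISK_FACTORS = ("Credit", "Interest Rate", "Liquidity", "Transaction",
                     "Compliance", "Strategic", "Reputation")

def heat_color(score: int) -> str:  # 1-25 score -> green/yellow/red heat map
    return "green" if score <= 4 else "yellow" if score <= 12 else "red"

@dataclass
class Risk:
    factor: str             # one of NCUA_RISK_FACTORS
    description: str
    likelihood: int         # inherent rating on the 1-5 scale
    impact: int             # inherent rating on the 1-5 scale
    control: str = ""       # step 3 control applied, if any
    residual_likelihood: int = 0   # rating after the control, 0 = unchanged
    residual_impact: int = 0
    accepted: bool = False  # accepted by the Credit Union and documented as such

    def __post_init__(self) -> None:
        if self.factor not in NCUA_RISK_FACTORS:
            raise ValueError(f"unknown NCUA risk factor: {self.factor}")
        if not all(1 <= v <= 5 for v in (self.likelihood, self.impact,
                   self.residual_likelihood or 1, self.residual_impact or 1)):
            raise ValueError("ratings use a 1-5 scale")
    def inherent(self) -> int:
        return self.likelihood * self.impact
    def residual(self) -> int:  # falls back to the inherent rating
        return ((self.residual_likelihood or self.likelihood)
                * (self.residual_impact or self.impact))
    def status(self) -> str:
        if self.accepted:
            return "accepted"
        if self.control and self.residual() < self.inherent():
            return "mitigated"
        return "open"       # no control, or the control did not lower the rating

def register(risks):  # rows for senior management, highest residual risk first
    rows = [(r.factor, r.description, r.inherent(), r.residual(),
             heat_color(r.residual()), r.status()) for r in risks]
    return sorted(rows, key=lambda row: -row[3])

# Constructed sample from the watch-app walk-through; the ratings are assumed.
WATCH_APP = [
    Risk("Transaction", "Fraudulent payments", 4, 4, residual_likelihood=2,
         control="Unique identifier on core; daily fraud report review"),
    Risk("Transaction", "App goes down", 3, 3, residual_impact=2,
         control="Uptime monitoring; cards still work; member hotline"),
    Risk("Interest Rate", "Rate moves affecting watch users", 1, 1, accepted=True),
]
```

Calling `register(WATCH_APP)` gives the rows for the Senior Management presentation; a risk left "open" in the output is one that still needs a control or a documented acceptance before the Three R's review.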
Mitigation Steps
• Transaction Risk- App goes down
– Credit Union mitigation: Review watch uptime
monitoring. Create a member communication
strategy if the watch app goes down.
– Our members will still be able to use their
credit and debit cards if the watch goes down.
Also the Credit Union will provide a unique
phone number so that members can report
any problems or questions with the watch
application.
Mitigation Steps
• Transaction Risk- fraudulent payments.
– Credit Union mitigation: Watch payments will
be coded with a unique identifier on the Credit
Union’s core system. Fraud staff at the Credit
Union will review a report of all watch
payments daily to look for trends and potential
abuse. Call Center staff will forward any fraud
claims to fraud staff immediately.
Mitigation Steps
• Compliance Risk- Make sure the app
conforms with required laws.
– Credit Union mitigation: Credit Union has
reviewed the method that the watch app
performs payments. The watch conforms to
existing payment channels at the Credit
Union. No new regulatory hurdles are
presented at this time.
– Review payment processing for any changes.
Mitigation Steps
• Compliance Risk- Will we need the member to sign a new agreement to use the app?
– Credit Union mitigation: Compliance and Marketing have created a small disclosure the member must attest to prior to loading their debit or credit cards onto the watch app for use. The disclosure provides the member details on fraud, reporting and the toll free number to call.
Mitigation Steps
• Compliance Risk- How are we
authenticating members?
– Credit Union mitigation: Work on real time authentication with your core system and app provider.
– The member accepts the disclosures on the watch app.
– The members' cards loaded onto the app will be verified in real time against the card data stored in the CU core system.
Mitigation Steps
• Strategic Risk- Are your members asking for this?
– This Risk is mitigated in the planning stage. By reviewing demand, the Credit Union mitigates this risk.
– Marketing created a page to determine interest and had a good number of page views. Your call center has had roughly 50 calls about this product. Member feedback indicates the CU should roll out the watch app.
Mitigation Steps
• Strategic Risk- Should we roll this out to everyone in our field of membership?
– After reviewing payment data, and member
trends you have a recommendation to
Marketing and Senior Management that the
watch app can be available to all members.
The risks involved are no different from
issuing a debit or credit card. The only
difference is the payment mechanism.
Mitigation Steps
• Reputation Risk- If we don’t roll out the
app will we lose members?
– This Risk was mitigated by the decision to
move forward with the app. Therefore, while a
valid concern it is already mitigated.
Mitigation Step
• Reputation Risk- What happens in the event of a data breach?
– Credit Union mitigation: The first mitigation for a data breach is to review the security of the watch app itself.
– The watch app uses a fingerprint reader tied to a phone to validate the transaction. If a member's watch is lost, the application will not be able to process payments without the fingerprint authentication.
– The watch also does not store the full credit card information, so if the watch is lost the member's card information cannot be retrieved.
Risk Assessment Cycle
Final Thoughts
• Specific Risks such as Concentration Risk
and Credit Risk should have their own
policies and procedures.
• The procedures should include specific
annual testing. The testing is important
because it goes beyond standard Risk
Assessments.
Wrap Up
• Risk Assessments are essential.
• They are never properly defined.
• Create your own, do not rely on someone
else’s work product.
• Policies and Procedures should be a complement to your Risk Management Program.
Polling Question 3
• There is a difference between a BSA Risk
Assessment and traditional Risk
Assessment.
• A) True
• B) False
• C) I don’t know