WASHINGTON—Credit unions necessarily involve risk. That is inescapable, said the panelists at a well-attended breakout at CUNA's Governmental Affairs Conference. The other, sharp side of that reality is that the NCUA has made it plain how the boards of directors oversee the risks faced by their credit unions will figure large in ratings.
"Risk is not a dirty word. It is essential," said panelist David Reed, a lawyer and founder of CUDoctor, a consulting practice. "If a credit union avoided all risk it would be out of business." But the risks, at all times, need to measured, monitored, understood. "The board needs to be the all-seeing eye at the top of the pyramid," added Reed,
Panelists, who also included CUNA Mutual Associate General Counsel John Christenson, CUNA Mutual Vice President of Credit Union Protection John Wallace and Kathy Thompson, a senior executive at CUNA, stressed that it is the board's job to oversee, not to attempt to manage, risks. The latter is management's job and, while splitting that hair is not always easy, understanding the delicate differences between the board's duties and management's is crucial to a smoothly functioning credit union, said the panelists.
The board, added Wallace, "needs to set a risk oversight policy" that tells management what risks the board believes the credit union should accept and also advises about risks to avoid.
A policy also would advise management about how and where to update the board about the key risks likely to be faced by the CU.
That varies by institution, stressed the panelists, but as a rule risks fall into four large buckets: fraud (where insider fraud looms very large); litigation (including class action litigation such as the current wave of ADA related suits involving ATMs); third-party risks (this category includes possible errors and omissions by every vendor to the credit unions, from the developer of a mobile banking app to the core system provider); and new interest rate risks.
With respect to vendor risk, Thompson warned: "The NCUA is examining in regard to the level of due diligence credit unions are performing on their vendors." That, she said, has become a topic of increasing importance and boards need to be sure their institution has in place thorough due diligence procedures.
As for interest rate risks, Thompson distributed a handout that stated that, effective January 1 2012, every federally insured credit union needs a written interest rate risk management policy. The only exclusions are institutions with assets under $10 million and also institutions in the $10 to $50 million range must comply only if total first mortgage loans plus investments with maturities greater than five years equals or exceeds 100 percent of net worth. By NCUA count, about 3,200 credit unions need to have policies in place and perhaps 800 have yet to do so.
"You need to talk about risk," said Christenson in perhaps the key take-away from the session. "The board and management need an ongoing dialog."