Risk, by definition, implies uncertainty. In today's ever-changing regulatory environment, credit unions must develop and implement an effective enterprise-wide compliance risk management program to mitigate and manage their compliance risk. To be clear, risk management is not the elimination of risk, but rather the responsible balancing of risk versus reward. In order to effectively manage compliance risk, credit unions must conduct compliance risk assessments on their products, services, operations and the regulatory impact on such. You cannot mitigate risk if you do not know it exists.

A compliance risk assessment is used to identify risk to the credit union and its members (both consumer and commercial) by incorporating the inherent risks in a particular line of business, product or service and the quality of controls implemented by the institution to manage and mitigate those risks. An effective compliance risk assessment should include, at a minimum, risk identification, measurement, control, monitoring and reporting. During my 20 years in the industry, I've found there are five key components that contribute to the success of a compliance risk management program.

1. Put a system in place.

The framework of your risk management program should provide a method for communicating and documenting evaluations regarding:

  • The quantity of risk (low, moderate, high), including the methodology in assigning risk ratings;
  • The quality of risk management (how well the board and management identify, measure, control and monitor risk);
  • An aggregate synopsis of the institution's risk (the balance of risk versus reward inclusive of the quality and quantity of risk); and
  • The direction of the risk (increasing, decreasing or unchanged).

2. Define tolerance for risk.

A comprehensive risk assessment should be commensurate with your credit union's size, product offerings, service area(s) and appetite for risk. To understand your credit union's tolerance for compliance risk, examine the scope and complexity of its business activities, market service areas, and delivery channels for products and services.

3. Identify risk factors.

The greater the risks, the more extensive the compliance risk management program must be to ensure sufficient controls are in place to mitigate the inherent risk in such activities. Consider the following factors:

  • Strategic and business growth, complexity and trends;
  • Product features, characteristics, volume, stability and third-party involvement;
  • Legal and regulatory factors, including nonconformance consequences; and
  • Environmental factors such as market conditions, demographics and competition.

The risk assessment should incorporate and calculate inherent and residual risk. Inherent risk is the level of risk before controls are applied, while residual risk is the level of risk remaining post-implementation of controls. The calculation should encompass the exposure, quantity or likelihood, and quality of risk to the credit union. Enterprise-wide compliance risk management should identify, prioritize and assign accountability for managing potential legal and non-compliance threats that could lead to fines, penalties, reputational damage or prohibition of operating in, or expanding to, various markets.

4. Incorporate regulations.

The regulatory landscape is constantly shifting, both in new regulations and interpretations of existing regulations. As such, regulators expect institutions to regularly assess risk for:

  • Overall consumer compliance
  • Fair lending
  • Unfair, deceptive, and abusive acts and practices
  • BSA/AML and OFAC
  • Vendor management

These particular areas pose the most significant compliance risk for institutions of all sizes. Violations in these areas often cause significant consumer harm as well as legal, financial, operational, and reputational harm to the institution. It is essential for every credit union to incorporate each of these areas in its product lifecycle risk assessment, not just at the time of product development but throughout the entire cycle. By factoring in fair lending, UDAAP, BSA/AML/OFAC and vendor management risks into the product lifecycle, the credit union can proactively mitigate and manage compliance risk.

5. Continually update.

The risk assessment is a living process that must be adjusted as market, regulations, offerings and management's appetite for risk change. Risk must be assessed from both a current and prospective view of the credit union's risk profile. Look-back risk assessments should be considered when regulatory reprieves or new interpretations of existing regulations pose a threat or concern to the credit union's then-current position.

Through effective compliance risk management, a credit union can increase its efficiency and financial performance by minimizing and mitigating errors while focusing on appropriate operational decision making.

Leah M. Hamilton, JD is chief compliance officer for Temenos. She can be reached at 407-341-6764 or [email protected].

© 2024 ALM Global, LLC, All Rights Reserved.