One of the key focuses for the regulator is Credit Union risk and how Credit Unions manage risks. Every Credit Union takes steps to manage risks every day, from assessing a loan application for the risk of default before issuing a loan to locking up cash at night to prevent theft. The expectation of the regulator, however, is that Credit Unions have formal systems in place to manage risks. Formal Credit Union risk management systems can help ensure that key risks are not missed and are being properly considered. Risks are constantly changing, especially in an environment with ever-increasing regulation and with technology advances changing how people transact. A system to manage risks is therefore becoming increasingly important.
The systems you have to manage risks will depend on the individual organisation, but key components in most systems include:
Risk Management Policies and Frameworks
These should set out how the Credit Union will identify, monitor and react to risks as well as who is responsible for these tasks.
Risk registers are a method of recording risks, quantifying the impact and likelihood and documenting the controls to mitigate these risks. The controls should then be documented within the Credit Union’s policies and procedures. The Credit Union’s internal audit function is then used to provide assurance to the Board that the controls, used to mitigate the risks, are operating as they should be.
Risk Appetite Statements
Your Risk Appetite is the amount of risk that the Credit Union is willing to accept. It differs from your target level as it is the limit which the Board is willing to accept. The regulator expects Credit Unions to have risk appetite statements covering a range of different risks including conduct risk. Risk Appetite statements should include:
- The level at which the Board will be notified that the Credit Union is approaching the appetite level. This is to enable the Board to have time to take appropriate action.
- What potential corrective action the Credit Union would undertake if it were about to breach its appetite level.
Business Continuity Plans
Business Continuity Plans are a key component of a risk management system. They set out what the Credit Union would do in the event of a disruption. From both our external and internal audit work we see a wide range of business continuity plans in a range of organisations. From our experience the two most common problems with business continuity plans are:
- Testing – Many plans unfortunately are not regularly tested, and problems are therefore not discovered until it is too late.
- Focus on Office Disasters – Most plans focus on what would happen if the office is out of action. They should also cover the risk of loss of key personnel such as the CEO, and cyber attacks, which are both more common but need different actions than a fire or flood in the office premises.
These components not only help to satisfy the regulator but they can be useful tools for the Credit Union.