Our recent Credit Union webinar, An Introduction to Credit Union Risk Management, looked at each stage of the cycle for managing risk as well as risk appetite statements and registers.

A summary of the discussion from the webinar on the risk cycle is set out below and provides some introductory guidance to Credit Unions on risk management.





Risks can be defined as, “Any event or action that prevents an Organisation, from maintaining good performance and/or from meeting pre-set targets, goals and plans and/or, results in loss being incurred by that Organisation.”

Risks are therefore events or actions that prevent you from achieving your goals. The best place to start when looking at your risks is therefore your business plan. This will set out your objectives and allow you to consider the risks arising from these objectives.

Identify Risks

The next stage is to identify any other risks. There can be a variety of different ways of doing this. Some of the most common are:

  • Using the business plan to identify risks
  • Risks identified from any SWOT or PESTEL analysis
  • Horizon scanning
  • Past events that have occurred will also help identify risks
  • Discussion with various departments and levels in the Credit Union 
  • Discussion with peers

The risks that you identify should be recorded within your risk register, which will become a key document in managing risk.

Scoring of Risks

Risks then need to be scored or assessed before any controls are put in place. The risk before any controls is called the inherent risk. 

There are many different ways of scoring a risk. One of the most common is to give a score to the likelihood of an event occurring and the impact it would have on the credit union, then multiply these together to get the risk score. The table below shows a scoring system of 1-5 for likelihood and 1-5 for impact which are then multiplied to give an overall risk score. What score each risk is given for both likelihood and impact is subjective, and everyone will have a different view on the score depending on which areas affect them, issues they have seen previously and how risk averse they are themselves.

Respond to Risk

Once the risks are scored you then need to consider how you are going to respond to the risks. There are four main options:

  1. Avoid it - This would be where you decide to walk away from the event as the risk is too high.
  2. Reduce it - This would be where you reduce the risk by implementing controls.
  3. Share or transfer the risk - An example of this is insurance where the insurance company takes on part of the risk.
  4. Accept it - Some risks you can do nothing about or the risk is so small that it is not worth taking action against it.

Where you have decided to implement controls, these controls should be recorded in the register against the relevant risks.

Rescoring Risks

The next stage is then rescoring each of the risks after the controls have been implemented. The risk after the control has been implemented is called the residual risk. The same scoring system as used for the inherent risk should be applied to get the residual risk. Going through this process can provide real benefits to the Credit Union. You will identify areas where controls are insufficient and also areas where controls are not reducing the risk. As each control will normally take up time, money or resources, this may help identify controls that are wasting resources and not benefiting the Credit Union. The risk scores should be documented within your risk register.

You also need to decide which risk scores are acceptable to the credit union, which need to be monitored and which are unacceptable. An example of this scoring is set out below, using the traffic light system of red for unacceptable, amber for those being monitored and green for those acceptable. Where you decide to draw the lines between each category is subjective and up to the Credit Union.


There then needs to be communication of the risks between the Board, management and staff. It is important that there is proper two-way communication so that staff can communicate any red flags or emerging risks they identify and are aware of what to look out for. The Board also need to receive information on key risks to allow them to govern the Credit Union and in turn they need to provide guidance to management on the Credit Union’s approach to key strategic risks.


Risks will change over time and it is important that they are regularly reviewed. The frequency of the review will depend on the nature of the individual risk. The risk register again should document the frequency for review and when the risks are next due to be reviewed.

In addition, there needs to be monitoring of the controls within the Credit Union to ensure that they are working as expected as this will impact the residual risk score and the Credit Union’s opinion as to whether further controls are required.


The Credit Union should set out its approach to each stage of the cycle in a Risk Framework document. This will set out how the Credit Union should identify, score and deal with risks. In addition, it would normally also set out who is responsible for dealing with risks and how risks will be managed within the Credit Union.

The information above is a very quick summary of the risk cycle and some of the considerations for the Credit Union. If you require further assistance please see our Risk Management section of the website.