Irish League of Credit Unions
Overseeing Risk Management in the CU
Navan – February 2014
Presented by: Kevin Loughnane
© Irish League of Credit Unions 2013
www.culearn.ie

Objectives
The purpose of this training is to:
• Understand the principles of risk management
• Explore your individual role in risk management
• Be familiar with the components within a RMS
• Describe the reporting structures
• Develop an action plan to fulfil your requirements

Training Agenda
Time   Topic
9:30   Introduction
9:45   Principles of Risk Management
10:30  Case-study
10:45  Break
11:00  Requirements under the Act
11:15  Key Roles in Risk Management
12:15  The Risk Management System
13:00  Lunch
14:00  Risk Audit
15:00  Action Planning
15:45  Q&A Session

Section 1: The Principles of Risk Management

Approach to Risk Management
• Systematic
  – RM officer
  – Objective analysis of risks
  – Established lines of reporting
  – System of internal control
  – Need for RM to protect members
• Informal
  – No assigned officer
  – Focus on perceived threats
  – No risk reporting
  – Ad-hoc controls
  – Need to protect members

Think about…
• Does your credit union have a formal risk management system in place?
• Do you think RM improves the governance of the credit union?

What 3 characteristics of RM do these companies have in common?
Enron, Lehman Brothers, AIG, Anglo, ?
• Sophisticated risk management models
• Extensive risk management resources
• And…..
Enron Corporation
• 1990s – US corporate success story
• Aggressive expansion
• Several unsuccessful business take-overs
• Hiding financial losses through creative accounting
• Board and management ignored obvious warning signs and pursued growth at all costs
• 2001 – Bankrupt
• 4,000 jobs lost, $23 billion outstanding liabilities

Strong Risk Management Culture
• Risk management is a box-ticking exercise without a strong culture
• Key responsibility for senior officers
• All officers take personal accountability for protecting the CU
• You need:
  – Robust direction from the board
  – Long-term focus on the stability of the CU
  – Recognition for officers who enhance risk management
  – Officers who think independently
  – Adherence to policies & procedures

Benefits
• More informed decision-making
• Continuous improvement of processes
• Transparency and accountability
• Ability to respond to changes in the environment
• Peace of mind!

Defining Risk & Risk Management
Risk: the uncertainty of an event occurring that could have an impact on the achievement of objectives. Risk is measured in terms of consequences and likelihood.
• Impact – the consequences for the credit union if a risk event occurs
• Prevalence – the likelihood of the risk occurring

10 Categories of Risk
• The 10 PRISM categories
• Recommended for use
• Helps identify risks
• Helps structure findings
Categories: Capital, Governance, Liquidity, Strategic, Conduct, Operational, Credit, Market, Environmental, Insurance

Think about…
• What would be the top three risk categories your credit union needs to be aware of right now?

Risk Management
• A systematic framework to deal with and react to uncertainty
1. Identify the risks
2. Analyse the risks
3. Mitigate the risks
4. Monitor & review

Impact
• Financial loss
• Reputation damage
• Disruption to operations
When analysing risk we generally measure impact on a scale of 1-5.
1 = No material impact
5 = Disaster! (termination of business)

Prevalence
Scale from "Extremely unlikely" to "Inevitable" (examples placed on the scale: fire; default on loan)
Again, when analysing risk we generally measure prevalence on a scale of 1-5.
1 = Extremely unlikely to occur
5 = Will inevitably occur

Risk Scoring (score = probability × impact)
Probability         Minor loss (1)  Medium (2)  Multiple Medium (3)  Serious loss (4)  Catastrophic (5)
Inevitable (5)            5             10             15                  20                25
Very likely (4)           4              8             12                  16                20
Possible (3)              3              6              9                  12                15
Unlikely (2)              2              4              6                   8                10
Very unlikely (1)         1              2              3                   4                 5

Internal Controls
• How can we respond to these risks?
  – Accept
  – Avoid
  – Mitigate
• An internal control is any measure which is purposely put in place by an organisation to manage a potential risk.
• The purpose of an internal control is to
  – minimise the impact of a risk,
  – minimise the likelihood of the risk occurring, or
  – a combination of the two.

Types of Controls
• Corrective
• Directive
• Restrictive
Can you think of an example of each type of control to mitigate the risk of fire in the credit union office?

Internal Controls Effectiveness
Internal control strength                                                                                         Score
Extremely robust controls - almost completely remove any threat.                                                  0.2
Robust internal controls - greatly reduce the threat of the risk to an acceptable level.                          0.4
Reasonably effective internal controls - reduce the threat of the risk but not to an acceptable level.            0.6
Internal controls are weak and only offer minimal protection against the threat posed by the risk.                0.8
Internal controls are completely ineffective or completely absent, and do not reduce the threat of the risk.      1.0

Inherent vs. Residual Risk
• Inherent risk – the threat posed when controls don't exist
• Internal control – the control reduces the threat
• Residual risk – the net threat posed when the control is in effect

Risk Management (the cycle again)
• A systematic framework to deal with and react to uncertainty
1. Identify the risks
2. Analyse the risks
3. Mitigate the risks
4. Monitor & review

Section 1 Recap
• In this section we covered:
  – The importance of risk management
  – The need for risk management in credit unions
  – The benefits of risk management
  – The definition of risk
  – 10 categories of risk
  – The definition and types of internal controls
  – The definition of risk management

Section 2: Roles & Responsibilities in the CU

The CU Act, 1997 (as amended)
• Under the Act, the CU is required to:
  – Implement a risk management system
  – Have a risk management officer
  – Establish a risk committee*
  – Have documented clear lines of reporting for all
  – Develop and maintain a risk register
  – Have an adequate system of control in place to manage risk
  – Have a remuneration policy that promotes good practice in RM

Who's Responsible for Risk?
Lines of defence protecting the members' assets:
• 1st line of defence: Board and staff (operational risk)
• 2nd line of defence: Risk Management Officer
• 3rd line of defence: Independent internal oversight
• Last line of defence: External Auditor, CBI, SPS

Roles under Risk Management
• Board of Directors – overall responsibility for RM: RM policy, appoint RM Officer & oversee the system
• Risk Management Officer
  – Implement RM system
  – Compile risk register
  – Liaise with Manager on issues
  – Report monthly to board / committee
• Risk Committee*
  – Contact for RM officer
  – Report quarterly to board
  – Suggest improvements to policy & system
• Manager / CEO – system of internal control
• Internal Audit – independently monitors RM system and controls
• BOC – Board Oversight Committee

Reporting Structure (Board of Directors, Risk Committee, Risk Management Officer, Manager, Internal Audit)
1. Performance management & policy
2. Risk Management Officer conducts audit and reports findings to the board / committee
4. Manager improves internal controls and reports progress to board
5. Internal Audit independently reviews the work of the management team and reports to the board
(step 3 of the diagram is not recoverable from the slide)

Board Oversight Committee
• Assess whether the board of directors are carrying out their functions as per the Act:
  – Risk management officer appointed?
  – RM system – in place / overseeing?
  – RM policy in place?
  – Risk register in place / up-to-date?
  – Adequate system of int. control in place?
• How do they report to board?

Risk Maturity
• How can we measure our progress on risk management?
• Risk maturity - the extent to which a risk management approach has been adopted and applied, as planned, by management across the organisation
• Levels: Naive → Aware → Defined → Managed → Enabled

Section 2 Recap
• In this section we covered:
  – Requirements under the Act
  – Four levels of risk management
  – The role of the board & risk committee
  – The role of the risk management officer
  – The role of the manager
  – The role of internal oversight
  – The reporting structure
  – Measuring progress – risk maturity

Section 3. Risk Management System

Risk Management System
1. Direction through the risk management policy & procedures of the credit union
2. Definition of the risk appetite and risk tolerance of the credit union
3. Analysis of the prevailing risks facing the credit union in a risk register
4. An evaluation and documentation of the internal controls attached to these risks
5. The collation and analysis of the findings of a risk audit in an IT system
6. Develop a risk response plan to deal with gaps or weaknesses in the system of control
7. Implement the necessary risk mitigations in line with the plan
8. Ongoing reporting and review of the risk management system

1. Policy
• See appendix 1 for template
• Best way for the board to discharge their duty
• Provides clear direction to all other officers
• All officers should review and sign a declaration
• RM Officer & Risk Committee recommend changes
• Breach of policy

2. Risk Appetite
The level and type of risk which a credit union is willing to be exposed to in pursuit of its strategic aims, services and business model
  – Zero risk appetite
  – Low risk appetite
  – Moderate risk appetite
  – High risk appetite - X

2. Risk Tolerance
The level of inherent / residual risk which the credit union is willing to tolerate within the organisation
• Set by the board in policy
• Used as parameters for risk analysis
• The lower the tolerance, the more risks will require mitigation
• Set for each risk category

Inherent Risk Tolerance and Residual Risk Tolerance
Both slides use the same 5 × 5 grid (score = probability × impact); the tolerance levels marked on the original slides are not recoverable here.
Probability          Minor loss (1)  Medium (2)  Multiple Medium (3)  Serious loss (4)  Catastrophic (5)
Constant (5)               5             10             15                  20                25
Daily (4)                  4              8             12                  16                20
Weekly (3)                 3              6              9                  12                15
Occasional (2)             2              4              6                   8                10
Seldom / Rare (1)          1              2              3                   4                 5

3. Risk Register
• Compiled by the RM Officer
• Created by conducting a risk audit
  o Step 1: Identify the risks
  o Step 2: Calculate the inherent risk score
  o Step 3: Re-rank risks according to highest score
  o Step 4: Assess the attached controls
  o Step 5: Calculate the residual risk score
  o Step 6: Re-rank the risks again and report

4. Risk Audit
We will now conduct a mini-audit for your CU; the tutor will provide 5 risks for you to analyse.
1. Calculate the inherent risk score
2. Re-rank & carry through the top 3
3. Identify the attached controls to each
4. Assign a score based on strength of controls
5. Calculate the residual risk score
6. Report to group
Congratulations! You have just completed your first risk audit!

5. Risk IT Systems
• Must document and report findings
• Risk software can streamline this
• Can also have useful reporting functionality
• Several suppliers in the market
• Remember – risk software is not a risk management system!!

6. Risk Response Plan
• Based on audit findings
• Drafted by RM Officer & Manager
• Identifies actions to improve controls
• Must include:
  – Actions to address weaknesses in controls
  – An assigned person
  – Deadline for each
• Approved by the Board
• Progress in monthly updates from Manager & RM Officer
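The six-step risk audit worked through in Python, as an added example that is not part of the ILCU slides. The 1-5 impact and prevalence scales and the 0.2-1.0 control strength scores are taken from the slides; the five sample risks, the residual tolerance threshold of 10, and the reading of the control score as a multiplier on the inherent score are assumptions made here.

```python
from dataclasses import dataclass

# Scales from the slides: impact and prevalence each scored 1-5.
IMPACT = {"Minor loss": 1, "Medium": 2, "Multiple Medium": 3,
          "Serious loss": 4, "Catastrophic": 5}
PREVALENCE = {"Very unlikely": 1, "Unlikely": 2, "Possible": 3,
              "Very likely": 4, "Inevitable": 5}
# Internal control effectiveness scores from the slide table (1.0 = no control).
CONTROL_STRENGTH = {"extremely robust": 0.2, "robust": 0.4,
                    "reasonably effective": 0.6, "weak": 0.8, "absent": 1.0}


@dataclass
class Risk:
    name: str
    category: str   # one of the 10 PRISM categories
    impact: str
    prevalence: str
    control: str    # strength of the attached control


def inherent_score(r: Risk) -> int:
    # Step 2: inherent risk = impact x prevalence, i.e. the 5x5 scoring grid.
    return IMPACT[r.impact] * PREVALENCE[r.prevalence]


def residual_score(r: Risk) -> float:
    # Step 5 (assumed reading): the control score scales the inherent score down.
    return round(inherent_score(r) * CONTROL_STRENGTH[r.control], 1)


def risk_audit(risks, carry_through=3, residual_tolerance=10):
    """Return (name, inherent, residual, needs_mitigation) for the top risks,
    ranked by residual score, flagging those above the board-set tolerance."""
    ranked = sorted(risks, key=inherent_score, reverse=True)  # Step 3
    top = ranked[:carry_through]                              # mini-audit: top 3
    top.sort(key=residual_score, reverse=True)                # Step 6
    return [(r.name, inherent_score(r), residual_score(r),
             residual_score(r) > residual_tolerance) for r in top]


# Constructed sample register (not a real credit union's data).
SAMPLE_RISKS = [
    Risk("Loan default by large borrower", "Credit", "Serious loss", "Possible", "robust"),
    Risk("Fire in the office", "Operational", "Catastrophic", "Unlikely", "reasonably effective"),
    Risk("Teller cash shortage", "Operational", "Minor loss", "Very likely", "weak"),
    Risk("Liquidity shortfall", "Liquidity", "Serious loss", "Very likely", "weak"),
    Risk("Data breach of member records", "Operational", "Catastrophic", "Possible", "absent"),
]

if __name__ == "__main__":
    for name, inh, res, mitigate in risk_audit(SAMPLE_RISKS):
        print(f"{name:32} inherent={inh:2} residual={res:5} mitigate={mitigate}")
```

Risks whose residual score stays above the tolerance are the ones that feed the risk response plan; lowering the tolerance flags more of them, as the slides note.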
7. Risk Mitigation
• Term used for action to address control gaps
• Mitigation includes:
  – action owners
  – possible system developments
  – training if required
  – updating of policy/procedures or processes
  – tracking of progress
  – documented completion of the remedial action
  – quality testing and reporting on testing

8. Reporting
• Board - minutes of decisions re: risk management
• Risk management officer - monthly written reports and a report of findings (at least annually)
• Risk committee - quarterly reports which incorporate the risk management officer's monthly reports
• Manager / CEO - a section of the manager's report should deal with the system of internal control
• Internal audit function - a quarterly report on deficiencies in RM or internal control systems
• The BOC - a quarterly report 2 weeks in advance of review

Section 3 Recap
• In this section we covered:
  – Components of the risk management system
  – Risk management policy
  – Risk appetite & risk tolerance
  – Risk register and risk audit
  – Using risk IT systems
  – Risk response plan and risk mitigation
  – On-going risk reports

Action Planning

Conclusion

Further Information
www.creditunion.ie
www.culearn.ie
+353 1 614 6754
kloughnane@creditunion.ie
Further support from ILCU Monitoring Dept.
Joanne: jbruen@creditunion.ie