Credit unions are all about the mission. Built on the common value to promote the well-being of consumers and members by providing affordable access to financial services, they are focused on a member-first culture.
It’s a mission that goes far beyond keeping costs low. Credit unions must also focus on consumer protection, keeping pace with evolving technology to meet member expectations, and ensuring products and services are continuously available.
It’s a heavy lift—one that can only be accomplished when a credit union’s member-focused culture also embraces a culture of risk management and compliance.
What does it mean to have a risk management and compliance culture?
Risk management and compliance are at the core of the credit union mission. After all, what greater risk is there than failing to meet the needs of members and protect them from consumer harm?
A culture of risk management helps credit unions stay on mission by identifying, assessing, mitigating, and monitoring potential risks that could stand in the way of a credit union and its goals. It is a top-down commitment to developing policies, procedures, messaging, and compensation that supports the credit union’s long-term goals while keeping its risk appetite front and center. It ensures front-line employees take an active role in managing risk.
A culture of compliance is one where compliance is a priority and baked into every action and decision—and is not just an afterthought. When a credit union has a strong culture of compliance, there’s a proactive commitment to ensuring the credit union has the resources and awareness necessary to successfully manage regulatory compliance.
Let’s take a closer look at the elements of a strong risk management and compliance culture.
Elements of a strong risk management culture
A credit union’s values and ideals should serve as a guidepost when making both big picture and everyday decisions. They help ensure the credit union is addressing potential risks, including disruptions in operations. This can only happen with:
- Risk appetite. The board should determine the financial institution’s risk tolerance. This should influence how the credit union approaches everything from setting strategy and identifying risks to deploying resources and responding to changing conditions. It should be an intrinsic part of every strategic decision.
- Strong leadership. Both the board and management should be committed to risk management.
- Employee involvement. Employees should be a part of the risk management process. They should know how to manage risks relevant to their jobs, understand risk tolerances, and consider them in decision making.
- Responsive. Credit unions should be responsive and non-punitive when employees point out problems. There must be policies and standards, clear accountability, and timely consequences for falling short.
- Communication. All levels, including the front-line, mid-level, management, and the board, need complete and accurate information to make decisions appropriate for the credit union’s risk appetite.
- Human capital. Judgment skills and risk management experience should be an important factor when hiring for the C-level. For mid- and lower-level positions, credit unions can seek out candidates who aren’t just competent but have a background and personality traits that suggest they work collaboratively and are open-minded and inquisitive.
- Training. Training should reinforce procedures, positive behaviors, and values, while mentoring should focus on how employees’ skills fit within the organization. Incentives should align with the credit union’s long-term goals and objectives.
Elements of a strong compliance culture
Compliance is more than just avoiding regulatory problems. A strong compliance culture helps protect members from violations of consumer protection laws—everything from fair lending to debt collection. This is accomplished with:
- Leadership that actively supports and understands compliance. Both the board and management should be familiar with the institution’s compliance responsibilities and be proactive and public in demonstrating support for maintaining compliance.
- Authority and autonomy. Compliance should have sufficient authority and autonomy to implement a successful compliance management program. Efforts to manage and mitigate compliance deficiencies and risks should be supported by internal policies, not undermined by conflicting priorities. For example, financial incentives should align with compliance goals and not conflict with them.
- Information and communication. Compliance should have access to the information required to comply with regulations. That doesn’t mean just giving it access to information about regulatory change. It also needs to know what’s going on internally. Other departments and business lines should be sharing relevant information.
- Adequate resources. Based on the credit union’s size and complexity, financial institutions should be prepared to adjust resources to reasonably manage policies, procedures, reporting, risk assessments, due diligence, etc. This includes a compliance management system (CMS).
- Independent audit. Transparency requires double-checking work. Compliance should be tested by an independent and competent party (whether internal or external) to identify deficiencies and show where corrective action is needed.
- Clear reporting. The board is responsible for overseeing compliance, so it needs accurate, transparent information on how compliance is performing. While the board doesn’t need every last detail, it does need to know what changes have been made, how they impact the institution (products and business lines, additional resources needed, the risk of non-compliance, etc.), and how compliance plans to implement and monitor compliance.
- Staff training. Staff should be trained in all policies and procedures relevant to their job. The greater the risk of non-compliance, the more often training should be refreshed. Training should go beyond the how and explain the why—specifically why the policies and procedures exist and the potential consequences to the consumer, the credit union, and the individual employee (and their career) if a policy is violated.
Assessing your risk management and compliance culture
Risk culture and compliance culture share many similarities, including a tone-from-the-top commitment and heavy employee involvement.
When assessing your risk management and compliance cultures, it’s especially important to look at how well employees are executing. Do they have the information they need? Can they find it easily? Do they know what’s expected of them? Are they following policies and procedures? Is the training they receive sufficient or is more frequent training needed?
How this information is communicated makes a big difference. If employees have to dig through their email or spend time wondering where a policy is or if there’s a more up-to-date version somewhere, you’re adding confusion that can sidetrack employees—and lead to oversights.
Make sure your credit union is doing everything it can to foster a culture of risk management and compliance. By setting a tone from the top and allocating the resources needed to make the job of risk and compliance more manageable, you’re promoting a culture that puts members first.