The NCUA on ERM: Separating the myths from facts

Late last year, the NCUA finally, officially addressed Enterprise Risk Management (ERM) expectations for natural person credit unions. And for many if not most credit unions, that position could be summed up in a single sentence.

“Natural person credit unions are not required to implement a formal ERM framework.”

Did you stop reading right there? Tune out completely? Started thinking about lunch? I hope not, because as definitive as that statement sounds, the NCUA’s full statement, a supervisory letter from Office of Examination and Insurance Director Larry Fazio on ERM, has plenty of nuance and fine print you can’t afford to overlook.

The upshot is this. The NCUA will not require all natural person CUs to adopt ERM, but guess what? The agency can and will require individual CUs to adopt ERM-like risk management methods if they consider them too complex and risky. Thanks to NCUA regulation, your corporate now uses ERM. And what’s more, your examiner has been studying ERM concepts and will be using ERM-like techniques to evaluate your CU at your next exam.

In other words, the letter had much more to say about ERM and related, comprehensive risk management techniques than you might think. And the less you know about it the worse off you will be.

So, with that in mind, here are 4 things you need to know about ERM and what the NCUA wants from your risk management efforts.

1. The NCUA really likes ERM.

Here’s where we are right now with the NCUA and ERM. The agency has required corporate credit unions to adopt ERM and the agency has even implemented ERM itself to help it manage agency resources and manage risk. It wants all field examiners to understand ERM. And what’s more, it has also released an official letter that includes long, detailed description of ERM and comments encouraging natural person credit unions to consider it.

2. Your examiner will be using ERM techniques to evaluate your CU.

The NCUA’s letter has implications not only for what the agency expects from your CU, but also in what it expects from its exam staff. And it’s clear the agency wants examiners to understand ERM and evaluate risk in your CU “individually and collectively.”

Collectively? It means the NCUA wants its examiners to understand how risks can aggregate, conjoin, overlap and magnify one another. The days of examiners assessing your risks individually are over.

The letter also makes clear that examiners will be expected to understand a credit union’s risk posture, risk appetite statement and risk concentrations.

These are all bedrock elements of ERM, which may become the new framework by which examiners assess your risk. If this is the new standard, shouldn’t you know what it means for your credit union? Credit unions that don’t understand that framework may find themselves confused and lost at their own exam, says Joe Ghammashi, the Chief Risk Officer at Corporate One FCU, Columbus, Ohio.

Credit unions that don’t understand collective, or enterprise-wide risk management “won’t understand how they’re judged and they’ll be at a big disadvantage,” Ghammashi says.

Do credit unions need to at least understand methodologies for ERM and/or comprehensive risk management if they want to understand their exams? “Yes,” says Tim Segerson, the Deputy Director of the NCUA’s Office of Examination and Insurance.

The NCUA expects examiners to use what the agency calls the “total analysis process,” which “looks at the consolidation of risk across business lines” and “is not ERM, but in the spirit of ERM,” Segerson says.

The regulator recommends that credit unions read chapter three in the examiner’s guide detailing the agency’s total analysis process. “It’s there and it’s free,” he says. “It can help you understand how examiners will view your risk and the better understanding we have of one another, the less chance there is for conflict.”

3. The NCUA says ERM is not a requirement for natural person credit unions, but it’s clear that for larger or more complex credit unions, the agency wants something very much like ERM.

The NCUA may imply a distinction here between comprehensive risk management and ERM, but in practice, there isn’t much difference between the two concepts, says Mary Peter, Director of ERM with Eide Bailly, Minneapolis.

“Linking strategic planning and enterprise risk management are important skill sets for management teams and boards to embrace,” she says. “Without an enterprise view of risk and risk response, it would be difficult to evaluate risk collectively. ERM is not simply putting all your risk assessments together in one binder. It is the interrelation of risks across these various areas which brings value to the organization.”

The NCUA has a different view, Segerson says. According to the NCUA, there are many forms ERM can take, but what defines it, in the eyes of the regulator, is the existence of a true independent risk function (that is, an independent chief risk officer). This true independent risk function, combined with a sophisticated set of risk controls and a granular view of institutional data, can help institutions manage institutional risk really well, but it can be cost more than it’s worth, too.

In fact, Segerson says, for many credit unions already operating with small staffs, the idea that they’d spend thousands of dollars to institute an independent risk function or hire a consultant to design an enterprise-wide risk methodology just doesn’t make sense. It would cost far too much for the benefit, Segerson says.

“My view is that that when we start talking about degrees of precision – where you have people continually massaging the quality of the data, grinding it and presenting it to decision-makers, that’s a full-blown ERM program and you just won’t have that in a smaller organization,” he says. “Every time a credit union does something new, it adds a cost. Staff has to spend time, the institution spends money and that adds. Up. If a $50 million credit union spends $20,000 per year on ERM, will they see a $20,000 improvement in operational value? If we can’t prove that, we shouldn’t require it.”

But, he adds, there are ERM principles and components from which credit unions of all sizes can benefit. And that’s where the agency’s interest lies.

“Our view is, there may be something that looks like ERM,” he says. “Some may call it ERM. And it may be relatively comprehensive in scope. That’s a good thing, no matter what flavor [of risk management] you choose. There are elements here every credit union should know about and understand. But they wouldn’t rise to the level of what we’d define as ERM. That’s acceptable to us. We just want to know that they’re considering key risks.”

4. The NCUA can require natural person CUs to implement ERM or something like it. In fact, says Ghammashi, they’ve done it already. Ghammashi knows of a CU with assets under $500 million that recently received a Document of Resolution (DOR) demanding an ERM implementation.

“If an examiner walks into a credit union and perceived that the credit union has a material amount of risk that needs to be managed in a collective way, that examiner can issue a DOR and he can call it ERM,” Ghammashi says. “There are enough caveats in the letter to allow an examiner to tell a credit union that their risk management processes is not adequate,”

Selective ERM enforcement for individual natural person credit unions may sound like a reach, but the agency clearly paves the way for ERM DORs in the supervisory guidance, says Marcus Faust, Managing Director, RP Financial, Arlington, Va.

“The letter leaves the door wide open for the NCUA to conclude as to specific credit unions that all the components of ERM are necessary in order for its risk management program to be ‘comprehensive,’” Faust notes. “I see no other reason why they would have gone as far as to even include examples of best practices. How can any examiner conclude that a credit union risk management program is comprehensive if it doesn’t consider the inter-relationship of risks?”

Still not convinced? Consider this quote from the NCUA’s ERM letter.

“NCUA views the absence of adequate risk management framework (ERM or otherwise) consistent with an institution’s size, diversity, and depth of risk exposures as a failure in sound corporate governance, and expect examiners to take appropriate action consistent with the severity of the deficiency,” the NCUA states.

Do examiners have the leeway to issue a DOR requiring ERM implementation? That’s not the point of the guidance, Segerson says. It’s instead focused on encouraging credit unions to explore ERM if it makes financial and risk management sense to them – and to explain to examiners that they should be prepared to evaluate ERM programs already in place. Nevertheless, he won’t rule out ERM enforcement, either.

“I don’t like to say ‘never,’” he says. “There should be an extensive vetting process between an examiner and a supervisor before they issue a DOR specifically relating to an ERM program. But I can’t say it wouldn’t be justified in certain cases. Circumstances can vary wildly and we require examiners to use their judgment. But we’re careful about what we do and don’t want and what we don’t want is for examiners to use cookie-cutter conclusions like, “Go and get an ERM program.’”

Joe Ghammashi, CRO of Corporate One FCU will be speaking on ERM and the NCUA’s emerging expectations at the National Directors and CEOs Leadership Convention, August 5-8 in Las Vegas.

 

Aaron Steinberg

Aaron Steinberg

Aaron Steinberg is the chairman of the National Directors and CEOs Leadership Convention, the leading industry event for credit union leaders. He has been writing about and reporting on credit ... Web: www.cudirectors.com Details