Enhance the Credit Union’s Enterprise Risk Management

11/6/2017

Nov. 13, 2017 


By Eileen M. Iles, CPA, CIA, CCSA

Credit union enterprise risk management (ERM) programs to date largely have focused on operational internal controls, but proper ERM goes farther than that. Among other things, it also must consider a credit union’s risk appetite. The importance of risk appetite has multiplied in light of several developments, such as the opening up of credit union charters to a greater variety of members and the scrutiny by examiners of how credit unions define their risk appetites. When evaluating a credit union’s risk management processes, National Credit Union Administration (NCUA) examiners are expected to understand the credit union’s risk appetite and risk management strategies. If a credit union has not defined its risk appetite, it has not identified the amount of risk it is willing and able to assume.

Only after a credit union’s risk appetite has been established can management implement appropriate internal controls to mitigate and monitor the risks that could impede the credit union from achieving its strategic objectives. Risk appetite also should be considered in strategic and business planning and for other activities to help develop a more risk-aware culture. Credit unions can follow a four-step road map to help incorporate risk appetite, tolerance, and limits in their ERM structures.

The Key Terminology

Risk appetite and tolerance are created by management and approved by a credit union’s board of directors. The Financial Stability Board (FSB) defines risk appetite as the “aggregate level and types of risk a financial institution is willing to assume within its risk capacity to achieve its strategic objectives and business plan.”

According to the FSB, risk capacity refers to the maximum level of risk a credit union can assume given its current level of resources before breaching constraints determined by regulatory capital and liquidity needs; the operational environment (for example, technical infrastructure, risk management capabilities, expertise); and obligations – including from a conduct perspective – to members, stakeholders, and others. A credit union’s risk appetite should be less than its risk capacity.

Examples of risk appetites include:

  • The credit union’s appetite for strategic risk is high, as the credit union plans to target members within the broader community to gain market share in accordance with the credit union’s revised charter.
  • The credit union’s risk appetite for new innovative products is high, as the credit union has identified certain new products that are in demand by members.
  • The credit union’s appetite for reputation risk is very low, as reputation is imperative for the credit union to meet its strategic objectives.
  • The credit union’s risk appetite for third-party risk is high as a result of outsourcing its loan servicing function.

A credit union with a higher risk appetite usually will focus on greater earnings, growth, and return, while one with a lower risk appetite will focus on stable earnings, growth, and return.

Risk tolerance encompasses the level of variation an organization is willing to accept for specific objectives. It provides constraints on the level of risk and might have upper boundaries and lower boundaries.1 In other words, risk tolerance reflects the amount of risk a credit union is willing to assume.

Examples of risk tolerances include:

  • The credit union has set concentration limits for consumer loans of X percent and business loans of Y percent.
  • The credit union will not tolerate a composite regulatory risk score of less than X.
  • The credit union will offer only new products with a projected return of no less than X percent.
  • Capital to be allocated to new products will not be greater than X percent.
  • The credit union will not tolerate loan servicing compliance audit exceptions of greater than X.

The FSB explains risk limits as quantitative measures based on forward-looking assumptions that allocate the credit union’s aggregate risk appetite statement to business lines, legal entities (as relevant), specific risk categories, concentrations, and, as appropriate, other levels. Lines of business should establish detailed risk limits that align with the credit union’s risk tolerance and are expressed relative to earnings, capital, liquidity, or other relevant measures.

An example of risk limits specific to lines of business is that a credit union has a strategic objective to grow assets 15 percent and, based on concentration limits, 90 percent of that growth will originate from consumer loans and 10 percent from business loans. To help the credit union successfully achieve its strategic objective, lending’s role might be to originate residential fixed-rate 30-year mortgages with a limit of $27 million and originate auto loans with a limit of $3 million.

The Risk Appetite Road Map

The following four steps can help credit unions define their risk appetites.

1. Confirm the credit union’s strategy and strategic objectives. As indicated in the FSB’s definition, risk appetite should align with a credit union’s strategy and strategic objectives. Executives invest substantial time to develop a strategy and devise objectives that will get them there. For example, the goal to “be the credit union of choice for the community served” might have strategic objectives such as achieving X percent market share, X percent asset growth, and offering current innovative products while maintaining a member satisfaction score of X or greater. Determining the necessary steps helps accomplish those objectives. Often, though, no one other than the executives is aware of these plans. An understanding of the plans is indispensable when defining risk appetite.

2. Assess the risks associated with the strategic objectives, given the credit union’s risk universe. Once the objectives and their requisite steps are identified, a credit union must identify and assess the risks for each objective – typical regulatory risks include credit, market, liquidity, operational, legal, compliance, interest rate, reputation, external, and strategic risks. Depending on its circumstances, however, a credit union’s risk universe could go beyond these regulatory risks. For example, a credit union that does extensive outsourcing might have significant third-party risk. A credit union with a growth strategy might be very concerned with member retention risk.

Of course, an ERM program cannot target every potential risk in a credit union’s risk universe. A credit union should identify its top 10 to 12 risks, including the relevant regulatory risks and several that are more specific to the institution’s particular circumstances.

3. Define and articulate the credit union’s risk appetite, tolerance, and limits. A risk appetite statement details a credit union’s risk appetite and risk tolerance. The FSB describes it as the aggregate level and types of risk that the credit union is willing to accept or avoid in order to achieve its business objectives. The statement might include qualitative statements, as well as quantitative measures expressed relative to earnings, capital, risk measures, liquidity, and other relevant measures as appropriate. It also should address more difficult-to-quantify risks, such as reputation risks, money laundering, and unethical practices. Examiners will review the risk appetite statement to determine whether the credit union understands the risks associated with its objectives, has articulated those risks, and is quantifying them.

The statement should establish risk tolerance in accordance with capital or other constraints. For example, how many dollars of residential loans does the credit union want to add to its balance sheet for its growth strategy, or how much capital will the credit union allocate to obtaining new technology? Setting risk limits might be necessary to avoid using too much capital. Risk limits are established to help a credit union monitor its risk-taking activities so they fall within the organization’s risk appetite and capacity. If risk limits are exceeded, such situations should be escalated and trigger management action.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has stressed the importance of effective communication and monitoring in risk appetite statements. For risk appetite to be applied effectively, the statement must be specific so that it can be shared, measured, and monitored by management. Risk appetite might be expressed, depending on complexity, as:

  • An overall, broad risk statement (for example, “assume risks that the credit union can manage in order to optimize returns” or “balance risk and reward against the impact and cost of managing risks for the credit union”)
  • A risk appetite for each line of business or major product
  • A risk appetite for each category of risk

Note that defining a risk appetite statement is not a one-time process. A credit union’s risk appetite and statement should be revised as needed to account for changing business and economic conditions, evolving strategic priorities, and changing competitive conditions.

4. Establish, track, and report key risk indicators (KRIs) aligned with risk appetite, tolerance, and limits. KRIs are metrics the credit union has selected to use to get an early signal of increasing risk exposures and trigger further investigation and follow-up to manage the risk more effectively. They should reflect the institution’s risk appetite and risk tolerance and satisfy the SMART criteria (specific, measurable, actionable, reported, time-based). For example, if a credit union has determined that its residential mortgage loans should not exceed a certain amount of capital, a relevant KRI would be the amount of residential loan dollars that have been originated year to date. KRI data should be collected on a regular basis.

Spread the Word

The board of directors should not go through the process of defining risk appetite in isolation. While it approves the credit union’s risk appetite and risk tolerance – and the business lines set the risk limits – the defined risk appetite must be communicated to managers, supervisors, and those on the front line so they understand how they fit into the bigger picture. This process can go a long way toward enhancing ERM and effectively communicating critical information throughout the organization.


1. Committee of Sponsoring Organizations of the Treadway Commission, “Strengthening Enterprise Risk Management for Strategic Advantage,” 2009, https://www.coso.org/documents/COSO_09_board_position_final102309PRINTandWEBFINAL_000.pdf