ACUIA Region 3 Meeting Enterprise Risk Management. Henry Robaszewski Director of Risk Management October 7, 2016

Transcription

1 ACUIA Region 3 Meeting Enterprise Risk Management Henry Robaszewski Director of Risk Management October 7, 2016

2 Henry Robaszewski, Director of Risk Management Joined BCU in 2008 In Finance Department, reporting to CFO Directly responsible for Interest Rate and Liquidity Risk Coordinate Enterprise Risk Previous work experience In Asset/Liability Management department at LaSalle Bank Head of Asset/Liability Management at Cragin Federal Savings Bank Introduction

3 BCU Headquartered in Vernon Hills, IL $2.6 billion in assets ~ 500 employees 212,000 members 97% loan to share ratio $2 billion of mortgages sold to FNMA Chartered in 1981 as Baxter Credit Union Primarily SEG based with concentration in healthcare industry (Baxter, Baxalta, Boston Scientific, Edwards, Cardinal, Beckman Coulter) and retail (Target) 41 service centers located nationwide from California to Puerto Rico and from Minnesota to Texas

4 Risk Management Governance Diagram of Governance Committees Board of Directors Supervisory Committee Finance Committee Credit Committee Pricing Committee Risk Management Committee Compliance Committee Vendor Management Red Flags Business Continuity Planning Member Data Security Risk Management Committee (RMC) meets every other month RMC reports to Finance Committee every other month with a summary to Supervisory Committee quarterly and a deeper dive annually

5 Risk Management Governance Decentralized risk control, as opposed to CRO function Interest and liquidity risk in Finance department Credit risk in Lending department Compliance risk and vendor management in Audit & Compliance department Information security, business continuity, and project management in IT department Summary reports from each risk area go to Risk Management Committee

6 Risk Statement Appendix 1 - Risk Tolerance Statement The risk tolerance statement will describe the different types of risk we are willing to accept in order to achieve our strategic and financial objectives. The Risk Tolerance Statement will be reviewed annually by the Risk Management Committee. The risk areas covered will be: compliance, credit, interest rate, liquidity, operational, reputation, and strategic. Compliance risk BCU has zero tolerance for violations and non-compliance with consumer protection laws and regulations, and a low appetite for non-compliance with technical regulations that do not have consumer protection implications. We will be judicious to comply with laws, regulations, rules, and examiner directives. Any areas where the risk of non-compliance to a technical regulation is accepted due to excessive operational burden or economic constraints will be documented and approved by the Risk Management Committee. Overall compliance risk will be overseen by the Compliance Committee and managed by the responsible business owner(s). We will rely on multiple tools to minimize member impact, the risk of penalties and fines, and the reputation risk associated with noncompliance. These tools include, but are not limited to a formal compliance training program, regular compliance risk reviews, a compliance helpdesk function to support internal staff, and an organizational compliance risk assessment. Credit risk Given our strong lending culture and high loan to share ratio, credit risk comprises the largest single risk category for BCU at roughly 50% of allocated net worth. The acceptance of credit risk is strategically important because it enables BCU to deliver mutually valuable products to members and build enduring financial relationships. In order to maximize member benefit and BCU revenue, we will manage a relatively higher level of credit risk than other risk areas (as a percentage of allocated net worth), but strive to reduce the volatility of that risk. Our overall credit risk tolerance is moderate compared to other credit unions, but low compared to bank or other non-bank competitors. Credit risk will be overseen by the Credit Committee. The acceptable level of variability in credit risk is determined by managing the Net Credit Margin to provide a return on pace with the degree of credit risk. Loan portfolios are reviewed for pockets of risk which may warrant underwriting or pricing changes and emerging concentrations.

7 Risk Statement (continued) Interest rate risk We will maintain a low level of interest rate risk for the following reasons: 1) higher levels of interest rate risk do not necessarily translate to higher levels of member value, 2) there is less incremental revenue potential from taking on higher levels of interest rate risk, and 3) lower levels of interest rate risk will offset higher levels of risk taken elsewhere in the credit union. Interest rate risk will be overseen by the Risk Management Committee. Liquidity risk We will maintain sufficient liquidity to address deposit fluctuations, loan demand, and debt service requirements. We will mitigate liquidity risk by obtaining adequate and varied lines of credit, but we will not retain excessive amounts of cash, as that would be detrimental to earnings and to a high loan to share ratio. Liquidity will be monitored through cash flow and measured by liquidity ratios. Liquidity risk will be overseen by Risk Management Committee. Operational risk We will minimize operations risk to the extent economically and operationally reasonable. Relative to other Credit Unions, we will be a fast follower with technology, leveraging third parties for support, but ensuring that doing so does not detract from maintaining high-quality, low error operations overall, with little risk of major operational issues. Through training, effective business continuity planning, continual testing of controls, and insurance, we will minimize operational risk in an effort to reduce member impact, reduce financial loss, and improve efficiency. Operational risk will be overseen by the Vendor Management, Business Continuity Planning, Member Data Security Committee, and Risk Management Committee. Reputation Risk and Strategic Risk We will minimize reputation and strategic risk to the extent economically feasible. Reputation risk results from damage to BCU s image among the Members and/or SEGs, which may impair the CU s ability to generate or retain relationships. Such damage may result in a breakdown of confidence, trust and the loss of business with these stakeholders. We will accept a low amount of risk from losing potential business because our character or quality has been called into question. We will employ good governance practices and be socially responsible. Both risks will be overseen by the Risk Management Committee. The Vendor Management Committee will oversee potential of reputational risk regarding outsourced third parties.

8 Risk Assessment Grid Likelihood Impact Effectiveness Managing Risk Category Rating % of Chance Category Rating Exposure Category Rating % Effective Rare % Insignificant 1 < $470K Best in Class % Unlikely % Minor 2 $470K - $2.4M Strength % Possible % Moderate 3 $2.4M - $24M Effective % Likely % Significant/Major 4 $24M - $53M Somewhat Effective % Almost Certain % Extreme/Catastrophic 5 > $53M Ineffective % Risk Area Unmitigated Mitigated Risk Description Impact Likelihood Impact Likelihood Velocity Mitigation techniques We have evaluated 20 risk areas and quantified 250 risks. Survey of Senior Management for overall risks to BCU.

9 Less likely Likelihood More likely Top Risks Heat Map ERM Heat Map (Mitigated Risk) Top Risks Risk Immediacy 1 BCU Hacked: Extensive member data compromised and sold/ransomed Immediate 2 Credit Shock: Risk of return to peak recession loan losses >12 months 3 Fatigue and Operational Risk due to Significant Changes Immediate Inability to stem the tide of increasing fraud losses that become material to 4 capital Immediate 5 Regulatory impact on product offering and non-interest income 12 months 6 Wire Transfer Fraud: Worst case scenario is rogue operator wires arbitrage funds Immediate 7 Risk from interest rates staying where they are currently for many years >12 months 8 Failure of Remote Banking Strategy Immediate 9 SEG failure or SEG decision to discontinue relationship Immediate 10 Business Partner Failure and/or Disruption Immediate Lower impact Impact Higher impact

10 Leading Risk Indicators Leading Risk Indicators Credit Risk 2+ delinquency Net charge-offs Net Credit Margin Unemployment FHFA Housing Price Index Comments: Interest Rate & Liquidity Risk 3 years ago 6 month avg Current 2016 forecast range 6/30/2016 6/30/2015 Policy Limits MTD MTD +300bps Net Interest Income (NII) shock +300bps Net Economic Value (NEV) Volatility +300bps ramped NII shock +300bps post-shock NEV ratio Liquid Assets/Liquidity Uses Total Liquidity/Liquidity Uses Liquid Reserves for Checking Accounts Comments: Operational Risk Efficiency ratio Ops loss / avg assets Comments: Reputation & Strategic Risk Net Promoter Score (NPS) Net member growth On & Off bal. sheet growth Comments: 6/30/2016 6/30/2015 3yr Average YTD YTD 6/30/2016 6/30/2015 3yr Average YTD or YOY YTD or YOY

11 Sample Risk Management Committee Agenda 1. Current Identified Risks and Committee Updates a. Risk Management Committee (RMC) Dashboard b. Policy Compliance c. IS Update d. Vendor Management Committee Summary e. Compliance Committee Summary f. Credit Committee Summary g. Asset/Liability Management 2. Other Topics for Discussion a. Deposit Anywhere Limit Changes b. Derivatives c. FHLBC Stock d. Annual Asset/Liability Management Model Validation e. Annual Insurance Policy Renewal f. Alkami and P2P Risk Assessments g. Puerto Rico Dashboard 3. Reference Materials a. ERM Risk Assessment Grid b. RMC Dashboard from one year ago for comparison c. RMC Meeting Schedule d. Additional Audit and Compliance materials e. Additional ALM Model Validation materials f. Economic Indicators g. March 2016 Risk Management Committee Minutes

12 ERM Resources Callahan Leadership Risk Roundtable NC State ERM Institute Cornerstone Risk Roundtable CUNA CUERME Training CUES ERM School Variety of ERM conferences Other credit unions External auditor consulting