Supervision, Regulation & Risk Management
Definitions Supervision one who oversees the works or tasks of another Regulation a rule or law designed to control or govern conduct
Definitions Risk Management a formal process which analyses prevailing risks facing the organisation and identifies appropriate responses for addressing them
History of the Supervision & Regulatory System We have two regulatory bodies on the island of Ireland. Republic of Ireland (ROI) Credit Union Act 1966 Registrar of Friendly Societies, located within the Department of Enterprise, Trade and Employment was designated as the regulatory authority for credit unions Credit Union Act 1997- replaced the 1966 Act, this gave the Registrar an extensive range of powers.
History of the Supervision & Regulatory System In 2003 the Irish Financial Services Regulatory Authority (IFSRA) was established as the sole regulatory authority for all financial service providers in ROI. IFSRA was re-unified with the Central Bank of Ireland in October 2010. In recognition of the unique nature of Credit Unions a statutory position of Registrar of Credit Unions was explicitly created within the Central Bank of Ireland to assume responsibility for the regulation of Credit Unions The Registry of Credit Unions (RCU) is currently responsible for the registration, regulation and supervision of Credit Unions.
How we got to our current Supervision & Regulatory System The Irish Government established the Commission on Credit Unions on 31 May 2011 to review the future of the Credit Union movement and make recommendations in relation to the most effective regulatory structure for Credit Unions, taking into account their not-for-profit mandate, the volunteer ethos and community focus, while paying due regard to the need to fully protect members savings and financial stability Arising out of the Commission Report the 1997 Credit Union Act was amended. This brought new governance and prudential requirements for Credit Unions.
How we got to our current Supervision & Regulatory System Northern Ireland (NI) Industrial and Provident Societies (NI) Act 1969- This provided for the registration of Credit Unions and for the subsequent regulation of their activities by the Registrar of Friendly Societies. Credit Union (NI) Order 1985- This order recognises Credit Unions as a special class of mutual society, in essence, selfhelp, not for profit co-operatives. Credit Union (Loans & Deposits) Order (NI) 1993 Credit Union Deregulation (NI) Order 1997
How we got to our current Supervision & Regulatory System The Credit Unions (Deposits & Loans) Order (NI) 2006 The Credit Unions (Limit on Membership) Order (NI) 2006 On 31 March 2012 the responsibility for the regulation of Credit Unions in Northern Ireland was transferred from Department of Enterprise, Trade & Investment (DETI) to the Financial Services Authority (FSA). On 1 st April 2013 the FSA ceased to exist. Credit Unions in NI are now regulated by the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA)
Summary The credit union movement in Ireland has gone through many changes. We have evolved from a period of self regulation to a heavily regulated environment as we have moved through the business life cycle of development, growth, maturity and decline. Where are you on the business life cycle?
Questions Who is charged with responsibilty for supervising and regulating credit unions in your country? What is the biggest challenge facing credit unions in your country?
Risk Management As defined earlier Risk Management is a formal process which analyses prevailing risks facing the Credit Union and identifies appropriate responses for addressing them.
Risk Any event that would negatively impact upon the credit union Impacts: Financial, operational or reputational External versus internal Day-to-day versus strategic Financial institutions must proactively manage risk. 12
Financial Cost Impact of Risk Disruption to Operations Reputational Damage 13
Dealing with Risk Avoid the risk Accept the risk Minimise the impact of the risk Minimise the likelihood of the risk occurring Transfer the risk 14
Categories of Financial Risk include Operational Insurance Liquidity Governance Strategy / Business Capital Conduct Credit Environment Market 15
1. Identify the risks Risk Management Risk Audit 4. Monitor & Review 2. Analyse Risks 3. Create response to risk 16
Risk Management Terms Risk Management Culture - a credit union s collective system of values that shape its risk decisions Risk Capacity how much risk can we afford to take? Ultimately determined by our capital Risk Appetite* amount and type of risk that we are prepared to seek, accept or tolerate Risk Tolerance* our readiness to bear the risk after risk treatments in order to achieve our objectives * Risk Appetite & Risk Tolerance, Institute of Risk Management, 2011 17
Conducting a Risk Audit Step 1 Step 2 Step 3 Step 4 Identify risks Analyse risks Determine residual risk Report 18
Step 1: Identifying Risks Identify risks (current & future) which could impact upon the credit union Will be similar (but not identical) for all credit unions Depends on structures, products, services, delivery channels, risk appetite, etc. Description of each risk is important must be clear and specific! Should detail impact, event, cause 19
Example: Identifying Risks 1. Internal and External Fraud Financial loss incurred when an officer defrauds the credit union of significant sums of money by setting up false loans for fictitious members. Financial loss incurred when an officer steals a series of small sums of cash from the cash drawer over a period of months. Financial loss incurred when a member cashes a number of fraudulent cheques through the credit union. 20
Step 2: Analysing Risks Impact & likelihood of occurrence The impact of each risk is scored 1 to 5 The prevalence (likelihood of occurrence) is scored 1 to 4. Scoring is a subjective exercise look for consensus Both scores are multiplied to get the risk ranking score Low scoring risks may be excluded High scoring risks taken to next stage 21
Prevalence of Risk How likely? Score This risk is very unlikely to occur 1 There is some possibility that the risk will occur 2 It is likely that this risk will occur 3 It is almost certain that the risk will occur 4 22
What is the impact? Impact of Risk Score There is negligible or no impact on the credit union 1 There is a minor impact on the credit union 2 There is a significant impact on the credit union 3 There is a very serious impact on the credit union which would undermine the stability of the organisation There is a disastrous impact on the credit union which could result in termination of business 4 5 23
Risk Prevale Impact W E L O O K A T T H I N G S D I F F E R E nce N T L Y 1. Internal and External Fraud Risk Ranking 1.1 Financial loss incurred when an officer defrauds the credit union of significant sums of money by setting up false loans for fictitious members. 1.2 Financial loss incurred when an officer steals a series of small sums of cash from the cash drawer over a period of months. 1.3 Financial loss incurred when a member cashes a number of fraudulent cheques through the credit union. Irish League of Credit Unions, 2012 24
Risk Prevale Impact W E L O O K A T T H I N G S D I F F E R E nce N T L Y 1. Internal and External Fraud Risk Ranking 1.1 Financial loss incurred when an officer defrauds the credit union of significant sums of money by setting up false loans for fictitious members. 2 2 4 1.2 Financial loss incurred when an officer steals a series of small sums of cash from the cash drawer over a period of months. 2 2 4 1.3 Financial loss incurred when a member cashes a number of fraudulent cheques through the credit union. 4 3 12 Irish League of Credit Unions, 2012 25
Risk Risk Ranking Fraud 1.3 A member cashes a number of fraudulent cheques through the credit union resulting in a significant financial loss. Score 12 1.1 An officer defrauds the credit union of significant sums of money by 4 setting up false loans for fictitious members. 1.2 An officer of the credit union steals a series of small sums of cash from the cash drawer over a period of months. 4 26
Where to draw the line? Determined by Risk Tolerance and Risk Capacity Financial Loss relate to your capital Disruption to Operations - time Reputational Damage may lead to financial loss 27
Step 3: Determining Residual Risk This step will determine the threat posed by a risk once internal controls have been considered A control is any measure deliberately put in place to manage risks Determine effectiveness of these internal controls Risk ranking score is multiplied by the controls effectiveness scores to determine residual risk 28
Internal Controls A control is any measure which is deliberately put in place to manage risks. A control will: Minimise impact (protect) Minimise likelihood of occurring Transfer the risk (insurance) Tangible The cash safe Intangible Cash handling procedure 29
Mapping Internal Controls Policy / Plan People Practices Paperwork 30
Plan Does a policy or procedure exist? Is it in line with current legislation? Is the policy and procedure up-to-date? Has the policy been clearly communicated to all officers? Does the policy put clear controls in place? Does the policy clearly identify persons of responsibility? 31
People Are there adequate resources in place? Are the committees or officers active? Do they have the knowledge to carry out their role? Have roles been clearly defined? Do they carry out their role to a set standard? Is appropriate action taken if standards are not met? 32
Practices Are the practices in line with legislation / policy? Are processes being carried out in a consistent manner? Are there clear and transparent reporting structures back to the board? Are people accountable for their actions? When errors are detected, are they being addressed? 33
Paperwork Are sufficient records being kept as per policy or legislative requirements? Is the paperwork being completed correctly? Is the paperwork being completed in a timely manner? Does the board receive regular written reports from the committee s and manager? Is important documentation being stored correctly? 34
Example: Credit Risk Plan: Loans Policy & Procedures People: Loans Officers, Credit Committee Practices: Lending limits Paperwork: Loan forms 35
Calculating Residual Risk (Risk Ranking Score) x (Internal Control Score) = Residual Risk 36
What makes a good control? Answer: One that is free from material weakness. 37
When conducting a risk audit we must ask. 1. Are there controls in place to manage the risk? 2. How effective are these controls in managing risk? 38
39
Step 4: What do we do with the findings? Report of findings from audit Already identified internal controls which must be improved Develop risk response plan Delegate tasks to appropriate officers and set firm deadlines for delivery 40
Recap Who is charged with responsibilty for supervising and regulating credit unions in your country? What is the biggest challenge facing credit unions in your country?
Thank you for your attention! Any questions? 42