Aligning Risk Management with CU Business Strategy


Aligning Risk Management with CU Business Strategy: Managing your most pressing risks
CUNA Mutual Group Proprietary. Reproduction, Adaptation or Distribution Prohibited. © 2016 CUNA Mutual Group, All Rights Reserved.

What's in store for today
- Credit union strategy principles
- Understanding risk & risk controls
- Connecting to ERM
- All about financials
- Relevant risk impacts
- Resources to help you manage risk
Theran Colwell, theran.colwell@cunamutual.com, CUNA Mutual Group

Credit union business strategy
- Governance & Oversight
- Making Significant Decisions
- Establishing Growth Initiatives
- Seizing Opportunities
- Managing Risk
- Understanding Risk Appetite
It's all about balancing risks & rewards

Understanding risk
- Based on individual perception
- Can never be fully avoided
- May be neutralized or mitigated through preemptive action
[Diagram labels: Probability of Occurrence; Estimated Severity (ROA impact); Risk]

Controlling risks: multi-pronged approach
- Assume
- Avoid
- Prevent
- Spread
- Finance / Transfer

Risk control techniques
- Assume
  - Practice of absorbing or assuming losses
  - Common practice with minor losses; however, definitely not for catastrophic losses
- Avoid
  - Most effective means of controlling risks; however, not always realistic
  - Simply means not undertaking an activity, action or program that produces an undesirable risk
- Prevent / Reduce
  - Implementing techniques to prevent a peril from occurring
  - Prevention is usually related to loss frequency
  - Reduction is associated with severity of loss
  - Either way, change is needed and is effected through awareness, education, policies, and procedures
- Spread
  - Diversify the risk by spreading, segregating, duplicating or separating the exposures
  - For example, participate in shared branches or online banking rather than opening more branch locations
- Finance / Transfer
  - Shifting a risk from one party to another
  - Financing or transferring the risk is often handled through the purchase of an insurance policy or through contractual agreements
  - A common mistake is making insurance the sole focus

Connecting with ERM
Enterprise Risk Management: a collaborative process to identify, manage and monitor organizational risks and opportunities, both internal and external, to ensure achievement of the credit union's strategic objectives and continued financial stability and viability
NCUA Considerations: Credit; Strategic; Interest Rate; Liquidity; Reputation; Compliance; Transaction / Operational
[Diagram labels: Monitor; Identify; Finance; Assess; Control]

Focused & relevant risk areas
- Business Lending
- Consumer Lending
- Consumer Payments
- Cybersecurity
- Deposit Account Services
- Disaster Preparedness
- Employment Practices
- Funds Transfer / ACH
- Internal Controls
- Physical Security
- Real Estate Lending

However, it's usually all about the financials
And, you make changes by shifting these financial levers:
- Net interest income
- Fee income
- Provision for loan loss
- Operating expenses
- Capital

Credit union financials
[Diagram labels: ROE; ROA; Leverage Factor; Asset Turnover; Profit Margin; Net Revenue; Total Expenses; Revenue Drivers; Expense Drivers; Net Interest; Fee & Other; Non-Operating; Operating Expense; Loan Loss Provisions]

Risks impact on financials (ROE diagram, repeated)
The risk impact: Net Interest

Consumer payments: CASE STUDY (risk impact: Net Interest)
- $948 million credit union
- Variety of fraud on both debit and credit
- Fraud superseding expected fraud rules in place
- Credit union recently switched card processors
Mitigation Tips
- Check fraud rules and parameter setting regularly to ensure alignment with risk tolerance
- Ensure strong authentication when removing blocks from transaction or approving overseas travel
Source: CUMIS Insurance Society, Inc.

Consumer payments: CASE STUDY (risk impact: Net Interest)
- $39 million credit union
- Card-present fraud on debit cards with no PIN
- Multiple gas station purchases at the same gas station
- Out-of-state
- Transaction performed within minutes of one another
Mitigation Tips
- Force PIN: globally; certain geo-locations; and certain BINs
- Reduce velocity settings
- Target $ transaction amounts
- Identify CPP
- Block / Reissue affected cards
- Place cards in a higher risk profile
- Educate members to monitor transactions
Source: CUMIS Insurance Society, Inc.

Key elements of protection
- EMV
- Internet Payments
- Mobile Wallets
- Fraud Management

Risks impact on financials (ROE diagram, repeated)
The risk impact: Fee & Other

Overdraft fees litigation: CASE STUDY (risk impact: Fee & Other)
- Increase in class-action litigation related to overdraft programs
- Allegations:
  - Member agreement fails to properly disclose when and how fees are assessed
  - CU failed to follow agreement
- Seeking monetary damages, restitution, punitive damages, and injunctive relief
Mitigation Tips
- Review and update overdraft fee disclosures with counsel
- Train staff to clearly explain how overdraft and NSF fees will be assessed
- Understand how different transactions clear
- Audit procedures
Source: CUMIS Insurance Society, Inc.

Risks impact on financials (ROE diagram, repeated)
The risk impact: Non-Operating

Cybersecurity, vendor exposure: CASE STUDY (risk impact: Non-Operating)
- Vendor exposed mortgage holders' PII to another financial institution
- Data included name, address, loan numbers, loan balance, and Social Security Numbers of mortgage holders
- Breach impacted mortgage holders
- Individuals were notified and offered credit monitoring
Impact
- Involved members in 50 states
- 67,000 individuals
Source: CUMIS Insurance Society, Inc. & Beazley Group

Cybersecurity, sophisticated malware attack: CASE STUDY (risk impact: Non-Operating)
- Hackers accessed insured's system for at least six months using a sophisticated malware
- Fake accounts set-up & money withdrawn
- Member notification to with potential exposure of:
  - Credit card numbers
  - Social Security Numbers
  - Driver's license numbers
Impact
- Forensics investigation was extremely costly due to sophisticated malware used
- ~30,000 individuals
Source: CUMIS Insurance Society, Inc. & Beazley Group

Employee fraud: CASE STUDY (risk impact: Non-Operating)
- AVP/Vault teller evaded detection during surprise cash counts on vault cash
- Made entries to sell cash to other teller and moved funds to the ATM general ledger account
- Reversed entries afterwards
- Credit union failed to monitor cash in & cash out transactions before and after surprise cash counts
Impact
- $826,000 lost in 10 years
Source: CUMIS Insurance Society, Inc.

Internal controls guidance
- Conduct frequent surprise cash counts
  - At least quarterly (monthly is better)
  - Avoid patterns with random days and times
- Reconcile count to system totals, not manual records
- Prohibit:
  - Selling/buying cash to / from each other
  - Making general ledger entries reflecting buying / selling cash from / to vault
- Review transactions initiated before and after the surprise cash audit
  - Selling cash to other tellers or the vault
  - Transferring funds to the ATM / teller cash dispenser
  - Cash withdrawals from member accounts

Credit union sustainable growth (ROE diagram, repeated)
The risk impact: Operating Expense

Employment practices: CASE STUDY (risk impact: Operating Expense)
Employers that discipline employees for social media activity that constitutes protected activity likely will be found to have violated the NLRA.
National Labor Relations Act:
- Section 7: "Employees shall have the right... to engage in other concerted activities for the purpose of... mutual aid or protection"
- Section 8: Employers cannot interfere with the exercise of this right
- NLRA applies to union and non-union employers
- NLRB currently very employee-friendly forum
Source: CUMIS Insurance Society, Inc. & Beazley Group

Employment practices & social media
Mitigation Tips
- Review Social Media Policy
- Avoid undefined, broad terms
- Provide specific examples of the kind of behavior the policy aims to prevent
- Make it clear that the policy is not intended to target NLRA rights ("Nothing in this policy is intended to limit or interfere with")
- Avoid policies that appear to workers to prohibit protected activities, such as talking about pay, benefits and working conditions
- Consult an employment attorney
- Train employees and managers
- Terminate carefully

Credit union sustainable growth (ROE diagram, repeated)
The risk impact: Loan Loss Provisions

Collection letters: CASE STUDY (risk impact: Loan Loss Provisions)
Class action litigation continues:
- Notices of Disposition: UCC 9-613 & 9-614
- Notices of Deficiency: UCC 9-616
- Not specific on public v. private sale (cannot be both)
- Items missing in the notice or improper order of items
- Failure to re-disclose significant changes
- Damages and/or penalties are generally not insurable
Mitigation Tips
- Have forms reviewed / approved by appropriate legal counsel
- Ensure state-specific versions are developed and used for any other states in which you have collections activity
- Consider following any exemplar safe-harbor form language for disposition notices, if available for that state
- Train collections staff
- Audit notices periodically for accuracy and compliance
Source: CUMIS Insurance Society, Inc. & Beazley Group

Managing the most pressing risks
- Focus on the most RELEVANT risks that impact your STRATEGIC decisions
- Start small and simple
- Ensure oversight and review is built in to ensure everyone is on the same page
- Implement a process to identify & assess risks and understand if risk controls are in place
- Build the process without a silo mentality. Once the process works consistently, expand it
- Establish a cross-functional risk committee that provides a coordinated review of the risk assessment, evaluation, and measurement

Risk assessment, mapping & measurement
A few options to follow:
- Risk mapping matrix
- Risk heat map
- Risk table

Risk mapping matrix

| | Low Severity | High Severity |
|---|---|---|
| High Frequency | LOSS PREVENTION | AVOID |
| Low Frequency | RETAIN / ASSUME | TRANSFER / REDUCE |

Frequency: number of times incident / loss occurs
Severity: dollar impact of loss

Risk heat map
Severity (ROA Impact) axis:
- 5 Very High: >100 bps
- 4 High: 75-100 bps
- 3 Moderate: 50-75 bps
- 2 Low: 25-50 bps
- 1 Very Low: 0-25 bps
- 0 None
Probability of Occurrence axis:
- None: 0
- Very Low: 0-20%
- Low: 20-35%
- Moderate: 35-50%
- High: 50-65%
- Very High: >65%

Risk table

| Business Area | Risk | Impact | Likelihood | Inherent Risk | Mitigation | Residual Risk |
|---|---|---|---|---|---|---|
| Operations | Employee Theft | 10 | 1 | 10 | 50% | 5 |

- Likelihood: Frequency with which an event may occur
- Impact: Potential magnitude of an occurrence
- Responses: Action taken to mitigate or manage risk
- Mitigation: Degree to which impact and/or likelihood are reduced
- Inherent risk: Risk exposure before the credit union response
- Residual risk: Risk exposure after the credit union response

Other tools & resources
- Protection Resource Center
- RISK Alerts
- White Papers / Checklists
- Risk Insight Dashboard / Assessments
- Webinars / Training Modules
- Partner Resources
- EPL & Cyber Risk Analyses & Consultations

Protection Resource Center
- One-stop shop available when you need it, 24/7
- Exclusive to CUNA Mutual Group Bond policyholders
- Accessible at www.cunamutual.com
- Nearly 4,500 credit unions have access

RISK Alerts
- Alert Type: Warning / Watch / Awareness
- Title & Summary
- Risk details
- Mitigation tips
- Related resources
- 1-2 per week, accessible online or as PDF
- More than 17,000 credit union subscribers
- Nearly one million impressions in 2015

Online Risk Assessments
- High-level risk overview in 11 risk categories
- Help credit unions identify, evaluate & estimate readiness
- Drive best practices through dynamically-generated rating and recommendations based on credit union responses

Webinars & Education
"They provide good lists for reviewing our controls and risk mitigation, particularly as we build our ERM risk system." (SVP/CFO, $636M)
"The webinar did a good job of identifying the biggest risks credit unions will face this year." (Internal Auditor, $2B)
Go to Webinars & Education within the Protection Resource Center

A Proven Path To More True CU Sustainability
[Diagram labels: Financial Model; Governance; Value Proposition; Increase ROE; Enhance Value Proposition; Improve Governance]

Thank you for the opportunity to partner on managing risk.

This presentation was created by the CUNA Mutual Group based on our experience in the credit union and insurance market. It is intended to be used only as a guide, not as legal advice. Any examples provided have been simplified to give you an overview of the importance of selecting appropriate coverage limits, insuring-to-value and implementing loss prevention techniques. No coverage is provided by this presentation/publication, nor does it replace any provisions of any insurance policy or bond. CUNA Mutual Group is the marketing name for CUNA Mutual Holding Company, a mutual insurance holding company, its subsidiaries and affiliates. Insurance products offered to financial institutions and their affiliates are underwritten by CUMIS Insurance Society, Inc. or CUMIS Specialty Insurance Company, members of the CUNA Mutual Group. Some coverages may not be available in all states. If a coverage is not available from one of our member companies, CUNA Mutual Insurance Agency, Inc., our insurance producer affiliate, may assist us in placing coverage with other insurance carriers in order to serve our customers' needs. For example, the Workers' Compensation Policy is underwritten by non-affiliated admitted carriers. CUMIS Specialty Insurance Company, our excess and surplus lines carrier, underwrites coverages that are not available in the admitted market. Data breach services are offered by Kroll, a member of the Altegrity family of businesses. Cyber liability may be underwritten by Beazley Insurance Group. This summary is not a contract and no coverage is provided by this publication, nor does it replace any provisions of any insurance policy or bond. Please read the actual policy for specific coverage, terms, conditions, and exclusions.