Aligning Risk Management with CU Business Strategy
Managing your most pressing risks
CUNA Mutual Group Proprietary. Reproduction, Adaptation or Distribution Prohibited. © 2016 CUNA Mutual Group, All Rights Reserved.

What's in store for today
- Credit union strategy principles
- Understanding risk & risk controls
- Connecting to ERM
- All about financials
- Relevant risk impacts
- Resources to help you manage risk
Theran Colwell, theran.colwell@cunamutual.com, CUNA Mutual Group

Credit union business strategy
- Governance & Oversight
- Making Significant Decisions
- Establishing Growth Initiatives
- Seizing Opportunities
- Managing Risk
- Understanding Risk Appetite
It's all about balancing risks & rewards

Understanding risk
- Based on individual perception
- Can never be fully avoided
- May be neutralized or mitigated through preemptive action
[Diagram labels: Probability of Occurrence; Estimated Severity (ROA impact); Risk]

Controlling risks: multi-pronged approach
- Assume
- Avoid
- Prevent
- Spread
- Finance / Transfer

Risk control techniques
Assume
- Practice of absorbing or assuming losses
- Common practice with minor losses; however, definitely not for catastrophic losses
Avoid
- Most effective means of controlling risks; however, not always realistic
- Simply means not undertaking an activity, action or program that produces an undesirable risk
Prevent / Reduce
- Implementing techniques to prevent a peril from occurring
- Prevention is usually related to loss frequency
- Reduction is associated with severity of loss
- Either way, change is needed and effected through awareness, education, policies, and procedures
Spread
- Diversify the risk by spreading, segregating, duplicating or separating the exposures
- For example, participate in shared branches or online banking rather than open more branch locations
Finance / Transfer
- Shifting a risk from one party to another
- Financing or transferring the risk is often handled through the purchase of an insurance policy or through contractual agreements
- A common mistake is making insurance the sole focus

Connecting with ERM
Enterprise Risk Management: a collaborative process to identify, manage and monitor organizational risks and opportunities, both internal and external, to ensure achievement of the credit union's strategic objectives and continued financial stability and viability
NCUA Considerations: Credit; Strategic; Interest Rate; Liquidity; Reputation; Compliance; Transaction / Operational
[Diagram labels: Monitor; Identify; Finance; Assess; Control]

Focused & relevant risk areas
- Business Lending
- Consumer Lending
- Consumer Payments
- Cybersecurity
- Deposit Account Services
- Disaster Preparedness
- Employment Practices
- Funds Transfer / ACH
- Internal Controls
- Physical Security
- Real Estate Lending

However, it's usually all about the financials
And, you make changes by shifting these financial levers:
- Net interest income
- Fee income
- Provision for loan loss
- Operating expenses
- Capital

Credit union financials
[Diagram labels: ROE; ROA; Leverage Factor; Asset Turnover; Profit Margin; Net Revenue; Total Expenses; Revenue Drivers; Expense Drivers; Net Interest; Fee & Other; Non-Operating; Operating Expense; Loan Loss Provisions]

Risks impact on financials
The risk impact: Net Interest
[Diagram: ROE, ROA and the revenue and expense drivers]

Consumer payments: CASE STUDY (Net Interest)
- $948 million credit union
- Variety of fraud on both debit and credit
- Fraud superseding expected fraud rules in place
- Credit union recently switched card processors
Mitigation Tips
- Check fraud rules and parameter settings regularly to ensure alignment with risk tolerance
- Ensure strong authentication when removing blocks from transactions or approving overseas travel
Source: CUMIS Insurance Society, Inc.

Consumer payments: CASE STUDY (Net Interest)
- $39 million credit union
- Card-present fraud on debit cards with no PIN
- Multiple gas station purchases at the same gas station
- Out-of-state
- Transactions performed within minutes of one another
Mitigation Tips
- Force PIN: globally; certain geo-locations; and certain BINs
- Reduce velocity settings
- Target $ transaction amounts
- Identify CPP (common point of purchase)
- Block / Reissue affected cards
- Place cards in a higher risk profile
- Educate members to monitor transactions
Source: CUMIS Insurance Society, Inc.

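
The pattern in this case study (no-PIN, card-present purchases repeated at one merchant within minutes) is what a velocity rule is meant to catch. The sketch below is an added example, not code from the presentation or from any card processor; the record fields, the 10-minute window and the limit of two purchases are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def velocity_alerts(txns, max_count=2, window=timedelta(minutes=10)):
    """Flag no-PIN, card-present purchases once one card exceeds
    max_count purchases at the same merchant inside window."""
    recent = defaultdict(deque)          # (card, merchant) -> recent timestamps
    alerts = []
    for t in sorted(txns, key=lambda t: t["ts"]):
        if not t["card_present"] or t["pin"]:
            continue                     # case-study pattern: card-present, no PIN
        q = recent[(t["card"], t["merchant"])]
        while q and t["ts"] - q[0] > window:
            q.popleft()                  # drop purchases that aged out of the window
        q.append(t["ts"])
        if len(q) > max_count:
            alerts.append({"card": t["card"], "merchant": t["merchant"],
                           "ts": t["ts"], "count": len(q),
                           "out_of_state": t["state"] != t["home_state"]})
    return alerts

def tx(ts, card, merchant, state, home, pin=False, present=True):
    """Build one constructed transaction record (field names are assumed)."""
    return {"ts": datetime.fromisoformat(ts), "card": card, "merchant": merchant,
            "state": state, "home_state": home, "pin": pin, "card_present": present}

# Constructed sample data: card 1111 is used four times in six minutes at one
# out-of-state gas station; card 2222 buys fuel twice, hours apart, with PIN.
SAMPLE = [
    tx("2016-05-02T14:01:00", "1111", "GAS-0042", "FL", "WI"),
    tx("2016-05-02T14:03:00", "1111", "GAS-0042", "FL", "WI"),
    tx("2016-05-02T14:05:00", "1111", "GAS-0042", "FL", "WI"),
    tx("2016-05-02T14:07:00", "1111", "GAS-0042", "FL", "WI"),
    tx("2016-05-02T08:00:00", "2222", "GAS-0007", "WI", "WI", pin=True),
    tx("2016-05-02T17:30:00", "2222", "GAS-0007", "WI", "WI", pin=True),
]

if __name__ == "__main__":
    for a in velocity_alerts(SAMPLE):
        print(a["ts"], a["card"], a["merchant"], a["count"], a["out_of_state"])
```

Raising `max_count` to 4 silences both alerts on this sample, which is why the limit has to be checked against the credit union's risk tolerance.
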
Key elements of protection
[Diagram labels: EMV; Internet Payments; Mobile Wallets; Fraud Management]

Risks impact on financials
The risk impact: Fee & Other
[Diagram: ROE, ROA and the revenue and expense drivers]

Overdraft fees litigation: CASE STUDY (Fee & Other)
- Increase in class-action litigation related to overdraft programs
- Allegations:
  - Member agreement fails to properly disclose when and how fees are assessed
  - CU failed to follow agreement
- Seeking monetary damages, restitution, punitive damages, and injunctive relief
Mitigation Tips
- Review and update overdraft fee disclosures with counsel
- Train staff to clearly explain how overdraft and NSF fees will be assessed
- Understand how different transactions clear
- Audit procedures
Source: CUMIS Insurance Society, Inc.

Risks impact on financials
The risk impact: Non-Operating
[Diagram: ROE, ROA and the revenue and expense drivers]

Cybersecurity: CASE STUDY (Non-Operating)
Vendor exposure
- Vendor exposed mortgage holders' PII to another financial institution
- Data included name, address, loan numbers, loan balance, and Social Security Numbers of mortgage holders
- Breach impacted mortgage holders
- Individuals were notified and offered credit monitoring
Impact
- Involved members in 50 states
- 67,000 individuals
Source: CUMIS Insurance Society, Inc. & Beazley Group

Cybersecurity: CASE STUDY (Non-Operating)
Sophisticated malware attack
- Hackers accessed insured's system for at least six months using sophisticated malware
- Fake accounts set up & money withdrawn
- Member notification to with potential exposure of:
  - Credit card numbers
  - Social Security Numbers
  - Driver's license numbers
Impact
- Forensics investigation was extremely costly due to sophisticated malware used
- ~30,000 individuals
Source: CUMIS Insurance Society, Inc. & Beazley Group

Employee fraud: CASE STUDY (Non-Operating)
- AVP/Vault teller evaded detection during surprise cash counts on vault cash
- Made entries to sell cash to other teller and moved funds to the ATM general ledger account
- Reversed entries afterwards
- Credit union failed to monitor cash in & cash out transactions before and after surprise cash counts
Impact
- $826,000 lost in 10 years
Source: CUMIS Insurance Society, Inc.

Internal controls guidance
- Conduct frequent surprise cash counts
  - At least quarterly (monthly is better)
  - Avoid patterns with random days and times
  - Reconcile count to system totals, not manual records
- Prohibit:
  - Selling/buying cash to / from each other
  - Making general ledger entries reflecting buying / selling cash from / to vault
- Review transactions initiated before and after the surprise cash audit
  - Selling cash to other tellers or the vault
  - Transferring funds to the ATM / teller cash dispenser
  - Cash withdrawals from member accounts

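
One way to automate the before-and-after review, shown as an added example rather than code from the presentation or any core system: it pairs cash-moving entries posted shortly before a surprise count with matching reversals posted shortly after it, the pattern in the employee fraud case study. The ledger line layout, the entry type codes and the two-day window are assumptions.

```python
from datetime import datetime, timedelta
from decimal import Decimal

# Entry types taken from the review list above; the string codes are assumed.
WATCHED = {"SELL_CASH_TELLER", "SELL_CASH_VAULT", "XFER_TO_ATM", "MEMBER_CASH_WD"}

def parse(line):
    """Parse 'timestamp,user,type,amount'; a negative amount is a reversal."""
    ts, user, kind, amount = line.split(",")
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "kind": kind, "amount": Decimal(amount)}

def reversed_around_count(entries, count_time, window=timedelta(days=2)):
    """Pair each watched entry posted within window before the count with a
    matching reversal (same user, type and amount) posted within window after."""
    before = [e for e in entries if e["kind"] in WATCHED and e["amount"] > 0
              and count_time - window <= e["ts"] < count_time]
    after = [e for e in entries if e["kind"] in WATCHED and e["amount"] < 0
             and count_time < e["ts"] <= count_time + window]
    pairs = []
    for b in before:
        for a in after:
            if (a["user"], a["kind"], a["amount"]) == (b["user"], b["kind"], -b["amount"]):
                pairs.append((b, a))
                after.remove(a)          # each reversal matches one entry only
                break
    return pairs

# Constructed sample ledger lines (not real data).
SAMPLE = """\
2016-03-14T16:40:00,avp01,SELL_CASH_TELLER,20000.00
2016-03-14T16:45:00,avp01,XFER_TO_ATM,15000.00
2016-03-14T11:05:00,teller07,MEMBER_CASH_WD,300.00
2016-03-15T13:10:00,avp01,SELL_CASH_TELLER,-20000.00
2016-03-15T13:12:00,avp01,XFER_TO_ATM,-15000.00
2016-03-22T10:00:00,teller03,SELL_CASH_VAULT,5000.00
2016-03-22T15:00:00,teller03,SELL_CASH_VAULT,-5000.00
"""

def review(count_iso="2016-03-15T09:00:00"):
    """Run the check over SAMPLE for a surprise count at count_iso."""
    entries = [parse(line) for line in SAMPLE.splitlines()]
    return reversed_around_count(entries, datetime.fromisoformat(count_iso))

if __name__ == "__main__":
    for b, a in review():
        print(b["user"], b["kind"], b["amount"], "reversed at", a["ts"])
```
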
Credit union sustainable growth
The risk impact: Operating Expense
[Diagram: ROE, ROA and the revenue and expense drivers]

Employment practices: CASE STUDY (Operating Expense)
Employers that discipline employees for social media activity that constitutes protected activity likely will be found to have violated the NLRA.
National Labor Relations Act:
- Section 7: "Employees shall have the right... to engage in other concerted activities for the purpose of... mutual aid or protection"
- Section 8: Employers cannot interfere with the exercise of this right
- NLRA applies to union and non-union employers
- NLRB currently very employee-friendly forum
Source: CUMIS Insurance Society, Inc. & Beazley Group

Employment practices & social media
Mitigation Tips
- Review Social Media Policy
  - Avoid undefined, broad terms
  - Provide specific examples of the kind of behavior the policy aims to prevent
  - Make it clear that the policy is not intended to target NLRA rights ("Nothing in this policy is intended to limit or interfere with ...")
  - Avoid policies that appear to workers to prohibit protected activities, such as talking about pay, benefits and working conditions
- Consult an employment attorney
- Train employees and managers
- Terminate carefully

Credit union sustainable growth
The risk impact: Loan Loss Provisions
[Diagram: ROE, ROA and the revenue and expense drivers]

Collection letters: CASE STUDY (Loan Loss Provisions)
Class action litigation continues:
- Notices of Disposition - UCC 9-613 & 9-614
- Notices of Deficiency - UCC 9-616
- Not specific on public v. private sale (cannot be both)
- Items missing in the notice or improper order of items
- Failure to re-disclose significant changes
- Damages and/or penalties are generally not insurable
Mitigation Tips
- Have forms reviewed / approved by appropriate legal counsel
- Ensure state-specific versions are developed and used for any other states in which you have collections activity
- Consider following any exemplar safe-harbor form language for disposition notices, if available for that state
- Train collections staff
- Audit notices periodically for accuracy and compliance
Source: CUMIS Insurance Society, Inc. & Beazley Group

Managing the most pressing risks
- Focus on the most RELEVANT risks that impact your STRATEGIC decisions
- Start small and simple
- Ensure oversight and review is built in to ensure everyone is on the same page
- Implement a process to identify & assess risks and understand if risk controls are in place
- Build the process without a silo mentality. Once the process works consistently, expand it
- Establish a cross-functional risk committee that provides a coordinated review of the risk assessment, evaluation, and measurement

Risk assessment, mapping & measurement
A few options to follow:
- Risk mapping matrix
- Risk heat map
- Risk table

Risk mapping matrix
- High Frequency, Low Severity: LOSS PREVENTION
- High Frequency, High Severity: AVOID
- Low Frequency, Low Severity: RETAIN / ASSUME
- Low Frequency, High Severity: TRANSFER / REDUCE
Frequency: number of times incident / loss occurs
Severity: dollar impact of loss

Risk heat map
Severity (ROA Impact):
- 5 Very High: >100 bps
- 4 High: 75-100 bps
- 3 Moderate: 50-75 bps
- 2 Low: 25-50 bps
- 1 Very Low: 0-25 bps
- 0 None
Probability of Occurrence:
- None: 0
- Very Low: 0-20%
- Low: 20-35%
- Moderate: 35-50%
- High: 50-65%
- Very High: >65%

Risk table
Business Area | Risk           | Impact | Likelihood | Inherent Risk | Mitigation | Residual Risk
Operations    | Employee Theft | 10     | 1          | 10            | 50%        | 5
Definitions:
- Likelihood: Frequency with which an event may occur
- Impact: Potential magnitude of an occurrence
- Responses: Action taken to mitigate or manage risk
- Mitigation: Degree to which impact and/or likelihood are reduced
- Inherent risk: Risk exposure before the credit union response
- Residual risk: Risk exposure after the credit union response

Other tools & resources
- Protection Resource Center
- RISK Alerts
- White Papers / Checklists
- Risk Insight Dashboard / Assessments
- Webinars / Training Modules
- Partner Resources EPL & Cyber Risk Analyses & Consultations

Protection Resource Center
- One-stop shop available when you need it - 24/7
- Exclusive to CUNA Mutual Group Bond policyholders
- Accessible @ www.cunamutual.com
- Nearly 4,500 credit unions have access

RISK Alerts
- Alert Type: Warning / Watch / Awareness
- Title & Summary
- Risk details
- Mitigation tips
- Related resources
- 1-2 per week, accessible online or as PDF
- More than 17,000 credit union subscribers
- Nearly one million impressions in 2015

Online Risk Assessments
- High-level risk overview in 11 risk categories
- Help credit unions identify, evaluate & estimate readiness
- Drive best practices through dynamically-generated rating and recommendations based on credit union responses

Webinars & Education
"They provide good lists for reviewing our controls and risk mitigation, particularly as we build our ERM risk system." (SVP/CFO, $636M)
"The webinar did a good job of identifying the biggest risks credit unions will face this year." (Internal Auditor, $2B)
Go to Webinars & Education within the Protection Resource Center

A Proven Path To More True CU Sustainability
[Diagram labels: Financial Model; Enhance Value Proposition; Improve Governance; Governance; Increase ROE; Value Proposition]

Thank you for the opportunity to partner on managing risk.

This presentation was created by the CUNA Mutual Group based on our experience in the credit union and insurance market. It is intended to be used only as a guide, not as legal advice. Any examples provided have been simplified to give you an overview of the importance of selecting appropriate coverage limits, insuring-to-value and implementing loss prevention techniques. No coverage is provided by this presentation/publication, nor does it replace any provisions of any insurance policy or bond. CUNA Mutual Group is the marketing name for CUNA Mutual Holding Company, a mutual insurance holding company, its subsidiaries and affiliates. Insurance products offered to financial institutions and their affiliates are underwritten by CUMIS Insurance Society, Inc. or CUMIS Specialty Insurance Company, members of the CUNA Mutual Group. Some coverages may not be available in all states. If a coverage is not available from one of our member companies, CUNA Mutual Insurance Agency, Inc., our insurance producer affiliate, may assist us in placing coverage with other insurance carriers in order to serve our customers' needs. For example, the Workers' Compensation Policy is underwritten by non-affiliated admitted carriers. CUMIS Specialty Insurance Company, our excess and surplus lines carrier, underwrites coverages that are not available in the admitted market. Data breach services are offered by Kroll, a member of the Altegrity family of businesses. Cyber liability may be underwritten by Beazley Insurance Group. This summary is not a contract and no coverage is provided by this publication, nor does it replace any provisions of any insurance policy or bond. Please read the actual policy for specific coverage, terms, conditions, and exclusions.