Those of us with The Rochdale Group have the opportunity to work with many credit unions, of all sizes, in implementing and enhancing their risk management processes. Our consultants have the luxury of viewing very effective risk management processes at some credit unions as well as a great number of processes that are less than best practice.
We have learned from hearing stories about things that work well for credit unions as well as the things that didn’t go quite as planned. We find the knowledge gained from these interactions valuable as we work with credit unions in improving their risk management practices to the levels necessary to consider diverse risk profiles and attain the delicate balance between best meeting the needs of members and ensuring safety and soundness going forward.
Our experience is that credit unions that fail to maintain sufficient risk management processes to confidently understand and manage key risks today often are ill-prepared to leverage uncertainties and opportunities tomorrow. Effective risk management is about much more than organizational value preservation. It’s about embedding a process into the culture of the institution to constantly drive value creation.
Current State Of Enterprise Risk Management Today
Many credit unions, of all sizes, have enterprise risk management programs in place. Those programs range from comprehensive processes that analyze risk across the organization and use that information for strategic and operating purposes, to programs in their infancy, where the risk identification process has just scratched the surface. However, most struggle with bringing together information from all of their risk management silos into a comprehensive program and summarizing the information for senior management and boards.
The Rochdale Group
Credit Union Risk Management Has Improved
Most credit unions today have reasonably effective credit, asset-liability management, information security, and physical security programs. In fact, most are incurring net credit losses well below their allowances for loan and lease losses, and in sessions to identify and assess their lending risks, seldom identify residual credit risk that is much more than 50% of allowance balances.
Most credit unions also seem comfortable with their ALM processes. The ease of placing excess reserve balances at the Federal Reserve Banks for short-term investing, excess liquidity, and other reasonable ALCO processes mean that ALM is not a source of great discomfort for most credit unions today.
Physical security, meanwhile, is so well entrenched at most credit unions that it seems to be an afterthought. Most credit unions have strong processes around opening, closing, surveillance, locks, dual control, lighting, staffing, greeting, and robbery training, in addition to insurance.
Finally, the credit unions we meet generally describe extensive information security processes. Effective information security continues to be a challenge as security professionals are constantly trying to keep up with internal and external vulnerabilities and new security threats.
Big Risks Credit Unions Face In The Future
Although many credit unions are comfortable with their current risk management practices, tomorrow will bring increasingly complex risks requiring new tools, paradigms and vision:
- Lack of brand image in market and lack of emphasis on sales
- Increasing threats on information security and complexity or ineffective use of information technology
- Threats to credit union philosophy and difficulty in providing and measuring value to members
- Uncertainty of business continuity recovery processes
- Ineffective vendor management and potential loss of personal information by third parties
- Challenges in recruiting, hiring and retaining top performing staff
Lack Of Brand Image In Market, Lack Of Sales Emphasis
Many credit unions continue to have lower than desired loan-to-share ratios and attribute this to a lack of lending demand or a member base that does not need to borrow. It’s true that some credit unions have members that have relatively modest borrowing needs. However, why is it possible for so many credit unions in the same markets to serve their members so fully through healthy lending activity?
As we look at those credit unions, we usually see that they are highly effective in promoting their brands in their markets. They engage in strategic marketing, community involvement, and other promotional activities so that everyone knows they are full-service financial institutions and are top of mind when people look for loans. This is not always easy for non-community-based credit unions, but even those with narrow fields of membership need to heavily promote themselves within their field of membership.
Remember that you’re looking out for the best interests of members, and certainly should be advising them of ways to improve their lives, even if that means having systems and processes to ensure your people constantly offer them your ideas.
Once successful credit unions have members in the door, they don’t hesitate to inform them of the products that would be beneficial to them. Yes, this means selling products to people and not just idly taking orders, and some people feel uncomfortable with this. But just think about this for a minute the entire reason members are with the credit union is to use its financial products.
Most members who are not borrowing from the credit union are borrowing somewhere. Remember that you’re looking out for the best interests of members, and certainly should be advising them of ways to improve their lives, even if that means having systems and processes to ensure your people constantly offer them your ideas. You can bet your competitors do, and they might not share your philosophy of looking out for the best interests of members in the process.
Threats To Credit Union Philosophy, Value-Measuring Difficulties
Credit unions, like other financial institutions, tend to measure their financial success through a variety of measures, principally the return-on-assets ratio, but credit union value goes way beyond that metric. You provide value to members through lower loan rates, higher share rates, increased service levels, education, community involvement, and other avenues.
We recently met with a very large credit union that targets a significant portion of income to give back to the community, and the ability to generate returns sufficient to support that target is a key strategic objective. Almost all credit unions forget about many of the ways they support their members and very few track any measures of total member value.
Because supporting the credit union philosophy and providing member-owners with added value is critical to ensuring the survival of our industry, it’s important for credit unions to think about the ways they provide that value, measure their returns to members, and communicate those benefits to the membership.
In many cases, we find that members are not even aware of their status as member/owners, further exacerbating the inability to differentiate credit unions through the overall value provided.
Every large credit union we meet tells us it experiences daily external penetration attempts! Even the credit unions with the most advanced information security programs are nervous about breaches, and fear a large incident could result in a loss of confidence and substantial reputation costs. Most credit unions assess this risk as having the largest potential impact of any of the risks they identify.
Clearly, every credit union should focus on ensuring it has the best information security processes it can afford. If the credit union cannot attain a best-practices level of security internally, it likely should consider the use of third-party services that can provide such a level.
Another interesting risk that we hear in this area is the potential for ineffective deployment of technology, coupled with the need to mesh technologies from a large number of systems. Almost every IT area cites a failure to involve IT personnel up front in selecting systems. Thus, every credit union needs an IT strategy, refreshed periodically, covering desired architecture and other system considerations, and IT personnel always should participate in the selection of every system.
Uncertainty In Business Continuity Recovery Processes
All credit unions say they have business continuity processes but often discuss uncertainty about their abilities to recover. Only about half of even the largest credit unions we work with regularly roll over or formally test their backup capabilities and many are afraid to do such testing due to uncertainty about being able to roll back.
Another issue revolves around relocation assignments and communication. After speaking with 10 to 20 areas in a credit union, we often are surprised to learn that they all plan to relocate to the same branch. It becomes apparent that the credit union never has thought about the number of personnel at certain recovery locations or communicated the actual plans to staff. Thus, even credit unions that think they have strong disaster recovery processes should revisit this topic.
Ineffective Vendor Management, Third-Party Information Loss
Vendors play a major role at most credit unions. The majority would say they have vendor management processes in place but what we see is that many of these processes have become a check-off-the-list exercise, done at the end of each period, providing little strategic value to the credit union.
Almost all credit unions could improve this process by ensuring the process receives the resources necessary, in terms of strong staff and systems. The process also should focus on the strategic side of the vendor relationships and ensure that personnel manage the vendors to strong performance that supports the specific goals of the credit union.
The majority would say they have vendor management processes in place but what we see is that many of these processes have become a check-off-the-list exercise.
Credit unions provide a great deal of member and other information to their vendors. Many departments cite the potential loss or theft of member information as a large vendor risk. Thus, as part of the vendor management and information security processes, credit unions should identify the types of data being provided to vendors, evaluate the vendors’ processes for safeguarding that information, and ensure they are comfortable with those processes.
Challenges In Recruiting, Hiring, Retaining Top-Performing Staff
Finally, most credit unions cite a key exposure to finding and retaining the people they need to provide the wide array of increasingly complex products and services demanded by members. This is experienced through unfilled positions, underperformance, the potential loss of key people needed to support certain business functions (e.g., member business lending), and lack of senior management succession capabilities.
Credit unions should ensure they have the compensation and benefit plans to attract strong talent; the culture, training and advancement opportunities to nurture those people; and plans for orderly replacement of senior management team personnel.
Credit unions have improved their risk management practices in recent years, and comprehensive enterprise risk management programs have contributed to this progression. It is not time to let down our guard during the recent, relatively stable economic environment. Credit unions are facing even larger and more complex risks, and must approach risk management strategically and opportunistically in order to achieve the greatest benefits possible from their risk management programs.
Are your credit union’s risk management processes staying up-to-speed with the dynamic complexities and challenges faced by our industry today? Are your systems and committees designed to report and talk about what has happened in the past, or are they intended to help drive conversations about the future? The Rochdale Group works with credit unions of all sizes on a number of strategy-related initiatives, including assistance with enterprise risk management (ERM) implementation and support. For more information on The Rochdale Group and its services, please visit www.rochdalegroup.com.