WSECU finds new best practices for compliance management while balancing enterprise risk and member service.
Enterprise stakeholders are building on the experience of suddenly going heavily virtual to explore new opportunities and create new standards for risk appetite.
CU QUICK FACTS
Washington State Employees Credit Union
Data as of 03.31.20
HQ: Olympia, WA
12-MO SHARE GROWTH: 12.4%
12-MO LOAN GROWTH: 9.6%
Perched near the place where the pandemic came ashore, Washington State Employees Credit Union ($3.5B, Olympia, WA) has leaned on its growing ability to manage risk of all kinds as the member-owned cooperative navigates a new reality.
Products and processes created to help members cope with the coronavirus have introduced uncertainty and possible compliance risk in, for example, responding to new laws that allow hands-off work such as digital notary signings for loans.
That’s just for starters, says Wilkes Hardin, vice president of lending compliance at WSECU.
Our quickly changing business and regulatory environment has increased operating risks in all categories across the enterprise, Hardin says. The same is true for many of the member accommodations and product enhancements we made. The good news is, we’re getting quicker and better about managing to risk so that we keep pace.
Wilkes Hardin, Vice President of Lending Compliance, WSECU
As another example, Hardin, who has served in his compliance roles for the past six years, points to WSECU’s rapid response to the SBA Paycheck Protection Program when that opportunity rolled out.
It was our first foray into the SBA world, he says. We made the decision quickly because of the urgency and circumstances.
Going live involved training staff, checking compliance on member-facing content, and putting policies, procedures, and vendor management oversight into place. Of course, it also included originating and servicing loans for the 285,000-member credit union that has 21 branches across the state, including in and around hard-hit Seattle.
Our commercial lending team performed flawlessly to stand up the program to help our members, Hardin says. We are working hard to support them by ensuring all the I’s are dotted and T’s are crossed.
The Many Flavors Of Risk
3 Ways To Manage Enterprise Risk
Wilkes Hardin, vice president of lending compliance at WSECU, provides three best practices his team has developed in managing risk.
- Consistently Evaluate Assessing risk is inherently subjective in nature, consistent evaluation curbs that somewhat. Use the same terms and define things the same way for everyone. Is it medium or moderate? How does the credit union define impact and likelihood? Words matter.
- Follow Through Do something with the results. See gaps in process or determine controls aren’t effectively mitigating identified risks? Correct the issue! GRC (governance, risk, and compliance) software is great for this because users can assign action items and document corrective action.
- Update As Needed Opinion and sentiment are greatly influenced by events and circumstances. If the environment changes rapidly, it might be prudent to update risk appetite guidelines more often than initially expected. Best practice is every two years.
You have to be nimble and willing to try things you never would before this, Hardin says. Hopefully, actions you make now don’t turn into massive risks later on. We’re all making decisions in about one-tenth of the time we normally do. They become more risk than compliance decisions.
Along with institutional responses, the COVID-19 pandemic has also ramped up the speed of regulatory change for every financial institution, Hardin says, increasing the threat of litigation, fines, penalties, and other damages, especially in the area of consumer protection, if the rules, new and old, are not followed.
Along with compliance, Hardin identifies four other areas of increasing risk: reputational, fraud, liquidity, and strategic.
There’s the increased likelihood of reputation risk based on the organizational responses to member needs early in the pandemic and carrying into the summer and fall, he says. One ugly element that has prominently surfaced is fraud in every channel. This unfortunate reality increases the likelihood for transaction and cybersecurity risk.
And the risk goes on, according to Hardin.
Some institutions are grappling with significant liquidity risk as the concessions they made earlier hit their bottom lines, he says. There’s the potential for meaningful strategic risk around re-prioritization of resources and proper alignment with updated business objectives.
The Onslaught Of Regulatory Change
Along with a compliance committee specifically charged with actively tracking and reviewing the onslaught of regulatory change, Hardin says, WSECU is taking several steps to identify and address specific potential trouble spots.
Those steps include updating and refreshing department and organizational level risk assessments, performing pandemic specific risk assessments, and updating risk appetite guidelines, Hardin says.
Organizationally, we rely heavily on our established, and now accelerated, compliance management routines to ensure we don’t miss details, the lending compliance executive says.
You Might Also Enjoy
How WSECU Spreads Compliance Risk Across The Enterprise
Those compliance management routines are linked to an ERM program that has been in place for more than 10 years, was reorganized about four years ago, and updated again two years ago, Hardin says.
That evolution occurred while the credit union itself shed its SEG-based charter in 2013 and became open to anyone working or living in Washington. A new CEO came aboard last fall, which, along with board changes, makes for fertile ground for culture change when it comes to adjusting the balance of risk and reward in meeting member and operational needs.
Helping lead that process is a committee that began working in 2016 to establish the credit union’s first guidelines for organizational risk appetite. The committee is sponsored by the credit union’s chief risk officer, is led by Hardin, and includes representatives from each business line, including operations, facilities, public relations, and internal audit.
Learning For The Future On The Fly
WSECU now uses the internationally accepted COSO standards for ERM to establish its best practices, and Hardin’s committee is currently analyzing results of a survey taken by the board, supervisory committee, senior managers, and other stakeholders to create new benchmarks and find new opportunities.
The abrupt nature of the pandemic already presented one such chance: fully testing WSECU’s business continuity plan instead of relying on table-top exercises.
This was a great opportunity to think strategically about our WFH program, Hardin says. We performed a work-from-home risk assessment, which aided in the initial deployment of our workforce and should greatly inform the decisions made regarding that program for our staff.
The compliance executive sees the opportunity for big plans for the future, too.
With this sudden abrupt shift toward digital, there might be some long-term changes in member engagement preferences and behavior, Hardin says. That’s an opportunity for institutions to think critically about their branching and channel strategies.