In response to increasing regulatory oversight and threats such as cybersecurity, credit unions are placing more strategic emphasis on managing risk. However, despite similar titles, the role and scope of risk management varies widely by institution.
Internal Strengths. Outsourced Compliance.
For Lisa Malesky, chief risk officer of Capitol Credit Union ($123.0M, Austin, TX), managing risk means serving as an organizational gatekeeper, staying on top of third-party due diligence, and analyzing loan portfolio concentration and delinquency trends to stay ahead of issues.
|Lisa Malesky, CRO, Capitol Credit Union|
With 19 years of experience at the credit union, Malesky began in the lending area and went on to serve as vice president of lending and chief operating officer. This deep understanding of both the operations and lending functions are important in her new CRO role, which the credit union created just last year.
When Pierre Cardenas became CEO in December of 2014, he wanted to concentrate more on risk, Malesky says. After evaluating our roles, it seemed to be a natural fit for me.
CU QUICK FACTS
CAPITOL CREDIT UNION
Data as of 12.31.15
- HQ: Austin, TX
- ASSETS: $123.0M
- MEMBERS: 10,934
- BRANCHES: 3
- 12-MO SHARE GROWTH: 3.45%
- 12-MO LOAN GROWTH: 33.69%
- ROA: 0.42%
Although Malesky’s position is still a work in progress, many of her current duties, particularly in the area of lending analysis, are familiar. She had already been working closely with examiners to develop reports and other tools, but now she has the ability to concentrate fully on risk management.
As the loan portfolio becomes more diverse, it becomes critical to analyze how all loan types are performing and understand where delinquency and charge-offs are coming from, Malesky says.
That’s why collections reports to Malesky, so she can analyze the credit union’s various lines of business and spot disturbing trends. She also analyzes potential loan participations to help determine which ones the credit union will purchase.
Malesky reports directly to the CEO, and in her new role she also works closely with the Bank Secrecy Act officer and CFO in regard to BSA compliance.
Expenses and required experience made an internal compliance officer difficult to maintain, so the credit union outsources the remainder of its compliance obligations.
It is difficult for a smaller credit union to stay ahead of the curve in the compliance area, Malesky says. Outsourcing compliance was an easy decision for us.
The third-party currently performs an annual audit for the credit union and moving forward will conduct quarterly reviews of Capitol’s compliance policies, marketing materials, website, and other activities to help maintain compliance and resolve issues before exams.
But Malesky’s role doesn’t end with loan portfolio analysis and institutional compliance. The breadth of her focus also includes working with the credit union’s IT director on cybersecurity.
I’m not an expert in every area, but I am the gatekeeper who ensures we are completing our due diligence and focusing on the right things.
I’m not an expert in every area, but I am the gatekeeper who ensures we are completing our due diligence and focusing on the right things, Malesky says. By having someone at the senior level evaluating risk within the overall operations, we’re less likely to have something slip through the cracks. I want all of our operations to run cleanly and securely for our members.
At the end of the day, according to Malesky, the right structure for any credit union depends on its size and the complexity of its operations.
More than likely, you have various people in your credit union who are already performing many of the tasks that need to be done to manage risk, Malesky says. However, I think there comes a point for every organization when it’s time to have someone evaluate and monitor what’s going on more closely and more efficiently.
And that person needs to understand the operations of the credit union to be effective.
I’d encourage any credit union to take a step back and review the overall operation as they contemplate adding a risk management role, Malesky says.
A New ERM Program
|Donna Holmes, VP of Risk Management, Blue FCU|
Donna Holmes, vice president of risk management at Blue Federal Credit Union ($843M, Cheyenne, WY) has been in the world of financial institution compliance since the mid-80s. On April 1, when Warren Federal Credit Union and Community Financial Credit Union officially merged to form Blue FCU, Holmes dropped oversight of collections and changed her focus to oversee only compliance, legal, and internal audit for the credit union’s fledgling ERM program.
Altogether we are a team of six, Holmes says. I have two direct reports: a risk manager and an internal auditor [Holmes herself reports to the CFO]. A compliance specialist, a BSA specialist, and a fraud specialist report to the risk manager.
CU QUICK FACTS
Data as of 4.01.16 | Source: Blue FCU
- HQ: Cheyenne, WY
- ASSETS: $843M
- MEMBERS: 71,600
- BRANCHES: 11
- 12-MO SHARE GROWTH (4Q15): 11.46%
- 12-MO LOAN GROWTH (4Q15): 12.97%
- ROA (4Q15): 0.94%
In addition to the internal team, Blue FCU maintains a close relationship with an attorney who comes on-site weekly to meet with the risk and collections teams.
The risk management team handles all of the fraud and works with our outside legal counsel, Holmes says. Although he is not an employee, he’s part of our team.
With an experienced team and extensive compliance knowledge herself, Holmes sees clear advantages to keeping compliance in-house.
We have control over what we look at, and we have access to everything, she says. There is nothing the credit union can hide.
The internal team is also able to talk regularly about compliance with senior leaders.
We’re not siloed, Holmes says. As other areas plan to roll out new products and services, we are able to sit down with them and go through new offerings from a compliance and risk perspective.
This includes reviewing the credit union’s marketing, working with IT when staff members request access to the core system, walking through e-services, and looking over the credit union’s applications and documents.
1 + 1=Blue
As of April 1, 2016, Warren Federal Credit Union (Cheyenne, WY) and Community Financial Credit Union (Broomfield, CO) have merged to become Blue Federal Credit Union.
Warren FCU’s CEO Stephanie Teubner will continue as chief executive officer of the merged institution. Community Financial Credit Union’s CEO/president Greg Hill will serve as president. The board of directors of the continuing credit union will include members from the boards of both credit unions. Read more here.
We are a part of the system, Holmes says. We have the support of our CEO who feels compliance and risk is an important part of the organization. This will prove to be the foundation as we begin a formal ERM program. We have just introduced ERM to our new board of directors and are excited to begin introducing the management team to our new program. We are taking a crawl, walk, run approach to integrate a program into the credit union, starting off with using a dashboard to get everyone to think outside their direct line of business.
As other credit unions decide how to best structure their own risk area, Holmes recommends considering internal applicants who have the desire and interest in doing the job.
If you can afford to have compliance in-house, I highly recommend doing that, Holmes says. It touches everything and changes continually. For us, keeping compliance in-house and having the support of the executive team is vital.
The Project Management Methodology
|Vanessa Madore, VP of Risk Management, Maine Savings FCU|
For Vanessa Madore, vice president of risk management for Maine Savings Federal Credit Union ($304.1M, Hampden, ME), project management is a significant part of enterprisewide risk management. So much so that she recently received her MBA in project management, an area of study she chose because of its implications to her area of service at the credit union.
In Madore’s 11 years at Maine Savings, she’s held various positions and found a niche in compliance and risk management. Her current role is new to the credit union and its elevation to the executive team from mid-management is a reflection of how the board of directors and CEO view the strategic importance of this area.
CU QUICK FACTS
MAINE SAVINGS FCU
Data as of 12.31.15
- HQ: Hampden, ME
- ASSETS: $304.1M
- MEMBERS: 27,837
- BRANCHES: 10
- 12-MO SHARE GROWTH: 2.64%
- 12-MO LOAN GROWTH: 2.69%
- ROA: 0.36%
Madore oversees three staff members, each with distinct areas of focus: software; depository operations/BSA; and audit, policies, and vendor management.
It’s been interesting to see the dynamic development from compliance being a singular department focused primarily on BSA/depository compliance to global compliance, risk management, vendor management, and more, Madore says. Risk management covers every facet of the credit union’s business today, from new product development and marketing to software and hardware.
The broader scope means compliance and risk management must be project and timeline oriented, but even then prioritization can be challenging.
Risk management must be part of strategic planning, goal setting, and new product/service discussions to be effective.
Members always come first, so if we have an issue during operating hours that involves a member, that is our priority, Madore says. We have a number of projects we’re working on any given day and we participate in a lot of meetings, so we need to be flexible and re-prioritize as needed.
Collaboration is also key, and managers, executives, and employees incorporate compliance into their own daily tasks to the best of their ability.
We work together with others across the organization to identify goals, set timelines, and create project teams, Madore says. By delegating duties across the project teams, we’re able to accomplish a lot more.
And according to Madore, this all-hands-on-deck mindset is vital in today’s environment.
Traditionally, credit unions have been siloed, she says. That might have worked in the past, but that was before the tsunami of regulation hit and threats like cybersecurity came onto the horizon. Now, if I change something in one area, it has a ripple effect that impacts many other parts of the credit union and the members.
The fact so many people need to be at the table when launching a new product or service is a cultural shift, and risk management cannot afford to work as a closed team, Madore says. Instead, they must be able to work across the organization and understand how roles are connected.
And at Maine Savings FCU, vendor management is a large part of risk management as well.
We don’t own all of the contracts, but we manage them to ensure the credit union remains in compliance and mitigates risk, Madore says. I find that when vendors specialize in financial institutions, those are usually better relationships as they understand our regulations and needs. We speak the same language.
When it comes to advice for other credit unions, Madore’s is simple: Risk needs to have a seat at the leadership table. Risk management must be part of strategic planning, goal setting, and new product/service discussions to be effective.
This is the biggest challenge Madore hears from her peers, many of whom share the same title but with vastly different responsibilities, priorities, and often no voice in leadership-level discussions.
I’m fortunate at Maine Savings that I have a seat and voice in our executive team meetings.