HONOLULU – Credit unions' success in the 21st century will require the collective efforts by CUs' volunteer boards, CEOs and executive staff and their mutual agreement on their respective CU's strategic direction. Developing that strategic focus and vision requires an understanding and management of the myriad of risks. That was the clarion call issued at the Hawaii Credit Union League's (HCUL) Leadership Development Program last month. "Focusing on risk is a forward-looking process," said Leslie Thomson, NCUA Hawaii Supervisory Examiner, "Risk concentrates on management practices and controls, and the greatest risk areas receive the most scrutiny." Thomson is responsible for the safety, soundness and supervision of eight examiners and 100 credit unions in Hawaii Speaking at a session on "Risks Credit Unions Face Today," she added that, "Changes in the examination process involve a NCUA culture change, more examiner discretion regarding exam procedures and areas of focus. More examination of planning is included, as well as increased emphasis on supervision, and use of risk tracking tools and activities." Risk is not necessarily a negative term, in fact in the financial world it's a necessity. NCUA doesn't seek to eliminate risk in credit unions, said Thomson. Rather, the agency wants to ensure risks are managed at appropriate levels, given the structure and net worth of the credit union. The following categories of risk are more subjective, and are more difficult to measure using financial data. They must be evaluated in terms of the credit union's control structure and risk management systems: * Transaction Risk – Risk of fraud or operational problems in transaction processing that results in an inability to deliver products, remain competitive, and manage information. If one credit union staff member has responsibility for gathering information, completing, and verifying the accuracy of the bank reconciliation, the risk that the information will be incorrect (error or internal misstatement) is greater than if the duties for completing and validating are assigned to more than one individual. * Compliance Risk – Risk of violations and non-compliance with applicable laws and regulations resulting in fines, penalties, payment, or damages. If the credit union doesn't properly train staff regarding compliance with the Bank Secrecy Act, one result could be tellers failing to file required reports for large cash deposits. Failure to properly report could result in substantial penalties. * Strategic Risk – Risk of adverse business decisions through management's actions or lack of action. If management decides to add three new branches while emphasizing marketing of e-commerce services without a well-conceived business plan to demonstrate how these potentially conflicting initiatives can be accommodated, the membership could increase their use of electronic services rather than face-to-face transactions at the new branches. This has the potential, if not well planned, to result in the new branches being unprofitable. * Reputation Risk – Risk of negative public opinion or perception leading to a loss of confidence and/or severance of relationships. If management implements a real estate lending program without setting appropriate individual and overall loan limits, the credit union might be able to fund only a limited number of large real estate loans before it runs out of available funds. The credit union might have to significantly scale back the program or even cease real estate lending for a temporary period. The members could perceive this temporary cessation as a sign the credit union is having financial problems, resulting in members leaving the credit union or requesting large share withdrawals. Steve Kwock, president of Kwock and Company, outlined an awareness of the liquidity risk facing credit unions and how credit unions can monitor tightening liquidity by key indicators and possible solutions to liquidity pressure. Kwock, a CPA, has been auditing and consulting with credit unions for 24 years, and provides professional accounting and auditing services to credit unions in Hawaii and Guam. Kwock's presentation, "Understanding the Impact of ALM from a Board Member's Perspective," focused on asset/liability management (ALM) as a set of activities designed to control the credit union's risk and financial position. Understanding and reporting ALM can be a major challenge, according to Kwock. ALM is critical in monitoring a credit union's effectiveness in upholding its mission statement and goals. "Continuing comparison and evaluation by management of the underlying payment streams, maturities, rates, and risk inherent in credit union assets and liabilities, given the current and anticipated changes in market interest rates, are essential parts of the asset/liability management process," Kwock said. "This process manages and prices the credit union's funds, controls its exposure to financial risk, and manages its net interest income (interest margins) and net economic value." Blair Bautista, senior manager for Deloitte & Touche's Enterprise Risk Services (ERS) Group in Honolulu, a certified fraud examiner and certified information systems auditor, outlined specifically targeted transaction and operational risks credit unions in Hawaii must manage. "Between 2002 and 2005, the number of consumers using online account management will more than double, reaching 45 percent of the U.S. adult population," Bautista said. "Online account management is seen as a good surrogate for online activity in general. It is estimated that by 2005, 97.5 million U.S. users will adopt e-billing and online account management." Research shows that the vast majority of technology infrastructure investments fail to deliver expected returns because they were poorly linked to organizational plans, the strategies and tactics were flawed, the plan wasn't properly executed, or the organization failed to understand everything needed to support the objective. Systems have been compromised in 45 seconds, and companies' databases have been under attack. Bautista noted that the survivor in the market is the organization that can harness technology to effectively manage the risks to achieve cost effectiveness. Risk should be viewed from a strategic perspective in order to be sure that business and technical issues are addressed. "The risk of damage to a company's brand or image is significant in Web-based activity, and must be managed accordingly," Bautista explained. "The impact on recurring business is higher for web-based efforts, than "real world" business, because recovery can become impossible quickly. There are aspects of trust and confidence in any Web-based transaction that aren't present in "real world" activity to the same degree. Most of the user population, said Bautista, tends to ignore the relative severity of incidents when they occur, and this creates an environment that is ripe for risk. -

[email protected]