Risk, by definition, implies uncertainty. In today's ever-changing regulatory environment, credit unions must develop and implement an effective enterprise-wide compliance risk management program to mitigate and manage their compliance risk. To be clear, risk management is not the elimination of risk, but rather the responsible balancing of risk versus reward. In order to effectively manage compliance risk, credit unions must conduct compliance risk assessments on their products, services, operations and the regulatory impact on such. You cannot mitigate risk if you do not know it exists.

A compliance risk assessment is used to identify risk to the credit union and its members (both consumer and commercial) by incorporating the inherent risks in a particular line of business, product or service and the quality of controls implemented by the institution to manage and mitigate those risks. An effective compliance risk assessment should include, at a minimum, risk identification, measurement, control, monitoring and reporting. During my 20 years in the industry, I've found there are five key components that contribute to the success of a compliance risk management program.

1. Put a system in place.

The framework of your risk management program should provide a method for communicating and documenting evaluations regarding:

  • The quantity of risk (low, moderate, high), including the methodology in assigning risk ratings;
  • The quality of risk management (how well the board and management identifies, measures, controls and monitors risk);
  • An aggregate synopsis of the institution's risk (the balance of risk versus reward inclusive of the quality and quantity of risk); and
  • The direction of the risk (increasing, decreasing or unchanged).

2. Define tolerance for risk.

A comprehensive risk assessment should be commensurate with your credit union's size, product offerings, service area(s) and appetite for risk. To understand your credit union's tolerance for compliance risk, examine the scope and complexity of its business activities, market service areas, and delivery channels for products and services.

3. Identify risk factors.

The greater the risks, the more extensive the compliance risk management program must be to ensure sufficient controls are in place to mitigate the inherent risk in such activities. Consider the following factors:

  • Strategic and business growth, complexity and trends;
  • Product features, characteristics, volume, stability and third-party involvement;
  • Legal and regulatory factors, including nonconformance consequences; and
  • Environmental factors such as market conditions, demographics and competition.

The risk assessment should incorporate and calculate inherent and residual risk. Inherent risk is the level of risk before controls are applied, while residual risk is the level of risk remaining post-implementation of controls. The calculation should encompass the exposure, quantity or likelihood, and quality of risk to the credit union. Enterprise-wide compliance risk management should identify, prioritize and assign accountability for managing potential legal and non-compliance threats that could lead to fines, penalties, reputational damage or prohibition of operating in, or expanding to, various markets.

4. Incorporate regulations.

The regulatory landscape is constantly shifting, both in new regulations and interpretations of existing regulations. As such, regulators expect institutions to regularly assess risk for:

  • Overall consumer compliance
  • Fair lending
  • Unfair, deceptive, and abusive acts and practices
  • BSA/AML and OFAC
  • Vendor management

These particular areas pose the most significant compliance risk for institutions of all sizes. Violations in these areas often cause significant consumer harm as well as legal, financial, operational, and reputational harm to the institution. It is essential for every credit union to incorporate each of these areas in its product lifecycle risk assessment, not just at the time of product development but throughout the entire cycle. By factoring in fair lending, UDAAP, BSA/AML/OFAC and vendor management risks into the product lifecycle, the credit union can proactively mitigate and manage compliance risk.

5. Continually update.

The risk assessment is a living process that must be adjusted as market, regulations, offerings and management's appetite for risk changes. Risk must be assessed from both a current and perspective view of the credit union's risk profile. Look-back risk assessments should be considered when regulatory reprieves or new interpretations of existing regulations pose a threat or concern to the credit union's then-current position.

Through effective compliance risk management, a credit union can increase its efficiency and financial performance by minimizing and mitigating errors while focusing on appropriate operational decision making.

Leah M. Hamilton, JD is chief compliance officer for Temenos. She can be reached at 407-341-6764 or [email protected].

Complete your profile to continue reading and get FREE access to CUTimes.com, part of your ALM digital membership.

Your access to unlimited CUTimes.com content isn’t changing.
Once you are an ALM digital member, you’ll receive:

  • Breaking credit union news and analysis, on-site and via our newsletters and custom alerts
  • Weekly Shared Accounts podcast featuring exclusive interviews with industry leaders
  • Educational webcasts, white papers, and ebooks from industry thought leaders
  • Critical coverage of the commercial real estate and financial advisory markets on our other ALM sites, GlobeSt.com and ThinkAdvisor.com
NOT FOR REPRINT

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.