The purpose of this letter is to provide supervisory guidance on the implementation of Section 704.21 of the National Credit Union Administration's (NCUA) Rules and Regulations. The requirement, which became effective April 29, 2013, obligates corporate credit unions to develop and follow an enterprise risk management (ERM) policy.
Sound risk management is an integral part of running a corporate credit union. A well-designed ERM process can help a corporate by providing a framework within which the board of directors and senior management can determine:
- Where the corporate’s risk exposures lie;
- The amount of risk the corporate has in each exposure;
- The maximum levels of risk it is willing to accept;
- How the risk exposures are changing; and
- The appropriate risk controls to limit overall risk to targeted levels.
ERM will enable corporates to move away from the "silo" approach to risk management and toward a "holistic" view of enterprise-wide risk. A corporate must be able to measure and understand not only each of the individual risks associated with its various business components but also how those risks interact dynamically.
What does the Rule Require?
Section 704.21 requires corporates to develop and follow an ERM policy. The board of directors must establish an ERM committee (ERMC) that is responsible for reviewing and overseeing the corporate’s risk management practices. The ERMC must report on the committee’s activities, at least quarterly, to the board of directors.
The ERMC must include at least one independent risk management expert with sufficient experience in identifying, assessing, and managing the risk exposures applicable to the corporate. The rule defines "independent" to mean that neither the expert nor any immediate family member of the expert is supervised by, or has any material business or professional relationship with, the chief executive officer (CEO) of the corporate credit union or anyone supervised, directly or indirectly, by the CEO, and that the expert has been free of any such relationship for at least three years.
The rule does not explicitly define an ERM expert; the NCUA Board therefore specified that the risk management expert must have:
- A post-graduate education;
- An actuarial, accounting, economics, financial, or legal background; and
- At least five years’ experience in identifying, assessing, and managing risk exposures.
The expert's experience must also be commensurate with the size of the corporate and the complexity of its operations. Section 704.21 gives corporates flexibility in determining how best to fulfill this requirement; the risk management expert is not required to be a director of the corporate credit union. The board of directors may hire the independent expert to work full-time or part-time for the ERMC, or to serve as a consultant to the ERMC.
What is the purpose of the ERMC?
The ERMC will act in an advisory capacity to the board of directors to ensure the board obtains focused, comprehensive information on all of the corporate's risks (financial, operational, strategic, compliance, and reputational) under one umbrella, rather than only on individual business lines or specific risks. For example, before Lending introduces a new loan product, Information Technology should be consulted to confirm that the systems are prepared to process the new product adequately. The ERMC will conduct its analysis and present its views independent of the earnings pressures faced by the operational side of the corporate. Evaluating risks across the corporate allows the board to define them better, both qualitatively and quantitatively, and to determine the corporate's ability to absorb losses through capital and accumulated retained earnings.
What must the ERM Policy Address?
The rule does not specifically define the components of an ERM policy; however, the first step in initiating an ERM program is understanding the corporate's risk appetite, setting the tone for risk governance, and establishing and nurturing a risk culture across the organization. The ERM policies and programs of banks and other financial institutions generally include:
- Creating a standardized, enterprise-wide risk framework, i.e., a common view of risk with shared definitions, assumptions, and analytics.
- Setting risk objectives and ensuring that they align to corporate objectives, risk appetite and culture.
- Ensuring the management and oversight of identified risks remains independent of business lines or specific areas of operations.
- Using internal stress testing strategies, systems and procedures. This may include defining internal model governance groups responsible for the independent review and validation of models.
- Incorporating liquidity management into the ERM process, specifically understanding liquidity pressures through the liquidity coverage ratio, net stable funding ratio and new liquidity reporting as well as including liquidity in stress tests and other financial models.
- Capital management to more effectively evaluate the capital required to absorb current known losses, anticipated losses through modeling scenarios, as well as capital needed to absorb future unanticipated losses.
Each ERMC will need to define an ERM policy appropriate for the size, complexity, and risk profile of its corporate. ERM is an evolving discipline, and a "one-size-fits-all" approach is not suitable for all corporates.
Is there Industry Guidance Available?
ERM is an evolving concept. Many financial institutions have identified and begun adopting the ERM Framework released by COSO (Committee of Sponsoring Organizations of the Treadway Commission) as a framework to drive their risk management initiatives beyond Basel norms and regulatory compliance requirements. The COSO ERM framework has all the components that could help financial institutions derive business value while meeting compliance requirements. The framework is structured around eight components and four categories of objectives: strategic, operations, reporting, and compliance. The components of the ERM Framework are below:
It is important to note that Section 704.21 of the NCUA Rules and Regulations does not require the use of a particular ERM framework. While the COSO framework is widely recognized in the financial services industry, other ERM frameworks exist as well. Each corporate should choose and design an ERM framework appropriate for the operations and complexity of the credit union. Corporate credit unions with larger, more complex operations and balance sheets may need a more structured ERM framework, while others may use a simplified one.
Application of the NCUA Rule
When the NCUA Board approved the ERM requirements, the effective date of implementation was delayed until April 29, 2013. The delay was intended to allow corporates sufficient time to develop an ERM program and to hire an independent risk management expert. During annual safety and soundness examinations, Office of National Examinations and Supervision staff will evaluate each corporate's progress in developing an ERM program and in coming into compliance with the regulatory requirements of Section 704.21.
If you have any questions, please contact your assigned district examiner or this office via email at ONESMail@ncua.gov or by phone at (703) 518-6640.
Scott A. Hunt
Office of National Examinations and Supervision