The NCUA issued Supervisory Letter No. 13-12 to explain how it views enterprise risk management (ERM) as one framework for managing risk and to set out its supervisory expectations for credit unions’ risk management programs. The letter clarifies that natural person credit unions are not required to implement a formal ERM framework, but they are expected to have sound processes sufficient to manage the risks associated with their business model and strategies. The letter goes on to say that a credit union’s board of directors [emphasis added] ultimately makes the decision to develop and implement an ERM framework.
The supervisory letter defines ERM as a comprehensive risk-optimization process that integrates risk management across an organization. The letter also lays out the basic components of an ERM framework, giving for each component a description and positive examples. The components are: an established “risk culture,” clear objectives, event identification, risk assessment, risk response, control activities, information and communication, and monitoring.
From a supervisory perspective, the letter indicates that core ERM principles can be integrated into the overall strategic planning and organizational risk-management infrastructure of credit unions of all sizes and risk levels. However, the NCUA also recognizes that most credit unions do not possess the size, depth of resources, or range and level of risk exposure to warrant the significant investment necessary to implement a formal ERM program. Instead, examiners should ensure that the risk management framework is sufficient to manage the major risks present in the credit union’s business strategy and objectives, taking the cost-benefit balance into account.
Lastly, it is important to note that the NCUA views the absence of an adequate risk management framework (ERM or otherwise) as a failure in sound corporate governance and expects examiners to take appropriate action consistent with the severity of the deficiency.