Enterprise Risk Management

Enterprise Risk Management June 15, 2011 www.vitalinsight.com

Credit Union ERM – Why we are here • Enterprise Risk Management is becoming top of mind for many credit unions • Board/supervisory committee members • Senior management • Regulatory examiners • External auditors • Credit unions want to more clearly understand: • The benefits of ERM • The goals, objectives, and deliverables of ERM • The most efficient way to implement ERM • Goal for today: Demystify the ERM Process

Introductions – Roberta Rodgers • Vice President, Risk Management, Redstone FCU • B.S. Degree, Middle Tennessee State University summa cum laude; Master’s Degree, Strategic Leadership, Middle Tennessee State University, in progress; Juris Doctorate Degree, University of Memphis • Located in Huntsville, AL • $3 Billion in Assets • 340,000 members and over 1200 service groups, including Redstone Arsenal • Working to expand by moving into new geographical areas, product areas, exploring merger opportunities

Introductions – Alan White • Former “Big 4” Executive and Experienced Internal Auditor • Conducted well over 200 risk assessments and control reviews • B.S. (Industrial Engineering), Carnegie Mellon & MBA (Finance), University of Texas • Founder and CEO, Vital Insight, Inc. • Focused on providing cost effective ERM Solutions to Credit Unions • Governance Insight software application • ERM consulting services from experienced professionals • Training and education • Risk assessment and evaluation • Content and best practices • Strong relationships with academic experts and industry associations • CUES Exclusive ERM Partner

Selected Credit Union Customers

Webinar Agenda • ERM Principles & Concepts • Goals & Objectives for an ERM Program • ERM Components • Getting Started • Questions and Comments

Huge changes in the operating environment What is Driving ERM?

Management and Board Challenge Risks management trends Competitive Marketplace Globalization Legal Requirements Complex Business Transactions Short Product Cycles Explosion of Technology

Management and Board Challenge Risks management trends Competitive Marketplace Globalization Legal Requirements Complex Business Transactions Short Product Cycles Explosion of Technology And, they are interconnected – with a cascading impact

Huge changes in the operating environment Liquidity is becoming volatile Margins are eroding Delinquencies & charge-offs have increased drastically Fee income is steadily becoming more important Restructuring of the Corporates (and the NCUA lawsuit) Regulations are changing GAAP is inadequate and may very likely change IT Risk management requirements will increase Freddie & Fannie (Risk Retention) Proposed tax code changes Efficiency (output/input) is critical Less room for errors and surprises – i.e. risk Regulators are extending risk management requirements What is Driving ERM?

Regulators are extending risk management requirements Redstone is getting too big to continue working in silos The regulatory environment is becoming more burdensome and affecting more areas of the CU Strategic goals are becoming bigger and require an enterprise-wide view It’s the right thing to do Redstone’s ERM Drivers

What is Risk? The possibility of an event occurring that will have an impact on the achievement of objectives. A Prerequisite to any risk discussion in an organization: You must know ……the organization’s objectives Risk is measured in terms of impact and likelihood. The Institute of Internal Auditors (IIA)

Traditional Risk Management Approach Strategic Market Risks Operations Risks Finance Risks Human Capital Risks IT Risks Legal Risks Reputation Risks “Silo” or “Stove-Pipe” Risk Management

ERM Brings Risks Together Valuation Creation and Preservation Enterprise Focus on Risks Reputation Risks Strategic Market Risks Operations Risks Finance Risks Human Capital Risks IT Risks Legal Risks Key Message: Senior Management is facilitating the aggregation and interactions of those risk exposures to evolve from Risk Management to Risk Intelligence

Rewarded Versus Unrewarded Risks • Rewarded Risks (Opportunities to take risk) • Risks that are expected to bring some benefit if properly managed • Interest Rate Risk • Credit Risk • Liquidity Risk • Strategic Risks • Unrewarded Risks • Those for which there is only a downside • Transaction Risk • Compliance Risks • Reputation Risk • Financial Reporting (Accounting) Risk

Maintaining a Balanced Focus on Risk Creating Value • Senior Management ERM Agenda • Board and Supervisory Committee Oversight • Reputation Risk • Executive Risk (Ethics, Integrity, Judgment) • SWOT (risk review) with strategic planning STRATEGIC RISKS • Credit, Market Risk Management Processes • Operational Risk Focus • Risk Analysis Techniques EXECUTION RISKS Increasing ERM Program Focus • Procedures, Controls, Insurance • Business Area Risk Reviews • Key Risk Indicators • Early-warning Signals OPERATIONS & COMPLIANCE RISKS Protecting Assets • The ERM program should help the organization to maintain a balanced focus on value creation (rewarded risk taking) as well as value protection (unrewarded risk mitigation).

Risk Appetite Risk Appetite is target risk level you are willing to accept in pursuit of member value Managing and profiting from calculated risk is what financial services organizations do Risk management practices, risk appetite, strategy and capital are inextricably linked Management and the Board should engage in a specific dialogue around the follow questions: How much risk are you willing to accept? Are you taking enough risk to achieve the return/reward it is expecting? Do you understand the combined effects of the risks it is taking? How much of your capital can be put at risk at any one time? How much risk are you willing to take with its existing assets at any one time? How much risk are you willing to take to achieve future growth at any one time?

State your objectives Identify most critical areas of risk (risk assessment) Keep in mind that you may (have) not have seen the impact yet! Gather and analyze the relevant data Exercise sound judgment, ethics & integrity Identify potential root causes (WCGW) Determine best response Document and train Monitor, audit, and assure (and measure) Risk Management Principles

State your objectives Identify most critical areas of risk (risk assessment) Keep in mind that you may not have seen the impact yet! Gather and analyze the relevant data Exercise sound judgment, ethics & integrity Identify potential root causes (WCGW) Determine best response Document and train Monitor, audit, and assure (and measure) Risk Management Principles Assess Risk Manage Risk

What is ERM supposed to do? • Quickly identify emerging risks and problem areas before they escalate and cause serious harm • Reduce the incidence of serious negative surprises that undermine stakeholder confidence • Enable the organization to more effectively take advantage of opportunities • Reduce response time for emerging risks • Demonstrate to stakeholders that reasonable risk management processes are in place • Provide an efficient way to link business objectives, risks, mitigation strategies, residual risks, and procedural process documentation

What is ERM NOT supposed to do? • Be just one more audit • Be just one more compliance exercise • Be done by ONLY audit or risk management • Risk management is part of the decision making process • Prevent healthy risk taking • A good risk manager is a good risk taker • “Too much rigor creates rigor mortis!”

Huge changes in the operating environment Allows the CU to make well-informed decisions Reduces surprises; prepares us for the worst case scenario Ensures all areas have been considered – do things right the first time Opportunities for healthy risk taking are not overlooked Identify gaps and overkill in processes and procedures Redstone’s ERM Objectives

Enterprise Risk Management Components Strategic Risk Operations Risk Financial Risk • Relates to “macro” risks, strategic decisions, economic trends and planning • Includes NCUA categories of Strategic and Reputation Risk (also IT) • Typically managed through the Strategic Planning process • Identify relevant risk scenarios and develop plans for addressing them • All significant strategic risks should be managed due to large impact • Relates to risk that is present in the credit union’s investments and loan portfolio • Includes NCUA categories Interest Rate and Liquidity • Also includes concentration and accounting risk • Usually managed through the ALM process and includes executive and board level involvement • Subjectivity of assumptions underlying financial models • Risk that operations are not designed or executed effectively • Includes NCUA categories Transaction, Compliance, and Credit risk • Also includes Fraud, Accounting, IT • Managed through effective business processes and controls • Requires prioritization of efforts and activities to manage effectively

Enterprise Risk Management Components Strategic Risk Operations Risk Financial Risk • Relates to “macro” risks, strategic decisions, economic trends and planning • Includes NCUA categories of Strategic and Reputation Risk (also IT) • Managed through the Strategic Planning process • Identified four primary risk scenarios and developed plans for addressing them • All significant strategic risks should be managed due to large impact • Relates to risk that is present in the credit union’s investments and loan portfolio • Includes NCUA categories Interest Rate and Liquidity • Also includes concentration and accounting risk • Usually managed through the ALM process and includes executive and board level involvement • Subjectivity of assumptions underlying financial models • Risk that operations are not designed or executed effectively • Includes NCUA categories Transaction, Compliance, and Credit risk • Also includes Fraud, Accounting, IT • Managed through effective business processes and controls • Requires prioritization of efforts and activities to managed effectively

Financial Risk Management Components Liquidity Interest Rate Accounting

Financial Risk Management Components • Loan pricing (risk based pricing) • Investment yields • Duration • Typically managed through ALM process at the executive & board level • Ratio analysis & modeling are key components • Should include scenario analysis and shocks • Beware geeks bearing formulas (like VAR) Interest Rate

Financial Risk Management Components • Basic cash management • Budgeting & forecasting • Contract renewals and vendor management • Seasonality analysis • Should include scenario analysis • Be cognizant of NCUA requirements • Heavily linked to strategic risk! Liquidity

Financial Risk Management Components • Important for monitoring and measuring ratios • Allowance for loan loss is incredibly subjective • Should include scenario analysis • Should not be “outsourced” • Do not assume that accounting risk is managed just because the audit or regulatory exam is clean Accounting

Financial Risk Management Components Liquidity Interest Rate Concentration Risk Accounting

Financial Risk Management Components • Hottest NCUA risk category • Supervisory Letter Issued • “A risk concentration is any single exposure or group of exposures with the potential to produce losses large enough (relative to capital, total assets, or overall risk level) to threaten a financial institution’s health or ability to maintain its core operations.” • Many credit unions are over-concentrated in cash (may increase need for fees) • No set guidelines for establishing limits have been communicated • Three key phases for concentration risk: • Policy setting • Initial analysis and remediation • On-going monitoring Concentration Risk

Asset Liability Policy Asset-Liability Committee meets monthly Monthly review of interest rate risk, liquidity risk, investment strategy Monitor key ratios: net worth, delinquency, charge-offs, ROA Monitor long-term asset ratio Quarterly qualitative review CFO establishes annually how much risk the CU can take with BOD based on worst case scenarios using NCUA’s 7 risk categories Planning, budgeting, forecasting, follow-up Redstone’s Financial Risk Plan

Two Step Process Enterprise Risk Assessment & Prioritization (“Top Down”) Detailed Process Level Risk Analysis (“Deep Dives”)

Two Step Process Enterprise Risk Assessment & Prioritization (“Top Down”) Scope Detailed Process Level Risk Analysis (“Deep Dives”) Scrutiny

Conducted EWRA Conducting initial deep dives on all high risk areas Forming a Risk Management business unit responsible for implementing operational risk plan By end of 2012 will have conducted a deep dive in every business unit Establish annual schedule for risk assessments Consult with business units on new projects Monthly reporting to the BOD Redstone’s Operational Risk Plan

EWRA Concepts • The Enterprise Wide Risk Assessment is used to identify, evaluate, and prioritize operational risk hot spots • Financial and strategic risks are not typically evaluated in this assessment • Goal is to identify areas that require further analysis by process owners, internal audit, etc.

Identifying Risk Events An item that is uncertain, can happen in the future, and has an impact on objectives Assigned scores for likelihood and impact During the initial phase Risk should be analyzed as though there were no controls (inherent risk) Example: “In the payroll process, there is a risk that the right people are paid the wrong rates” “Or that the wrong people are paid the right rates” Risks are usually identified by logic and analysis (intuition) But data can be used to identify holes as well

Risk Response Accept Risks that fall within the organization’s risk appetite and/or that do not significantly threaten the organization’s business objectives can be accepted Laziness or apathy cannot be the default Transfer (Reassign) Typically done through insurance Mitigate Risks that cannot be accepted or realistically transferred should be mitigated through the use of control measures Remaining risk is “residual risk” Most common mistake by organizations is an attempt to immediately determine “residual risk”

Risk Drivers on Value Fortune 1000 companies that lost > 25% stockholder value in one month… Customer Demand Shortfall Competition Cost Overruns Accounting Irregularities Management Ineffectiveness Supply Chain Issues M&A Problems Products Pricing Loss Customer Macroeconomics Commodity Prices Interest Rates Regulatory R&D Delays Lawsuit Natural Disasters Supplier Operational Strategic Financial Hazard Source: Marsh/Mercer; used with permission

Strategic Risk Challenges • Difficult to identify • Requires creativity and forward thinking • Some are outside of our control • Nearly impossible to quantify • Requires effective estimations and judgment • Most should be actively managed anyway • Hard to monitor • Metrics and action items are not obvious • There is rarely one “right answer” to any risk • Solutions can often create new risks • Extended timeline means they can change • Three huge risks of any project that lasts more than one year (technology, environment, people)

Many Overlook Risk of Committing to Wrong Strategy Range of Uncertainty Time Performance Observed Over Time Strategies Built Today Adapted from The Strategy Paradox, by Michael Raynor

Strategic Risk Identification • Start with external strategic risks • New Regulations • Changes to Asset Prices • Strategic Partner Plans & Viability • Corporate Credit Unions • Fannie & Freddie • Interest Rate Changes • Economy and Employment • New Competitors • Lost Competitors when Local/Regional Banks Fail • May increase your volume – are you ready?

Typical Internal Strategic Risks • Executive Integrity & Ethics • Loss or compromise of member data • Inability to identify and develop new/effective products & services • Insufficient access to capital • Inability to manage credit risk • Reputation is not maintained/perception of insufficient financial soundness • Lack of adequate resources • Inability to grow/scale to meet market requirements • Inability to attract and retain qualified personnel • And many others….

Strategic Risk Options • Accept • Avoid • Transfer (Insure/Hedge/Outsource) • Aggressively Manage • Operationalize (but this will create operational risk) • Monitor & Respond • Develop “Real Options” • Influence

Developed strategic objectives Identify risks associated with each objective – scenario planning Determine level of acceptable risk and risk mitigation strategies for each objective Utilize forecasting model to tie strategic risk plan to financial risk plan Monthly reporting to BOD with a detailed annual review to make the program more visible Redstone’s Strategic Risk Plan

Enterprise Risk Management