Enterprise Risk Management: How Does ERM Apply to your Credit Union?
Presented by Louise Hanson, Partner, Moss Adams LLP, and Shannon Haas, Senior Manager, Moss Adams LLP

MOSS ADAMS AT A GLANCE
• Full service public accounting firm with assurance, tax, and consulting services for middle-market public and private companies
• Largest accounting firm headquartered in the West and one of the 15 largest in the United States
• 21 offices in California, Arizona, New Mexico, Oregon, Washington and Kansas
• More than 230 partners and over 1,800 staff
• Founded in 1913 and headquartered in Seattle, Washington
• A founding member of Praxity, a global alliance of accounting firms
• We are the 4th largest firm servicing credit unions in the nation (based on assets)

TODAY’S DISCUSSION OBJECTIVES
• What is Enterprise Risk Management? – an Overview of ERM
• What is Driving ERM?
• ERM & the Regulators
• How ERM Can Benefit My Institution
• How My Institution Can Build an ERM Strategy: Implementation Overview
  o Phase 1 – Planning
  o Phase 2 – Implementing the Plan
  o Phase 3 – Refining
• Summary

WHAT IS ENTERPRISE RISK MANAGEMENT (“ERM”)?

QUESTIONS TO PONDER…
• In today’s credit union environment, what risks or “watch out fors” would you suggest directors, supervisory committees (or even executive management) focus on?
• What would you be looking for in Board Report packages today?
• Do we understand these issues enough to appropriately report on them in each of our credit unions today?

AT THE CORE…
• What is the Nature of Banking? – Risk Management
• What should Credit Unions be doing? – Intermediate Risks For Members and Borrowers
• What are Directors Expected to do? – Create & Protect Member funds and opportunities; Governance Process and Risk Policies
• How are Risks Portrayed in an Institution? – Via Financial Statements; Via Processes

ENTERPRISE RISK MANAGEMENT
“The decline and ultimate failure of some great companies has been a historical fact. But such decline is not inevitable. Rather, it results when corporate leaders (CEO’s and directors alike) don’t anticipate and deal with the long term threats facing their companies.”
Harvard Business Review (5/08), “Leading from the Boardroom”

WHAT IS “ENTERPRISE RISK MANAGEMENT”?
“Enterprise risk management (ERM) is a process, effected by an entity’s board of directors, management and other personnel, applied in a strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
The Committee of Sponsoring Organizations (COSO) of the Treadway Commission (Sept. 2004)

WHAT IS ERM?
• A structured, consistent, and continuous risk management process that is applied across the entire organization
• Identifies, assesses, prioritizes, and manages the internal and external risks that impact the organization
• Driven by a decision-support process that is aligned with the management and execution of strategic objectives
• Enhanced by the assignment of roles and responsibilities, reporting and communication, policies and procedures, and adoption of a risk-based culture
(Diagram: Business Objectives – Planning & Management – Identify & Assess – Measure, Monitor & Report)

ENTERPRISE RISK MANAGEMENT
“WHAT MIGHT GET IN THE WAY OF MY DUTY TO DELIVER VALUE AND PROTECT THE MEMBERS?”
• Risk – The potential that events, expected or unanticipated, may have an adverse impact on capital or earnings.
• Risk Management – The employment of systems and processes to manage the critical tradeoff between risk and return in financial decision-making.
• Enterprise-Wide Risk Management – The formal mechanism or structure for managing risks across the entire institution on an integrated basis.

ENTERPRISE RISK MANAGEMENT (ERM) COMPONENTS
Keys to a good ERM program – must include:
• Risk Identification
  – What are our key risks?
  – What level of risk are we willing to allow/accept (“risk appetite”)?
• Risk Measurement
  – Risk measurement models (ALM, Credit Stress)
  – Guidelines and quantification tools (Credit Risk Classification, Operational and Credit Losses)

ENTERPRISE RISK MANAGEMENT (ERM) COMPONENTS
• Risk Control
  – Policies (Required and Best Practice)
  – System of risk limitations
  – Authorities and oversight systems
• Risk Monitoring
  – System of risk reporting – key measurements
    § Board driven assessments (internal and external audits, monitoring reports)
    § Management self assessments (management generated reporting against pre-set standards)

IN A NUTSHELL…
ERM is a process for managing and controlling risks across an entire organization, both within and across business lines and legal entities.

WHAT’S DRIVING ERM?

WHAT’S DRIVING ERM? – ENVIRONMENTAL
• Growing size and organizational structure
• Increasing diversity of business lines and complexity of products
• Increasing number of regulations
• Increasingly competitive marketplace
ERM can be the key for how to win

WHAT’S DRIVING ERM? – INSTITUTIONAL
• Fragmented or “silo” risk management efforts – fail to recognize interrelationships of risk across businesses or products
• Lack of aggregation of common risks and reporting – fails to keep Board and management informed of organization-wide risks
• Lack of attention to how risks are correlated – fails to identify how loans, securities, businesses, etc. might be affected by common factors and create large exposures

POST DOWNTURN, ERM IS MORE IMPORTANT THAN EVER
• Bankers, regulators, investors, members and counterparties will not soon forget the near-collapse in late 2008
• So far, the new era in financial services is a very strong emphasis on safety and risk management
• Those who can demonstrate superior risk management will have a competitive advantage
  – Greater opportunities in the market due to goodwill from regulators and investors
  – More and better members
• Key ERM implementation challenges for most credit unions
  – Culture
  – Right expertise
  – Data and Measurement
  – Transparency/Reporting

DRIVERS OF ERM – A SUMMARY
Board of Directors
• Demand increased financial disclosure and transparency
Members as Stakeholders
• Demand evidence that management understands and manages risk
Regulators/Rating Agencies
• Seek assurance around compliance and risk assessment processes
Activists
• Demand social awareness, safety & environmental consciousness
Members as Customers
• Make decisions based on differentiating factors
Peers
• Comparison with others drives industry-wide practice
Competitors
• Push innovation, drive leadership

ENTERPRISE RISK MANAGEMENT AND THE REGULATORS

REGULATORY EXPECTATIONS FOR ERM START WITH THE FUNDAMENTALS OF STRONG RISK MANAGEMENT:
• Active Board and Senior Management Oversight
• Adequate Policies, Procedures, and Limits
• Adequate Risk Measurement, Monitoring, and MIS
• Comprehensive Internal Controls
From “Rating the Adequacy of Risk Management Processes and Internal Controls at State Member Banks and Bank Holding Companies” (SR 95-51 (SUP))

NCUA ERM GUIDANCE
NCUA advises that an effective system of Enterprise Risk Management includes consideration of:
• Market Condition
• Field of Membership
• Credit Union Structure
  – Size
  – Complexity
  – Geographic diversity

INCREASING EMPHASIS ON ERM PERSPECTIVE
Basel Committee’s Core Principles for Effective Banking Supervision (2006), Principle 7 – Risk management process:
“Supervisors must be satisfied that banks and banking groups have in place a comprehensive risk management process (including Board and senior management oversight) to identify, evaluate, monitor, and control or mitigate all material risks and to assess their overall capital adequacy in relation to their risk profile. These processes should be commensurate with the size and complexity of the organization.”
http://www.bis.org/publ/bcbs129.pdf
Principles for Effective Operational Risk Management (2003)
http://www.bis.org/publ/bcbs96.pdf
Principles for Sound Liquidity Risk Management and Supervision (Sept. 2008)
http://www.bis.org/publ/bcbs144.pdf

PRINCIPLES OF EFFECTIVE OPERATIONAL RISK MANAGEMENT (BASEL COMMITTEE ON BANKING SUPERVISION)
1. Board should approve and periodically review the Operating Risk Framework.
2. Board should ensure that the Framework is subject to independent, competent audit staff review.
3. Senior management is responsible for implementation.
4. Process to identify and assess operational risk inherent in products, activities, processes and systems.
5. Process to monitor operational risk profiles and material exposure to losses.

PRINCIPLES OF EFFECTIVE OPERATIONAL RISK MANAGEMENT (BASEL COMMITTEE ON BANKING SUPERVISION)
6. Policies, processes and procedures should exist to control and/or mitigate material operational risks.
7. A contingency and business continuity plan should exist.
8. The regulators should require that all banks, regardless of size, have an effective framework in place to identify, assess, monitor and control/mitigate material operational risk as part of an overall approach to risk management.
9. Regulators should conduct regular, independent evaluation of a bank’s policies, procedures and practices related to operational risks.
10. Banks should make sufficient public disclosure to allow market participants to assess their approach to operational risk management.

IT TAKES 3 TO FLY THIS PLANE
Time & Activities:
• Audit – Past – Do we do as we say?
• Compliance – Present – Are we in compliance?
• Risk – Future – What can go wrong?
• Risk Manager – looks through the cockpit window to identify and assess current threats and future risks to the flight path and plane, and glances at the gauges for reassurance
• Compliance Manager – assists the pilot in maintaining the proper flight path and plane operating procedures by using the manual and FAA regulations
• Auditor – uses the cockpit gauges and controls to inform the pilot of how the plane is operating relative to its predetermined flight path

IN SUMMARY
• Boards of Directors/Supervisory Committees are responsible for ensuring that their credit unions are managed in a safe and sound manner. (This hasn’t changed.)
• In today’s environment (and increasingly in the future), safety and soundness means that risks need to be well-managed given the credit union’s risk environment and business model.
• You need to be able to answer “Yes” to this regulator question: “Do you have a program that appropriately identifies emerging risks in a timely manner?”
• Therefore: Safety/Soundness = Risk Management. Consequently, the foundation for modern Corporate Governance is Enterprise Risk Management.

BENEFITS OF ERM

ORGANIZATIONAL GOALS OF ERM
• Protect/Enhance Members’ funds and opportunities
• Link Strategy and Risk Profile
• Recognize and Manage integrated/cross-organizational risks
• Enhance Risk Based Decisions
• Capital Management/Preservation
• Seize Opportunities
• Disciplined Culture
For a director/committee member, do these sound familiar?

BENEFITS OF ENTERPRISE RISK MANAGEMENT
• Enhances integrated decision-making – better deal with the risk from growth, mergers, new products, etc.
• Better align risk and strategy.
• Framework for identifying enhanced return opportunities – improved risk mitigation.
• Improve deployment of capital resources – allocating capital to business areas to achieve superior risk-adjusted returns (RAROC).
• Credibility and confidence in governance and risk management – members, regulators, external auditors.
• Anticipate risk – seize opportunities/minimize cost.
• Improved understanding and management of interactions and interrelationships between risks.
• Clear accountability and ownership of risk.
• Regulatory compliance with safety and soundness guidelines; foundation for a strong internal control environment.

BENEFITS OF ENTERPRISE RISK MANAGEMENT (CONTINUED…)
All the previous positively impact:
• Protection of capital.
• Enhancement of earnings.
• Reduction of losses (Fraud, Credit, Operational).
• Greater efficiency in process flows.
• Better defined/more efficient internal audit programs.
• Better understanding of the effect of market movements.

WHAT WE ARE OBSERVING: INDUSTRY ERM THEMES SO FAR FOR 2012+
• ERM
  – Managing an acquisition (valuation, financial integration, change in risk profile, culture, data integration, etc.)
  – Model validation
  – Incentive programs that incorporate risk and are better aligned with organizational performance
• Compliance and regulatory
  – Regulatory reform outcomes
  – Stress testing
  – Compliance: fair lending, BSA, AML
• Credit
  – Provision and reserve going forward
  – Growing the loan portfolio
  – Diversifying away from risk concentrations in the portfolio
• Market Risk
  – The investments portfolio – understanding the risks going forward
  – Interest rate risk management

BUILDING AN ERM STRATEGY: IMPLEMENTATION OVERVIEW

ERM IMPLEMENTATION PHASES
(Diagram – gradual evolution of the process, stage labels in order: Detective controls and processes; Compliance and Prevention; Preventative controls and processes; Proactive planning and improvement; Strategic ERM; Operating Performance; Enhanced Member Benefits)

DEVELOPING ERM CAPABILITIES IS AN EVOLUTION, NOT AN EVENT
Add Capabilities as Risk/Complexity are Added

LET’S DO A QUICK SELF ASSESSMENT
• Go to the separate handout
• Complete the “Risk Oversight Self Assessment” survey
  – There are no right or wrong answers
  – Try to objectively answer each question for a credit union you have in mind

SELF ASSESSMENT – IMPLICATIONS
(Answers to Q 1-12 / Q 13-28 → Implications)
• Yes / No – Lots of focus on strategic planning, lots of risks, but few risk management processes
• Yes / Yes – Strategic planning and risk management are reasonably integrated and the organization is making great ERM progress
• No / Yes – Few perceived strategic risks but overspending on ERM processes
• No / No – Few perceived risks, but no system to be sure or to identify risks/opportunities

LINKING ERM TO STRATEGY
(Diagram: Maturity Level (Low to High) over Time, rising through Compliance/Monitoring → Loss Minimization → Risk Measurement → Risk Management → Risk vs. Return Optimization → Strategic Integration, with risk appetite articulated at the top)

ERM – STRENGTHENING FOCUS ON STRATEGIC RISK EXPOSURES
(Diagram: Profitability driven by Increased Revenues and Expense Savings; Risk Drivers for Increased Revenues – Increased Loan Yield (Rate & Volume), Non-interest Income Products; Risk Drivers for Expense Savings – Reduce Head Count, Other Cost Savings Measures – Vendor Mgmt.; each driver asks “Risk Metrics?”)

THE MOSS ADAMS PHASES TO ERM IMPLEMENTATION
• STEP 1 – PLANNING – (a.k.a. “putting your best foot forward, knowing the process isn’t going to be perfect because it’s a new area of focus, and every institution is unique”)
• STEP 2 – IMPLEMENTING – (a.k.a. “executing on your plan, making slight adjustments as needed; saving significant revisions to the process for the ‘refining’ stage”)
• STEP 3 – REFINING – (a.k.a. “fixing what needs to be fixed and/or what wasn’t addressed after implementing your plan”)
A simple 3-step process for getting your ERM program off the ground

ERM IMPLEMENTATION PHASE 1 – PLANNING

BUILDING YOUR ERM ROADMAP/IMPLEMENTATION PLAN: STEP #1 – PLANNING
A. Gain Board/Committee/Executive level support – “Tone at the Top” might be the single biggest factor in being successful at implementing; start to build consensus/buy-in
B. Revisit/review your strategic plan – the ERM vision should be aligned with your organization’s size/complexity
C. Start thinking about how you are going to identify (and categorize) risk
TIPS:
• Define plan owners, roles and responsibilities for execution, timelines, resource alignment
• Prioritize key tasks – look for up-front, early wins
• Utilize existing management structures
• Think about existing organizational design/structure
• Other: degree of alignment with finance, specific control tools, etc.?
• Start to build consensus among key internal and external parties (including regulators*)
• Preliminary risk assessment – work on the “completeness” of the risks inventory
• Look for risk concentrations
• Understand management’s current risk activities – functions, controls, what is tracked, who does it, etc.

TONE AT THE TOP & CULTURE
• It’s that CULTURE thing!!
• Mutual Expectations, Respect, Reliance
• Model the Standard – Legally: Duty of Loyalty and Care; Business Judgment; Disclosure/Transparency
• Open Communications, Debate
• Brainstorm risks at various management levels – what risk is coming around the corner?
• Welcome the Messenger
• Welcome Dumb Questions
• Draft Policies

ERM POLICY
• Policy Statement
• Purpose/objectives
  o Integrated mgmt of risk
  o Governance of risk oversight
  o Independent review and monitoring
  o Best practice risk control
• Responsibilities
  o Board of Directors
  o Supervisory Committee
  o Board Risk Committee
  o Management Risk Committee
  o CEO
  o CRO
  o Internal Auditor
  o Department Heads
• Risk Categories
• ERM Process
  – Risk Metrics and tools (Risk Assessments, Measures)
  – Controls & Monitoring
  – Risk Response
  – Communication & Reporting
  – Policy Exceptions
• Policy Guidelines/Limits

ERM CHARTER
• Purpose/Objectives – Board/Committee delegation to: Identify and Manage risks; Adhere to policies
• Committee Members and Chair – Chief Risk Officer direct report
• Meetings – Full Board reporting
• Duties and responsibilities – Supervisory Committee interaction; Oversight of Management Risk Committees
• Performance Evaluation
• Committee Resources

ERM IS A SHARED RESPONSIBILITY: TYPICAL ROLES/NEEDS
• Board of Directors – Governance; Reputational Risk; Board Training
• CRO (Larger) – ERM Roadmap; Policies/Limits/Appetite; Risk Quantification; Dashboards
• CEO/COO – Business Risk; Execution Risk; Strategy/Mergers
• CFO – Internal Controls; Economic Capital; Performance Measurement
• Functional Risk Managers/Delegated Responsibilities – Credit Risk; Market Risk; Interest Rate Risk; Operational Risk; Compliance Risk; Technology Risk; Etc.

A VISION FOR ERM IS FUNDAMENTALLY LINKED TO STRATEGIC GOALS FOR YOUR ORGANIZATION
• What are your core competencies? What is your market? What does your credit union want to be? Who are your members?
• What are your return goals?
• (Risk vs. Reward = Credit & IRR; Capital Adequacy; Regulatory; Fraud; Other?)
• Identify Risks to your credit union – What risks do you take on to generate these returns? Focus on “key” risks.
  – Credit risks in lending?
  – Credit risks in your investments portfolio?
  – Market risks through interest rates?
  – Market risks through your investments portfolio?
  – Operational risks through providing processing/cash management services?
  – Compliance risks in highly regulated markets?
  – Other?
• How much of each risk type will you take on? Is your level of risk appropriate given your return goals (risk appetite)? Do you have sufficient capital and liquidity to support these risks?

ERM RISK COMPONENTS
• Credit Risk and Market Risk are typically called ‘financial risks’ – return and risk are usually directly correlated here
• Greater risk will lead to higher returns in the long run, but will also result in significantly greater earnings volatility and require much more capital. A risk appetite is needed to decide how much risk and what types of risk are appropriate
• Operational Risks can also be financial risks, but the risk/return relationship can be very different
  – Some operational risks such as regulatory and compliance concerns are not related to returns, only protection against future loss, or are a cost of doing business
  – Fee-based businesses such as payment processing are operational-risk driven businesses with a direct relation to returns
• Regardless of the risk type, ERM practices can enable management and the board to:
  – Develop a consolidated view of their risk profile across all risk types and understand hot spots
  – Measure risk exposure using quantitative and qualitative methods
  – Set a risk appetite and manage to it
  – Better understand where returns are generated

REGULATORY RISK CATEGORIES (RISKS EXAMPLE 1)
(Table comparing NCUA Risk Categories, Fed Risk Categories and FHLB Risk Categories; categories listed: Credit Risk, Interest Rate Risk, Market Risk, Liquidity Risk, Operational Risk, Legal Risk, Business Risk, Transaction Risk, Compliance Risk, Strategic Risk, Reputational Risk)

REGULATORY CAPITAL RULES HAVE CREATED A FRAMEWORK FOR CLASSIFICATION OF RISK TYPES (RISKS EXAMPLE 2)
Risk Type – Definition
• Credit Risk – Loss due to a borrower’s inability to meet its financial obligations; loss due to change in a borrower’s credit quality
• Market Risk – Loss due to change in market value of traded positions; loss due to impact of changes in cost to close accrual positions (primarily interest rate risk)
• Operational Risk – Loss resulting from inadequate or failed internal process, people and systems, or from external events. The definition includes legal risk. The definition does not include strategic or reputational risks.

MANY INSTITUTIONS HAVE ADOPTED THESE DEFINITIONS FOR A FUNCTIONAL ERM STRUCTURE (RISKS EXAMPLE 2.1)
Enterprise Risk Management Functional Structure (Not Organizational Structure)
• Credit Risk – Commercial; Retail; Counterparty
• Market Risk – Change in Fair Value; Interest Rate Risk; Currency Risk; Liquidity Risk
• Operational Risk – Compliance Risk; Int. and Ext. Fraud; Business Process Failure; HR; Litigation; Data Security; Technology/Systems; Natural Disaster; Etc.
Other Risk Category Possibilities: Business, Strategic, Concentrations, Reputation, etc.

ERM IMPLEMENTATION PHASE 2 – IMPLEMENTING THE PLAN

BUILDING YOUR ERM ROADMAP/IMPLEMENTATION PLAN: STEP #2 – IMPLEMENTING
A. Identify and prioritize the RISKS
  – Keep it to the “TOP 5” for in-depth Board reporting
  – Additional risks can be identified and listed, but don’t take away the focus from the Top 5
B. Simultaneously adopt a preliminary risk framework and conceptualize simple reporting
C. Identify gaps in the process and start to analyze (but don’t let them slow you down!)
TIPS:
• Identify strengths and weaknesses in the existing risk management function
• Re-align existing capabilities with where you need to get to
• Scope: risk controls, information technology, culture, expertise, policies, risk quantification, reporting/transparency

ERM IMPLEMENTATION – THINK ABOUT “RISK AWARENESS”
Difficult process – 3 levels of risk awareness:
• Known – You lend money to various parties and someone isn’t going to pay (credit risk)
• Unknown, but knowable – e.g., flood or other natural disaster that isn’t unusual for the area
• Unknown, unknowable – would not ever know in advance, but is there a plan I can have if “something” takes me out of what I do?
This helps you to think beyond the everyday risks.

FOCUS ON KEY ENTERPRISE RISKS
• Risk issues that are most significant and deserve the attention of executive management and the Board.
• Issues identified through the risk assessment process within each functional risk area.
• Escalated to upper levels with mitigation and action plans presented.

ERM IMPLEMENTATION – RISK ASSESSMENT
Ask each Board member: “With our credit union’s business model in mind, what are the Top 5 emerging risks?”
1. _____
2. _____
3. _____
4. _____
5. _____
Ask Management the same question. Will the results be similar?
How often do the Board and Senior Management engage in explicit discussions about risk?
Reminder: Addressing risk in an advanced ERM process becomes strategic instead of defensive

RISK ASSESSMENT (CONTINUED)…
• For identified risk events:
  – What is the time frame to consider?
  – How likely is the event to occur?
  – What would be the impact?
    • On financial goals (cash flow, capital, reported earnings)
    • On operational goals
    • On reputation/brand
  – Inherent vs. residual risks?

ONE COMPLICATION: INHERENT VS. RESIDUAL RISK
• What risks are we assessing?
  – Ignore the response to start: there is a tendency to over-value controls. “100% under control” is a red flag; nothing is foolproof.
  – Inherent risk: Risk to an entity in the absence of any actions management might take to alter either the risk’s likelihood or impact
  – Residual Risk: Risk that remains after management responds to the risk identified
Back to some risk assessment examples…

RISK CATEGORIES WITHIN ERM (RISKS EXAMPLE #3)
• Strategic – Product Offering; Merger & Acquisition; Competition; Revenue Growth; Profitability; Capital
• Credit – Payment Default; Loan Concentration; Loan Quality; Collateral Valuation
• Interest Rate – Interest Rates; Yield Curve; Investment Volatility; Foreign Exchange
• Liquidity – Funding Sources; On/off Balance Sheet; Contingency
• Reputation – Image & Branding; Employee Relations; Customer Relations; Regulatory Relations; Public Relations; Shareholder Relations
• Operational – ID Theft & Fraud; Security & Privacy; Business Continuity; Physical Security; Vendors; Process Errors; Financial Reporting
• Compliance – Consumer; Member Business; Fiduciary; Money Laundering
• Legal – Employment Law; Contracts; Intellectual Property; Litigation

ABC INSTITUTION SIMPLE ENTERPRISE RISK ASSESSMENT EXAMPLE (RISKS EXAMPLE #4)

RISK MANAGEMENT CONTINUUM
Reactive
• Lack of Board or senior management emphasis on risk
• No common risk lingo
• Stove-pipe risk management
• Ad hoc approach
• Missing coverage of risk areas
Aware
• Some board and senior management support
• Risk leader identified
• Periodic risk profiling
• Recognized need for ERM
Strategic
• Proactive board and senior management involvement
• Risk managed and assessed across entire organization
• Common language and approach used and understood
• Key risks defined in common vocabulary
• Real-time analysis of risk portfolio (real-time KRIs)
Most companies straddle Reactive and Aware; Strategic is the goal.

RISK ASSESSMENT CYCLE
(Cycle diagram: Identify risk & controls → Assess exposures and control effectiveness → Determine corrective action(s) → Test Controls → Report; reassess risks & ratings → back to Identify; feeds the Board of Directors Risk Assessment and Management Certification)
*Report step shows a snapshot of the pulse of enterprise risk management at a glance
*Test Controls step records testing scope, conclusion and recommendation(s)
*Corrective action step tracks project & task priority, status, due dates, hours

GOVERNANCE AND MANAGEMENT STRUCTURE RISK VIEW
(Matrix: for each risk category – Board of Directors committee; Risk Management Policies; Senior Management Committees; Senior Management Officers)
• Credit Risk – Board Credit Committee; Credit Policy; Executive Loan Committee; Chief Credit Officer
• Interest Rate Risk / Liquidity Risk – Finance Committee; Funds Management Policy; ALCO; Chief Financial Officer
• Operational Risk – Supervisory Committee; Operational Risk Policy; Security & Cont. Plan & Mgt. Committees; Senior Operations Officer
• Information Technology Risk – IT Policies; Technology Steering Committee; Chief Information Officer
• Human Capital Risk – HR/Compensation Committee; Human Capital Risk Policy; Management Committee; SVP, Human Resources
• Compliance Risk – Ethics Committee; Compliance Program; BSA/Compliance Committee; Director of Regulatory Risk Mgt.
• Legal Risk – Legal Policy; Legal Director
• Strategic Risk / Reputation Risk – Strategic Planning Committee; Strategic Risk Policy; Reputation Risk Policy; Management Committee
• ERM – Supervisory Committee; ERM Policy; Internal Audit Charter; Enterprise Risk Management Committee; Chief Risk Officer
*Supervisory Committee is the sole committee composed of strictly outside individuals


ASSESSED RISK REPORTING: RISK MAPPING
• Heat Maps are a valuable tool for communicating/reporting risks
• Chart both likelihood/probability and severity/impact
63


HEAT MAP PORTRAYAL OF INHERENT RISKS (figure)
Axes: Impact (Severity), vertical; Likelihood (Probability of Occurrence), horizontal
Mitigation regions: Not Mitigated; Marginal Mitigation; Sufficient/Acceptable
Risk events 1–10 plotted on the map
Risk Event legend: 1. ---- 2. ---- 3. ---- 4. ---- 5. -----
64
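As an added illustration of the likelihood-by-impact mapping on this slide (example code written for this page, not material from the presenters), the following Python scores a constructed register of risk events, reduces each inherent score by a control-effectiveness factor, assigns the event to one of the slide's three mitigation regions and plots the inherent scores on a 5x5 text heat map. The 1–5 scales, the control-effectiveness factor and the band thresholds are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RiskEvent:
    ref: int                      # number plotted on the map
    name: str
    likelihood: int               # 1 (rare) .. 5 (almost certain)
    impact: int                   # 1 (negligible) .. 5 (severe)
    control_effectiveness: float  # 0.0 (no controls) .. 1.0 (fully effective)

# Constructed residual-score thresholds (score range 1..25); not taken from the slides.
ACCEPTABLE_MAX = 6      # residual at or below this: Sufficient/Acceptable
NOT_MITIGATED_MIN = 12  # residual at or above this: Not Mitigated

def inherent_score(r: RiskEvent) -> int:
    return r.likelihood * r.impact  # inherent risk before controls

def residual_score(r: RiskEvent) -> float:
    # inherent score reduced by the share of exposure the controls remove
    return round(inherent_score(r) * (1.0 - r.control_effectiveness), 2)

def mitigation_band(r: RiskEvent) -> str:
    """Map residual exposure to the three mitigation regions drawn on the heat map."""
    res = residual_score(r)
    if res <= ACCEPTABLE_MAX:
        return "Sufficient/Acceptable"
    if res >= NOT_MITIGATED_MIN:
        return "Not Mitigated"
    return "Marginal Mitigation"

def heat_map(risks):
    """5x5 grid indexed [impact-1][likelihood-1]; each cell lists the refs plotted there."""
    grid = [[[] for _ in range(5)] for _ in range(5)]
    for r in risks:
        grid[r.impact - 1][r.likelihood - 1].append(r.ref)
    return grid

def render(risks) -> str:
    """Text heat map: impact grows upward, likelihood to the right, as on the slide."""
    grid = heat_map(risks)
    lines = []
    for impact in range(5, 0, -1):
        cells = [",".join(map(str, grid[impact - 1][lk])) or "." for lk in range(5)]
        lines.append(f"Impact {impact} |" + "".join(c.rjust(5) for c in cells))
    lines.append("Likelihood " + "".join(f"L{lk}".rjust(5) for lk in range(1, 6)))
    return "\n".join(lines)

SAMPLE = [RiskEvent(1, "Loan delinquency spike", 4, 4, 0.2),  # constructed sample register
          RiskEvent(2, "Core system outage", 2, 5, 0.7),      # (illustrative values only)
          RiskEvent(3, "BSA filing lapse", 3, 3, 0.2),
          RiskEvent(4, "Key staff turnover", 3, 2, 0.1)]
```

Calling `render(SAMPLE)` prints the map and `mitigation_band(r)` gives the region for each event.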

ERM IMPLEMENTATION PHASE 3 REFINING 65



BUILDING YOUR ERM ROADMAP/IMPLEMENTATION PLAN: STEP #3 – REFINING
A. Plan for Remediation of Gaps/Execution
B. Enhance Definition of “Risk Appetite” for credit union
C. Enhance Reporting
• What are you doing to address the immediate risks? (What’s the risk response – Tolerate, Terminate, Transfer, or Treat?)
• What controls will be in place going forward to monitor the risks?
• Develop recommendations to remediate gaps
• What Key Risk Indicators (KRIs) have you identified (or intend to identify) going forward?
• Cement consensus, buy-in among key parties
• Further define plan owners, roles and responsibilities for execution, timelines, resource alignment
• Memorialize project plan
• Quantifying risk
• What will reporting to executive management and the Board look like going forward?
• Ongoing monitoring of implementation progress with board-level accountability
• Benchmark vs. industry leaders in this area as well as peers
66


SELF EVALUATION APPROACH FOR IDENTIFYING GAPS TO REMEDIATE
• Organize subject-matter experts in each of the credit union’s risk categories and at the ERM level.
– Facilitate a discussion of the credit union’s risk categories.
• Comprehensive evaluation of credit union’s risk management processes.
• Prepare detailed report with findings, observations and recommendations in respective risk categories.
• Major conclusions and recommendations to create final report.
• Recommendations/Action Plan/Implementation
– Management Risk Comm.
– Board Risk Comm.
67


ELEMENTS OF RISK APPETITE
Existing Risk Profile: the existing level and distribution of risks across risk categories (e.g. financial risk, market risk, operational risk, reputation risk, etc.)
Risk Capacity: the maximum risk a firm may bear and remain solvent
Risk Tolerance: acceptable levels of variation an entity is willing to accept around specific objectives
Desired Level of Risk: what is the desired risk/return level
Determination of Risk Appetite: the amount of risk an entity is willing to accept in the pursuit of value
68


WAYS TO DEFINE RISK APPETITE
Quantitative
• Clearly defined measure
• Can be cascaded to business units
• For example, loss of capital or degree of volatility in earnings
Qualitative
• Not all risks can be accurately/credibly measured
• For example, risk of damage to reputation
Zero Tolerance
• A subset which can be very clearly defined
• For example, loss of life or violation of laws
69


CREATE AN IDEAL ROSTER OF RISK REPORTS
EXAMPLES:
• A high-level summary of the top risks for the enterprise as a whole, broken down by operating unit, geographic location, product group, etc., along with significant gaps in risk management capabilities
• Report of emerging issues or risks that warrant immediate attention
• Summary of risk events, e.g., significant exceptions versus policies or established limits
• Summary of significant changes in key variables beyond management’s control (e.g. interest rates, exchange rates, etc.) and the effect on earnings, cash flows, capital, and the business plan
• Summary of the status of improvement initiatives
70


SOME EXAMPLES OF EXTERNAL KEY RISK INDICATORS
Industry and Competitor Trends: Number of competitors; New product or service announcements; Pricing trends; Risk events realized by competitors
Economic Trends: Unemployment forecasts; Consumer spending trends; Trade and foreign policy; Shifts in customer tastes/trends
Supply Chain Issues: Financial health of suppliers; Risk events at suppliers; Pricing trends
Liquidity/Capital Markets: Interest rate trends/forecasts; Credit spreads in debt and credit markets; Stock market trends and forecasts
Regulatory Changes: Anticipated changes in tax policy; New regulations/restrictions; Changes in key political offices
71


SOME EXAMPLES OF INTERNAL KEY RISK INDICATORS
Business Operations: Transactions, output; Sales volume, failed deals; Operational performance issues; Supply chain/logistics
Human Resources: Turnover; Headcount; Corporate training: policies, procedures, ethics; Vacancies; Sick days; Disciplinary actions
Information Technology: Disasters, outages, disruption; Help desk metrics; Security metrics; Project metrics; IT incidents/investigations, complaints; IT audit issues
Accounting/Finance: Adjustments; Unsubstantiated balances; Missed deadlines; Write-offs
Compliance: State of controls; Regulatory inquiries/investigations; Litigation cases; Discovery requests
Audit: High-risk issues/material weaknesses; Past-due audit issues
72


KEY RISK INDICATORS GUIDANCE FOR DEVELOPING YOUR ERM DASHBOARD (THE METRIC/DATA IS…)
• Based on established practices or benchmarks
• Developed consistently across the organization
• Provides an unambiguous and intuitive view of the highlighted risk
• Allows for measurable comparisons across time and business units
• Provides opportunities to assess the performance of risk owners on a timely basis
• Consumes resources efficiently (not overly burdensome to get the info)
Example KRIs:
• Loan Delinquencies
• Portfolio Stress Tests
• Interest Rate Thresholds
• Profitability Goals
• Regulatory Concerns
• Information Security Incidents
• IT Changes
• New Products
• Failed Customer Interactions
• Business Continuity Tests
• Operational Losses
• Process Errors
• Policy Exceptions
• Audit Issues
• Staff Turnover
73
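The dashboard criteria above (consistent definitions, comparisons across time and business units, a timely view of how risk owners are doing) can be made concrete with a small KRI evaluator; this Python is an added example written for this page, not the presenters' material. The KRIs, thresholds, business units and readings are constructed, as is the escalation rule (any red indicator, or an amber one that is still worsening, goes to the Board packet).

```python
from dataclasses import dataclass
from statistics import mean

@dataclass(frozen=True)
class KRI:
    name: str
    measure: str
    warn: float                   # amber at/beyond this value
    limit: float                  # red at/beyond this value (policy limit)
    higher_is_worse: bool = True  # False for e.g. capital ratios, where low is bad

def status(kri: KRI, value: float) -> str:
    """Compare the latest reading with the warning and limit thresholds."""
    if kri.higher_is_worse:
        breached, warned = value >= kri.limit, value >= kri.warn
    else:
        breached, warned = value <= kri.limit, value <= kri.warn
    return "RED" if breached else "AMBER" if warned else "GREEN"

def trend(kri: KRI, history, window: int = 3, band: float = 0.10) -> str:
    """Latest reading vs. the mean of the preceding `window` readings, in risk terms."""
    if len(history) <= window:
        return "n/a"
    base = mean(history[-window - 1:-1])
    change = (history[-1] - base) / (abs(base) or 1.0)
    if not kri.higher_is_worse:
        change = -change  # a falling capital ratio is a worsening trend
    return "worsening" if change > band else "improving" if change < -band else "flat"

def dashboard(kris, readings):
    """readings: {kri name: {business unit: [readings over time]}} -> board-packet rows."""
    rows = []
    for kri in kris:
        for unit, series in readings[kri.name].items():
            rows.append({"kri": kri.name, "unit": unit, "latest": series[-1],
                         "status": status(kri, series[-1]), "trend": trend(kri, series)})
    return rows

def escalations(rows):
    """Rows that need Board attention: any RED, or an AMBER that is still worsening."""
    return [r for r in rows
            if r["status"] == "RED" or (r["status"] == "AMBER" and r["trend"] == "worsening")]

# Constructed KRIs and readings (four periods each); thresholds are illustrative only.
KRIS = [KRI("Loan delinquencies", "% of portfolio 60+ days past due", 1.5, 2.5),
        KRI("Policy exceptions", "count per month", 5, 10),
        KRI("Net worth ratio", "% of assets", 8.0, 7.0, higher_is_worse=False)]
READINGS = {"Loan delinquencies": {"Branch A": [1.0, 1.1, 1.2, 1.6], "Branch B": [1.3, 1.3, 1.2, 1.2]},
            "Policy exceptions": {"Branch A": [2, 3, 4, 11], "Branch B": [6, 5, 5, 5]},
            "Net worth ratio": {"Consolidated": [9.0, 8.8, 8.6, 7.6]}}
```

`escalations(dashboard(KRIS, READINGS))` returns the rows a board packet should lead with; the same rows compared side by side give the cross-unit view the slide asks for.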

RISK REPORT EXAMPLE (KRI REPORT) 74


IN SUMMARY… 75



NO ERM AT YOUR CREDIT UNION?
• It’s happening already …this is the business of banking
• Start simply …joint Board/Committee and Management adventure
• Focus on Business and Regulators …how to use it to improve processes and performance …a continuous improvement perspective
76


GREAT DUMB QUESTIONS
• What happens if…?
• Seems like that market is…could that impact us?
• I heard about…do we have risk exposure here?
• Does our policy explain what to do if…?
• Who is responsible for making sure we don’t…?
• Do we have a limit on…?
• What does our strategic plan say about…?
• Do you think senior management knows how the Board feels about that risk?
• Are there any other Board members who didn’t understand that; I’m not clear about…?
• Has anyone around here read the COSO template for risk management?
77


RECOMMENDATIONS FOR ERM
• Develop ERM Policy
– Define risk categories and roles; measure, monitor, and report
• Develop ERM Committee Charter
– Define members, roles, scope, reporting relationship to other committees
• Publish ERM Board Packet
– Key risk indicators (KRI) dashboard
– ALCO, Credit, Compliance, Operational Risk summaries
78


RECOMMENDATIONS FOR ERM
• Prepare a glossary for risk, compliance, audit
– Common terminology is part of culture change and education
• Arrange all risk, compliance, audit, regulatory activities on a calendar
– Show the full scope of ERM activities
• Use a standard set of risk categories
– Assess and monitor these exposures and tolerances across business units
79


QUESTIONS?
Louise Hanson, 425 -3037, louise.hanson@mossadams.com
Shannon Haas, 415-677-8314, shannon.haas@mossadams.com
80