Credit Union Risk Management: Building a Better GRC Program

  • June 18, 2020
  • Quantivate

Taking Credit Union Risk Management to the Next Level

Credit unions and other financial institutions face increasingly complex regulatory and risk environments. And traditional management methods — often manual, spreadsheet-based, and disconnected — result in siloed data and inconsistent processes. This type of approach can’t align risk management activities across your institution, and doesn’t equip credit unions to manage, monitor, and act on risk and compliance in real time.

“It amazes me how much dependence credit unions have placed on spreadsheets and manual processes,” Tony Diaz of SchoolsFirst Federal Credit Union, a Quantivate client, told CUNA in an interview on compliance technology.

“This was the norm until just a few years ago,” Diaz, SchoolsFirst’s vice president of compliance, explained. “Many effective risk management software platforms are on the market that can be scaled up or down depending on the complexity of a credit union’s operations and risk tolerance. It’s difficult to pass muster with your regulator without having a robust, software-based compliance management system. Examiners frown on manual processes and single points of failure.”


Risk Management Priorities for Credit Unions

According to the NCUA’s announcement of 2020 supervisory priorities, examiners are focusing on some key risk areas:

Cybersecurity: Examiners will continue to assess credit unions’ cybersecurity maturity using the Automated Cybersecurity Examination Tool (ACET). Additionally, the NCUA is introducing new procedures to evaluate security controls, with reviews scaled to the size and risk profile of the institution.

Update, July 2020: The NCUA will be piloting a new tool to identify gaps in security safeguards called In-TREx-CU (Information Technology Risk Examination solution for Credit Unions). Due to the persistent threat of cyberattacks in the financial sector and the growth of the remote workforce, the NCUA will be prioritizing the evaluation of critical security controls.

Did you know? Quantivate’s IT Risk Management Software, one of the modules in our integrated GRC Software Suite, has ACET assessments built in, as well as an FFIEC Cybersecurity Assessment Tool, to verify that your credit union’s cybersecurity program is up to regulator standards.

Compliance With Consumer Financial Protections: Examiners are looking for compliance with regulations that cover member service and data protection requirements, including the Electronic Fund Transfer Act (Regulation E), the Fair Credit Reporting Act (FCRA), Gramm-Leach-Bliley (Privacy Act), Payday Alternative Lending rules, and the Truth in Lending Act (Regulation Z), among others.

Update, July 2020: The NCUA will now also be focusing on compliance with changes to Regulation E and Regulation Z enacted since the start of the COVID-19 pandemic.

Read the full NCUA letter to credit unions on 2020 Supervisory Priorities →

Read NCUA’s July 2020 Update to Supervisory Priorities →

Note: Due to COVID-19, NCUA examinations are currently proceeding offsite until further notice, barring any serious or time-sensitive matters that require in-person attention.

The NCUA states that examiners will be “mindful of the impact information requests may have on a credit union experiencing operational and staffing challenges associated with the COVID-19 pandemic” and will also consider the “extraordinary circumstances credit unions are facing” when reviewing financial and operations conditions.

Read NCUA’s May 2020 Update to Offsite Examination and Supervision Approach →

Credit Union Risk Management Maturity and Alignment

A report from the Institute of Internal Auditors (IIA) aligns with these focus areas and offers additional risk categories to consider that are common concerns across industries. The OnRisk 2020 report surveyed key decision-makers at North American organizations (including board members, executive management, and internal audit leaders), who identified several top risks:

  • Cybersecurity: managing cyber threats that could result in business disruption or reputational damage
  • Data Protection: protecting internal, consumer, and other sensitive data
  • Regulatory Change: keeping up with new laws and regulations in an evolving regulatory environment
  • Business Continuity and Crisis Response: preparing to react, respond, and recover in the event of an unexpected incident or business disruption
  • Data and New Technology: leveraging data and new technology to adapt and thrive in an increasingly digital, rapidly changing business environment
  • Third Parties: selecting, monitoring, managing, and maintaining oversight of vendors and other third parties; understanding their impact on business processes and strategic objectives

While the stakeholder groups agreed on top-priority risks, their perceptions of their organization’s ability to manage specific risks and opportunities varied, sometimes widely. This “risk misalignment” creates dangerous ambiguity that may result in ineffective risk management strategy and unnecessary risk exposure.

Figure: Stakeholder rankings of organizational risk management capabilities. Source: IIA, OnRisk 2020 report, page 15

Additionally, many of these risk areas — including business continuity and crisis response, cybersecurity, and regulatory change — have taken on new urgency in light of COVID-19 and will continue to shape financial institutions’ risk management priorities in a post-pandemic world. Having an incomplete, or misaligned, understanding of your credit union’s ability to manage risk in these uncertain times further complicates and may even impede your road to a successful recovery.

Survey data also suggests several potential causes behind this misalignment in stakeholder views on risk management.

1. Knowledge gaps are common in risk areas related to data, technology, and cybersecurity. Stakeholders rated these categories as having high organizational relevance, but low levels of internal expertise.

“One of the greatest challenges in managing [risks related to data and new technology] is assuring organizations are sufficiently flexible and prepared to adopt and adapt to technology that will support organizational growth and competitiveness. Such preparation involves building a corporate culture that is data- and cyber-savvy and readily embraces change.” – OnRisk 2020 report

2. Stakeholders, particularly board members, often lack access to “complete, accurate, and timely” information. Boards consistently rate organizational risk management capabilities higher than executives do, indicating a communication breakdown.

3. Organizations often fail to differentiate between risks and impacts in their risk management processes (i.e., you can respond to an event like a business disruption without mitigating the underlying risk, or root cause, of the event).

“The risk is not the disruption itself, but the organization’s ability to shift away from traditional manual practices and leverage data and new technologies to remain competitive in an increasingly complex and technology-driven environment.” – OnRisk 2020 report

4. Some industries are lagging behind in adopting a holistic approach to identifying, managing, and monitoring risk. Furthermore, risk management immaturity can be a problem for institutions of all sizes: survey data found that the likelihood of having siloed versus systematic risk management processes did not correlate with organization size or revenue.

The Takeaway

This research makes it clear that credit unions need not only the ability to holistically manage and monitor risk, but also to facilitate better access to risk information so stakeholders can make strategic, data-driven decisions.

As GRC industry analyst Michael Rasmussen puts it, institutions “cannot look at risk in silos… it has to be understood in the complex web of interconnections of risk and objectives that play out from it.”

Aligning risk management with business strategy and pursuing GRC program maturity will be key steps toward resilience and growth as credit unions look to manage enterprise-wide risks more effectively and plan for the future.

How Quantivate Can Help

The Quantivate GRC Software Suite was designed to help financial institutions implement a comprehensive, integrated risk management program. Our software products are robust on their own but even better together thanks to built-in integration. This means that processes, controls, action items, laws and regulations, and other data points can flow between user groups in your credit union. Our flexible data architecture enables:

  • Data-sharing between business units and departments
  • Real-time dashboards for at-a-glance program status updates
  • Greater risk and compliance oversight and governance visibility
  • Security and access controls
  • Automated workflows
  • Configurable reports and analytics, including executive reporting
