In today’s regulatory environment, staying compliant requires more time and resources. That’s why credit unions across the country have begun hiring chief risk officers and tasking entire departments with the responsibility of risk management.
Such is the case with TTCU ($1.5B, Tulsa, OK). Six years ago, it named Stephanie Jones as its chief risk officer. Jones had worked at TTCU since 2002 in charge of its internal audit and compliance department. Before that, she was an examiner at the NCUA. When she left the agency, she was the supervisory examiner in Oklahoma.
Here, Jones discusses her responsibilities, how her experience as an NCUA examiner influences her work, and the skills required to succeed.
How has your role at TCCU evolved?
Stephanie Jones: I initially had compliance and internal audit. When I became the chief risk officer, we took away my internal audit responsibilities and collections started reporting to me. That’s a little different from most chief risk officers, but my CEO at the time wanted to give me more operational experience.
Stephanie Jones, Chief Risk Officer, TTCU
How many people are in the risk management department? How does it fit into the TTCU org chart?
SJ: I have two employees that report to me, and we handle the compliance and the fraud. I report to the CEO. The executive vice president is also the chief operations officer. He’s a bit more elevated than the rest of the c-level executives — the CFO, the CIO, the chief human resource officer, the chief administrative officer, and I.
What are the titles of your two employees?
SJ: Risk management specialist I and risk management specialist III.
What is the difference?
SJ: How complicated their responsibilities are. The risk management specialist I does mostly currency transaction reports, reviews fraud alerts, and makes decisions on whether to conduct additional research for fraud less than $5,000. We don’t have a risk management specialist II. The risk management specialist III does the additional research on fraud more than $5,000, determines whether to file a suspicious activity report, reviews advertising pieces, and helps me with vendor due diligence. If we have a new regulation that is fairly complicated, I would use her to help me implement it. If it was something that was not so complicated, I would use the risk management specialist I.
CU QUICK FACTS
data as of 12.31.14
HQ: Tulsa, OK
12-MO SHARE GROWTH: 7.02%
12-MO LOAN GROWTH: 1.76%
What are your responsibilities as a chief risk officer?
SJ: Compliance and collections. The risk management department monitors the industry for new regulations and makes sure we implement them correctly. The Bank Secrecy Act responsibilities fall under the compliance umbrella, so we do all the suspicious activity reports and currency transaction reports. The risk management department also handles non-plastic fraud — fraud dealing with virtual branch and check fraud — and vendor due diligence.
I serve as the chair of the security committee. The security committee makes sure external audits are performed, maintains a member information risk assessment, and takes care of any findings.
I also serve on all these committees that manage risk throughout the credit union. I’m on the loan committee, and I ask questions like, "Do we want to change our underwriting?" During loan committee meetings, I report collections and delinquency information. I serve on the allowance for loan loss committee, which determines what kind of provision for loan loss expense we want to make and whether our allowance is adequate. I also serve on the asset liability management committee.
Do you develop programs or initiatives to help departments stay compliant? Or do you mostly advise?
SJ: For other departments, I mostly advise on the regulatory requirements.
Here in risk management, I developed and implemented our policies and procedures on vendor due diligence to comply with regulations. Now, we realize we’ve got so many vendors and contracts, we need a software program that can better help us handle vendor management.
With the collections team reporting to me, I have a lot of involvement in handling the risk and making sure we have processes in place. We’re always on the lookout to implement new programs. We implemented a software package about four years ago that has helped tremendously.
You’ve held this position during what many have called the Regulatory Tsunami. How has the industry changed since you started?
SJ: When I started in internal audit and compliance there were not as many regulations coming out. Now, especially over the past few years with all the real estate regulations, compliance takes up a lot of my time. There’s no way I could have handled the auditing part.
Examiners are placing more emphasis in how closely credit unions are following the regulations, and I think their scope is broader. It used to be they’d barely touch on some of the regulations, but now when they come in they are looking at each regulation in-depth to see how we’re complying. With the Regulatory Tsunami, it takes up a lot of time and a lot of resources to implement the different pieces.
How much time do you spend looking at laws and regulations? How detailed do you need to be in your analysis?
SJ: If it’s a new regulation, I spend a lot of time reading it and making sure we understand what the regulation requires and how we are going to implement it. I brief the executive team. If it’s a particular regulation, say on lending, I might not go as in-depth as I would on a regulation that covers the whole credit union. I would just meet with our vice president of lending to make sure they are aware of the new regulation and they’ve got plans in place to implement it. They’re usually pretty good about taking on the task themselves instead of relying on me. They’re pretty good, too, at monitoring the industry and what regulatory changes are coming out.
How does your time at the NCUA influence your work today?
SJ: I have the background to know what the regulators are looking at and how to interpret the regulations. I’ve seen it from the regulatory standpoint and also from the credit union side. When I was with the NCUA, I didn’t realize how much time, effort, and resources went into implementing regulations. It’s much harder than what you think as an examiner.
What kind of skill set would you look for in a chief risk officer?
SJ: A chief risk officer has to have experience in a variety of areas within the credit union. Examiners look at a variety of departments and they have a wide scope when they do the exam.
When I was with the NCUA, I didn't realize how much time, effort, and resources went into implementing regulations. It's much harder than what you think as an examiner.
Technical knowledge is another important skill set. I don’t know every regulation, but often times we can be discussing something — some service or product that we want to implement — and I know enough to say, “I think there’s a regulation that affects that. I’ll do the research and let you know what that is.” Knowing there’s a potential regulation that might come into play is important.
Finally, being able to read, comprehend, and interpret is important. A lot of people don’t read and comprehend. They aren’t willing to do the research to figure out what the regulation means, what it affects, and how the credit union is going to implement it. It takes a lot to pull all that together.
What is the value of the chief risk officer in the credit union industry?
SJ: Chief risk officers see beyond one particular department. I try to look at the risk to the credit union as a whole. You have your investment portfolio that your finance department takes care of, and you’ve got your lending portfolio that your vice president of lending is responsible for. But I’m looking at everything as a whole and not in silos.