How The Risk Management Role Has Changed

Risk Manager Michael Martin and CEO David Bunch discuss risk management strategies for FedChoice FCU.


FedChoice Federal Credit Union ($318.1M, Lantham, MD) serves federal civilian employees, retirees, and their families from Washington, DC, to Philadelphia. The credit union with a TIP charter has 22,000 members and six branches. In fourth quarter 2012, FedChoice posted a 12-month share growth of 2.11% and a 12-month loan growth of 2.68%.

Michael Martin joined FedChoice as risk manager in 2007. Martin has more than 30 years experience in the credit union industry, including at Tower Federal Credit Union, where he was employed before joining Fed Choice. David Bunch has been CEO of FedChoice since 1996.

What does FedChoice look for when it hires a risk manager?

DB: We want the competencies of an accountant and auditor and then more recently for someone versed in security. Mike has a strong operational as well as technological background. Moreover, he understands credit unions. We built on that. We gave him exposure to become a certified compliance officer and gave him more experience in the member-facing areas of operation.

Risk management pertains to anything that could hurt the credit union. One person can’t handle all that; risk management has to be a collaborative and engaging effort. Mike has his compliance certification, but our department heads are responsible for compliance within their departments. Mike supports them and is a resource for them. He wears many hats.

How has the risk manager position changed over the years?

DB: We’ve had a risk management position since the mid-’90s, but the scope has changed. Originally, our risk manager was meant to look at internal operational risks and oversee regulatory compliance. Since that time, the complexity and scope of regulations has increased, and the business of managing credit union risks has become more complicated. Pressure from the regulator to anticipate risk has increased, and the exam itself has become more risk-based. All of this has forced the risk manager position to be more global.

All the risks of yesterday are still with us today, but they are weighted differently and the risk manager has to be sensitive to that. The interests of the NCUA shifts and technology morphs. The risk manager has to be proactive. If he’s reacting, in one sense, he’s already too late. 

Employees could be a little afraid of the traditional risk manager, but employees today need to think of the risk manager as a safety net, someone who is going to be a resource and lend support, someone they can go to for help. There’s now a real human side to being a risk manager, and the more the staff perceives the risk manager as a resource, the more successful risk management in the credit union is going to be.

MM: Since I came to the credit union in 2007 there has been a sea change in the role and expectations of this job. The credit union has expanded expectations of me, and I see the potential for the credit union risk manager to focus on the enterprise risk management function. The department managers are in a sense risk managers in their respective departments, and the risk manager is a voice among many voices that helps create an overall risk assessment and develop a corporate risk assessment.

One of my principal roles is to make sure managers are ready for the NCUA exam.  This involves accumulating required materials as well as knitting together expertise and preparing managers by discussing the needs, expectations, and hot buttons on the NCUA’s radar. 

What do you feel are the major risks facing credit unions today?

MM: There are the obvious, traditional ones — interest rate risk, data breaches, loss of financial integrity, and business continuity coordination. But there are also less-considered risks such as reputation risk, loss of important or highly trained employees, loss of morale or employee engagement, and loss of momentum because of the glut and depth of regulations. As the role of risk management either transforms or aids the evolution to a broader enterprise risk management, the risk manager will help build a mindset of looking at the credit union from a thirty-thousand-foot view to better ascertain issues and risks. 

What kinds of things are you doing now?

MM: We are trying to anticipate what the NCUA wants in its guidance as we build a wider risk management mentality. We are working on building a rudimentary risk-assessment tool, a kind of dashboard that will allow us to assess risk input from the departments and then assess overall risk at the corporate level. It will give us the new perspective we need. It will allow us to look at critical events in a real-time mode, give us a risk score, and show us if we are moving to a good place with respect to strategic planning by adding risk or avoiding risk.

Other than this, what sorts of techniques are you using now that you did not use before?

MM: My background was in IT, so I looked at risk initially from an IT perspective. Now I look at risk with a broader lens. I study reports from different segments of financial services to sharpen my focus on what I need to look for inside the credit union. I talk to people at various employee and management levels. I also mentor new managers, at present, for example, our new accounting services manager. A lot of our staff is young and I try to explain why we need policies and procedures and the net effect of not having them. If I am successful, then the credit union is safer and my job is easier. I also go to conferences and roundtables. I just attended the ERM Institute roundtable in Raleigh, NC. More than 100 companies from 26 states offered guidance and ideas on how to develop risk management into a wider contributory role to make credit unions stronger.