Mountain America Credit Union ($3.5B, West Jordan, UT) began in 1934 as a credit union for telephone employees in Salt Lake City. It now serves more than 400,000 members and multiple SEGs across five states and more than 70 branches. The second-largest credit union in Utah prides itself on being a product leader. When Cathy Smoyer started working at Mountain America 15 years ago, she oversaw the card products department. The credit union promoted Smoyer to internal auditor after she earned an MBA, and her duties have continued to gradually expand. As a senior vice president and chief risk officer, Smoyer currently oversees five departments.
Our current approach to risk management began in 2005 when the CEO expanded my role from vice president of risk management to SVP and chief risk officer. As vice president, I oversaw four areas: internal audit, compliance and loan review, fraud, and risk management. The expanded position is more in line with a global enterprise risk management (ERM) program. More departments and staff report to me, including the operational security and IT risk management departments. ERM at Mountain America is a living, breathing entity of its own — adapting, changing, and growing.
Since the credit crisis there has been heightened scrutiny on risk management and accountability. But we were early in the risk management field, so we basically altered and enhanced what we already had going. We worked on critical metrics and expanded the notion of risk management to encompass the entire enterprise. We made the program richer and deeper.
Mountain America now has a risk management department that deals with operations and an IT risk management department that works closely with the IT/IS department and IT security. The risk management department performs risk and vendor assessments, handles bond and insurance issues, administers the vendor management program, and acts as a consultant on risk matters for the credit union.
IT risk management performs application risk assessments as well as vendor assessments. It administers the business continuity plan, which works with the disaster recovery program housed in the IT department, and is a consultant to other business units on IT risk issues.
The heads of these risk departments report to me. So do the heads of the compliance and loan review department, operational security department, and the fraud department. To bring these departments up to speed, we have sometimes gone outside the credit union for needed talent and skill. For example, we went outside for leadership in the IT risk management and operational security departments. But we also developed internal leaders for the compliance and loan review, fraud, and risk management departments.
All of the departments are located in the corporate building on the same side of the same floor. There is interdependence among the five departments and they consult one another often, especially on products that go out to the rest of the credit union, so proximity is helpful.
Risk management sits in on early meetings about potential products and services. We want to properly identify and address potential risks associated with innovations before a product or service gets halfway to development and then attracts questions and downsides. Having a seat at the table from the get-go has helped us quite a bit.
Training is essential and never-ending. Leaders and some staff attend off-site training at least annually. The training derives from professional association groups and credit union groups — local, regional, and national — and might be on software or evolving risk categories. Interacting with professionals outside the credit union in their various risk management fields helps staff learn about risks and how to keep ahead of them. Of course, federal and state regulators maintain steady pressure. They want to see a certain level of training and certification. I think this is appropriate.
Risk management has morphed throughout the credit union community as well as here at Mountain America. This is a challenging area for many credit unions and keeping up, especially for smaller credit unions, will continue to be a challenge.
We use sophisticated software for risk management. A standard spreadsheet cannot adequately manage the risk function for a credit union of our size and complexity. We analyze data daily, and we thoroughly examine specific elements at different frequencies. We interrupt or accelerate these frequencies as new factors arise, for example, when we hire a new manager or introduce a new product.
We don’t set aside a percentage of budget for risk management. Instead, the board, CEO, and executive management set the credit union’s course during the strategic planning session and determine how risk tolerance fits into that. This then flows through the credit union’s business units, and we determine what we need to support those departments in dealing with that level of risk.
Credit unions today face all the traditional risks, such as interest rate risk, but that is not all. Compliance risk has risen to the forefront, especially as it applies to mortgages and consumer regulation. Reputation risk is another overlooked, dangerous factor. It can harm the credit union if you do something wrong or are perceived as having done something wrong.
Technology security is a tremendous concern. Credit unions have to have protocols and guards in place. This is one of the hardest risks for smaller credit unions to address because doing so requires time, expertise, and money. The best approach is to work with others — leagues, consortiums, or larger credit unions — to make sure the credit union and its members are protected.
There’s also the threat from the likes of Google Wallet and the Wal-Mart/American Express partnership, both of which are working their way into our market. Mountain America offers a suite of products, not just one, to do the same things these competitors can do. And we do it better.
We can’t eliminate risk. We can only properly identify it, accept it, and mitigate it to an acceptable level. No two risk management programs will look alike. There are likely to be structural similarities, but every credit union is distinct in its field of membership, location, mix of products and services, and so on. Each credit union, therefore, requires its own distinct risk management plan.