FedChoice Federal Credit Union ($346.5M, Lanham, MD) exclusively serves federal civilian employees, retirees, and their families from Washington, DC, to Philadelphia. It has six branches, 25,000 members, and $346 million in assets. Michael Martin joined the credit union as risk manager in 2007; David Bunch has been president/ CEO since 1996.
FedChoice has had a risk manager since the mid-’90s, but the position’s scope has changed. The job was originally designed as a compliance and internal audit function; the risk manager was meant to look at internal operational risks and oversee regulatory compliance. Since that time, regulations have increased in complexity and scope, and managing the variety of risks at a credit union has become more complicated. Pressure from the regulator to anticipate risks has increased, and the exam itself has become more risk-based. All of this has forced risk management to be more global.
CU QUICK FACTS
FEDCHOICE FEDERAL CREDIT
HQ: LANHAM, MD
12-MO SHARE GROWTH: 5.45%
12-MO LOAN GROWTH: 4.85%
We now outsource a lot of internal auditing to our supervisory auditor — we previously used two different firms for internal and external auditing but now feel that is unnecessary — which allows Mike to broaden his scope. For example, he monitors a matrix of operational risks at the departmental, functional, and transactional levels.
Over the years, when the credit union was searching for a risk manager, it was typically looking for the competencies of an accountant and auditor. More recently, it was looking for someone versed in security. Mike was a good choice because he had strong backgrounds in operations and technology. Moreover, he understood credit unions. FedChoice could build on that. Mike become a certified compliance officer, which gave him more experience in the member-facing areas of operation.
Risk management pertains to anything that could hurt the credit union. One person can’t handle it alone. It has to be a collaborative, engaging effort. It can’t be a silo, and it can’t be feared. Mike has his compliance certification, but the department heads are responsible for compliance within their departments. Mike supports them and is a resource, but he wears many hats.
All the risks of yesterday are still present today, but they are weighted differently. The NCUA shifts its interests or technology morphs and the risk manager has to be sensitive to that. Today’s risk manager has to be proactive. If he’s reacting, in one sense, he’s already too late.
Since Mike came to the credit union in 2007 there has been a sea change in the expectations of this job. There are the expanded expectations the credit union has of him. There is also what we see becoming the focus for the risk manager. As one part of a larger potential enterprise risk management function, the risk manager is a voice among many voices that creates an overall risk assessment and develops a corporate risk assessment.
One of Mike’s principal roles is to make sure department managers — who are in a sense also risk managers in their respective departments — are ready for the NCUA exam. This involves not just accumulating required materials but also knitting together people and expertise. He prepares managers by discussing the needs, expectations, and hot buttons on the NCUA’s radar screen.
This is an important point about today’s risk manager. In the traditional view, the risk manager was a kind of internal auditor and employees could be a little afraid of him or her. Employees need to think of the risk manager as a safety net, someone who is a resource and will lend support, as well as someone they can go to for help. This might be for a case in which a single member is attempting an act of fraud or a more complex situation dealing with broad policy points. The more the staff perceives the risk manager as a resource, the more successful risk management in the credit union is going to be.
Risks Today And What To Do About Them
Credit unions today are facing the traditional risks they have always faced: interest rate risk, data breaches, loss of financial integrity, and business continuity coordination. But there are also others to consider, including reputation risk, loss of important or highly trained employees, loss of morale or engagement among employees, and loss of momentum from dealing with the glut and depth of regulations. As the role of risk management either transforms into or aids the evolution of a broader enterprise risk management, the risk manager will help the credit union take a thirty-thousand-foot-view to better ascertain these issues.
We are trying to anticipate what the NCUA wants in their guidance as we build a wider risk management mentality. We are building a rudimentary risk-assessment tool, a kind of dashboard, to allow us to assess risk input from various departments and then assess overall risk at the corporate level. It will give us the perspective we need. It will allow us to look at critical events in real time and give us a risk score. It will allow us to add or avoid risk and show us if we are moving to a good place with respect to strategic planning.
Mike’s background was IT so he looked at risk initially from an IT perspective. Now he looks at risk with a much broader lens. He studies reports from different segments of financial services to sharpen his focus on what he needs to look for inside the credit union. He talks to people at various employee and management levels. He also mentors new managers. A lot of our staff is young, and he explains to them why we need policies and procedures and the net effect of not having them. If Mike is successful, then the credit union is safer and his job as risk manager is easier. He also attends conferences and roundtables, including the ERM Institute roundtable in Raleigh, VA, where more than 100 companies from 26 states offer guidance and ideas on how to develop risk management into a wider contributory role and make credit unions even stronger.