Risk Appetite and Risk Management Framework


Hey everyone.

This is Mark Treichel with another
episode of With Flying Colors.

We are here today to talk
about corporate governance.

You could call it corporate
governance part two.

You could call it risk
management framework.

We're going to talk about risk appetite and
issues that we discussed in a previous
episode, which was the global
concept of corporate governance.

And I'm joined as I am frequently
with Steve Farr and Todd Miller

of my team, and formerly of NCUA.

Good morning.

Yeah, good morning.

Good morning.

And just in case we have a first-time
listener, if you guys could give a brief
intro of your time at NCUA and what you
did there. Why don't we start with Steve?

Yeah.

All right.

Well, of my 30 years, what specifically
applies to this subject: for my first 15
years at NCUA I was involved in the field,
most of it as a problem case officer.

Along those lines, you get to become
involved in the operations of those
troubled credit unions and fixing the
operations and planning and setting them
up for success.

So I think that comes into
play a lot here for this subject.

Then the last 15-plus years I had at NCUA,
I was in the central office, where I
worked a lot on developing guidance for
the examiners and looking at how other
regions were dealing with credit unions,
helping them resolve operational issues
and such.

And then I was involved in a lot of
rulemaking at NCUA, which provided a
good basis for dealing with this subject.

Very good. And Todd, your
background at NCUA before retirement?

I spent about 34 years with NCUA.

I can break my career
into about three parts.

The first third of it, as an examiner
and a problem case officer, I dealt with
a lot of troubled credit unions there as well.

The second part of my career, I was a
capital market specialist for about a
decade and trained NCUA's staff on
interest rate and liquidity risk, and
worked with a lot of troubled credit
unions in that era as well.

And that capital markets position really
focused on risk management to a great

extent in very specific details as
to interest rate and liquidity risk.

And then the last third of my career,
I was the Director of Special Actions,
supervising problem case officers,
capital market specialists and
regional lending specialists.

And once again, a big focus on
troubled credit unions or
large, complex credit unions.

Enjoyed my 34 years with
NCUA, learned a lot.

Hopefully, we can share a little bit of
that experience with listeners today.

That's fantastic.

All right, guys.

Risk management framework.

How do we want to kick
this hot topic off?

I wanted to start with this: we've
talked a lot about the proposed rules
that FDIC put out that would apply
to their financial institutions above
10 billion, and it was guidelines
establishing standards for corporate
governance and risk management.

And there was a notice of proposed
rulemaking issuance of guidelines.

And I think it's important that we
like the document and how it pretty
concisely lays out all of the elements
of corporate governance; it does a
good job of that.

I wanted to make it clear that we're
not saying that they should put this
rule in place.

So I thought why don't I look at what
the comments came in on that, because

the comment period for that ended.

It ended originally in December of 2023,
and they extended it for another month
and a week into 2024.

And so I looked at the comments. There
are 67 comments, which is quite a bit,
but then they had a form letter that
was 82 comments. It was exactly the same.

But in summary, the banks and bank
trade organizations really had some
concern about the cost of implementing
this, and certainly all these guidelines,
proposals and policies do have costs
associated with them.

And that's something we bring up a lot:
when NCUA or other agencies tell you to
do something, remind them of that.

It's not cost free.

And they had some issues over the time
that was going to be spent on this, the
time estimates that are inside the regulation.

They thought it might be overly
prescriptive and blurred the line
between the board and management.

And I think one thing we like about
this is it does put the emphasis back
and the power back in the board of
directors for taking control.

They think it's misaligned a little bit
with the Federal Reserve Bank and OCC.

The OCC has very similar requirements
inside of their regulation that

apply to banks over 50 billion and
which you can find in 12 CFR 30,

the safety and soundness standards.

And there's a concern that, because of
the requirements put on the board, it
would make it difficult to attract new
board members. And I think that as
institutions get bigger, certainly you're
looking for good quality board members.

And I would think that if your institution
has a good reputation and standing in
your community, it probably shouldn't be
that difficult to attract good board members.

Too many policies to approve.

Yes, there are a number of policies
that it emphasizes in there.

The overuse of the word "ensure," which
could set up unrealistic expectations.

They asked for making the size threshold
consistent with the OCC's rules.

There are some potential
conflicts with state laws.

So that's what the
institutions have in there.

Nobody said anything about, wow,
this is just really poor guidance.

None of that.

That's interesting.

And as you said that, I went to my
friendly dictionary.com.

You know what a word means, but when you
look at the actual definition of it, it
can actually sometimes drive a point
home even more.

So "ensure" means make certain that
something shall occur or be the case.

So you're making certain. They're
basically putting a heavy burden on that
board with the use of the word "ensure."

So that's a good point.

And your point that it's only guidance:
will it ever get approved? Who knows?

But the reason we refer to it a lot
here on the podcast and in credit union
conversations is because it's
principle-based and has a lot of
really good ideas.

So I think it's good to talk through that.

I'm glad you brought that up.

Todd, any comments on
what Steve posed there?

It's principle-based, and that's good.

And I think we'll probably get
into this more in the podcast.

You see this a lot in exam reports.
You see it a lot in writing.
You see it from the FDIC.

All the regulators are consistent on a
risk management philosophy and program
sophistication: things should be
commensurate with the institution's
size and complexity.

You just see that throughout the gamut.

And I think probably in this case,
and I didn't look at the comments
like Steve did, when you start
regulating specific instances for
specific institutions, regulators and
employees and examiners tend to drag
that bar down to way below where the
regulation says. It's just their
natural tendency.

I think part of it is, it's an attempt to
improve institutions when they do that.

But examiners specifically, they
tend to lose sight of that cost

piece when they start placing burdens
and expectations from a larger

credit union on a smaller one.

And we see that often. We saw it a lot
when we were at NCUA, and we're seeing
it now in our current roles: that trickle
down. You can say it's 10 billion.

And ironically, too, you get a lot of
comments, as Steve described, on the
cost, right?

And you'd think, okay, the 10 billion
credit union or 10 billion bank, whoever
commented on this would be a bank, is
concerned about the costs of all this.

So even the big institutions.

Have cost pressures.

And then when you throw that trickling
down below the 10 billion, because an

examiner looks at it, or we look at it
and tell a credit union that, hey, you

might want to consider these principles.

That does have a trickle down
effect and a huge cost effect.

So risk management framework.

What is it?

What does it include?

And what can credit unions glean from
the concept of a risk management framework,
and what should they do to keep their
institution running optimally?

If you look at all the regulators, they
break a risk management framework down
into basically three parts.

At the top, they have a risk culture,
which the board establishes along with
management. They have a risk appetite,
and we'll talk about those because it
becomes more and more important the
larger you get.

And then you have your basic risk
management system, which may be one or
two parts in smaller credit unions, but
as you get into the larger and more
complex credit unions, you're looking at
three lines of defense: a separate risk
management department and internal audit
departments.

So you're looking at three
separate departments.

And then where the cost starts coming in
is when you build out the risk management
office within a credit union, and you have
a chief risk officer and staff in that
department. You're looking at very
expensive, very experienced people and
systems to aggregate across your risks.

It gets expensive really quick, but at
the top of that whole process, or
framework, is risk culture.

And we talked about boards establishing
culture in part one of this, and I'll
just say that the risk management culture
that the board and management establish,
that tone from the top, is really the
most important piece of this, because I
don't care what you put in writing under it.

I don't care what your
org chart looks like.

If you don't have a good risk management
culture to begin with all of that stuff

underneath it is going to be ineffective.

Yeah, I found it interesting.
I think we both looked at the same thing.

There's a pyramid inside of the OCC's
guidance on corporate governance, and
being a pyramid, it reminded me of
something. I was a big sports person
growing up, and the pyramid that guided
me when I was young was John Wooden's
pyramid of success.

Now, when I look at this one: John
Wooden had the pyramid of success.
This is your pyramid of success.

And at the top of theirs it's risk
culture, as was correctly pointed out.

Their middle section is the risk appetite.

And at the bottom of the pyramid,
they have the three lines of defense.

And I think that was to me, I always
think that's a good way to look at

things because John Wooden, of course,
was very successful as the head coach of

UCLA in the sixties and early seventies.

A couple things. Now I'm going down all
sorts of rabbit holes in my brain
because you brought up John Wooden.

It wasn't until recently that I learned
that John Wooden was offered a job to
coach at the University of Minnesota
just before he accepted UCLA. Minnesota
was supposed to give him a call back,
and they didn't get back in time.

And then the UCLA offer came in. As a
Golden Gopher, discovering that the
greatest basketball coach of all time
could have been a Gopher had they
responded timely, I was crushed.

And two other John Wooden references:
there's a great quote by him.

"Be quick, but don't hurry," which is what
he told his basketball players, and which
might've been part of this pyramid of
success. And okay, the trifecta down this
rabbit hole is there was a recent three- or
four-part ESPN documentary on Bill Walton,
which was Bill Walton, "I'm the luckiest
man alive," something like that.

It came out just before Bill Walton
passed away earlier this year.

In it he talks about the pyramid of
success and how it made him who he was
as a player and how much love he had
for John Wooden.

Let's move forward so we can
get to the actual meat here.

But I like the reference to that
pyramid in this pyramid discussion.

Any rabbit holes you want to go down,
or anything we triggered there with
our discussion of basketball and
John Wooden?

No, I do think we got ahead of ourselves.

We never really defined what a risk
management program is, and so we started
talking about it without defining it in
any specific case, and maybe we shouldn't
have done that.

Risk management, basically, is a program
that identifies, measures, monitors and
manages risk.

It's something that we do every
day as individuals, whether

we do it consciously or not.

We're thinking of that risk reward when
we get in our car and drive to work. We
think about risk management, or we don't
think about it, but we practice it when we
look both ways before crossing the street.

You do it when you put insurance
on your house and maintain things.

It's just an expectation of regulators
that when you get into a financial

institution, you do this a little bit more
consciously rather than unconsciously.

And that's what that risk management
culture is about: instilling in people
this whole thought that there's some
conscious thought in their risk
management, risk reward decisions as
they go.

Yeah, so as you said, a program that
identifies, measures, monitors and
manages risk.

Steve, any thoughts you want to
highlight there on what it is,
on the definition?

No, I think we're good.

That's good.

Excellent.

Excellent.

All right.

So what's next, guys?

We walked through the risk culture,
the risk appetite, and the risk
management system as the three major
areas of this pyramid, of this program.

Anything you want to expand
upon on the risk culture?

We talked about the importance
of the tone from the top.

Anything else there we want to hit?

Nothing other than if you go and look
at all our troubled credit unions, it's

almost always you can trace it back
to a breakdown in that risk culture.

Yeah, that's a great point.

And then risk appetite.

Any thoughts specifically
on risk appetite?

I know we've talked about this in
some discussions on other podcasts.

That we're seeing examiners
wanting credit unions to develop

a risk appetite for particular
concentrations, et cetera, et cetera.

What are your thoughts on a risk
management framework, specifically

as it relates to risk appetite?

This one is an interesting one, and this
is probably where you have the hugest
variance from small credit unions up to
large sophisticated organizations.
Certainly within ONES, they expect risk
appetite statements to be very formal
and address NCUA's seven risk categories.

Listeners who are involved with
credit unions are familiar with

those seven risk categories.

Your other regulators, they add
concentration and model risk to

NCUA's seven risk categories.

But small credit unions, you
do this in a very informal way.

You lay out that risk appetite statement
by just having a business plan and

having limits in your various policies.

You put limits in your loan policy,
you put limits in your liquidity
policy, you put limits in your ALM policy.

As you get into larger organizations,
these risk appetites get a little bit

more sophisticated and more formal.

You start adding
concentration risk policies.

You start putting more metrics around
your business plan and what success

looks like or what failure looks like.

It's appropriate as part of your
risk appetite statement that you

have ways to measure risk and measure
whatever you're trying to control.

So establishing metrics for that
is a very important piece of it.

Within your business plans,
business strategies, quite often

you see the qualitative things.

Here's what we're trying to do and
why in a big picture type of thing.

"We're willing to accept moderate risk,"
or "we don't want to be operating in an
unsafe, unsound manner in our
investments." So those are qualitative
ways where you can identify and lay out
your risk appetites.

Like I said, once you get into the larger
credit unions, and I know we see this
in ONES, there's an expectation.

These large, complex organizations will
have formal risk appetite statements.

And then they'll have policies underneath
them that are all consistent with that.

And this kind of goes back to the culture
thing, what you lay out in your risk

appetite, it should be consistent with
your business plans, business strategies.

There should be some level of consistency
across your organization with that.

And you communicate that to
your staff to be effective.

But to me, the biggest thing with risk
appetite is not necessarily what these
are. It's that they're communicated, that
they are in writing in some way, shape or
form, even if it's within other policies,
and the big piece of it is appropriate
metrics for measuring risk.

And then the second big piece of that
is a reporting system that tells
you where you're at.

There has to be some quantitative
measures there, and there has to be some

reporting of those quantitative measures.

You won't read this in any of the
regulators guidance, but the way

I've always framed it throughout
my career is it's incumbent on

management to demonstrate they're
complying with those board policies

and risk appetite statements.

I like that.

I like that.

Steve, any thoughts on what
Todd just shared there?

Yeah, no, he covered it really well.

The big thing that always comes to my
mind when I think of risk appetite, and
you're looking at how you're trying to
define that: mine always comes down to,
with consistency, it should start with
how much capital do we have?

That really defines how much risk you
can take on. If you're operating on
those lower ends and close to those PCA
triggers, you probably need to have a
risk appetite that's pretty conservative,
because you really don't have the
ability to absorb the losses.

Now you look at institutions that are
really well capitalized, and they can
take on more risk, but it can go too far.

The best example we have, of course,
is the taxi credit unions.

So talk about concentration risk and
their risk appetite: taxi medallions
in these major cities.

And some of those credit unions had
capital ratios in excess of 15 percent
and thought, wow, we're okay no matter
what happens.

So your risk appetite, you have
to understand how aggressive

it is, especially in terms
of that concentration risk.

Yeah, capital can cure a lot of things.

But just because you have a lot of
capital, if your asset quality in those
concentrations goes bad, or the game
changes where you don't have
diversification, you're referring to
those credit unions that all they did
was the medallion loans.

And when the medallion was worth a million
dollars in New York City, for example, and
you had 28 percent net worth, nobody
could envision that wasn't going to work
out well. When a medallion is worth
100,000, 28 percent net worth wasn't
enough in that situation for the risk
that was inherent in that huge concentration.

So people will be like, how exactly do
you define that risk appetite and
find risk appetite statements?

I did some searching around.

I did find some pretty good examples
out there, and you can even look across
the industry as to how other industries
do it, because NCUA and OCC, they all
have their own risk appetite statements.

So that's one you can look at.

You don't have to start from scratch
if you're trying to develop one of
these. There are some examples out
there that I think people would find
helpful.

And Steve, when you talk about examples,
are you seeing that in the banking agency
guidance, or what kind of search result
is triggering that?

I was just searching for specific bank
ones that might be out there and
available to look at, and I did find a few.

There were some that were European based,
and I've had good luck looking at
examples from some of these other
regulated institutions. It's not just
America that's after corporate
governance; it's international and
part of Basel.

It's interesting that Steve
mentions concentration risk.

One of the things, NCUA
has their seven risk areas.

Concentration risk isn't one of
them, but within NCUA's National

Supervision Policy Manual, they have
a whole section on concentration risk.

But one of the things we see consistently
amongst our clients is this whole DOR
finding to credit unions: support your
concentration risk limits.

We see that consistently.

They expect them to be measured against
capital, as Steve said, but that's a

pretty common finding nowadays in our
larger organizations where examiners

are demanding that institution through
stress testing or some other means,

justify their concentration limits.

And that's been pretty much
a constant since we started this.

It has been. And I think, as we may
have discussed in other episodes, or I
know we've talked about it with certain
credit unions, there are concentration
limits that are not public that trigger,
as we've talked about, higher levels
having to review exams.

If certain institutions go over certain
thresholds as far as concentration
limits, it's actually not just the
region that their exam has to be cleared
by. It ends up going to the Office of
Examination and Insurance.

And that could be commercial loans over
X percent of net worth, where they're
going to have to get the okay or the
concurrence from the Office of
Examination and Insurance that it
is reasonable.

And sadly, those things are not public,
not in NCUA's, the NSPM that you
referred to.

They're either redacted or at dead links.

And that's something we've
mentioned on occasion.

So there is some guidance out there,
but it's not perfectly available
to the credit union world.

I think just one last thing with risk
appetite, and this kind of ties in
with corporate culture, too.

And this is what kind of gets credit
unions sideways with examiners somewhat:
there needs to be a process or specific
action steps when limits are neared or
breached.

And NCUA does expect that.

There will be an action plan when
appropriate when you get close to

limits or when you go over limits.

Quite often we see
this in our clients.

They're outside their limits
and, they haven't done anything.

Hasn't been discussed with the board.

Hasn't been discussed in ALCO.

Oh, we think it will correct itself.

We don't do anything.

There actually has to be a sense of
urgency in addressing situations when
you are over board-established limits.

And I think a second piece of that,
too, is you need to have an environment
where your staff is comfortable to say,
"Hey, risk is getting out of hand here,"
whether it's been quantified or not.

So let's say someone has a risk appetite
that says we will have 300% of net
worth in commercial loans.

And then all of a sudden a member comes
in with a fabulous opportunity for the
credit union and for the member, and they
want to blow through that 300% limit.

They don't document it in the board
minutes, they don't have any conversations
about it, or they just change the policy
from 300 to 350 without having any
analysis that supports that limit.

That kind of goes to where NCUA says we
want you to be able to support that
limit. It wasn't a goal, and now you've
established a new reach goal. It actually
is a limit for the risk, and it's important
that your documentation and your
discussions in all those committees and
places you mentioned are indicative of
that, or you could end up getting
criticized in the examination.

Definitely. Risk management systems and
the three lines of defense: do we want
to walk through each of the three lines
of defense and discuss those?

I think so.

In larger, complex organizations,
we'll talk about three lines of defense.

Generally, you have that
frontline business units.

That second line of defense is
usually a department that's
underneath your chief risk officer.

Then you have internal audit.

Realistically, that's at the end of that
long ruler of sophistication where you
have three lines of defense. Many of our
credit unions really break this down
into two lines of defense: they have
their frontline units and management,
and then they have that internal audit
under the supervisory committee.

You don't start seeing this whole third
line of defense, or a separate risk
management department, until credit
unions start crossing over a billion to
three billion dollars and they start
thinking about hiring chief risk
officers and setting up separate risk
departments.

You typically don't see it in smaller
credit unions, but smaller credit unions
can still accomplish all the same things
without adding those extra people.

It just needs a little bit more diligence
on the part of their executive management.

First line of defense: it's always those
people conducting your transactions.

That's your loan officers, your tellers,
your people that are interacting with
the members. That's where things start.

That's where your risk assessment starts
for specific lines of business, whether
that's commercial lending, consumer
lending, real estate lending, what have
you. It's that first line of defense
that says, hey, let's do things in a
safe, sound, appropriate manner.

Let's make sure we have liens
perfected on these vehicles.

Let's make sure we're making loan
checks out to the right people

and aren't getting defrauded.

Let's make sure these people have
the ability to repay and that loan is

for a provident productive purpose.

But that first line of defense, think
of that as your business unit.

These are the people that
interact with our members.

They're performing transactions.

It's important that they understand
their job and understand that risk
reward proposition and their role in it.

That's the best way I can think of
to lay out that first line of defense.

They're closest and nearest to
those members and those transactions

in whatever area you're at.

Yeah, so they're carrying out that
strategic plan, compliance with those
policies that were put in place that
have the limits that are part of the
risk appetite.

The other thing that comes into play is,
of course, these are the people that are
staffing and training, keeping their
staff adequately staffed and trained.

And all the other resources that it
takes to run the credit union, including
IT, they're all in that frontline unit.

So that's their role: to carry out the
operations consistent with what the
board has directed.

Great points.

Go ahead.

No, go ahead.

Mark.

Anything relative to the internal audit
function on the third line of defense:
what it is, general thoughts on
principles and things that credit unions
should be keeping in mind as it relates
to the internal audit side of this?

So you're going to jump from one to
three and skip two. In smaller credit
unions, you just have that supervisory
committee internal audit. Their role is
really to test internal controls and
verify that things are working the way
they're supposed to.

That's the whole role of that
supervisory committee audit.

Are our financial statements accurate?

Are our reporting processes accurate?

They're the ones that verify everything
is working the way it's intended.

And that's an important piece of it.

You need some confidence there
and some testing of those things.

Examiners fall into this a little bit,
even though they're never ever mentioned
anywhere in this risk management process.

But that third line of
defense, it's important.

Just the existence of internal audit,
and someone looking over everyone's
shoulders, actually helps staff comply.

They'll do a better job of complying
with internal policies and procedures
when they know someone's checking up on them.

Yeah, it's like the empty police car, right?

You see it, you slow down, and you go,
"Oh, wait, look, there was nobody in that
car," but you slowed down because you saw
it. It's there; they're going to be
doing the reviews.

And Todd, that's exactly why I skipped
over the second line of defense: your
reference to first line and third line.
Smaller credit unions will have those;
they might not necessarily have the
second line.

Steve, any thoughts on the
third line of defense?

Yeah, if you're a credit union, and you're
trying to communicate with your examiner
how you're doing that internal control,
the big tool that you can provide them is
that audit plan, so that the examiner or
anybody else looking at the department
can quickly go through and say: during a
year, this is what they're going to cover,
and they cover all the important items.

That becomes one of their main
communication tools. That is their
strategic plan as to what they're going
to try and do, and then this is how
they're going to go about doing it.

And then, of course, they need the staff.

According to that audit plan. The other
thing we run into is sometimes the
auditors are seen as a wink and a wave:
just do it, but don't make trouble.

That's also a problem, that they need to
be appropriately respected by senior
management.

If examiners feel that the auditors are
put in the back room with poor lighting
and all that kind of stuff and not given
good resources, that's a real telltale
sign that something might be a mess.

Great point.

Great point.

This all works together.

Speaking of cop cars, Mark, I have four
pictures, one from Oregon and three from
small towns in Montana, where they park
cop cars with dummies beside the road.

I'll stop and take their
pictures when I see that.

You need to send those next time,
and we'll put them on the podcast
art for one of the podcasts.

My wife laughs because it
does make me slow down.

So it's effective.

I was going to say something
else about what Steve just said.

No, I lost my train of thought.

Oh, so, auditors and independence,
and this is important.

These systems work together.

Auditors are not necessarily independent;
they're also getting paid. They're trying
to preserve client relationships.

I've had auditors look right at me and
tell me to my face that they've signed
off on something that wasn't GAAP.

And I said, the client's paying the bills.

That's happened a couple
of times in my career.

Which kind of leads into why larger
organizations need that third, middle
leg, that second line of defense, their
own internal risk management department
under a chief risk officer: you need
that other assurance.

The other thing is, in smaller credit
unions, and there's nothing wrong with
it, it's a reality, in smaller, less
sophisticated places, risks tend to get
managed in silos.

Your lending people manage your lending risk.

Your CFO or another executive is going to
manage that interest rate and liquidity risk.

You're going to have an IT person back
there who is going to manage all that
cybersecurity type risk and transaction risk.

And you tend to do that separate
and not bring them together.

But the thing is, all these risks kind
of add up over time, and they're all
stressors on your capital. You reach a
point in size and complexity where you
can't be managing this stuff in silos
anymore. You need a way to aggregate
these risks across the organization,
and that's when you start adding a whole
risk management department and a chief
risk officer.

Sometimes it's one person; in larger
organizations, that might be three or
four persons. But now you start
aggregating risks across the organization.

These people tend to be very
experienced people at that
chief risk officer level.

They start adding support to
the first line of defense.

"Here's other legal risk."

"Here's things you didn't think about."

You're really talking about the beginning
steps of a fully implemented enterprise
risk management system at this point.

And you start aggregating these
risks across the organization.

And, the biggest thing is
with the chief risk officer.

And if we have this department,
it's another department with that.

Reports directly to the board
or the supervisory committee.

So it's a way to watch over management.

It's the department that you can
supervise have a little bit more control

over than necessarily an independent
auditor where you get what you pay for.

Actually you get what you pay for
with this as well in that second line

of defense, but it's another just
important piece where you can start

aggregating risks across the organization.

When you silo things on a complexity
wise, sometimes you can get blindsided

by risks you didn't know about or
didn't realize they were there.

That's another reason you put
that second line of defense in.

Under a chief risk officer is
hopefully you avoid being blindsided

by these siloed risks when you
start aggravating, aggregating

them and putting them together.

And it's a way to.

It's a way to reinforce your risk
culture too, because now you got one

point that says this is how we're
going to measure and monitor risks.

It tends to get every case of the
organization on the same page.

So to speak.

And in those individual silos, like
on the loan risks, the constant is, if

I'm out there and I'm a loan officer
and my goal is to get loans out,

I'm not going to, I'm going to
want a higher risk appetite than

somebody who's looking at how does
that really relate to net worth.

So having that second line of defense that
can do all the things you just described

can help mitigate and control that to
make sure that it's consistent with the

risk culture that the board and management
want to make sure is ever present.

Steve, any thoughts on the second line?

Just 1 thing comes to mind that we've
had a couple of our larger clients that

have that position and has commented
on how they think that person should be

included in the organizational chart.

And I think we've had general
disagreement with that, in

that the chief risk officer.

Is going to be involved in virtually
all of your major committees

because they need to know what's
happening throughout the institution.

So I'm looking for your
recollection of those discussions

that we've had with clients.

Yes, that's definitely been an issue.

And it's a scenario where the second
line a couple of different scenarios,

if I'm remembering right, where
the second line has been given,

it's almost as if it's veto power.

So the board wants to do X and management
wants to do X, but this committee is

saying we shouldn't be doing X, we should
be doing Y, and NCUA almost framing it

Like they have more authority.

than the CEO and/or the board, and I'm
definitely not convinced that's the

way that it should be necessarily set up.

And then also we've seen situations
where NCUA is saying why

is this person on this committee?

And what's their
role on this committee?

And the reality is, based
on the principles, they

should be on that committee.

Todd, any thoughts on what
Steve or I just said there?

Yeah, I have a note here somewhere
about segregation and duties and how

this plays out, but I'm not going
to wade through it for the moment.

Essentially, you have a separation
of those who measure monitor risks

and those who take risks and I think
sometimes NCUA blurs this a little bit.

And I've seen this a couple different
times in larger organizations where

NCUA's expectation is that you would give
this chief risk officer veto authority.

And that's not the way the thing sets up.

They're the folks that measure risk.

Yes, there should be a measure
or an effective channel for them

to communicate, with the board.

Through the supervisory committee
or however you want to set it up.

If they believe that risks are getting
on a line, but at the end of the day

of that whole risk reward proposition,
the folks taking risks or the board

defines how much risks are allowable.

And it's the chief executive
and management staff that

engage in risk taking.

I don't think it's appropriate that
your chief risk officer should have

carte blanche veto authority.

They're there to support
these other functions in

measuring that aggregated risk.

It's their role to say, hey, we
missed something here, let's think

about this a little bit more.

But, they are not the risk takers
and I don't believe you should

necessarily give a Chief Risk
Officer veto authority either.

They're one part of this tripod,
but they're not any greater are.

And then the other part
of it, and I do think NCUA

gets that wrong when they lay out an
expectation that a chief risk officer

should have veto authority over things.

The other thing we've seen is NCUA

taking exception to a chief risk
officer having voting privileges

on whatever committee it might be.

I don't think that's the regulator's role.

There's a ruler of sophistication and
there's no right or wrong answer to this.

That individual is involved in
aggregating risks across the organization.

Whether they're a voting or a non voting
member, they probably need to be parts

of these committees and understand
what is going on in the various

departments across the organization.

And whether they're a voting or non
voting member, it doesn't matter.

Let them be a voting member
because their role is to bring up

discussions of risk and enhance this.

And I don't think it's the regulator's
role to necessarily say you can or can't

be a voting member on any committee
within the organization just because

you're in the chief risk officer's chair.

I think in that case, it's a case of
NCUA maybe overstepping their duties.

And we've seen that a couple of times.

Great points.

And that goes to it's not a regulation
that requires how it's structured.

It's a management decision.

They rely on safety and soundness.

They rely on sound business practices.

They rely on finesse to get
NC, get the credit unions to

structure it in a particular way.

But in the end, it's the
credit unions decision.

Particularly because there isn't
a regulation that says it has

to be done exactly A, B, and C.

The credit union is responsible.

As NCUA points out, corporate
governance, the board is responsible.

It's the board with the interaction
with senior management that lays

out the framework that makes
most sense for the individual

credit union, regardless of size.

Guys, what else, anything else here that
I missed, any other topic we want to hit

on the concept of the risk management
framework the pyramid, anything else we

need to hit here before we wrap today?

I wanted to go through, we've
talked about, resources available

for credit union boards, that
NCUA doesn't have their board of

director manual that was out there.

The OCC does have the
director's reference guide.

And that has a good section on
risk governance, and

it has questions to consider.

And red flags that would be
brought to me. One of the red flags

would be the number of issues.

Identified by regulators so we can put
that and then in at the end of the, that

section on there, it has a big example
of all the references that they have

that relate back to the subject of risk
governance and corporate governance.

That's very complete.

So we'll make sure we get that out there.

Yeah, if you could send me those
links, I'll put them in the show notes,

any of those that you think people
might be particularly interested, be

good to. I may have those, but make
a note to send me those and I'll

put them in the show notes.

Todd, anything you think we
should hit here before we wrap up?

I'll just reemphasize what we started out
at the beginning and we brought this up in

our 1st podcast on corporate governance.

This all really starts with culture that
the board and management put in place.

And like I said, it doesn't necessarily
matter what's in writing and what

that org chart looks underneath.

Like underneath it, the most
important piece of that is that

culture that is established by the
board and by executive management.

And a lot of this isn't rocket
science. Identify, measure, monitor,

control risks are concepts that
have been around hundreds of years.

I used to have banking risk management
books; the concepts go back to Roman times.

There were even documents
in Latin about that.

So those core concepts haven't changed.

I think it's.

For directors, you just be independent,
ask good questions about this.

It's not rocket science.

You can get up to speed on it.

But just be independent in your thought.

And it goes back to
corporate culture again.

Let's have a way to articulate our risk.

Let's have appropriate limits in place.

Let's hold management
accountable for those limits.

And I think that's a big piece of
that culture too, is there has to be

consequences when people choose to
not stay inside the box, so to speak.

That's a great place to wrap guys.

This was a deep topic and
I learned a little bit.

Hopefully the listeners
picked up some points here.

I appreciate your thoughtful comments
as it relates to this important topic.

Thanks, guys.

And listeners, I want to
thank you for listening.

As always, I hope you
will listen again soon.

This is Mark Treichel signing
off with Flying Colors.
