According to several companies that track such things, the number one thing that NCUA regulators are asking credit unions for this year is a copy of their risk assessment.
With fifty-five new regulators planned for 2009, the NCUA also announced its plan to move to a twelve-month examination cycle. This is in contrast to the previous 18-24 month examination cycle, and has prompted a written complaint by the Credit Union National Association (CUNA), which objects to adding new regulators as well as to the new examination cycle.
In fact, CUNA wrote, “We find this draconian and believe there is a more cooperative way in which NCUA and the state regulators can discuss this issue …” It may turn out to be more prudent than draconian, because these risk areas, which should be detailed in the risk assessment, are areas that many credit unions have ignored, or have managed to ‘get by’ on with a homemade spreadsheet, which does little to identify or quantify risk.
In a risk-averse environment with regulator issues on television every day, CUNA did state that “given the economic crisis and the need for NCUA to be able to continue reporting to Congress that it is handling problems well, CUNA is not opposing this change [the 12-month cycle]”, and continued, “Even so, we strongly support a reasonable phase-in period that focuses on problems and risk first.”
Looking at this, it seems that part of the problem is a disconnect between the financial regulators and the credit union senior management. Management and the Board look at these requirements as annoyances that have to be completed and that keep them from more important work, like getting new members or new loans, instead of looking at the risk assessment as a support to their business process.
When viewed as an integral part of a business process, it is clear that the risk assessment supports management by providing a quantitative view of the entire IT program, or of the entire operational processes of the credit union. It supports management decisions directly by providing real justification for the controls that management and the Board need to implement, and by giving the NCUA regulators visibility into those decision processes.
It shows the logic of the decision process, i.e., why management decided to use biometrics on their laptops, or why they need to shift some of the security controls to their outsourced vendors and make the vendors more directly responsible for security. This allows the regulators to give better advice and support to the credit union, because there is a rational process that can be discussed and examined, to the overall benefit of improved operations for the credit union.
The intent of increased regulation is not always to aggravate or criticize the credit union management, but can be a positive force which allows the credit union to advance, gain new members and be more profitable.