By: Gene Fredriksen, Security Strategy Consultant
When a member can’t withdraw money from an ATM, they don’t wonder whether or not the credit union has set its operational risk appetite correctly – they just want to know when they can access their cash. IT or third-party supplier errors and failures, cyberattacks, bad weather and other external hazards are all sources of operational risk, and each of them can translate directly into a poor member experience.
An area of growing concern for many financial institutions, operational risk primarily measures a credit union’s ability to deliver products and services to its members. A good place for credit unions to start for guidance is to look at how the National Credit Union Administration (NCUA) defines operational risk. The following is an excerpt from the NCUA Examiner guide:
Why should credit unions be assessing their operational risk program? As our industry has increased the use of technology to deliver digital services to members, we have also amplified the complexity and interdependence of our systems: a single failed supplier, network link or software release can now take several member-facing services down at once. This category of risk, increasingly driven by technology, is now a common boardroom subject.
Defining Your Credit Union’s Operational Risk Appetite
Overall, credit unions should uphold a balanced approach to risk. Effective risk management is not purely about avoidance of risk. A credit union’s vision and strategic objectives should require that risk is managed based on value. Typically, an organization should accept risk that is commensurate with a potential reward, such as growth or transformation.
Fostering a credit union culture that supports value-based assessment and risk management is crucial to long-term success. An essential building block to incorporating risk decisions as part of your credit union’s business plan is to define the risk your credit union is willing to accept.
Creating a “risk appetite statement” can help your credit union maintain a strong risk management focus. A risk appetite statement should explicitly note the level and nature of risk your credit union is willing and able to take to pursue its mission. For instance, if your credit union has a high risk appetite, you are willing to accept a high risk of potential financial loss or exposure, a major breakdown in an information system or in information integrity, reputation damage, or significant incident(s) of regulatory non-compliance. Other levels of the broad risk appetite spectrum include moderately high risk, balanced risk, low risk and risk-averse, where your credit union would have preventive controls in place and would treat any occurrence of the harm as unacceptable.
Since many risk discussions are focused on technology initiatives, let’s look at an example of an operational risk statement, specifically an information technology risk appetite statement:
Information Technology (IT) risks cover both daily operations and ongoing enhancements to the credit union’s IT systems. These include:
- Processing – Prolonged outage of a core banking system: The credit union has a very low appetite for risks to the availability of systems that support its critical business functions, including those which relate to settlements, banking operations and treasury. Maximum recovery times (recovery time objectives) have been identified for each of these systems and agreed upon contractually with the outsourced supplier.
- Security – Cyberattack on credit union systems or networks: The credit union has no appetite (risk-averse) for threats to its assets arising from external malicious attacks. Because the credit union cannot control whether it is attacked, only whether an attack succeeds, it addresses this risk through strong internal control processes, the development of robust technology solutions, and the ability to detect and respond to attempts that are not prevented.
- Ongoing Development – The implementation of new technologies creates new opportunities, but also new risks. The credit union has a low appetite for IT system-related incidents which are generated by poor change management practices.
Credit unions face a range of risks reflecting their charter and responsibilities to their members. These areas of risk include deposit-taking, lending, investment, the security of information, financial stability and day-to-day operational activities. Risk appetite (the broad level of risk the credit union is willing to accept) and risk tolerance (the acceptable variation around that level for a specific objective, such as the maximum tolerable outage of online banking) are also dynamic, and will change over time in response to different drivers, which is why a common definition of both terms is important for providing a shared starting point and terminology. Ultimately, the goal of a documented risk tolerance statement is to help ensure that all critical business decisions align with your credit union’s strategies, mission, vision and values, and deliver strong value to your members.
The key to long-term success is remaining relevant in the marketplace. The future success of a credit union starts with your members. As new business applications roll out, members are demanding simple-to-use, trustworthy products and services that put them first. In simple terms:
- Your members expect your credit union to keep their information accurate and secure.
- Your members expect your credit union to ensure their information is available 24/7.
- Your members expect your credit union to offer services on all types of computers, smartphones and other devices.
In addition to defining your credit union’s operational risk appetite, educating your staff on how to apply the risk appetite guidance in day-to-day decisions is critical to effectively delivering products and services to your members. Understanding your credit union’s tolerance for risk will help to make sure that as you deliver new products, they meet all of your member, regulatory and operational expectations.
Gene Fredriksen is a co-founder and current executive director of the National Credit Union ISAO and the principal cybersecurity consultant with PureIT CUSO. He has previously held the positions of CISO for PSCU, Global CISO for Tyco International, principal consultant for security and risk management strategies for Burton Group, vice president of technology risk management and chief security officer for Raymond James Financial, and information security manager for American Family Insurance.
Fredriksen served as the chair of the security and risk assessment steering committee for BITS, and also served on the R&D committee for the financial services sector steering committee of the Department of Homeland Security. He also served as an advisor on various cybersecurity steering committees for the administrations of George W. Bush, Bill Clinton and Donald Trump, assisting in the preparation of the president’s Cybersecurity Position Paper.