When I travel around the country and speak at conferences, one question I always get asked by credit unions is: “What are the hot examination issues this year?” Recently, I moderated a webinar with NCUA staff squarely on this topic. Two issues were discussed: the evaluation of third party relationships and strategic planning.
These issues have risen in importance because in the field, examiners have noticed a decreasing amount of emphasis on due diligence when credit unions establish relationships with third parties. To compensate for the loss of interest income due to a tough economic climate, credit unions have turned to products that generate additional fee income. In doing so, credit unions may overlook basic due diligence considerations to assure the vendor is a “good fit” with the credit union’s overall business and strategic plans.
Indirect lending, loan participations and other relationships must be accorded a due diligence review appropriate for each particular CU’s operations. In addition, examiners are seeing credit unions spend less time working with their boards to develop a three- to five-year roadmap for the future. Management and boards need to be engaged to look at the “here and now” so that the “there and then” don’t catch the credit union by surprise. Below is a brief summary of the highlights discussed during the webinar.
Evaluation of Third-Party Relationships:
In December 2007, NCUA published Letter to Credit Unions 07-CU-13. The purpose of the letter was to provide credit unions with the guidance provided to NCUA field staff on evaluating third party relationships. One aspect of 07-CU-13 that credit unions may find helpful is that NCUA recognizes that credit unions absolutely have to partner, contract, and engage third parties in order to provide the products and services members need and to stay competitive. However, credit unions also need to look at those relationships from a “360 degree” perspective to weigh the benefits and the risks.
An effective program to evaluate third party relationships includes three elements: (1) plan and assess risks; (2) due diligence; and (3) measure, monitor and control risk.
Planning should include the credit union comparing the expectations of the relationship to its strategic plan, goals and objectives. Do the expectations fit into the overall mission and philosophy of the credit union? The risk assessment process should take into account the critical nature of the relationship. A relationship which results in using a vendor to provide a critical product or service normally requires a more comprehensive review and oversight process.
Due diligence should include a comprehensive background check of the prospective vendor prior to entering into a relationship. Credit unions normally contact other credit unions for vendor references. While this is a very good first step and can provide valuable insights to a vendor’s abilities, it does not result in a comprehensive background check. A comprehensive background check also includes assessing the vendor’s experience in providing a service, determining whether a vendor has any past or current legal issues, ensuring that appropriate licenses and, if applicable, certifications are in place and are current and securing references from other sources such as the Better Business Bureau, FTC and credit reporting agencies.
The third element of an effective program is measuring, monitoring and controlling risk. Credit unions must have a written policy and procedure in place approved by the board of directors for the product or service. The policy is not for the benefit of the examiner. It’s there to provide direction and clarity to a credit union’s operation and boundaries to the level of risk the credit union will undertake. Credit unions can and should share policies and procedures. The key is that each credit union needs to tailor the policy so that it fits the credit union’s operation. Measuring, monitoring and controlling risk starts with receiving reports about the progress of the third-party relationship. It includes having internal controls to keep information secure and identify which party is responsible for which activity. Finally, it includes evaluating whether modifications need to be made to the relationship to reflect changing circumstances.
Strategic Planning:
Another key examination issue for 2008 is strategic planning. Strategic risk is one of the seven areas of risk in NCUA’s risk-focused examination system. It’s defined as the current and prospective risk to earnings and capital arising from adverse business decisions, improper implementation of decisions or a lack of responsiveness to industry changes. Examiners assess the credit union’s ability to anticipate and address rapid changes that might affect operations through the strategic risk indicator.
There are five steps to the planning process. The first is the identification of the credit union’s vision and mission. The vision statement represents the ideal state the credit union hopes to achieve and should represent something that is attainable but is a stretch. The mission statement describes the overall purpose for the credit union’s existence (i.e., what your CU does, why it does it and for whom).
The second step is to perform an environmental scan. A credit union should assess its internal and external operating environment. This part of the process provides valuable information about the existing or emerging risk that might arise from current or new business initiatives. The third step is to develop goals and objectives, both short and long term. The credit union’s goals and objectives should be consistent with its mission and vision. The credit union should also define the acceptable level of risk that management is willing to assume to attain its goals and the necessary level of capital to support that risk taking. The credit union should assign responsibility, authority and accountability for achieving the goals and establish a timeline for completion and a mechanism to measure progress.
The fourth step is implementation. Implementation means assuring the resources, policies, processes, personnel, control systems and communications are in place to get the plan moving. The final step in the planning process is evaluation and control. Evaluation and control relate back to goals and objectives. In the course of monitoring and measuring progress, information may come to light which results in the need for you to adjust your goals, your strategies or the means by which you will achieve those goals. A good performance measurement system should include a method to measure, monitor and report results, as well as make any changes that are necessary.
For more information on these topics, you can take a look at the archived webinar on NCUA’s website: www.ncua.gov.
Gigi Hyland is a member of the board of the National Credit Union Administration.
