Audits Uncover a Frequently Overlooked Compliance Task Among Consolidating Credit Unions
December 22, 2022
Originally published in CUInsight, December 15, 2022.
More credit union compliance teams are dealing with mergers today than a year ago. In the third quarter of 2022 alone, the NCUA approved 58 mergers. That’s a nearly 35-percent jump over the 43 approved during the same time in 2021.
Among the very long list of to-do’s during a merger is reevaluating risk. Too often in recent months, ViClarity’s audit team has found risk assessments of the acquiring institution is overlooked and untouched—sometimes long after the consolidation is complete. This is problematic for a few reasons.
First, risk assessments are variable. They are highly dependent on the type of business an organization conducts and with whom it’s conducted. When mergers occur, memberships, products and services are all impacted. The average age or geography of a member can change overnight, as can a credit union’s product or vendor mix, transaction types and servicing needs. Any one of these changes has the potential to introduce an entirely new set of macro and micro threats to the business.
Second, risk appetite is relative. What is deemed an acceptable risk by one board of directors may be completely unacceptable to another. Take handling deposits for a marijuana business or investing in cryptocurrency, for example. Although increasing in numbers, the practices continue to be divisive among credit union executives and board volunteers. Leadership changes during mergers can easily reset a credit union’s overall risk tolerance.
Third, examiners expect it. Regulators want to see evidence of risk assessments being conducted on a regular basis. They also expect credit unions to break with that cadence when something monumental occurs. A merger certainly qualifies as one of these moments.
Fourth, you can keep it simple. Reevaluating risk is not a step practitioners should skip—and should consider that the process can grow in complexity overtime along with the organization’s own growth. Merging parties do not need to reinvent the wheel with a full-blown retooling of the practice. Start with the risk assessment process you and your incoming colleagues agree works the best. It may even belong to the smaller institution. Reevaluate the major areas first; calendar out the smaller areas for consideration at different times throughout the year.
Risk Assessments Can be Highly Enjoyable for the Right Compliance Pro
Risk assessments, regardless of merger activities, should never been considered a “check the box” discipline. Like so many areas of compliance management, risk assessments should be ongoing and continuously evolving. For that reason, credit unions should assign the task to a professional who loves risk assessments. (They’re out there. Ask me how I know!)
Risk management is an exciting field that is constantly changing, which makes it highly attractive to people energized by continuously learning. Someone who enjoys working with technology, too, can make a great fit for risk-related tasks. So much of the discipline is becoming automated by platforms that make evolving strategies easier to deploy and AI models that introduce prescriptive data analytics into the discipline. Yet, keeping a human in the loop will remain of paramount importance, particularly for people-centric organizations like credit unions.
Anyone who has been through a merger understands the threat of overwhelm. The to-do lists are long and getting longer as regulators turn up the compliance heat on consolidating financial institutions. Some things may need to come off that list, but the reevaluation of risk simply can’t be one of them. It’s too important, and who knows, it may also be one of your new team member’s favorite things.