CUMA Conference 2005

1
CUMA Conference 2005

• Where Credit Union Managers Connect

2
CUMA Welcomes

• Andy Poprawa
• Deposit Insurance Corporation of Ontario

• Implementing DICOs Revised By-law 5

3
Agenda

• Update on By-law 5 Revisions
• Relationship to ERM
• DICOs New Risk Assessment Framework

4
Standards of Sound Business and Financial
Practices

• Effective for year ends after July 1, 2005
• Need to update policies, procedures in certain
  areas to comply
• New reporting regime
• Resolution of the Board of Directors certifying
  compliance
• Workbooks available
• MISAR no longer required to be filed

5
Standards of Sound Business and Financial
Practices

• Specific standards
• Governance responsibilities of board /
  management
• Capital
• Credit Risk
• Operational Risks
• Market Risk
• Structural Risks (asset / liability management)
• Liquidity Risk

6
Standards of Sound Business and Financial
Practices

• Governance responsibilities of board and
  management
• Board is responsible for
• Approving risk management policies
• Establishing authorities for approvals, code of
  conduct, business objectives consistent with
  cooperative principles
• Appointing competent management
• Evaluating results
• Management is responsible for
• Implementing risk management policies and
  procedures
• Implementing business plan
• Reporting to the board

7
Standards of Sound Business and Financial
Practices

• Capital Management Policy and Controls
• Quality, quantity composition of capital
  required
• Distribution of dividends to members
• Credit Risk Management Policy Controls
• Types, classes, limits of loans
• Security requirements
• Credit assessment process
• Levels of credit decision making
• Management of delinquent impaired loans
• Operational Risk Policy
• Levels of authority, security, technology
• Internal controls disaster recovery

8
Standards of Sound Business and Financial
Practices

• Market Risk Policy and Controls
• Authorized types of investments decision making
  authority
• Measuring market impairment
• Structural Risk (Interest Rate Risk)
• Limits on amount and maturities of deposits,
  loans and capital
• Limit on exposures to interest rate risks
• Pricing of loans and deposits
• Liquidity Risk Policy and Controls
• Limits on sources, quality and amount of liquid
  assets to meet liquidity needs
• Reporting on compliance at least once a year

9
Relationship of Standards to ERM

• ERM is an organized, disciplined process to
  identify, manage and control risks to which the
  credit union is exposed
• By-law 5 provides a basic framework for an
  effective Enterprise Risk Management Process
• Several models available to implement an ERM
  program based on the Standards, i.e.
• COSO
• Grant Thornton

10
COSO Model

• Committee Of Sponsoring Organizations of the
  Treadway Commission (www.coso.org)
• Eight components
• Internal environment
• Objective setting
• Event / risk identification
• Risk assessment
• Risk response
• Control activities
• Information and communication
• Monitoring

11
The COSO ERM Framework

• Components can be viewed in the
• context of four categories
• Strategic
• Operations
• Reporting
• Compliance

12
Grant Thorntons RAFT Model
The operation of
Business Processes
introduces
and exposes
People, data, applications, facilities
technology affected by IT
Events that cause harm or loss
Threats
Assets
if poorly controlled means
Vulnerability
Absence of Control Unprotected from Danger
resulting in
Possibility of suffering harm or loss Danger
Risk
13
Threats

• Assessment based on
• Probability x Impact
• x Characteristic
• Characteristics influence the impact of the
  threat
• Speed of onset
• Forewarning
• Duration

The operation of
Business Process
introduces
and exposes
Threats
Assets
if poorly controlled means
Vulnerability
resulting in
Risk
14
Threats

• Business perspective
• Pre-defined Assessed
• High, medium, low (stoplight approach)
• Related to Information Criteria

The operation of
Business Processes
introduces
and exposes
Threats
Assets
if poorly controlled means
Vulnerability
resulting in
Risk
15
Threat Assessment
Probability Low1, Medium2, High3
Impact Low1, Medium2, High3
Characteristic Sum of 1 plus Speed of onset (slow0, fast1)Forewarning (forewarned0, not forewarned1) Duration (short0, long1)
16
Vulnerability

• High, medium, low vulnerability assessment is
  based on the control assessment.
• Good controls Low vulnerability
• Poor controls High vulnerability

The operation of
Business Processes
introduces
and exposes
Threats
Assets
if poorly controlled means
Vulnerability
resulting in
IT Risk
17
Control Assessment

• Carnegie Melon Maturity model

0 Non-Existent Management processes are not applied at all
1 Initial/Ad Hoc Processes are ad-hoc and disorganized
2 Repeatable Processes follow a regular pattern
3 Defined Processes are documented and communicated
4 Managed Processes are monitored and measured
5 Optimized Best practices are followed and authorized
18
Vulnerability Assessment
0 Non-Existent Management processes are not applied at all
1 Initial/Ad Hoc Processes are ad-hoc and disorganized
2 Repeatable Processes follow a regular pattern
3 Defined Processes are documented and communicated
4 Managed Processes are monitored and measured
5 Optimized Best practices are followed and authorized
P Primary Impacts S Secondary Impacts
19
Risk Assessment
20
DICOs Risk Assessment Framework
21
Conceptual Framework

• Significant Activities Associated Risks
• Assessment of Quality of Risk Management
• (Based on Criteria in By-law 5)
• Risk Offsets Capital Profitability
• Residual or Net Risk

22
New Risk Assessment Framework

• Why?
• Current CAMEL-based process is a risk rating,
  quantitative exercise
• Move to risk-based capital and prudent person
  approach to regulation will require a better
  understanding of an institutions risk profile
• Who?
• Developed by OSFI for FRFIs
• Being used by BC Saskatchewan credit union
  regulators deposit insurers

23
New Risk Assessment Framework

• When?
• Current CAMEL ratings to be retained until the
  new capital rules are implemented (probably in
  2006) and a revised differential premium system
  is designed (likely in 2007)
• Migration to new risk assessment process already
  started on a preliminary basis with 44
  institutions completed
• Target to complete assessment of all institutions
  within a year

24
Risk Assessment Framework
25
New Risk Assessment Framework

• How?
• Start by examining the significant activities
  of each credit union and the materiality of each
  activity
• Determine the inherent risk of each activity as
  defined by the categories of risk in By-law 5
• Evaluate the quality of risk management by
  significant activity again using the criteria set
  out in By-law 5
• Determine the residual or net risk of each
  significant activity and its direction

26
New Risk Assessment Framework

• How? (cont)
• Determine the overall net risk of the
  institution
• Assess the risk offsets profitability and
  capital
• Make a conclusion about the composite risk rating
  of the institution
• Discuss the analysis with each institutions
  management and board
• Determine what, if any, action is required

27

28
New Risk Assessment Framework

• Frequently Asked Questions
• Is the assessment confidential?
• What are the implications of this process?
• Will DICO intervene if risk is assessed as high?
• Will this assessment affect my premium?
• If we disagree on risk assessment what happens?

29
Thank You!Questions Dialogue
30
Awards Banquet Cocktail Reception

• Sponsored by Platinum Conference Partner