Hey everyone. This is Mark with a special archive episode of With Flying Colors. I hope you enjoy.
We are here today to talk about corporate governance. You could call it corporate governance part two. You could call it risk management framework. We're going to talk about risk appetite and issues that we discussed in a previous episode, which was the global concept of corporate governance. And I'm joined, as I am frequently, with Steve Farr and Todd Miller of my team, and formerly of NCUA. Good morning. Yeah, good morning. Good morning.
And just in case we have a first-time listener, if you guys could give a brief intro of your time at NCUA and what you did there, and why don't we start with Steve? Yeah. All right. Of my 30 years, what specifically more applies to this subject: for my first 15 years at NCUA, I was involved in the field. Most of it as the problem case officer. Along those lines, you get to become involved in the operations of those troubled credit unions and fixing the operations and planning and setting them up for success.
So I think that comes into play a lot here for this subject. Then the last 15 plus years I had at NCUA, I was in the central office, where I worked a lot on developing guidance for the examiners and looking at how other regions were dealing with credit unions in helping them resolve operational issues and such.
And then I was involved in a lot of rulemaking at NCUA, which provided a good basis for dealing with this subject. Very good. And Todd, your background at NCUA before retirement? I spent about 34 years with NCUA. I can break my career into about three parts. The first third of it as an examiner and a problem case officer, dealt with a lot of troubled credit unions there as well.
The second part of my career, I was a capital market specialist for about a decade and trained NCUA's staff on interest rate, liquidity, worked with a lot of troubled credit unions in that era as well. And that capital markets position really focused on risk management to a great extent in very specific details as to interest rate and liquidity risk.
And then the last third of my career, I was the Director of Special Action, supervising problem case officers, capital market specialists, regional lending specialists. And once again, a big focus on troubled credit unions or large, complex credit unions. Enjoyed my 34 years with NCUA, learned a lot. Hopefully, we can share a little bit of that experience with listeners today. That's fantastic. All right, guys. Risk management framework. How do we want to kick this hot topic off?
I wanted to start with that, we've talked a lot about the proposed rules that FDIC put out that would apply to their financial institutions above 10 billion, and it was guidelines establishing standards for corporate governance and risk management. And there was a notice of proposed rulemaking, issuance of guidelines. And I think it's important that we like the document and what it, how it pretty concisely lays out all of the elements of corporate governance, and it does a good job of that.
I wanted to make it clear that we're not saying that they should put this rule in place. So I thought, why don't I look at what the comments came in on that, because the comment period for that ended. They ended originally in it goes October, December of 2023, and they extended it for another month and a week into 2024. And so I looked at the comments on there. There are 67 comments, which is quite a bit, but then they had a form letter that was 82 comments. It was exactly the same.
But in summary, the banks and bank trade organizations really had some concern about the cost of implementing this, and certainly all these guidelines, proposal, policy do have costs associated with them. And that's something we bring up a lot in terms of when NCUA or other agencies tell you to do something: remind them of that. It's not cost free. And they had some issues over the time that it was going to be spent on this that are inside the regulation.
They thought it might be overly prescriptive, blurred the line between the board and management. And I think one thing we like about this, and it does put the emphasis back and the power back in the board of directors for taking control. They would like to, they think it's misaligned a little bit with the Federal Reserve Bank and OCC.
The OCC has very similar requirements inside of their regulation that apply to banks over 50 billion, which you can find in 12 CFR 30, the safety and soundness standards. And everyone was, there's a concern that, because of the requirements put on the board, it'd make it difficult to attract new board members, and I think that as institutions get bigger, certainly you're looking for good quality board members.
And I would think that if your institution has a good reputation and standing in your community, that probably shouldn't be that difficult to attract good board members. Too many policies to approve. Yes, there are a number of policies that it emphasizes in there. The overuse of the word ensure that could set up unrealistic expectations. They asked, making that size consistent with the OCC's rules. There are some potential conflicts with state laws.
So that's what the institutions have in there. Nobody said anything about, wow, this is just really poor guidance. None of that. That's interesting. And as you said that, I go to my friendly dictionary.com. You know what a word means, but when you look at the actual words of it, it can actually sometimes drive a point home, even more certainly. So "ensure" means make certain that something shall occur or be the case.
So you're making certain, they're basically putting a heavy burden on that board with the use of the word "ensure." So that's a good point. And your point that it's only guidance, will it ever get approved? Who knows? But the reason we refer to it a lot here on the podcast and here in credit union conversations is because it's principle based and has a lot of really good ideas. So I think it's good to talk through that. I'm glad you brought that up.
Steve had any comments on what Steve post there. It's principle based and that's good. And I think we'll probably get into this more in the podcast. You see this a lot in exam reports. You see it a lot in writing. You see it from the FDIC. All the regulators are consistent on a risk management philosophy and program sophistication. Things should be commensurate with the institution's size and complexity. You just see that throughout the gamut.
And I think probably in this case, I didn't look at the comments like Steve did. When you start regulating specific instances for specific institutions, regulators and employees and examiners, they tend to drag that bar down to way below where the regulation says. It's just their natural tendency. I think part of it is, it's an attempt to improve institutions when they do that.
But examiners specifically, they tend to lose sight of that cost piece when they start placing burdens and expectations from a larger credit union on a smaller one. And we see that off, we saw it a lot when we were at NCUA and we're seeing it now in our current roles that trickle down you can say it's 10 billion. And ironically too is you get a lot of comments as Steve described on the cost, right?
And you'd think, okay, the 10 billion credit union or a 10 billion bank who commented on this would be a bank is concerned about the costs of all this. So even the big institutions have cost pressures. And then when you throw that trickling down below the 10 billion, because an examiner looks at it, or we look at it and tell a credit union that, hey, you might want to consider these principles, that does have a trickle down effect and a huge cost effect. So risk management framework. What is it?
What does it include? And what can credit unions glean from the concept of risk management framework and what they should do to keep their institution running optimally?
If you look at all the regulators, they break a risk management framework down into basically three parts. At the top, they have a risk culture, which the board establishes along with management. They have a risk appetite, and we'll talk about those because it becomes more and more important the larger you get. And then you have your basic risk management system, which maybe you're one or two parts in smaller credit unions, but as you get into the larger credit unions and more complex credit unions,
you're looking at three lines of defense, a separate risk management department, and internal audit departments. So you're looking at three separate departments. And then where the cost starts becoming is you build out the risk management officer within a credit union, and you have a chief risk officer and staff in that department. You're looking at very expensive, very experienced people and systems to aggregate across your risk.
It's expensive really quick, but at the top of that whole process or framework is risk culture. And we talked about boards establishing culture in part one of this, and I'll just say that risk management culture that the board and management establishes in that tone from the top is really the most important piece of this, because I don't care what you put in writing under it. I don't care what your org chart looks like.
If you don't have a good risk management culture to begin with, all of that stuff underneath it is going to be ineffective. Yeah, I found it interesting. I think we both looked at the same. There's a pyramid inside of the OCC's guidance on the corporate governance, and being a pyramid, it reminded me of, I was a big sports person growing up, and the pyramid that guided me when I was early was John Wooden's pyramid of success.
Now, what I look at this one is, John Wooden had the pyramid of success. This is your pyramid of success. And at the top of theirs, it's risk culture, and we're correctly pointed it out. Their middle section is the risk appetite. And at the bottom of the pyramid, they have the three lines of defense. And I think that was to me, I always think that's a good way to look at things, because John Wooden, of course, was very successful as the head coach of UCLA in the sixties and early seventies.
A couple things now, you're gonna, now I'm going down all sorts of rabbit holes in my brain now because you brought up John Wooden. So it wasn't until recently that I learned that John Wooden was offered a job to coach at the University of Minnesota just before he accepted UCLA, and Minnesota was supposed to give him a call back and they didn't give it back in time.
And then the UCLA offer came in. And as a Golden Gopher, discovering that the greatest basketball coach of all time could have been a Gopher had they responded timely, I was crushed. And the other John Wooden, two other John Wooden references: there's a great quote by him.
Be quick, but don't hurry, which is what he told his basketball players, which might've been part of this pyramid of success and okay, the trifecta down this rabbit hole is there was a recent three or four part ESPN documentary on Bill Walton. Which was Bill Walton. I'm the luckiest man alive. Something like that came out just before Bill Walton passed away earlier this year.
Then that he talks about the pyramid of success and how it made him who he was as a player and how much love he had for John Wooden. Let's get forward so we can get to the actual meat here. But I like the reference to that pyramid in this pyramid time. Any rabbit holes you want to go down or anything we triggered there with our discussion of basketball and John Wooden? No, I do think we got ahead of ourselves.
We never really defined what a risk management program is, and so we started talking about it, but without defining it in any specific case, and maybe we shouldn't have done that. Risk management, basically, it's a program that identifies, measures, monitors, and manages risk. It's something that we do every day as individuals, whether we do it consciously or not.
We're thinking of that risk reward when we get in our car and drive to work, we think about risk management, or we don't think about it, but we practice it when we look both ways before crossing the street. You do it when you put insurance on your house and maintain things. It's just an expectation of regulators that when you get into a financial institution, you do this a little bit more consciously rather than unconsciously.
And that's what that risk management culture is about, is instilling in people this whole thought that there's some conscious thought into their risk management, risk reward decisions as they go. Yeah, so as you said, a program that identifies, measures, monitors and manages risk. Steve, any thoughts you want to highlight there on what it is, the definition? No, I think we're good. That's good. Excellent. Excellent. All right. So what's next, guys?
We walked through the risk culture, the risk appetite, the risk management system as 3 major areas of this pyramid of this program. Anything you want to expand upon on the risk culture? We talked about the importance of the tone from the top. Anything else there we want to hit? Nothing other than if you go and look at all of NCUA's troubled credit unions, it's almost always you can trace it back to a breakdown in that risk culture. Yeah, that's a great point. And then risk appetite.
Any thoughts specifically on risk appetite? I know we've talked about this in some discussions on other podcasts. That we're seeing examiners wanting credit unions to develop a risk appetite for particular concentrations, et cetera, et cetera. What are your thoughts on a risk management framework, specifically as it relates to risk appetite?
This one is an interesting one, and this is probably where you have the hugest variance from small credit unions up to large sophisticated organizations. Certainly within ONES, they expect risk appetite statements to be very formal, address NCUA's seven risk categories. Listeners who are involved with credit unions are familiar with those seven risk categories. Your other regulators, they add concentration and model risk to NCUA's seven risk categories.
But small credit unions, you do this in a very informal way. You lay out that risk appetite statement by just having a business plan and having limits in your various policies. You put limits in your loan policy, you put interest limits in your liquidity policy, you put limits in your ALM policy. As you get into larger organizations, these risk appetites get a little bit more sophisticated and more formal. You start adding concentration risk policies.
You start putting more metrics around your business plan and what success looks like or what failure looks like. It's appropriate as part of your risk appetite statement that you have ways to measure risk and measure whatever you're trying to control. So establishing metrics for that is a very important piece of it. Within your business plans, business strategies, quite often you see the qualitative things. Here's what we're trying to do and why, in a big picture type of thing.
We're willing to accept moderate risk or we don't want to be operating in an unsafe, unsound manner. Our investments, so those are qualitative type of ways where you can identify and lay out your risk appetites. Like I said, once you get into the larger credit unions, I know we see this in ONES. There's an expectation that these large complex organizations will have formal risk appetite statements. And then they'll have policies underneath them that are all consistent with that.
And this kind of goes back to the culture thing, what you lay out in your risk appetite, it should be consistent with your business plans, business strategies. There should be some level of consistency across your organization with that. And you communicate that to your staff to be effective. But to me, the biggest thing with risk appetite, it's not necessarily where these are.
It's that they're communicated, that they are in writing in some way, shape or form, even if it's within other policies, and the big piece of it, appropriate metrics for measuring risk. And then the second big piece of that is a reporting system that tells you where you're at. There has to be some quantitative measures there, and there has to be some reporting of those quantitative measures.
You won't read this in any of the regulators' guidance, but the way I've always framed it throughout my career is it's incumbent on management to demonstrate they're complying with those board policies and risk appetite statements. I like that. I like that. Steve, any thoughts on what Todd just shared there? Yeah, no, he covered it really well. The big thing always comes to my mind when I think of risk appetite and you're looking at how you're trying to define that.
Mine always comes down to, with consistency, is it should start with how much capital do we have, as that really defines how much risk you can take on. If you're operating on those lower ends and close to those PCA triggers, you probably need to have a risk appetite that's pretty conservative because you really don't have the ability to absorb the losses. So now you look at institutions that are really well capitalized and they can take on more risk, but it goes too far.
The best example we have, of course, is the taxi credit unions. So talk about concentration risk and their risk appetite: taxi medallions in these major cities. And some of those credit unions had capital ratios in excess of 15 percent and thought, wow, we're okay no matter what happens. So your risk appetite, you have to understand how aggressive it is, especially in terms of that concentration risk. Yeah, capital can cure a lot of things.
But just because you have a lot of capital, if your asset quality in those concentrations or the game changes where you don't have diversification, you're referring to those credit unions that all they did was the medallion loans.
And when the medallion was worth a million dollars in New York City, for example, and you had 28 percent net worth, yeah, nobody could envision that wasn't going to work out well. When a medallion is worth 100,000, 28 percent net worth wasn't enough in that situation for the risk that was inherent in that huge concentration. So people will be like, how exactly do you define that risk appetite and find risk appetite statements? I did some searching around.
I did find some pretty good examples out there, and you can even look across the industry as to how other industries do it, because NCUA and OCC, they all have their own risk appetite statements. So that's one you can look at.
You don't have to start from scratch if you think you're trying to develop one of these. There are some examples out there that I think people would find helpful. And Steve, when you talk about examples, you're seeing that in the banking agency guidance, or you're seeing it in what type of, what kind of search result is triggering that? I was just searching for specific, really bank ones that might be out there and available to look at, and I did find a few.
There's some that were European based, and I've had good luck looking at examples from some of these other regulated institutions, but it's not just America that's after corporate governance, it's international and part of Basel. It's interesting that Steve mentions kind of concentration risk. One of the things, NCUA has their seven risk areas. Concentration risk isn't one of them, but within NCUA's National Supervision Policy Manual, they have a whole section on concentration risk.
But one of the things we see consistently amongst our clients is this whole DOR findings to credit unions: support your concentration risk limits. We see that consistently. They expect them to be measured against capital, as Steve said, but that's a pretty common finding nowadays in our larger organizations, where examiners are demanding that institution, through stress testing or some other means, justify their concentration limits.
And I don't know, that's been a pretty much a constant since we started this. It has been, and I think as we may have discussed in other episodes, or I know we've talked about it with certain credit unions, there are concentration limits that are not public that trigger, we've talked about how higher levels have to review exams. If certain institutions go over certain thresholds, as far as concentration limits, it's actually not just the region that their exam has to be cleared by, it ends up going to the Office of Examination and Insurance.
And that could be commercial loans over X percentage of net worth that they're going to have to get the okay or the concurrence from the Office of Examination and Insurance that is reasonable. And sadly, those things are not public, not in NCUA's NSPM that you referred to. They're either redacted or at dead links. And that's something we've mentioned on occasion.
But so there is some guidance out there, but it's not perfectly available to the credit union world. I think just one last thing with risk appetite, and this kind of ties in with corporate culture, too. And this kind of gets credit unions sideways with examiners somewhat, is there needs to be a process or specific action steps when limits are neared or breached. NCUA does expect that. There will be an action plan when appropriate when you get close to limits or when you go over limits.
Quite often we see this in our clients. They're outside their limits and they haven't done anything. Hasn't been discussed with the board. Hasn't been discussed in ALCO. Oh, we think it will correct itself. We don't do anything. There actually has to be a sense of urgency with addressing situations when you are over board established limits.
And I think a second piece of that too is you need to have an environment where your staff is comfortable to say, hey, risk is getting out of hand here, whether it's been quantified or not. So let's say someone has a risk appetite that we will have 300% of net worth in commercial loans. And then all of a sudden a member comes in with a fabulous opportunity for the credit union and for the member, and they want to blow through that 300% limit.
They don't document it in the board minutes, they don't have any conversations with it, or they just change the policy from 300 to 350 without having any analysis that supports that limit. That kind of goes to where NCUA says we want you to be able to support that limit. It wasn't a goal and now you've established a new reach goal. It actually is a limit for the risk, and it's important that your documentations and your discussions and all those committees and places you mentioned are indicative of that, or you could end up getting criticized in the examination. Definitely. Risk management systems and the three lines of defense, do we want to walk through each of the three lines of defense and discuss those? I think so. In larger complex organizations, we'll talk about three lines of defense. Generally, you have that frontline business units. That second line of defense is usually a department that's underneath your chief risk officer. Then you have internal audit.
Realistically, that's at the end of that long ruler of sophistication where you have three lines of defense. For many of our credit unions, really, more break this down into two lines of defense, in that they have their frontline units and management and then they have that internal audit under the supervisory committee.
You don't start seeing this whole third line of defense or a separate risk management department until credit unions start crossing over a billion to three billion dollars and they start thinking about hiring chief risk officers and setting up separate risk departments. You typically don't see it in smaller credit unions, but smaller credit unions can still accomplish all the same things without adding those extra people. It just needs a little bit more diligence on the part of their executive management.
First line of defense, it's always those people conducting your transaction. That's your loan officers, your tellers, your people that are interacting with the members. They're where things start. They're where your risk assessment starts for specific lines of business, whether that's commercial lending, consumer lending, real estate lending, what have you. It's that first line of defense that, hey, let's do things in a safe, sound, appropriate manner.
Let's make sure we have liens perfected on these vehicles. Let's make sure we're making loan checks out to the right people and aren't getting defrauded. Let's make sure these people have the ability to repay and that loan is for a provident productive purpose. But that 1st line of defense, think of that as your business unit. These are the people that interact with our members. They're performing transactions.
It's important that they understand their job and understand that risk reward proposition and their role in it. That's the best way I can think of to lay out that first line of defense. They're closest and nearest to those members and those transactions in whatever area you're at. Yeah, so they're carrying out that strategic plan, compliance with those policies that were put in place that have the limits that are part of the risk appetite.
The other thing that comes into place is, of course, these are the people that are staffing and training, keeping their staff adequately staffed and trained. And they're all the other resources that it takes to run the credit union, including IT. They're all in that frontline unit. So that's their role, is to carry out the operations consistent with what the board has directed. Great points. Go ahead. No, go ahead.
Mark. Anything relative to the internal audit function on the third line of defense, what it is, general thoughts on how to principles and things that credit unions should be keeping in mind as it relates to the internal audit side of this? So you're going to jump from one to three and skip two. Smaller credit unions, you just have that supervisory committee internal audit. Their role is really to test internal controls and verify that things are working the way they're supposed to.
That's the whole role of that supervisory committee audit. Are our financial statements accurate? Are our reporting processes accurate? They're the ones that verify everything is working the way it's intended. And that's an important piece of it. You need some confidence there and some testing of those things. Examiners fall into this a little bit, even though they're never ever mentioned anywhere in this risk management process. But that third line of defense, it's important.
And just having the existence of internal audit, and someone looking over everyone's shoulders, actually helps staff comply. They'll do a better job of complying with internal policies and procedures when they know someone's checking up on them. Yeah, it's like that. It's like the empty police car, right? You see it, you slow down, you go, oh, wait, look, there was nobody in that car, but you slowed down because you saw it. It's there, they're going to be doing the reviews.
And Todd, that's exactly why I skipped over the second line of defense, was your reference to, first line and third line are smaller credit unions will have that, they might not necessarily have the second line. Steve, any thoughts on the third line of defense?
Yeah, if you're a credit union, you're trying to communicate with your examiner how you're doing that internal control, one big tool that you can provide them is that audit plan, so that the examiner or anybody else looking at the department can quickly go through and say, during a year, this is what they're going to cover, and that they cover all the important items. And that becomes one of their main communication tools, that kind of is their strategic plan as to what they're going to try and do.
And then this is how they're going to go about doing it. And then, of course, they need the staff according to that audit plan. The other thing we run into is sometimes that auditors are seen as a wink and a wave, just do it, but don't make trouble.
That's also a problem and that they're appropriately respected by senior management. If you catch a. Examiners, if they feel that they're put in the back room and poor lighting and all that kind of stuff and not giving good resources, that's a real telltale sign that something might be a mess. Great point. Great point. This all worked together.
Speaking of cop cars, Mark, I have four pictures, one from Oregon, three from small towns in Montana, where they park cop cars with dummies beside the side of the road. I'll stop and take their pictures when I see that. You need to do that next time and we'll put that on a podcast art for one of the podcasts. My wife laughs because it does make me slow down. So it's effective. I was going to say something else about what Steve just said. No, I lost my train of thought.
Oh, so like auditors and independence, and this is important. These systems work together. Auditors are not necessarily, they're also getting paid. They're trying to preserve client privileges. I've had auditors look right at me and tell me in the face that they've signed off on something that wasn't GAAP. And I said the client's paying the bills. That's happened a couple of times in my career.
Which kind of leads into why larger organizations need that third middle leg in that second line of defense, and that whole, their own internal risk management department under a chief risk officer, is you need that other assurance. The other thing is in smaller credit unions, and there's nothing wrong with it. It's a reality. In smaller, less sophisticated places, risk management or risks tend to get managed in silos. Your lending people manage your lending risk.
Your CFO or another executive is going to manage that interest rate and liquidity risk. You're going to have an IT person back there is going to manage all that cyber security type risk and transaction risks. And you tend to do that separate and not bring them together.
But the thing is all these risks kind of add up over time and they're all stressors on your capital, and you reach a point in size and complexity where you can't be managing this stuff in silos anymore. You need a way to aggregate these risks across the organization. And that's when you start adding a whole risk management department, a chief risk officer. Sometimes it's one person; in larger organizations that might be three or four persons.
But now you start aggregating risks across the organization. These people tend to be very experienced type people at that chief risk officer level. They start adding support to the first lines of defense. Here's other legal risk. Here's things you didn't think about. You're really talking about beginning steps or actually a fully implemented enterprise risk management system at this point in time.
And you start aggregating these risks across the organization. And the biggest thing is with the chief risk officer, and if we have this department, it's another department that reports directly to the board or the supervisory committee. So it's a way to watch over management. It's the department that you can supervise, have a little bit more control over than necessarily an independent auditor, where you get what you pay for.
Actually you get what you pay for with this as well in that second line of defense, but it's another just important piece where you can start aggregating risks across the organization. When you silo things on a complexity wise, sometimes you can get blindsided by risks you didn't know about or didn't realize they were there. That's another reason you put that second line of defense in.
Under a chief risk officer is hopefully you avoid being blindsided by these siloed risks when you start aggravating, aggregating them and putting them together. And it's a way to. It's a way to reinforce your risk culture too, because now you got one point that says this is how we're going to measure and monitor risks. It tends to get every case of the organization on the same page. So to speak.
And in those individual silos, like on the loan risks, the constant, if I'm out there and I'm a loan officer and my goal is to get loans out. I'm not going to, I'm going to want a higher risk appetite than somebody who's looking at how does that really relate to net worth.
So having that second line of defense that can do all the things you just described can help mitigate and control that to make sure that it's consistent with the risk culture that the board and management want to make sure is ever present. Steve, any thoughts on the second line? Just 1 thing comes to mind that we've had a couple of our larger clients that have that position and has commented on how they think that person should be included in the organizational chart.
And I think we've had general disagreement with on that and that the chief risk officer. Is going to be involved in virtually all of your major committees because they need to know what's happening throughout the institution. So I'm looking for your recollection of those discussions that we've had with clients. Yes, that's definitely been an issue.
And it's a scenario where the second line, a couple of different scenarios, if I'm remembering right, where the second line has been given, it's almost as if it's veto power. So the board wants to do X and management wants to do X, but this committee is saying we shouldn't be doing X, we should be doing Y and NCUA almost framing it like they have more authority than the CEO and or the board, and I'm definitely not convinced that's the way that it should be necessarily set up.
And then also we've seen situations where NCUA is saying why is this person on this committee? And what, what's their role on this committee? And the reality is based on the principles, they should be on that committee. Todd, any thoughts on what Steve or I just said there? Yeah, I have a note here somewhere about segregation of duties and how this plays out, but I'm not going to wade through it for the moment.
Essentially, you have a separation of those who measure monitor risks and those who take risks and I think sometimes NCUA blurs this a little bit. And I've seen this a couple different times in larger organizations where NCUA's expectation is that you would give this chief risk officer veto authority. And that's not the way the thing sets up. They're the folks that measure risk. Yes, there should be a measure or an effective channel for them to communicate, with the board.
Through the supervisory committee or however you want to set it up. If they believe that risks are getting on a line, but at the end of the day of that whole risk reward proposition, the folks taking risks or the board defines how much risks are allowable. And it's the chief executive and management staff that engage in risk taking. I don't think it's appropriate that your chief risk officer should have blanche veto authority.
They're there to support these other functions in measuring that aggregated risk. It's their role to say, hey, we missed something here, let's think about this a little bit more. But, they are not the risk takers and I don't believe you should necessarily give a Chief Risk Officer veto authority either. They're one part of this tripod, but they're not any greater are.
And then the other part of it, and I do think NCUA gets that wrong when they lay out an expectation that a chief risk officer should have veto authority over things. The other thing we've seen is NCUA's take an exception to a chief risk officer having voting privileges on whatever committee it might be. I don't think that's the regulator's role. There's a ruler of sophistication and there's no right or wrong answer to this.
That individual is involved in aggregating risks across the organization. Whether they're a voting or a non voting member, they probably need to be parts of these committees and understand what is going on in the various departments across the organization. And whether they're a voting or non voting member, it doesn't matter. Let them be a voting member because their role is to bring up discussions of risk and enhance this.
And I don't think it's the regulator's role to necessarily say you can or can't be a voting member on any committee within the organization just because you're in the chief risk officer's chair. I think in that case, it's a case of NCUA maybe overstepping their duties. And we've seen that a couple of times. Great points. And that goes to it's not a regulation that requires how it's structured. It's a management decision. They rely on safety and soundness. They rely on sound business practices.
They rely on finesse to get NC, get the credit unions to structure it in a particular way. But in the end, it's the credit union's decision. Particularly because there isn't a regulation that says it has to be done exactly A, B, and C. The credit union is responsible. As NCUA points out, corporate governance, the board is responsible. It's the board with the interaction with senior management that lays out the framework that makes most sense for the individual credit union, regardless of size.
Guys, what else, anything else here that I missed, any other topic we want to hit on the concept of the risk management framework, the pyramid, anything else we need to hit here before we wrap today? I wanted to go through, we've talked about, resources available for credit union boards that NCUA doesn't have their board of director manual that was out there. The OCC does have the director's reference guide.
And that has a good section on risk governance, and it has questions to consider. And red flags that would be brought to me 1 of the red flags would be the number of issues. Identified by regulators so we can put that and then in at the end of the, that section on there, it has a big example of all the references that they have that relate back to the subject of risk governance and corporate governance. That's very complete. So we'll make sure we get that out there.
Yeah, if you could send me those links, I'll put them in the show notes, any of those that you think people might be particularly interested, be good to, I may have those, but make a note to send me those and I'll put them in the in the show notes. Todd, anything you think we should hit here before we wrap up? I'll just reemphasize what we started out at the beginning and we brought this up in our 1st podcast on corporate governance.
This all really starts with culture that the board and management put in place. And like I said, it doesn't necessarily matter what's in writing and what that org chart looks underneath. Like underneath it, the most important piece of that is that culture that is established by the board and by executive management. And a lot of this isn't rocket science identify major monitor control risks or concepts that have been around hundreds of years.
I used to have a banking risk management books as concepts go back to Roman times. There were even documents in Latin about that. So those core concepts haven't changed. I think it's. For directors, you just be independent, ask good questions about this. It's not rocket science. You can get up to speed on it. But just be independent in your thought. And it goes back to corporate culture again. Let's have a way to articulate our risk. Let's have appropriate limits in place.
Let's hold management accountable for those limits. And I think that's a big piece of that culture too, is there has to be consequences when people choose to not stay inside the box, so to speak. That's a great place to wrap guys. This was a deep topic and I learned a little bit. Hopefully the listeners picked up some points here. I appreciate your thoughtful comments as it relates to this important topic. Thanks, guys. And listeners, I want to thank you for listening.
As always, I hope you will listen again soon. This is Mark Treichel signing off with Flying Colors.
