Manage Your Risk Utilizing Collaborative Partnerships to analyze, simplify, compare & strategize
Agenda/Topics To Be Covered
  Who’s Who
  Information Security Program
  Using the Risk Management Report Generator Web Site
  Using Related Services for Overall Structure
  What else is new for Auditing, Reporting & Compliance
Information Security Program
  Appendix A of Part 748, NCUA Rules, GLBA
  MUST:
    –Involve Board
    –Risk Assessment
    –Risk Management
    –Training
    –Testing
    –Service Provider Oversight
    –Adjustments
Board Involvement
  Ultimate responsibility
  Approved policies
  Annual reports
  Security committee
  Breaches
Risk Assessment
  Identify threats, i.e. member data…disclosure and destruction
  Assess potential damage
  Policies sufficient to monitor and manage the risk
Risk Management
  Protecting against the threats and mitigating risk
    –Monitoring systems
    –Dual control
    –Employee controls
    –Physical controls
Training
  Recognizing the risk
  Making it part of everyday process
  Reporting unauthorized attempts
  Federal and State Requirements, GLBA
Adjustments
  “you’re never done”
  Reflect changes to technology
  New threats
  Business arrangements
  Services and products
Response Programs
  Assessment of access
  Notification of regulatory authorities
  Containment
  Notification of members “All, specific, none”
Oversight of Third Party Providers
  NCUA Letter 08-CU-09
  NCUA Letter 07-CU-13
  FFIEC
  During the selection process
  During the contract process
  For on-going monitoring
WHEN DOES IT APPLY
  Involves a new financial service activity
  Materially affects revenues and expenses
  Involves member data
  Involves marketing of CU products by a third party
  Involves subprime lending or card payment transactions
  Poses risk that could significantly affect earnings or capital
What is the Risk Management Report Generator Site?
  Your tool for evaluating third party relationships
  Creating a community of responses
  Serves as vault to store your reports and vital contract data
  Allows you to complete your annual reviews
  Follows NCUA guidelines as originally adopted in the letter to CUs
Activity for Users 160 Reports created 40 Vendors
Where are we at today 122 Users 296 Reports created 288 Vendors
Vendors
  Most Common Vendor types:
    –Insurance
    –Mortgage
    –Financial
    –Collection
    –Shredding services
    –Janitorial
    –Statement Providers
Credit Unions are saying…
  Feedback
    –Easy to use.
    –Good educational start with canned responses
    –Excited to show examiners
    –It’s Free!!
    –Great single repository for all reports
  Improvements
    –Notification to renew report?
    –Scanning contracts
What is coming
  Review dates
  Proliferating vendors outside of the cuasterisk network
  Promoting additional responses
  Audit Link Offerings
    –ACH
    –BSA
    –Audit Link Lite
Another Tool: Concentration Risk Analysis
  Model for predicting concentration risk in investment portfolios
  Includes Historical Loss Ratio and Credit Risk calculations
  Portfolios will be shock tested based on potential economic impacts to the portfolio, and will also include tests based on portfolio growth
  Clear and concise recommendations will be made based on test results
  Sample policies are also available upon request
Sample Concentration Risk Analysis

| Item | Finding | Result | Actions Required |
|---|---|---|---|
| Capital Ratio | 10.00% | Safe | None |
| Credit Risk Segmentation | 710 | Safe | None |
| Managed Concentrations | 125% Aggregated Business Real Estate | Monitor | Credit Union must justify and monitor |
| | 120% Residential Real Estate (1st) | Monitor | Credit Union must justify and monitor |
| Static Test Results | 9.26% Capital Ratio | Safe | None |
| Dynamic Test Results | 9.07% Capital Ratio | Safe | None |
| Risk Limits | 8.90% Capital Ratio | Safe | None |
| Named Borrower | 17.50% Business 3 | Monitor | Credit Union must justify and monitor |
Conclusion – You Should now know
  Why is it important for me to use RMG Site?
  Who do I contact if I have questions regarding the Risk Management Report Generator Site?
  Who do I contact if I would like to participate in any of the other services highlighted today?
  How much does it cost?
Linking the powers together is your key to success! Jim Vilker- Joe Spenski – Patrick Sickels –