A Teenage Perspective is The Fastest Way to Understand Your Risk Appetite

We are pleased to announce that Randy Marsicano has recently earned the designation of NAFCU Certified Risk Manager (NCRM). This designation shows a dedication to understanding enterprise risk management (ERM) methodology and National Credit Union Administration regulatory requirements for risk.

One question that I keep hearing is about the difference between a Key Performance Indicator (KPI) and a Key Risk Indicator (KRI). Examiners are starting to hone in on this now as well, telling us it is something we want to pay attention to. In short, a KPI is a backward looking indicator, and a KRI is a forward looking indicator. One tracks how well you did, and the other attempts to predict where you are going. If you are just starting out in setting up risk indicators for your monitoring activities and Risk Appetite Statement, it is more important to get your monitoring tasks set up and working in a useful way, then to get bogged down in the difference between backward and forward looking. In other words, having some monitoring program in place is better than waiting until all risk indicators are perfectly classified as forward looking or backward looking. That being said, it is important from a regulatory perspective, and just plain good business practice, to be able to monitor risks from both perspectives. You'll eventually want to get to this level of maturity.

Some organizations can have hundreds of vendors, and risk assessing all of them can be a battle. You might not have all the resources you need to do a full risk assessment on all of them and frankly - you don't have to. Here are three tips for third party assessments that will help keep you on track for your organization's security and your regulatory visits.

If you're the Risk Manager at an organization, it's a pretty safe bet that you're feeling like you don't have the resources available to properly secure your organization. You might also feel like it leads you to a reactive management style, pinged by regulators and following up instead of building baked in controls and security.

Managing vendors at your organization can feel like herding cats. Every department has vendors that they use for services, and keeping all the contracts, due diligence information, and monitoring activities organized and centralized can feel downright impossible. This doesn't even touch on the often changing regulations you need to understand and adhere to - and determining the standards that will keep your organization both protected and compliant.

Whether you're a museum buff, love a night on the town, or are an adventurous foodie, we know there is so much to gain from a new experience and a little bit of adventure. We also know that time can fly when you're jet-setting, touring, or pulling up anchor - which is why travel is the theme for our 10th annual WolfPAC User Conference! We'll explore the journey of Enterprise Risk Management, including what we've done, what we're doing, and what we have in store to keep you at the forefront of your industry, and strategic within your organization.

The NCUA recently held a webinar (recording available until March 7, 2019) to outline the new exam approach, and what credit unions should expect. The NCUA has released the Automated Cybersecurity Examination Tool (ACET) to aid examiners in the complex world of cybersecurity risks and controls.

My first impression after hearing about the new European General Data Protection Regulation (GDPR) was that it wouldn’t apply to a US company. Better safe than sorry, I decided to take a few minutes to study it anyway. What I found was that it does establish privacy rights for European Union (EU) residents or visitors, but in some cases can also apply to companies outside of the EU. That applicability is based on the location of the Business Activity, not the home office of the company. This means if you have a branch, or are actively promoting business (i.e. web based) in the EU, GDPR applies to your company for all activity related to EU residents that transaction business in the EU. Conversely, if you do not have a branch, and are not actively promoting business in the EU, GDPR does not apply to your company, even if an EU resident seeks you out for business.

The WolfPAC Integrated Risk Management suite is designed to align with the changing needs and regulatory guidelines of the financial industry. Part of the way we honor our commitment to streamlining the risk management process and enable risk managers is by keeping our solutions up to date with compliance standards through monthly updates to our assessments and functionalities.