What is concentration risk for credit unions? According to Basel Committee on Baking Supervision, risk concentration is "any single exposure or group of exposures with the potential to produce losses large enough (relative to capital, total assets, or overall risk level) to threaten a [credit union’s] health or ability to maintain its core operations."
The primary source of revenue for most banks, including credit unions, is extending credit, which concurrently poses risk to earnings and capital. A significant grouping of like assets and/or liabilities can result in a “concentration.” These concentrations can increase in risk proportional to their size. Avoiding concentration risk is a core tenant of effective risk management practices. According to the National Credit Union Association (NCUA), “credit union officials and management have a fiduciary responsibility to identify, measure, monitor, and control concentration risk.”
Implementing sound risk management practices is the key to managing a credit union's concentration risks. A concentration risk policy's goal is to reduce the impact risk could have on the credit union's financial structure, balance sheet, and/or business model.
Here are the necessary steps to building a concentration risk policy for credit unions.
How to Build a Concentration Risk Policy for Banks
Unfortunately, concentration risk is present in many forms across most major credit union operations. Some of these risks include asset classes, concentrations within a class of assets, liabilities, third-party providers, and services provided to other parties. When reviewing types of risk concentrations, boards and managers must be aware of all asset categories, even if they seem unrelated.
For example, the types of loans and characteristics of the loan may be a concentration risk, which is easy to identify, but similar characteristics may exist in places like a loan participation portfolio or an investment portfolio, which could make it a bit more challenging to identify. Concentration in credit union portfolios is one of the most significant risk factors for credit unions. The highest risk exposure in credit unions are:
- Real Estate Loans
- Member Business Loans
- Loan Participations
- Construction & Development (C&D Loans) Loans
- Investment in Mortgage-Related Securities
Failure to develop and implement a concentration risk policy could put your organization at significant risk. Here are a few simple steps to build a risk management policy for credit unions.
1. Identify and Measure Concentration Risk
Each product or service carries some risk of financial exposure or loss for the credit union. Your concentration risk policy should require business units engaged in credit transactions to perform a risk assessment to understand the risk of the product or service, quantify the potential loss exposure, and document a rational business decision on the acceptable concentration level based on the analysis.
The policy should require more robust and sophisticated risk management techniques in the following circumstances:
- The concentration level is large.
- The service is important to the core operation of the credit union and the amount of activity and dollar volume of credit union activity it handles is higher.
Technology plays a vital role in risk management by enabling credit unions to perform streamlined tasks such as risk identification and assessment, process and control mapping, data analytics and reporting.
Compliance Core can provide you with immediate impact in the following areas:
- Risk identification and assessment
- Risk and control mapping
- Data analytics and reporting
- Regulatory change management
- Loan review
RELATED READING: The Ultimate Risk Assessment Template for Growing Businesses
2. Establish Concentration Risk Limits for Each Portfolio
Your policy should address your board's philosophy on concentration risk, limits and rationale as to how the limits fit within the overall strategic plan of your credit union. The limits set should be specific to each portfolio and should include limits on loan types, share types, third party relationship exposure, etc.
Pay attention to related policies. The risk limits laid out in the concentration risk policy should be linked to limits specified in related policies such as those related to real estate loans, member business loans, loan participation, asset/liability management (ALM), and investment policies.
3. Monitoring and Reporting
The concentration risk policy should address board and senior management's expectations regarding ongoing monitoring and reporting. Once the appropriate risk management systems and policies are in place, it is essential to build in monitoring and oversight into business as usual operations. The policy should define the process for setting and monitoring credit concentration limits and for approving changes and exceptions.
Regular formal reporting to the board and senior management on compliance with established concentration and risk limits should be expected. In addition, the policy should address expectations regarding the implementation of appropriate internal controls, including segregation of duties, to ensure accurate reporting on concentration risk.
4. Stress Testing
The concentration risk policy should require portfolio-level stress testing to quantify the impact of changing economic conditions on asset quality, earnings, and net worth of the credit union. The sophistication of the stress testing required by the policy should be consistent with the size, complexity, and risk characteristics of the portfolio as a whole.
RELATED READING: How to Find the Best Risk Management Advisory Services
Getting Started With Compliance Core
How Mature is Your Risk Management and Compliance Program? Our self-assessment will show you how your credit union is performing against processes for establishing a concentration risk policy and framework for ongoing management. Use these findings to identify your gaps and problem areas.
After the assessment, you'll get the opportunity to connect with us to discuss the next steps towards your risk management goals. Not all concentration risks are created equal. Therefore using a one-size-fits-all approach in establishing concentration risks policies can lead to missed opportunities or a false security.
Compliance Core is a technology-enabled risk management service provider. We manage all aspects of enterprise compliance and risk management, giving organizations the ability to focus on their core business tasks. We’re here to help you with all of your concentration risk policy concerns and management.