An inspector general report on the federal credit union regulator’s enterprise risk management (ERM) found that the group of senior staff responsible for primary oversight of ERM “did not consistently establish, update, or use risk profiles to address the agency’s enterprise-level risks.”
The findings are in a May 20 report of the National Credit Union Administration (NCUA) Office of Inspector General (OIG).
The office initiated the review to assess the NCUA’s ERM risk profiles, the report says. The objective was to determine if the NCUA adequately established, maintained, and used risk profiles to address enterprise-level risks, it says.
“Our audit determined the NCUA’s Enterprise Risk Management Council (ERM Council) did not consistently establish, update, or use risk profiles to address the agency’s enterprise-level risks,” the report says. “The NCUA’s ERM Council needs to improve the regular assessment and updating of all enterprise-level risks. The ERM Council should improve how it communicates its results to necessary agency officials, as appropriate….”
The OIG report includes two recommendations:
- Implement a regular assessment and briefing of all enterprise-level risks, such as through discussion of risk profiles at ERM Council meetings, on a frequency commensurate with risk exposure to monitor that each risk is managed within risk appetite.
- Clarify how the ERM Council should communicate risk results to agency officials who implement decisions.
The report, which has numerous redactions, says agency management agreed with both recommendations and committed to implementing them by March 31, 2027.
NCUA OIG-26-05, Audit of the NCUA’s Enterprise Risk Management Risk Profile