Specific Risks
(v) Data Risk
A risk to any credit union relates to the security and integrity of its databases, both automated and non-automated. Detailed records of all financial transactions and balance sheet data should be kept in more than one location. Where records are computerised, back-up and storage procedures should be documented by the credit union and audited, as should procedures for preventing data corruption. Adequate disaster recovery procedures should be in place.
(vi) Operations Risk
Credit unions carry a range of operations risk in carrying out their day-to-day business. Many of these risks are insurable, others are not. Of particular importance in the latter category are credit unions' administrative systems and the consequences of breaches of legislation. In smaller credit unions, overdependence on a small number of key personnel can constitute a substantial risk to their operations. Other risks arise from litigation associated with a wide variety of possible events and actions, including discrimination, negligent advice and invasion of privacy. Whether or not these risks are insured or even insurable, credit unions must demonstrate an understanding of the risks involved and the capacity to measure, monitor and control them.
An important source of insurable operations risk arises from potential damage to the physical assets of the credit union through accident or fire. While compulsory worker's compensation covers potential loss through accidents involving staff, there is a similar risk to members of the public that is not automatically insured. Other operational risks arise from the potential for legal action against the credit union or its directors.
In addition to compulsory worker's compensation, all credit unions should carry effective insurance with a reputable insurance company to protect their personnel, operations and physical assets. At a minimum, each credit union should carry the following insurance policies:
(a) fidelity guarantee;
(b) asset protection, including fire and malicious damage;
(c) directors' and officers' liability;
(d) public liability;
(e) professional indemnity; and
(f) business interruption.
Insurance should cover the credit union and all subsidiaries (if any). SSAs will seek details of insurance policies and each credit union's approach to insurance.
Prudential Standards
4.1.5 Data Risk
4.1.5.a Each credit union is to provide its SSA, on request, with a written statement of its policy in respect of managing data risk. Detailed records of all financial transactions and balance sheet data should be kept in more than one location. Where records are computerised, back-up and storage procedures should be documented by the credit union and inspected by the relevant SSA, as should procedures for preventing data corruption.
4.1.5.c Each society must have a comprehensive written statement dealing with the risks and events that may arise due to either the society or an external service provider suffering disruptions that may, in turn, disrupt the society's normal business operations. These policies and procedures should form part of a society's Disaster Recovery Plan in respect of managing both data risk and operations risk.
4.1.6 Operations Risks
4.1.6.a Each credit union is to provide its SSA annually with a written statement of its policy in respect of disaster recovery planning and insurance including details of its individual insurance policies. SSAs will monitor the adequacy and currency of these policies. At a minimum, credit unions should take out the following insurance cover:
(i) Fidelity/Bond Insurance
(ii) Fire and Specified Perils
• Physical loss or damage to tangible property due to fire and specified perils including:
  • storm and tempest;
  • earthquake;
  • explosion;
  • impact;
  • water damage;
  • malicious damage;
  • riots; and
  • strikes.
(iii) Directors' and Officers' Liability
(iv) Public Liability
• To cover the society's legal liability for bodily injury or damage to property anywhere in Australia or on society business overseas.
(v) Professional Indemnity
• To cover legal liability to members and third parties through a breach of professional duty in the conduct of the society's business, by reason of any negligence, including:
  • libel and slander;
  • amendment of dishonesty clause;
  • retroactive cover;
  • automatic reinstatement; and
  • breaches of Trade Practices/Fair Trading Acts.
(vi) Business Interruption
• To cover loss of income or increased cost of working due to interrupted business operations as a result of an insured peril.