Risk Management

Objective

To protect and promote the financial integrity and efficiency of the State-based financial institutions system and to ensure that depositors are adequately protected from the risks that credit unions incur in the process of financial intermediation. Towards this end, to ensure that credit unions are aware of the risks to which they are exposed, and that these risks are adequately measured, monitored and managed.

General Background

Pooling and managing risks for both borrowers and lenders is an important element of financial intermediation. Careful management of these risks is fundamental to the successful operation of any financial institution. As noted earlier, the primary responsibility for risk management rests firmly with the management of each credit union; the role of the supervisory authorities is limited to protecting the interests of depositors. Depositor protection, in turn, is enhanced by ensuring that credit unions approach risk management in a consistent manner and that they maintain a sufficient cushion of capital to afford depositors maximum confidence in the security of their deposits.

In assessing the appropriate level of capital, SSAs will require detailed information about the risk management procedures and practices of credit unions. Inadequate management practices in this area will meet with additional requirements in terms of capital or, in certain cases, with additional requirements with respect to the holding of liquid assets.

While there will be no set formula relating the need for additional capital to particular deficiencies in risk management, SSAs will look for adequate procedures for identifying and measuring risk, adequate procedures for monitoring risks, and appropriate techniques for managing risks.

Additional capital will also be required of credit unions in direct proportion to their overall risk rating when these ratings imply risk in excess of industry norms. SSAs will advise credit unions as to their risk ratings and capital requirements.

In a number of cases, the Prudential Standards require a credit union to consult with its SSA before particular transactions or activities can be undertaken. Consultation in this context will focus on the credit union's ability and systems to manage their risks prudently; the emphasis will be on processes rather than on the quality or otherwise of the decisions involved. Such consultation should not be taken to imply that the SSA in any sense sanctions or approves the particular activity. Decisions about the appropriate balance sheet structure for a particular credit union are its own responsibility. The SSA's role is to ensure that risk analyses are adequate and that each credit union's capital base is consistent with the risks that it undertakes.

Notwithstanding this responsibility, each credit union must, prior to the assumption of any major new risks (for example, moving into a new area of lending) first satisfy its SSA that it has:

(a) met all current prudential standards;

(b) the expertise and systems in place to manage the new risks involved; and

(c) sufficient capital in place to meet any additional requirements imposed by the authorities - this may include additional capital requirements if the proposed lending activities alter the assessed risk rating of the credit union as a whole.

Limited exemptions from this requirement may be granted under the transitional arrangements outlined earlier.

Specific Risks

Credit unions face a number of different types of risk in conducting their businesses.

(i) Liquidity Risk - Prime Liquid Assets Requirement

Liquidity risk arises from the tendency for a credit union's deposit base to be more readily liquidated than its assets. This is partly a consequence of the longer maturity of loans relative to deposits. It is also a consequence of the fact that loans which are not in arrears are not normally callable, whereas term deposits are often callable, albeit at a penalty. Despite this asymmetry in balance sheet liquidity, the capacity to meet promptly all obligations as they fall due is fundamental to financial intermediation.

The prudential standards require credit unions to hold a minimum level of 7 per cent of their total liabilities (excluding capital) in the form of highly-liquid, high-quality assets. This prime liquid assets (PLA) ratio is to be met at all times. In day-to-day operations, however, these assets are not available to meet the ebb and flow of funds. They are intended only to provide a cushion of liquifiable funds, available in times of extreme pressure on liquidity, and then, only with the explicit approval of the SSAs.

(ii) Operational Liquidity Risk

While PLA provides a stock of high quality assets, each credit union must manage its cash flows without reliance on PLA. It is the responsibility of the board to assess its credit union's liquidity needs and determine the amount and composition of additional liquid assets required to cover day-to-day fluctuations in its operating liquidity arising from:

· withdrawals of deposits;

· increases in demands for loans, including increased drawdown of overdraft facilities;

· drawdown of credit card facilities;

· maturity mismatch of assets and liabilities; and

· unexpected operating expenses.

Each credit union is expected to have in place an appropriate management information system to allow monitoring and management of liquidity risk. Each credit union is also required to demonstrate an understanding of its deposit base (including strengths, limitations and historic volatility), the maturity mismatch between assets and liabilities and any risks arising from off-balance sheet activities. While cash flow projections, incorporating all significant cash flows and management of forward loan commitments, should form part of any liquidity management system, the sophistication of these systems will depend on the credit union's activities.

A credit union can pursue a range of strategies to manage liquidity risk including:

· holding adequate cash and readily liquefiable assets in addition to PLA;

· maintaining stand-by and overdraft facilities with banks, SSPs or other counterparties acceptable to AFIC;

· developing and maintaining a stable core of deposits;

· matching maturity structures of assets and liabilities, securitising assets and sourcing long-term funding; and

· developing sophisticated cash flow projections including improving asset and liability management.

In relation to the first point, each credit union is expected to hold 2 per cent of total liabilities (excluding capital) in one or more of the following: excess PLA, cash, funds securing settlement accounts and liquidity deposits with SSPs.

In determining liquidity needs, a credit union's board should aim at maintaining access to funds for the purpose of meeting operational demands at 6 per cent of total liabilities (less capital). Access to funds may be through off-balance sheet facilities and generally, each credit union is expected to look beyond its immediate deposit base to alternative sources of liquidity. These alternative sources include stand-by lines of credit or overdraft facilities with other financial institutions, including SSPs. Evidence that these arrangements have been firmly established and are available for immediate use will be required by SSAs.

To ensure that each SSA is aware of any weakening of a credit union's liquidity position, each credit union must advise its SSA if on-balance sheet liquid assets held to meet operating requirements falls below 2 per cent of total liabilities (excluding capital). Deviations below this liquidity trigger may occur from time to time and are not necessarily a source of concern.

Liquidity risk is also associated with large exposures to a single source of funds. Each credit union must include in its approach to liquidity management, a policy in respect of large liquidity exposures. Further, each credit union must report exposures in excess of 5 per cent of the credit union's total liabilities and, before a credit union adopts an exposure in excess of 10 per cent of total liabilities, it must consult with its SSA.

In reviewing a credit union's approach to liquidity management, the SSA may consider that the large liability exposure, or exposures in aggregate, create the potential risk for a credit union's liquidity to be strained or may consider that systems are otherwise inadequate. Under these circumstances, the SSA may require the credit union to hold higher levels of PLA or operational liquidity, report more frequently, or impose other requirements.

(iii) Market Risk

Market risk arises from the fluctuations that occur in the market values of assets and liabilities in the normal course of business. The primary source of such fluctuations is movements in interest rates. When interest rates change, the market values of loans, securities and deposits change to different extents. Whenever the interest rates paid on a financial institutions liabilities do not adjust in line with the rates earned on assets, the institution is exposed to market risk. The net effect of these valuation changes alters the institutions earnings and its net worth.

Financial innovations have provided credit unions with a range of techniques for managing this risk. To the extent that deposits and loans are matched, either as variable interest instruments or, in the case of fixed-interest loans and deposits, by duration, the risk may be relatively small. Where a credit unions book is not naturally matched in the above sense or not readily adjustable, the market provides instruments for managing the mismatch, while still meeting customer preferences on the terms of loans and deposits. Interest rate futures, options and swaps are now widely used in the finance industry to manage market risk. Section 120 and the prohibitions in Section 121 of the FI Code outline the scope for credit unions to trade in these instruments for the purpose of managing market risk.

SSAs will seek detailed information about each credit union's methods for measuring and monitoring market exposures. In particular, where assets do not satisfy either the primary objects or the liquid asset tests, SSAs will look for evidence that credit unions are employing appropriate risk management techniques, including regular market value assessments and appropriate provisioning for risks (see Prudential Note 4.3 on Accounting and Disclosure).

(iv) Credit Risk

A primary source of risk for any financial institution is the risk of default. Undue concentration of loans can expose a credit union to excessive credit risk. Sensible diversification of a credit union's loan book by geographical area, type of borrower and to some extent by type of loan can reduce the risk of the overall loan portfolio.

SSAs will seek detailed information about each credit union's practices with respect to credit scoring, loan monitoring and the overall assessment of credit risk. Credit unions should be able to demonstrate an understanding of the inter-relationships between the various credit risks they are carrying. SSAs will pay special attention to credit risk policies relating to assets which lie outside the definitions of primary objects and liquid assets. In particular, credit unions inevitably carry a substantial fixed asset exposure to property through their branch network systems. In the normal course of business this exposure should not exceed the size of the credit union's capital base. Exposure beyond this level will require prior consultation with its SSA.

A particular source of credit risk is large credit exposures to single borrowers. Large exposures can accumulate indirectly through lending to associated borrowers even though the exposure to any one member of the group may appear reasonable. While 'associate' has been defined under Part 4 of the FI Code, the existence of these relationships may not represent any aggregation of risk (for example where loans to associated family members are separately collateralised). It is recognised that a number of these relationships cannot be identified from data collected in the normal course of opening and operating accounts. Therefore, credit unions will not be expected to monitor large exposures to groups of associated family members who have independent retail relationships with the credit union. In the case of commercial lending, borrowers will be assumed to be associated where they collectively control the source of credit risk to the credit union.

Each credit union will be required to provide its SSA with a copy of its policy in respect of large exposures and to report exposures to individual borrowers or groups of associated borrowers in excess of 5 per cent of the credit union's capital base. These exposures are to be measured in terms of exposures to the consolidated group where relevant. Exposures beyond 10 per cent of a credit union's capital base will require prior consultation with its SSA. Certain exemptions may be permitted with respect to lending within primary objects. Further exemptions and general approvals may be granted by SSAs in the light of experience.

(v) Data Risk

A risk to any credit union relates to the security and integrity of its data bases, both automated and non-automated. Detailed records of all financial transactions and balance sheet data should be kept in more than one location. Where records are computerised, back-up and storage procedures should be documented by the credit union and audited, as should procedures for preventing data corruption. Adequate disaster recovery procedures should be in place.

A particular risk to a societys data exists due to the potential for damage to or misuse of date-related data, caused by the use of computer programs or code that fail to calculate correctly or record dates after a particular date. This is commonly referred to as the "Year 2000 problem" because many computer and other electronic systems cannot deal with dates after 31 December 1999. However, the problem is not confined to the year 2000 and could arise through a range of other critical dates that might be embedded in computer systems. For convenience, AFIC is referring to this matter as the "Year 2000 problem".

To ensure the security and integrity of a societys data, the Directors of a society should ensure that a full review and assessment of the risks associated with the Year 2000 problem is undertaken. Those systems affected that are critical to using or storing the societys data, must be corrected. Directors must:

• ensure that appropriate tests are carried out to ascertain that any critical computerised systems using or storing the societys data are not affected by the Year 2000 problem; and

• obtain sufficient assurance that the societys systems and dates will not be significantly affected by inaccurate data or failure of services by its suppliers.

It may not be possible for every internal and external system to be corrected in the short time available before the year 2000, or any other critical date, arrives. Therefore, in anticipation of possible failures, each society must have a comprehensive written statement dealing with the risks and events that may arise due to either the society or an external service provider suffering disruptions that may, in turn, disrupt the societys normal business operations. These policies and procedures should form part of a societys Disaster Recovery Plan in respect of managing both data risk and operations risk.

(vi) Operations Risk

Credit unions carry a range of operations risk in carrying out their day-to-day business. Many of these risks are insurable, others are not. Of particular importance in the latter category are credit unions' administrative systems and the consequences of breaches of legislation. In smaller credit unions, overdependance on a small number of key personnel can constitute a substantial risk to their operations. Other risks arise from litigation associated with a wide variety of possible events and actions, including discrimination, negligent advice and invasion of privacy. Whether or not these risks are insured or even insurable, credit unions must demonstrate an understanding of the risks involved and the capacity to measure, monitor and control them.

A particular risk to a societys operations exists due to the Year 2000 problem. Societies are faced with the potential for impairment of normal business operations through the failure of systems dependent on computer microchips, such as communications, security, and fire protection systems.

To ensure the societys operations risk is minimised, the Directors of a society should ensure that a full review and assessment of the risks associated with the Year 2000 problem is undertaken. Those systems affected that are critical to the societys normal business operations must be corrected. Directors must ensure that appropriate tests are carried out to ascertain that any critical computerised systems and devices required for the societys day-to-day operations are not affected by the Year 2000 problem.

A society must keep its insurance contracts under review to ascertain whether it is covered for interruptions to business and possible litigation, due to non-performance or disruption to business, as a result of the Year 2000 problem.

The costs and resource requirements to address the Year 2000 problem may be beyond the scope of some societies. Where directors are of the opinion that the society will be unable to address the Year 2000 problems adequately, with regard to its critical systems, the society should immediately notify its SSA. The SSA, together with the society, will then consider the appropriate action to be taken to ensure that the interests of the societys members are not adversely affected by the societys inability to manage Year 2000 problems adequately.

An important source of insurable operations risk arises from potential damage to the physical assets of the credit union through accident or fire. While compulsory worker's compensation covers potential loss through accidents involving staff, there is a similar risk to members of the public that is not automatically insured. Other operational risks arise from the potential for legal action against the credit union or its directors.

In addition to compulsory worker's compensation, all credit unions should carry effective insurance with a reputable insurance company to protect their personnel, operations and physical assets. At a minimum, each credit union should carry the following insurance policies:

(a) fidelity guarantee;

(b) asset protection, including fire and malicious damage;

(c) directors' and officers' liability;

(d) public liability;

(e) professional indemnity; and

(f) business interruption.

Insurance should cover the credit union and all subsidiaries (if any). SSAs will seek details of insurance policies and each credit union's approach to insurance.

Prudential Standards

4.1.1 Prime Liquid Assets Requirement

4.1.1.a Each credit union is to maintain at all times a minimum proportion of its balance sheet in specified prime liquid assets (PLA). The required PLA ratio is to be 7 per cent of total liabilities excluding capital as defined in Prudential Note 4.2 (Capital Adequacy).

4.1.1.b The PLA ratio is to be met at all times. If a credit union finds itself in danger of breaching the minimum ratio, it must advise its SSA immediately and, in consultation with the SSA, take prompt action to correct the situation.

4.1.1.c To be eligible for inclusion in the PLA ratio, assets must be held in the credit union's own name, must be unencumbered by any pledge or restriction (other than restrictions arising from the emergency liquidity support facility) and must be readily negotiable.

4.1.1.d Assets deemed acceptable by AFIC for inclusion in the PLA ratio may change from time to time as circumstances and asset quality change. Until notice of alteration, PLA will include the following:

(i) Treasury notes;

(ii) other Commonwealth Government securities;

(iii) bank deposits and bank accepted and endorsed bills;

(iv) loans to authorised money market dealers against the security of Commonwealth Government securities;

(v) State or Territory Government issued or guaranteed securities; and

(vi) PLA deposits with special services providers (see Book 1).

4.1.1.e Given the potential for the liquidation value of some PLA to vary with market conditions, assets will be valued at market value for the purpose of calculating the PLA ratio.

4.1.1.f Credit unions must hold half of their required PLA assets in a manner that can be immediately accessed under the emergency liquidity support facility outlined in Part 6 of the AFIC Code (see also Prudential Standard 4.4.5).

4.1.2 Operational Liquidity

4.1.2.a Each credit union is to provide its SSA, on request, with a written description of its systems to measure, monitor and manage liquidity risk. These systems are to be audited annually by the credit union's external auditors and their operation in practice will be subject to review during on-site inspections by the SSA.

4.1.2.b It is the responsibility of each board to determine the liquidity needs and normal liquidity operating range of its credit union and the associated composition and liquidity of assets to be held. Notwithstanding, each credit union should aim to maintain access to funds to meet operational demands at 6 per cent or more of total liabilities (less capital) with a minimum component of on-balance sheet assets of 2 per cent of total liabilities (less capital). As part of its liquidity management, each credit union must also satisfy its SSA that it has access to appropriate levels of funding through off-balance sheet facilities provided by banks, SSPs or other entities advised by AFIC.

4.1.2.c Unless otherwise advised by Standard or Guidance Note, assets that may be included in on-balance sheet operational liquidity are:

(i) cash on hand;

(ii) PLA in excess of the required minimum;

(iii) funds securing settlement accounts; and

(iv) liquidity deposits with Special Services Providers.

4.1.2.d A credit union must advise its SSA if the level of on-balance sheet operational liquidity falls below 2 per cent of total liabilities (less capital).

4.1.2.e As part of its liquidity management system, each credit union must include a policy in respect of large liability exposures to individual lenders or a group of associated lenders. Each credit union must report quarterly liability exposures in excess of 5 per cent and must consult with its SSA prior to acceptance of a liability greater than 10 per cent of the credit union's total liabilities. The onus will be on the credit union to establish that the liability exposure does not constitute an excessive risk to the credit union.

4.1.2.f A credit union that fails to satisfy its SSA that it adequately manages its cash flows and operational liquidity may be directed to hold higher levels of liquid assets, maintain higher levels of capital, report more frequently or otherwise as determined by the SSA.

4.1.3 Managing Market Risk

4.1.3.a Each credit union is to provide its SSA, on request, with a written description of its systems to measure, monitor and control market risk. These systems are to be audited annually by the credit union's external auditors. Their operation in practice is subject to review during on-site inspections by the SSA.

4.1.3.b Failure by a credit union to satisfy its SSA that its practices are adequate to the risks involved may lead to its being required to maintain a capital adequacy ratio above the 8 per cent minimum.

4.1.4 Managing Credit Risk and Large Exposures

4.1.4.a Each credit union is to provide its SSA, on request, with written descriptions of its systems to measure, monitor and control credit risk. These systems are to be audited annually by the credit union's external auditors. Their operation in practice is subject to review during on-site inspections by its SSA.

4.1.4.b Each credit union is to include in this description a written statement of its policy with respect to acquiring assets not defined within primary objects or liquid assets.

4.1.4.c In the normal course of business, a credit union's exposure to its own fixed assets should not exceed the size of its capital base. Exposure beyond this level will require prior consultation with its SSA.

4.1.4.d Each credit union is to provide its SSA, on request, with a written statement of its policy in respect of exposures to individual members or groups of associated members.

4.1.4.e Each credit union must provide quarterly returns of all exposures of the consolidated group to individual borrowers and/or associated borrowers greater than 5 per cent of its capital base (as defined in Prudential Note 4.2). The intention of this Prudential Standard is to identify concentration of risks. SSAs will declare borrowers to be "associated" if there is any suggestion of intent to disguise concentration.

4.1.4.f Before entering into any such exposure greater than 10 per cent of a credit union's capital base (or, in the case of a group, 10 per cent of the groups capital base), the credit union must first consult with its SSA. The onus will be on the credit union to establish that the exposure does not constitute an excessive risk. Lending within primary objects may be exempted from this process if, after examining the credit union's lending policies, the SSA is satisfied that they do not introduce excessive risk.

4.1.4.g Failure by a credit union to satisfy its SSA that its practices are adequate to the risks involved may lead to its being required to maintain a capital ratio above the 8 per cent minimum.

4.1.5 Data Risk

4.1.5.a Each credit union is to provide its SSA, on request, with a written statement of its policy in respect of managing data risk. Detailed records of all financial transactions and balance sheet data should be kept in more than one location. Where records are computerised, back-up and storage procedures should be documented by the credit union and inspected by the relevant SSA, as should procedures for preventing data corruption.

4.1.5.b The Directors of a society should ensure that a full review and assessment of the risks associated with the Year 2000 problem is undertaken. Those systems affected that are critical to using or storing the societys data, must be corrected. Directors must:

• ensure that full testing is carried out to ascertain that any critical systems for using or storing the societys data are not affected by the Year 2000 problem; and

• obtain sufficient assurance that the societys systems and dates will not be significantly affected by inaccurate data or failure of services by its suppliers.

4.1.5.c Each society must have a comprehensive written statement dealing with the risks and events that may arise due to either the society or an external service provider suffering disruptions that may, in turn, disrupt the societys normal business operations. These policies and procedures should form part of a societys Disaster Recovery Plan in respect of managing both data risk and operations risk.

4.1.6 Operations Risks

4.1.6.a Each credit union is to provide its SSA annually with a written statement of its policy in respect of disaster recovery planning and insurance including details of its individual insurance policies. SSAs will monitor the adequacy and currency of these policies. At a minimum, credit unions should take out the following insurance cover:

(i) Fidelity/Bond Insurance

(ii) Fire and Specified Perils

" Physical loss or damage to tangible property due to fire and specified perils including: