
Compliance Matters – New regulations facing credit unions


Early in 2011 some significant changes were made by the Deposit Insurance Corporation of Ontario (DICO) to By-Law No. 5 relating to standards of sound business and financial practices. While By-Law No. 5 has been in existence since 2004, the recent changes have caught the attention of board members who are required to submit a board resolution annually to DICO confirming that “management has provided a representation letter to the board of directors regarding its assessment of adherence to management’s responsibilities under the standards of sound business and financial practices; and the board of directors is familiar with, and is acting in compliance with, the standards of sound business and financial practices”. In order to make such a resolution regarding these standards, it has been agreed that at a minimum, each Class 2 Credit Union is expected to implement an Enterprise Risk Management (ERM) framework that is comprehensive and scaled to suit the size, complexity and risk profile of the organization. Within the By-Law such terminology as risk appetite, risk tolerance, monitoring and other common nomenclature is used to address the requirements of both the board of directors and management.

But what does this all mean?

In order to help alleviate the concerns of Credit Unions as they attempt to interpret the new ERM requirements, on September 29, 2011, DICO published an ERM framework, guidance and an application guide which is available at These publications have been based on industry accepted standards developed in 2004 by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). These documents provide a good baseline to be followed in building a comprehensive ERM framework, but there is still a lot of room for interpretation when attempting to customize the guidance to align with the business needs of each institution and not only mitigate risk, but maximize opportunities.

Understanding Risk Management

Risk is the possibility of an event occurring that will have an impact on the achievement of objectives. It is a concept that denotes a potential negative impact to an asset or some characteristic of value that arises from some present process or future event. Risk is measured in terms of potential impact and likelihood. Enterprise Risk Management is the process of identifying and managing the risks affecting the organization, both internally and externally. The Credit Union’s risk appetite and tolerance determine how much risk it is prepared to accept, and therefore the probability of its objectives being achieved.

As illustrated above, ERM is the process followed to further the achievement of the Credit Union’s objectives. Ultimately, the goal is to maximize the value proposition for the members. So how does one translate the DICO requirements from the concept of a “comprehensive ERM framework” to a “robust ERM program”? This will take more than reviewing the publications introduced above, and will require applying their principles to meet the needs of each individual Credit Union. This is accomplished by building a risk methodology that will assess, on an ongoing basis, not only risks but also opportunities. In order to do so, the methodology must contain some fundamental components that begin with strategic planning and aligning the Credit Union’s risk management efforts with the institution’s vision and long-term objectives. Only then will the Credit Union truly be able to identify those events that may impact the resilience of the organization. Once those events are identified, the risks contributing to the occurrence of those events must be assessed, prioritized, mitigated and monitored. The ERM framework, guidance and application guide provided by DICO are a good start when building such a program. However, in order to ensure the ERM program is effective, it must include a sound methodology that is integrated with the strategic, operational and tactical elements of the Credit Union. The ERM program must also be scaled to reflect the size, complexity and risk culture of each individual Credit Union. This will ensure the benefits of implementing an ERM program outweigh its costs.

What does success look like?

In order to achieve the above, one question each Credit Union should be asking is, “what does success look like?” To achieve success and answer this question, we follow these five guiding principles for effective Enterprise Risk Management:

  • begin with having the right tone at the top (i.e. Governance);
  • be integrated within decision-making;
  • be linked to performance management;
  • include proactive risk assessment, monitoring and reporting; and,
  • be embedded in business processes.

Later this year, Credit Unions with assets in excess of $250 million will be preparing to put in place ERM frameworks that are in accordance with DICO’s expectations, which will be effective for years ending on or after December 31, 2012 with all other Class 2 institutions addressing the requirements in 2013. That’s why we recommend that in order for Credit Unions to develop an ERM framework that is relevant for their institution, they must carefully consider the objectives of the new requirements and balance them with their mandate to create maximum value for their members.

How MNP can help

MNP has extensive experience providing services to many financial institutions, including Credit Unions across Canada, and recognizes this as a time of opportunity and change for Credit Unions. With heightened regulations such as those introduced in By-Law No. 5 and greater expectations from members, many Credit Unions are turning to MNP for advice in the areas of Enterprise Risk Management, Internal Audit, Regulatory Compliance, Information Technology, Enterprise Security and Business Continuity.

For more information please contact:

Annette Kuckartz, CA
National Credit Union Leader
[email protected]
Geoff Rodrigues, CA, ORMP, CIA
Enterprise Risk Services Leader, Eastern Canada
[email protected]