NCUA Senior Staff Did Not Consistently Address ERM Issues, OIG Report States

ALEXANDRIA, Va.–NCUA senior staff responsible for primary oversight of the agency’s enterprise risk management (ERM) “did not consistently establish, update, or use risk profiles to address” ERM at the agency, according to a new report from NCUA’s Office of Inspector General (OIG).

The OIG initiated the review to assess the NCUA’s ERM risk profiles, the report says. The objective was to determine if the NCUA adequately established, maintained, and used risk profiles to address enterprise-level risks, according to the OIG.

The new report’s findings were first reported by Regulatory Report.

“Our audit determined the NCUA’s Enterprise Risk Management Council (ERM Council) did not consistently establish, update, or use risk profiles to address the agency’s enterprise-level risks,” the report states. “The NCUA’s ERM Council needs to improve the regular assessment and updating of all enterprise-level risks. The ERM Council should improve how it communicates its results to necessary agency officials, as appropriate….”

Two Recommendations

Regulatory Report said the OIG report includes two recommendations:

  • Implement a regular assessment and briefing of all enterprise-level risks, such as through discussion of risk profiles at ERM Council meetings, on a frequency commensurate with risk exposure to monitor that each risk is managed within risk appetite.
  • Clarify how the ERM Council should communicate risk results to agency officials who implement decisions.

Regulatory Report added that the OIG’s report, which has numerous redactions, says agency management agreed with both recommendations and committed to implementing them by March 31, 2027.

The report can be found here.
