Top Ten List of Things Ongoing Operations Learned in Their CUSO Exam

This is a post by Kirk Drake (with a little input from me) on the Ongoing Operations Blog which you should check out.

Earlier this year, the National Credit Union Administration (NCUA) conducted a voluntary CUSO exam of Ongoing Operations. Overall, the experience was a positive one with the Regulators having the opportunity to really learn about our business and our CUSO having the opportunity to address some of their biggest fears. Ongoing Operations is in a unique position as a Disaster Recovery and Business Continuity provider. Through our success in helping over 20% of the credit union market greatly reduce its business interruption risk, we have unintentionally become a cog in the wheel of systemic risk. We were successful in the exam process and through our diversified power, communication, data center, and staffing grids, we were able to demonstrate to NCUA that we actually reduce the risk for our clients both individually and systemically. We also believe the same approach will be successful in the hosted services and cloud world as we can bring expertise, technology, and scale to the credit union industry and reduce not just their IT Risk but their compliance and security risk as well.

Following the exam we requested, and were recently notified of, the NCUA’s posting of their supervision manual.

We believe it is essential for CUSOs and credit unions alike to know what NCUA will be looking for as they begin to examine more of us. We also think it is absolutely vital that as an industry we work together to make sure we don’t put CUSOs at a competitive disadvantage, reveal trade secrets, or squash a key innovation engine for the industry through regulation or regulatory burden. To help in that regard – Guy Messick, Messick and Lauer, and I have put together this list of top ten lessons learned from the Ongoing Operations exam.

  • Shape the Scope of the Exam: Read the CUSO Portion of the Examiner’s Guide and the National Supervision Policy Manual. See what the examiners are told to do and if they exceed the scope, call them on it. Ask other CUSOs what they were asked for, what they provided and what they refused to provide. CU Answers is providing a website for CUSOs to share their exam experiences. Filter everything you decide to share with the NCUA on the basis of “Does this pose an investment risk to our credit union Investors?”, “Would you share that information with an investor?” or “Does the information directly relate to an operational risk for a credit union client of the CUSO?” If not, the NCUA probably doesn’t really need the information or it may not be appropriate to provide it.
  • Expect What You Share to be Shared: If you provide a document or client list – don’t expect that it is in your control anymore and anticipate it may become public information. For example if you want to keep your non-owner clients private, you may not want to share the information with NCUA. Even if NCUA wants to keep information confidential, it is possible that a judge could overrule them on a Freedom of Information Request.
  • Control the Access to Information: Isolate the exam materials and data. Make it accessible only in one place and insist it never leaves the premises. Keep an inventory and check it at the end of each day. Don’t just provide login information for anything (such as an online Business Continuity Plan). Instead assign someone to sit with the examiner and walk them through stuff. Approach it from the angle that you really want to learn what is important to them and their opinion real-time. This will help prevent surprises in the process.
  • Be Professional and Courteous: Remember that the examiners are doing their job. They are following a process and procedures and don’t take out any general frustrations with the Agency on the individual.
  • Approach “No” as a Discussion: Explain to the examiner why you don’t think the information they requested has bearing on investor risk, listen to their answer and be willing to change your mind if needed.
  • Calculate Some Ratios: In advance of the examination, develop some key ratios of how you measure your financial performance against peers. NCUA is all about ratios. That is what they do in examining credit unions. So humor them and do ratios that you think have some meaning. Remember that meaningful ratios for capital intensive lending institutions are not the same as ratios for non-capital intensive fee based businesses or operational costs centers.
  • Manage the Process: Make sure you set your agenda and expectations related to the process including identifying what happens after the exam, follow-up calls, report response, meeting with your board, and notifying your investors of any findings. Being one step ahead on this one will eliminate unfortunate timing or process mistakes and make sure you manage the message to your constituents.
  • Communicate with Your Owners: Keep your owners informed of the CUSO Exam Process. Avoiding surprises is always the best policy when dealing with your owners, especially because the rules of the game for CUSO Exams are still in flux. Also, let NACUSO know about your experience. They can help get the word out.
  • Educate: Many examiners will think of the CUSO as a third party and do not understand the tangible benefits to the credit unions participating. Help them see that CUSOs are the collaborative extension of their credit union owners. Tell them how much the credit unions are saving or earning by working with the CUSO. In some cases, the CUSO will be the difference in keeping a credit union in the black. If you can turn the examiners into believers you will have expanded your marketing department.
  • Try to Buy Them Lunch: It is great sport. I failed at this one. I tried hard to preempt the waitress and buy the examiners lunch before she brought the bill. They are quick though and beat me to the punch. I don’t know what happens if you successfully do buy them lunch – but I think it is absolutely worth finding out how much paperwork that generates…they are government employees after all.

Ongoing Operations is a Cloud, Business Continuity, and Disaster Recovery CUSO that works with over 450 credit unions throughout the United States.