bankmecu works to minimise and manage exposure to risk by maintaining high levels of awareness, analysing reliable information and implementing effective controls. Each operational area across the Bank manages its own risks. This approach creates a first line of defence and encourages a risk culture that involves all staff. A central risk and compliance team, led by our newly appointed Chief Risk Officer, creates a second line of defence. This team is responsible for:
- developing risk strategy and risk treatment plans
- overseeing risk management practices
- maintaining risk registers, incident and issue registers, complaints and disputes registers
- monitoring compliance obligations
- applying the risk appetite to day-to-day business activities.
Internal audit provides our third line of defence, via an independent assurance function. Our internal auditors report to the Audit and Compliance Committee, which meets quarterly.
The Risk Committee of the Board meets monthly and considers all aspects of risk performance, including appetite and risk tolerance levels. Our tolerance thresholds for credit risk and for capital and liquidity risk are more conservative than the levels APRA requires, reflecting our responsible banking practices and sensitivity to risk.
Risk management and risk appetite
bankmecu is currently considering a new risk appetite statement and risk management improvements for six major risk categories:
- Financial Risk. This category covers risks directly associated with the Bank meeting its financial obligations as and when they fall due. On the back of a responsible loan portfolio funded by customer deposits, we manage our capital, liquidity and interest rate positions within Board-approved limits. We aim to preserve balance sheet strength, ensure a strong and sustainable credit rating and not introduce unacceptable risks. Hedging may occur within strict guidelines.
- Credit Risk. This category covers the risk of financial loss if a customer fails to meet contractual obligations to repay a debt, and it arises principally from loans and advances to customers. Lending is the major part of our business and has the potential to be a significant risk in difficult economic times. The Bank has a low risk, high quality loan portfolio, based on established procedures and assessment techniques, conservative lending policies and clear approval limits. Risk taking occurs within a tight framework of controls and established criteria, with growth pursued in target markets.
- Governance Risk. This category covers the rules, processes, policies and regulations that define the Bank's capacity, operational management and administration. It includes risk management and compliance risk. Our three lines of defence mean that we assign risk ownership at the points where failures and losses occur, with oversight from the second and third lines. Because we pin our reputation on 'higher' values and responsible banking practices, we are sensitive to any failure to adhere to those values, and our governance model is supported by a strong compliance culture.
- Development Risk. This category covers all risks associated with promoting and communicating products and services to existing and potential customers. It includes risks associated with brand awareness and positioning, product and service distribution, competitors, reputation, and communications to customers and the public via all media. The Bank's brand and market position are built on its commitment to environmental and social responsibility. We have controls that bring products, brand, media profile and community initiatives together to deliver profitability and growth as a responsible and sustainable bank.
- Operational Risk. This category covers the risk of loss from inadequate or failed internal processes, people and systems, or from external events. It includes infrastructure failure, security breaches, human error, fraud and privacy breaches. The nature of operational risk means it can never be completely eliminated, but staff training and education, regular maintenance and test schedules, software upgrades, ongoing threat assessments and documentation are steps that reduce both the likelihood of an operational risk event and its impact when one occurs.
- Strategic Risk. This category covers the potential loss that might arise from pursuing an unsuccessful corporate strategy. It can arise from making decisions based on incorrect information, unfounded assumptions or a mismatch between opportunities and capability. It can also be the result of poor execution of the Strategic Plan, not assigning the right resources or a failure to respond to changes in the business environment. bankmecu has a robust annual strategic planning exercise with strong Board engagement. The Board regularly tests decisions, and we have measures to evaluate current and future performance. Our smaller scale means bankmecu can be extremely agile and directional changes can be implemented quickly.
Each risk category has five sub-categories, creating 30 key risks altogether. Each risk is allocated indicators and tolerance levels, which are monitored to ensure the risk remains within acceptable levels.
Top 10 risks
Key risks are identified at least annually. The top 10 risks in 2014 were:
- credit risk
- fraud risk
- contagion from underperformance or problems in the mutual sector
- competition and margin squeeze
- technology risk
- emerging technologies risk
- regulatory risk
- hostile takeover risk
- media and communications risk
- environmental, social and governance (ESG) performance risk.
Key risk incidents and how we managed them
Hazelwood Fire at Morwell, Victoria in February and March 2014
A fire at the Hazelwood open cut coal mine affected the air quality in Morwell, Victoria, posing a potential health hazard for two weeks. We took the following actions to support staff at the Morwell service centre:
- Staff received community information sheets prepared by the Victorian Government Department of Health, which gave guidance and advice on air quality in Morwell.
- We advised staff that they could work from other sites in Gippsland if the conditions affected them adversely, and provided counselling services (via the Employee Assistance Program).
- We adjusted the working arrangements at the Morwell site as necessary, such as closing the automatic doors, providing side access for customers and staff, and using fans to direct smoke out.
- We closed external air conditioning ducts and recirculated air internally. We also engaged a commercial cleaner after the incident.
Power failure at Computer Data Centre March 2014
Our banking system provider experienced an unplanned power outage when the bureau hosting services provider implemented a new Uninterruptible Power Supply (UPS). The IT systems, including the Core Banking System, were unavailable for three hours. To mitigate further outages and possible data corruption, management invoked the Business Continuity Plan and transferred all key IT systems to the backup site. We kept the ATM and EFTPOS network operating using offline balances via Cuscal and provided other services face to face at our service centres.
Cryptolocker virus attack May 2014
A staff member followed a web link embedded in an email, which triggered a Cryptolocker ransomware infection. Customer service was not disrupted. IT staff isolated the infected machine, blocked further emails containing the source web link, identified and removed the encrypted files, and then restored the affected files from the previous night's backup. A post-incident review recommended changes to staff web site access, and we conducted an awareness training program to educate staff on identifying potential email phishing attacks and other internet-based scams.
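The cleanup steps described above (identify the files the ransomware touched, remove them, restore them from the previous night's backup) can be made mechanical once a backup manifest exists. The following is an added example, not bankmecu's tooling or any part of the original report; it assumes a hash manifest of the backup, treats a file as encrypted when its hash has changed since the backup and its byte entropy is near 8 bits per byte, and uses a constructed set of ransom-style file suffixes and a constructed temporary file tree as sample input.

```python
"""Ransomware triage and restore helper (added example, not the bank's code).

Assumptions: last night's backup is intact and a SHA-256 manifest of it can be
built; encrypted files look like random bytes (entropy near 8 bits/byte); the
suffixes in RANSOM_SUFFIXES are illustrative, not a real family's list.
"""
import hashlib
import math
import os
import shutil
import tempfile
from pathlib import Path

RANSOM_SUFFIXES = {".encrypted", ".locked", ".crypt"}  # assumption, illustrative
ENTROPY_THRESHOLD = 7.5  # bits per byte; ciphertext sits near 8.0, text near 4-5


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_manifest(root: Path) -> dict[str, str]:
    """Map relative path -> SHA-256 for every regular file under root."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}


def triage(live: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Classify the live tree against the backup manifest.

    damaged: known file whose content changed and now looks encrypted
    missing: known file no longer present (deleted after being re-encrypted)
    foreign: new file carrying a ransom suffix (encrypted copy or ransom note)
    A changed file with low entropy is treated as a legitimate user edit.
    """
    result: dict[str, list[str]] = {"damaged": [], "missing": [], "foreign": []}
    for rel, digest in manifest.items():
        p = live / rel
        if not p.exists():
            result["missing"].append(rel)
        elif sha256_of(p) != digest and shannon_entropy(p.read_bytes()) > ENTROPY_THRESHOLD:
            result["damaged"].append(rel)
    for p in live.rglob("*"):
        rel = str(p.relative_to(live))
        if p.is_file() and rel not in manifest and p.suffix in RANSOM_SUFFIXES:
            result["foreign"].append(rel)
    for bucket in result.values():
        bucket.sort()
    return result


def remediate(live: Path, backup: Path, verdict: dict[str, list[str]]) -> list[str]:
    """Delete foreign files, then copy backup versions over damaged/missing ones."""
    for rel in verdict["foreign"]:
        (live / rel).unlink()
    restored = []
    for rel in verdict["damaged"] + verdict["missing"]:
        dst = live / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(backup / rel, dst)
        restored.append(rel)
    return sorted(restored)


def simulate() -> tuple[dict[str, list[str]], list[str], dict[str, list[str]]]:
    """Constructed scenario: backup tree, live tree hit by ransomware, cleanup."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, live = Path(tmp, "backup"), Path(tmp, "live")
        for root in (backup, live):
            (root / "loans").mkdir(parents=True)
            (root / "loans" / "applications.csv").write_bytes(b"id,amount\n1,250000\n" * 200)
            (root / "loans" / "policy.txt").write_bytes(b"Conservative lending policy.\n" * 100)
            (root / "memo.txt").write_bytes(b"Morning memo: all quiet.\n" * 50)
        manifest = build_manifest(backup)
        # Ransomware overwrites one file in place, re-encrypts another under a new
        # name and deletes the original, and drops a note; a user edits memo.txt.
        (live / "loans" / "applications.csv").write_bytes(os.urandom(4096))
        (live / "loans" / "policy.txt.encrypted").write_bytes(os.urandom(4096))
        (live / "loans" / "policy.txt").unlink()
        (live / "HOW_TO_DECRYPT.txt.locked").write_bytes(os.urandom(512))
        (live / "memo.txt").write_bytes(b"Morning memo: all quiet. Edited.\n" * 50)

        verdict = triage(live, manifest)
        restored = remediate(live, backup, verdict)
        return verdict, restored, triage(live, manifest)


if __name__ == "__main__":
    print(simulate())
```

Files that changed since the backup but still have low entropy (the edited memo above) are deliberately left alone, because they are the day's legitimate work and the previous night's backup cannot give it back; this is the trade-off behind restoring from a nightly backup, and it is why the entropy check matters rather than simply reverting every changed file.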