Building a Third Party Risk Management Program

By: Jake Olcott, VP of Business Development at BitSight Technologies.

When looking at cyber security threats to your credit union systems, it is no longer sufficient to implement best practices for your own institution without also evaluating the practices of all your vendors and partners. Considering some of the high-profile cyber breaches of the past few years, including those involving major corporations such as Target, American Express, and Experian, it is evident how serious third party breaches can be.

These breaches cost a great deal to the companies and customers affected. It is critical that credit unions move forward with plans to evaluate and mitigate the risks posed by vendors and other business partners. In light of this growing need, BitSight Technologies recently hosted a webinar entitled “How to Build a Third Party Risk Management Program” for credit union executives around the nation.

Legal Implications of Ineffective Third Party Risk Management

Third party risk management programs are more than an obligation to your customers; these programs are being brought to the forefront and scrutinized by those conducting oversight. During BitSight’s webinar, credit union executives participated in a poll indicating that 85 percent of them had been asked by regulators about their third party risk management practices. In fact, regulators are starting to pursue actions for failure to properly implement programs to prevent third party cyber risk.

What are the Immediate Steps to Ensure Appropriate Third Party Cyber Security?
There are four key steps to take for a top-notch security program:

  1. Identify and Tier Third Parties: A working group including IT, IT security, procurement, and legal should identify and classify vendors. Vendors handling data that is regulated or confidential should be prioritized as critical.
  2. Assess Security: There are a number of methods credit unions can use to assess security. In BitSight’s webinar poll, the most common tools used by credit union executives were audits and requests for documentation, with nearly all respondents already doing these. In addition, about a quarter of the executives in the webinar said they were conducting onsite visits or desk assessments; 38 percent of managers are currently using vulnerability scans and penetration tests, and 43 percent of the webinar poll respondents were also using questionnaires.
  3. Negotiate Contractual Terms: Existing contracts need to be reviewed to ensure they reflect the level of security you expect. Use “point in time” tools to evaluate third parties.
  4. Ongoing and Continuous Monitoring: This involves constant oversight integrated into the lifecycle of the security assessment process, and leverages the use of automated feeds.

The Vendor Risk Management Maturity Curve

This curve represents each step of the security process as outlined above. When asked which level of the vendor risk management curve their credit unions fall at, 16 percent of executives at BitSight’s webinar said they were at level one, just over half of all executives were at level two, 30 percent were at level three, and two percent were at level four. One of the problems many executives have in reaching levels three and four pertains to small organizations: the process can become costly and require extensive manpower.

The entire webinar slide deck with in-depth graphics, tips, techniques, and tools your credit union can leverage is available for download here.

BitSight Technologies is the NAFCU Services Preferred Partner for Cybersecurity Ratings for Vendor Risk Management and Benchmarking. More educational resources and partner contact information are available at

How to Create a Successful ERM Program

By: Bill Hord, Vice President of Enterprise Risk Management Services for Quantivate.

Credit unions seek to accomplish their strategic objectives within the framework of their mission. Once management has determined their strategic objectives, they set about creating strategies to achieve their objectives. Having a solid ERM framework applied in the strategy-setting process allows the credit union to identify and mitigate or accept the risks in pursuit of their objectives.

Utilizing an ERM framework helps the credit union provide reasonable assurance to the board of directors and management related to the achievement of the credit union’s objectives. This assurance is based upon the understanding of risks related to the objectives, and furthermore, that the risks have been reduced to acceptable levels.

Proper use of ERM will assist the credit union by also providing better governance and management processes that ultimately lead to informed risk-based decisions. These decisions and the internal controls in place to help mitigate the risks will reduce the risk associated with achieving the credit union’s objectives and help ensure they are within the stated risk appetite.

In order to create a successful ERM program you should:

  • Determine and utilize the proper risk framework for your credit union
  • Define and prioritize significant risks and identify the weakest critical control
  • Measure risk and controls
  • Complete a risk assessment and build a risk committee

Listen to the full podcast, “How to Create a Successful ERM Program”, for an in-depth discussion about how your credit union can strategically create an ERM program that is set up for success from the very first day of implementation.

During this 25-minute podcast, industry expert Bill Hord, Vice President of Enterprise Risk Management Services for Quantivate, joins Devon Lyon, Director of Education for NAFCU, and breaks down the steps your credit union should take to properly determine, assess, and prepare for risks when evaluating the best ERM program for your organization.

If you missed Part 1, Getting Down to the ERM Basics, you can listen to the full podcast here.

Quantivate is the NAFCU Services Preferred Partner for Vendor and Contract Management Software. More educational resources are available at

Let’s Talk – Seriously – About Retirement

As an industry leader, we are fully engaged in the continued national dialogue around retirement readiness. A major part of that effort is speaking with retirees as well as those still in the active phases of their careers to determine what issues and concerns they have about strategizing for their futures.

To learn more about retiree perspectives, Pentegra regularly commissions a Harris poll to determine the state of the retirement nation. This year we also independently interviewed dozens of retirees for additional insights as part of our Beyond the SmartPath™ initiative.

The results of the survey and follow-up interviews held no spectacular surprises. Among those we interviewed, every respondent echoed the long-standing plea of the retirement industry and our Harris poll results: Save early and often. Most suggested doing this by getting involved as soon as possible in any retirement savings vehicle offered by one’s employer – especially a 401(k), if available – and to contribute enough to take full advantage of employer matching contributions.

Our respondents also universally advocated the truism that it’s never too early – or too late – to start saving for one’s retirement. “The key thing is that the cost of living keeps going up, which makes it difficult to set money aside,” noted one. “But a little something is still better than nothing.”

A recurring theme was that conversations about planning for retirement are not taking place with enough frequency today. Most of the folks we spoke with said they grew up in households where serious advice about the topic was entirely absent.

The establishment of the 401(k) in 1978 changed all that. Workers became more directly involved in the topic, and as a result they tended to offer practical advice to their own children … if not from a young age, then certainly as their kids began weighing, and embarking upon, their own career options.

However, how seriously those children – and successive generations – have taken those talks remains very much in doubt. A constant misconception that “comes with the territory” of being young is that thinking about retirement is something that does not need to occur for years to come … a fallacy that is unfortunately all too common.

Although retirement services providers like Pentegra can explain the ins and outs of various retirement savings strategies, the fact that so much misunderstanding, misinformation – or, for lack of a better word, apathy – about retirement planning remains, is a sobering fact. Thus, we are introducing and promoting the hashtag #talkaboutretirement, designed to help spur dialogue among family members, business associates and friends, in addition to industry professionals.

We hope that #talkaboutretirement will indeed become a trending topic – one that continues to trend for some time. Having an open dialogue about how you view your retirement savings (if at all) can only help, both in the short term and the long run.

Pentegra Retirement Services is the NAFCU Services Preferred Partner for Qualified Retirement Plans for Credit Union Employees. More educational resources can be found at

Getting Down to the ERM Basics

By: Bill Hord, Vice President of Enterprise Risk Management Services for Quantivate.

Most people in the credit union community likely have a basic understanding of Enterprise Risk Management (ERM). But why is it important to the success of your credit union? And more importantly, how do you get started?

Top three things to know about Enterprise Risk Management:

  1. ERM helps credit unions develop strategies to identify the risks and opportunities impacting their strategic objectives.
    • ERM enhances risk response decisions and reduces operational losses by identifying potential risks ahead of time.
  2. ERM helps credit unions mitigate those risks to provide reasonable assurance to the board of directors and management related to achieving their strategic objectives.
    • ERM programs help executive management make better decisions on how risk should be managed and build confidence with your board and auditors. Having an enhanced risk identification strategy allows your credit union to implement preemptive and proactive practices.
  3. ERM helps credit unions with the alignment of risk appetite and strategy to improve the deployment of capital.
    • A successful ERM program ultimately decreases the number of risk incidents, reduces cost of capital, and increases overall risk awareness at your credit union.

For more on Getting Down to the ERM Basics, join industry expert Bill Hord, Vice President of Enterprise Risk Management Services for Quantivate, for an insightful podcast. He sits down with Devon Lyon, Director of Education for NAFCU, for a high-level overview of enterprise risk management. Bill covers the ins and outs of what ERM is, what success looks like, and how to manage the ERM process. Listen to the full podcast here.

How Innovative Plan Design Can Contribute to a Credit Union’s Success

Taking a holistic approach to designing any member’s retirement plan is a goal well worth trying to attain. This is especially true when it comes to credit unions, where many of the same factors facing banks today – ever-proliferating technology, competition, and consumer demands – are being felt just as strongly.

Developing an effective and flexible retirement program involves creating a plan that not only assists employees in meeting their retirement goals but that also addresses a credit union’s business needs. Designing the right retirement program requires a keen understanding of an organization’s management philosophy; compensation strategy; competitive considerations and analysis; demographic considerations; the maturity of the institution; and – of critical importance in today’s shifting landscape – the different types of retirement plans available.

We have identified two basic approaches to developing a business’s employee benefits program. First is the objective approach, wherein one takes into consideration what kind of balancing of benefits is needed for employees; after all, a 50-year-old employee’s needs are vastly different from a 25-year-old’s.

With the second – the competitive approach – benefits and compensation packages are offered in order to attract and retain employees; benefit adequacy involves an analysis of wages and the level of benefits offered by one’s peers. Again, the state of play in the credit union space in Washington, D.C. will be vastly different than that in Boise, Idaho, or Peoria, Illinois. An ideal plan will include both the objective and the competitive approaches.

What we call the “cross-tested plan” seems to be one of the most effective tools in plan design today. Such plans are being used more frequently as a way to reward longer tenured employees; reward and incent by job category; restore benefits lost due to a defined benefit (DB)/pension plan freeze or cutback; and/or provide additional benefits in lieu of a supplemental executive retirement plan (SERP) or non-qualified plan.

While DB pension plans tend to favor older employees, a cross-tested plan is a type of 401(k) or profit sharing plan that can be designed to allow a credit union to allocate contributions to specific groups of employees, who can be sorted by a number of categories including age, tenure, job category, and management versus non-management.

Furthermore, cross-tested plans focus on benefits at retirement rather than on regular contributions, enabling employers to provide higher contribution amounts (expressed as either a percentage of compensation or a dollar amount) to older employees, employees with more years of service, and/or employees who are performing the most important functions for the business. Because younger employees have a longer time horizon in which to grow their assets, cross-tested plans effectively permit employers to contribute more for their older employees.

In a cross-tested plan, each subset of employees receives a different level of contributions, and must be defined in the plan document. The actual contribution percentages can be decided at the end of each plan year and can change from year to year. What’s more, a company that already has a traditional 401(k) can overlay a cross-tested plan or establish a separate profit-sharing plan.

Keep in mind that every cross-tested plan has its own individually designed formula, allowing a given organization the ability to control its own destiny in terms of total contributions made on a year-by-year basis.

With an age-weighted plan, employer contributions are allocated among eligible employees based on both age and salary. Again, since a participant’s time horizon to retirement is factored into the allocation, older, more highly compensated employees tend to receive a larger share of the overall contributions.

Rich Rausser

There are, of course, other factors to think about when considering a cross-tested plan. But these are the broad strokes; I encourage you to investigate further on your own, or contact a reputable retirement planning provider to learn more.

Pentegra Retirement Services is the NAFCU Services Preferred Partner for Qualified Retirement Plans for Credit Union Employees. More educational resources can be found at