Approach to Risk Management
While our strategy is the primary driver of all activities at BlueShore, we recognize that there are risks inherent in our strategy and business activities and therefore prudent risk management is a constant companion and a lens through which we view and manage the execution of our strategy.
These risks are managed through an Enterprise-Wide Risk Management program; a structured, consistent and continuous program across the organization for identifying, assessing, managing and reporting on the significant risks inherent in the business. The program is comprised of policies, procedures, activities, tools, reports, oversight and independent review, and designed to ensure significant risks are managed in accordance with BlueShore’s Risk Appetite Framework through its Risk Management Governance Structure.
Risk Management Governance Structure
BlueShore’s Board of Directors has overall responsibility for the oversight of the Risk Appetite Framework and Risk Management policy. The Board has established sub-committees to oversee BlueShore’s risk management activities. These include the Human Resources and Compensation Committee, Investment and Loan Committee and the Audit Committee. In 2022, commensurate with our growth, the Board formally approved a Risk Committee to provide additional oversight of enterprise risk management. This Committee must satisfy themselves that the risk management processes designed and implemented by Management are acceptable and aligned with BlueShore’s strategy and the Board’s approved risk appetite and governance frameworks. It has direct oversight of the Chief Risk Officer and utilizes the tools and reporting provided by Management to independently determine the adequacy of Management’s actions to manage risk.
Management’s responsibility is to identify and assess the risks faced by BlueShore and to determine the most appropriate way to manage these risks. In carrying out this responsibility, Management monitors adherence to established risk policies and limits. Risk management policies and controls are reviewed regularly to reflect changes in the business, market conditions, product and service offerings, portfolio performance and economic trends.
Management has established various committees to oversee the organization’s risk management activities. The Management Risk Committee (MRC) is BlueShore’s highest (non-Board) risk committee. MRC is responsible for overseeing a consolidated, enterprise-wide view of BlueShore’s risks, regardless of how these risks may be managed on an individual or departmental level.
The MRC has the authority to delegate any risk-related responsibilities to other committees, as required or prudent (e.g. liquidity risk is managed through the Asset Liability Committee and credit risk is managed through the Management Credit Committee). Risks identified through other Committees are escalated back to the MRC by committee chairs for further discussion, tracking, and resolution if required.
Risk Appetite Framework
The Risk Appetite Framework sets out BlueShore’s ability and willingness to accept and manage different types of risk in the course of engaging in its business activities. The MRC ensures that significant risks are appropriately identified, assessed and managed via mitigating controls to ensure alignment with the Risk Appetite Framework. Through its ongoing review of risks, the MRC may also recommend changes to the Risk Appetite Framework to the Board at any time.
The Credit Union’s risk appetite identifies the amount and types of risk that we are willing to accept, both in our day-to-day business and in executing our strategy, given our structure, size, complexity, business model, vision, core purpose, capital capacity, and competitive marketplace. Therefore, defining our risk appetite requires appropriately balancing risk and rewards.
We also reassess our risk appetite in anticipation of, or in response to, changes in the business, economic or regulatory environment.
Three Lines of Defence
BlueShore has adopted the “Three Lines of Defence” approach. This model details the accountabilities of each line and clearly documents the responsibilities of each.
First Line of Defence
Business and Functional Department Accountabilities
- Accountable for identifying and mitigating within their respective functional departments
- Develop policies, procedures and controls to ensure the assets of the organization are protected
- Identify opportunities to optimize risk and responsibilities for ongoing effectiveness of controls
- Act within their delegated risk-taking authority as set out in established policies
Second Line of Defence
Risk Management Team Accountabilities
- Develop and review BlueShore’s risk management policies and procedures for managing significant risk to ensure that they remain appropriate
- Oversight of, but independent from, the day-to-day management of risks
- Challenge risk ratings and control effectiveness assertions from risk owners
- Establish risk policies and procedures
- Oversee the Enterprise Risk Management Program
- Provide the Board of Directors with reports that will enable it to assess whether BlueShore has an ongoing, appropriate and effective risk management program
Third Line of Defence
Internal Audit Accountabilities
- Challenge the effectiveness of the first and second line of defence
- Set an audit program independently to validate strengths and assess weaknesses
- Issue audit findings that require Management action; close findings when remediation is completed to Internal Audit’s satisfaction