Transcription of Standards of Sound Business and Financial Practices
Standards of Sound Business and Financial Practices
February 2016

Version History

Original: issued June 2007
Revised: issued October 2010; section(s) updated: G-9, M-7; reason for update: Enterprise Risk Management
Revised: issued February 2016; section(s) updated: G-8, G-9, G-13, G-14, M-7, M-10, M-1, Appendix A; reason for update: IT Governance

Table of Contents (last date revised in parentheses)

Introduction (Jun 07)
The Standards (Jun 07)

Governance Standards
G-1 Understand and Fulfill Responsibilities (Jun 07)
G-2 Exercise Independent Judgment (Jun 07)
G-3 Establish Board Committee and the Chief Executive Officer's Responsibilities and Accountability (Jun 07)
G-4 Select the CEO (Jun 07)
G-5 Evaluate the CEO (Jun 07)
G-6 Review Compensation (Jun 07)
G-7 Establish Standards of Business Conduct and Ethical Behavior (Jun 07)
G-8 Oversee Strategic Management (Feb 16)
G-9 Oversee Risk Management (Feb 16)
G-10 Oversee Liquidity and Funding Management (Jun 07)
G-11 Oversee Capital Management (Jun 07)
G-12 Affirm Internal Control Environment (Jun 07)
G-13 Oversee the Independent Internal Audit Function (Feb 16)
G-14 Ensure the Institution is In Control (Feb 16)

Management Standards
M-1 Strategic Management Process (Jun 07)
M-2 Risk Management Process (Jun 07)
M-3 Credit Risk (Jun 07)
M-4 Investment Risk (Jun 07)
M-5 Interest Rate and Foreign Exchange Risk (Jun 07)
M-6 Fiduciary Risk (Jun 07)
M-7 Operational Risk (Feb 16)
M-8 Liquidity and Funding Management (Jun 07)
M-9 Capital Management (Jun 07)
M-10 Regulatory Compliance Risk (Feb 16)
M-11 Control Environment (Feb 16)
M-12 Business Conduct and Ethical Behavior (Jun 07)
M-13 Process to Ensure (Jun 07)

Glossary of Terms (Jun 07)
Appendix A: Enterprise Risk Management - Model Policy (Feb 16)
Appendix B: ERM Risk Committee Sample Terms of (Jun 07)
Appendix C: Implementing Enterprise Risk Management (Jun 07)
Appendix D: Conducting a Self Assessment (Jun 07)

CREDIT UNION DEPOSIT GUARANTEE CORPORATION

INTRODUCTION

Standards of Sound Business and Financial Practices set out what are considered the best business and financial practices of financial institutions. They were first defined in 1996, and subsequently revised in 2001 with the CUSAR (Credit Union Self-Assessment Report) introduced at that time. They have provided excellent guidance over the years. The Credit Union Deposit Guarantee Corporation undertook a review of existing Sound Business Practices with a view to ensuring relevance in these changing times, and to incorporate the principles of Enterprise Risk Management (see Appendices A, B, and C for information specific to Enterprise Risk Management).
The project recognized the need to manage risk strategically as a result of the rapidly changing industry and environment, the greater concentration of assets and risks in fewer but larger credit unions, deeper organization structures, new delivery systems and products, increasing reliance on technology, and greater market volatility. The revision has been written such that the Standards have application to individual credit unions regardless of size and/or complexity. Standards formerly issued by the Canada Deposit Insurance Corporation (CDIC), as well as those in use by Credit Union Stabilization (British Columbia) and Credit Union Deposit Guarantee Corporation, Manitoba, were used as a basis for the review.
They were selected for the following reasons:
- they are recognized best practices
- they reflect the operation of Canadian financial institutions
- the use of a proven model saved allocating resources to developing an entirely new framework.

Our sincere thanks to them for sharing their work so generously. Additionally, draft Standards were provided to a number of credit unions for their preliminary review and feedback; we gratefully acknowledge all the assistance we have received. We believe these revised Standards support increasing autonomy for credit unions and assign accountability for risk management where it most appropriately resides.
THE STANDARDS

The Enterprise Risk Management Version of the Alberta Credit Union Standards of Sound Business and Financial Practices ("Standards") were developed to enhance the current Standards and to assist credit unions in the development of their ERM practices. The Standards use a number of defined terms which are included in the Glossary of Terms included just before the Appendices. The Standards are comprised of two parts:
- Standards G-1 through G-14 deal with Corporate Governance and the Board of Directors' responsibility for overseeing risk management.
- Standards M-1 through M-13 deal with the CEO and senior management's responsibility to implement effective risk management processes.
Both the Board and management should have an understanding of all 27 Standards. An enterprise risk management model policy, which sets out the role of the Board and the role of management in the risk management process, was developed and is attached as Appendix B.

Application of the Standards

The Standards are to be applied to the credit union and each of its subsidiaries and any other operating entity over which it has a measure of control. To provide guidance and interpretation, each Standard is accompanied by Commentary and Points to Consider.
Purpose of Commentary and Points to Consider

The Commentary, which accompanies each of the Standards, discusses briefly the intent of the Standard and has been written to provide an overview of operating principles. It is not intended to impose requirements in addition to the Standards. The examples are for the purpose of illustration only, and may not include all risks that a credit union may incur. What is important is to identify the significant risks your credit union encounters in its business activities and to develop policies, procedures, and processes to manage those risks effectively. The Commentary and Points to Consider are intended to promote thought and discussion.
They are not strict requirements nor are they checklists of criteria that individually or collectively warrant the conclusion that a credit union is meeting the Standards. These two areas may be amended to provide further detail or clarification, as the need arises.

The Rationale for the Standards

Risks are not uniform between credit unions as each is engaged in different business activities and each has a different risk tolerance. Experience has shown that well-managed institutions, with robust risk management practices, are less likely to encounter difficulties of the kind, or to the degree, that may result in significant losses or regulatory intervention.