Information Technology Governance in a Credit Union

“The rapid advancement of technology innovations in recent times has fundamentally changed business processes and models in financial firms of all sizes including credit unions. These advancements have introduced efficiencies and cost savings for firms and their customers. However, these technologies also bring significant risks, as firms become increasingly interconnected and more reliant on increasingly complex IT systems and outsourcing service providers to conduct their business and deliver services to members.”

Central Bank of Ireland 2020 PRISM Supervisory Commentary Report Sept 2020.

Information Technology is woven into, and supports, every credit union function. It has also become more complex, and its Risk and Governance aspects may be beyond the understanding of the management of a credit union.

What Andrews Duffy Provide:

“An independent oversight of the IT solution, assuring it complies with required regulations, IT risk management and interfacing with the IT providers. We create, using clear language, IT oversight reports to provide manageable, understandable information for the Credit Union management and board.”

Simple questions to ask yourself

How do you govern a function if you do not fully understand how it works?

Do you have members of the Risk / Audit committee that have knowledge of IT?

“It is the board and management’s responsibility to understand the specific IT related risks that the credit union faces and to ensure that these are sufficiently mitigated in line with the credit union’s risk appetite. Credit unions need to understand their vulnerabilities in relation to risks associated with IT and cyber security and work to address these. This is of particular importance in an environment where an increasing proportion of services are provided remotely.” CBI 2020 PRISM Commentary

Various reports from the Central Bank highlight Governance issues – policies, procedures, business continuity, systems and security issues that have been discovered in their audits of credit unions. This shines a light on good and bad practices in credit unions. We sift through the IT-oriented reports or sections from the Central Bank to highlight the positives that can be addressed and areas where improvement is needed.

  • Understanding of IT Governance and its approach is varied and ranges from good knowledge and practice, to being very dependent on external support from IT service suppliers and third party consultants to provide both IT services and assurance.
  • Some IT policies were not localised to the individual credit union requirements and therefore were not understood by the credit union’s Board and management.
  • Exit, termination and transition stages of services from an outsource partner to another third party or back in-house were not included in any outsourcing policies provided.
  • The majority of credit union managers interviewed demonstrated basic IT knowledge and basic understanding of IT Risk Management. The management of a credit union are responsible for understanding the specific IT risks based on the scale and complexity of the business and to ensure such risks are sufficiently mitigated. This knowledge and understanding must be appropriate to the scale and complexity of the activities undertaken.
  • Some credit unions viewed IT more as an expense item and did not appear to view IT as a core enabler of their business which requires robust risk management.

If you need advice, please contact us.