Mitchell Klein serves as Ncontracts as vice president of risk services after more than 25 years as general counsel, chief compliance officer and chief risk officer at two multibillion dollar credit unions. An expert in enterprise risk management, he’s also a former member of the CFPB’s Credit Union Advisory Council. Klein sat down to talk about managing risk, what it’s like to be on the vendor side of a relationship, and future risk management trends.
Q: What role does the vice president of risk services play?
Mitch: My job is to be a client resource. If a client has a question about a risk rating, business continuity planning or the best way to word something in a policy, our clients can come to me and my team for my real-world compliance and risk management expertise. I have been in the exact same place our customers are in now, so I understand the challenges that financial institutions face. I have built compliance training programs, hosted webinars and given operational risk presentations to banks and credit unions. In my role at Ncontracts, my role evolves based on requests from clients.
Q: You began your career in financial services more than 25 years ago as general counsel for a community financial institution. How has risk management evolved since that time?
Mitch: In the early 1990s risk wasn’t used as a monitor the way it is today. We didn’t even call it risk. As things evolved and more regulations promulgated and were expanded upon, risk began seeping into the lingo and fabric of financial institutions.
In 2011 or 2012 is when it really started to get more and more recognized. We saw things like vendor management, contract management, business continuity planning and disaster recovery guidance published. Where in the past this was done more on an as-needed basis, regulations and guidance from federal regulators made these things more and more important, and they needed to be dealt with.
Q: How did your role evolve along with risk?
Mitch: Over 24 years with $4.2 billion asset Police and Fire Federal Credit Union I oversaw the legal department, the collection department and at times human resources and the fraud and loss prevention department while serving as the chief compliance officer. As general counsel I was always looking to identify and mitigate risk, especially compliance, litigation and reputation risk. As things became more risk-based my role morphed into what’s considered a risk officer.
By the time I joined $2.7 billion-asset Citadel Federal Credit Union as the chief risk and compliance officer in 2013, I was still filling the general counsel role, but I was also responsible for enterprise risk management and was a senior member of the management team and sat on several committees.
Q: You’re very involved in the industry and are often called upon as an expert speaker on risk and compliance. What’s a common mistake financial institutions make with vendor management programs?
Mitch: Procedures should be detailed, but sometimes they are just too specific. People want to put everything into one document, but what they fail to realize is that if they say they are going to do something, even if it’s something small, they have to do it. They can’t skip over any documented step. If they do, they can experience trouble during an exam.
Q: What were some of your biggest challenges when you were a risk officer?
Mitch: Vendor management was becoming a hot topic with the NCUA and the systems we were using, which I was responsible for, just weren’t working. It’s difficult to run a $2 billion or $4 billion credit union, with all its contracts and third-party vendor relationships, solely with Excel spreadsheets and sticky notes.
I needed something to log contracts and give reminders when they were coming due so we could renew, renegotiate or terminate that contract within the time limits. We didn’t have the resources to set up an entire vendor management department. We needed outside help.
That’s when I learned about Ncontracts. After due diligence we signed on and it took so much responsibility off my plate, freeing me to do analysis and address my other responsibilities. Ncontracts helped risk rate vendors and pull up contracts and review them. It gave me the ability to spend quality time administering our program and overseeing it to make sure it was done right. It was such a critical tool that I implemented it at Citadel FCU after implementing it at Police and Fire FCU.
Q: What’s it like being on the other side of the vendor relationship now?
Mitch: I have the opportunity to work with clients so that their vendor management and ERM programs are robust and work for that individual company as a whole. I meet the people who actually use system and help with system. I know from experience that cookie cutter solutions don’t work.
Q: Where there any surprises?
Mitch: I always appreciated how Ncontracts gathered all the due diligence documentation on vendors, but now that I’m in-house here I see how much work goes into providing these resources to financial institutions. It’s time consuming to gather and review financials, SOC 2s, business continuity plans, cybersecurity information, and other vendor information. I always knew Ncontracts was saving us time but I hadn’t realized just how much time it takes to provide useful information to help financial institutions manage their vendors.
Q: What are examiners focusing on these days?
Mitch: Auditors’ focus changes on a yearly basis. I’ve experienced increased scrutiny on all kinds of operational risk: IT risk, security risk, cyber security risk, BSA/AML, liquidity risk and interest rate risk. After the very low interest rates of the past 10 years, there’s a huge concern that if interest rates spike that financial institutions need to be able to absorb it. BSA and cybersecurity roles are becoming more complex and important.
Q: Where do you see risk management going?
Mitch: In the past two years there have been so many breaches of client information from Home Depot, P.F. Chang’s and Wendy’s. It has reputation risk potential even though financial institutions have nothing to do with that. Financial institution clients do not call Target when there’s a breach, they call their financial institution.
Between breaches and the growing number of DDoS and malware attacks, due diligence on information security of vendors has become more and more pressing. I expect to see more guidance from regulators in these areas. It’s moving towards more complexity and analysis in risk management across different areas.