9

Risk management

9.1

Credit unions should have proportionate risk management systems, adequate for the needs of their business. Where there is evidence of poor risk management and/or governance at a credit union, the credit union should expect the PRA to engage with it on its mitigation plans. Where the credit union fails to engage or make meaningful progress, it should expect the PRA to engage more fully on whether it has a viable future and, if not, what plans it has to close in an orderly fashion. This could be by way of insolvent wind-up, solvent wind-down, or the transfer of its engagements to another credit union.

Internal audit function

9.2

Credit unions are required to establish and maintain an internal audit function under Rule 15.1 of the Credit Unions Part of the PRA Rulebook. The PRA expects the internal audit function[7] of a credit union to act as a forward-looking tool of risk management and control (taking into account the nature, size, and scope of the credit union’s activities). The PRA expects the internal audit function to be independent from management, report to the board, and be capable of providing robust advice to the board, in particular where material business and regulatory risks are being run. The PRA considers indicators of good practice include:

  • internal audit function checks go beyond basic operational checks; for example, the internal audit function carries out checks to assess the soundness of the credit union’s governance checks (examples include but are not limited to, observations of board meetings to determine whether there is comprehensive strategy-setting process, whether the board considers all matters of material relevance and documents the reasons for its decisions, checks of the board minutes to ensure actions are carried out);
  • the internal audit function provides sufficient challenge to the board; and
  • the internal audit function is sufficiently independent from the board. The PRA expects that where the credit union outsources its internal audit function, it does not engage its external auditor for that purpose unless in exceptional circumstances and, if it does so, only for the minimum practicable period.

Footnotes

  • 7. The PRA acknowledges that many credit unions will in effect utilise their supervisory committee to fulfil this function. The PRA rules make reference to an internal audit function rather than a supervisory committee and as such that terminology is repeated here. It is for credit unions and their boards to consider how they meet applicable rules and guidance and whether their supervisory committee fulfils their needs.

9.3

The PRA expects credit unions with total assets of more than £10 million should be able to meet all of the above expectations. Boards of smaller credit unions may use other means to satisfy themselves that their internal audit function is operating adequately.