
Credit Union Compliance Management System (CU CMS) User Manual

This guide is meant to provide an in-depth explanation of the Credit Union Compliance Management System (CU CMS). Treat this document as a guide, but keep in mind that every organization is different. Adapt this guide as needed.

© Credit Union National Association 2019 11/14 1


Contents

1 Compliance Management Process/Life cycle
1.1 Identify
1.2 Assess
1.3 Plan
1.4 Complete
1.5 Communication
1.6 Review
2 Introduction
3 Dashboard
3.1 Compliance Management Dashboard Features
4 Initial Setup
4.1 Groups and Group Users
4.2 Accounts
4.3 Credit Union Compliance Management System Setup
5 Compliance Management Process
5.1 Manage Compliance Alerts
5.2 Manage Changes
5.3 Review Action Items
5.4 Add/Edit Document
5.5 Advertisement Review
6 Law/Regulation Library
6.1 Review Law / Regulation
6.2 Law / Regulation Reports
7 Notifications
8 Calculations and Modifiers
8.1 Total Inherent Risk
8.2 Total Control Reduction
8.3 Total Residual Risk
8.4 Residual Risk (%)
8.5 Residual Risk Rating
9 Customer Support


1 Compliance Management Process/Life cycle

In today’s environment, managing compliance with regulations, laws, and other requirements has become critical for success. Directives govern almost every aspect of running a business, requiring organizations to provide assurances to regulators, stakeholders, customers, and business partners. Ensuring compliance across a credit union necessitates a holistic, repeatable, and disciplined approach for defining an integrated, consistent set of processes and system-level internal controls. The following diagram is a visual of the Credit Union Compliance Management System (CU CMS) process.

1.1 Identify

The Identify stage in the compliance management process focuses on identifying compliance obligations (known regulations, and other external requirements) on a continuous basis. This primarily involves understanding when changes are made to the required regulations. Within the CU CMS, compliance alerts are generated by the system and provide recipients with ongoing notifications that there are compliance requirements that they may need to take action on. Each compliance alert, which could be a change to an existing regulation or a completely new requirement, gives the user an opportunity to respond or create plans to address the requirements. As compliance alerts are sent out, a change record will automatically be created, ready for you to begin the change workflow process if necessary.

CUNA also provides users with a library of applicable laws and regulations to help ensure any applicable requirements are part of the formal development process.

For instructions on performing this step in the process, see 5.1 Manage Compliance Alerts. For more information on the law / regulation library, see 6 Law/Regulation Library.

1.2 Assess

The Assess stage helps you determine the level of impact law/regulation changes will have on your institution. This includes reviewing the changes, conducting an impact analysis, and assessing risk associated with the change. A simple risk assessment and impact analysis are located within the Change workflow. When performing the risk assessment, consider the potential consequences for not complying, including (but not limited to):

• Potential areas of financial losses and penalties
• Decrease in customer and business partner satisfaction
• Increased likelihood of disputes with customers and regulators
• Increased risk to business continuity from sanctions imposed by regulators
• Poor corporate operational and financial performance

For instructions on performing an impact analysis and risk assessment, see the Change workflow in section 5, starting at 5.2.3 Assess Change.

[Diagram: CU CMS process cycle with the stages Identify, Assess, Plan, Complete, Communicate, and Review]


1.3 Plan

The next step in the compliance management process is to review the Change Plan. As risk assessments and impacts are documented, the tasks to address the required changes will be created automatically. These tasks make up the change plan, which can be reviewed within the Change workflow.

For more information on the change plan, see the Change workflow in section 5, starting at 5.2.6 Plan.

1.4 Complete

The Complete stage of the compliance management process involves implementing the change plan. This involves completing the necessary action items, updating the necessary documentation, performing advertisement reviews, etc. Much of this process can be completed within the Change workflow, but it can also be completed within other workflows.

For instructions on implementing action items, see the Change workflow in section 5, starting at 5.2.8 Implement Change.

For instructions on performing an advertisement review, see 5.5 Advertisement Review in section 5. Please Note: Advertisement reviews can also be performed within the Change and Add/Edit Document workflows.

For instructions on creating/editing documentation, see 5.4 Add/Edit Document.

1.5 Communication

The Communication stage of the compliance management process involves communicating changes to all impacted areas as appropriate. Quantivate’s software automates much of this process through dashboards, reports, and notifications. Dashboards serve as homepages for administrators and users to view the status of their compliance management program at a glance. Reports can pull information from various areas within the program and display the data in a table that is exportable to Excel or in a document format that is exportable to Word. Notifications are sent out as you go through the compliance management process, informing the appropriate recipients of tasks or other items requiring their attention.

For more information on dashboards and reporting, see 3 Dashboard.

For information on the notifications setup in the system, see 7 Notifications.

1.6 Review

The Review stage in the compliance management process primarily focuses on ensuring your organization is in compliance with laws / regulations. This step is done outside the platform by periodically reviewing the laws / regulations that apply to your organization.


2 Introduction

The system is set up to assist in tracking all compliance efforts your organization makes to manage a regulatory change once a compliance alert is received. Any impacts and the steps needed to become compliant can be tracked and managed in the software. The system includes these high-level components:

• Compliance Alert – A Compliance Alert is a notice of an upcoming change to an existing regulation or a new regulation that is being issued. This alert initiates an e-mail notification from the software regarding the alert. Compliance Alerts will also populate the system with information such as: effective dates, executive summaries, action items, change records, etc. This information is stored in the Compliance Alert record.

• Change – A ‘Change’ is a ‘Record’ in the system for you to track changes to the organization. A change is initiated by receiving a compliance alert. The software will store all the data about the change including impacts, non-compliance risk assessments, action plans, evidence of compliance, etc.

• Non-Compliance Risk Assessment – Risk assessments are performed on changes and allow you to assess the impact and likelihood of compliance risks occurring.

• Advertisement Review – Advertisement Reviews can be performed on marketing advertisements to ensure that the appropriate compliance requirements are being met. The review consists of an interactive checklist based on the product/services associated with the advertisement and is intended to guide the user through the review process covering all of the applicable regulatory requirements.

• Action Items – Action items are the defined steps that are to be taken for implementing the change. Action items are automatically created with the compliance alert and as documents requiring review are linked to the change. An action item is also created whenever CUNA Mutual Group alerts are available.

• Documentation – This is where all the policies, procedures, forms, marketing ads, or any other evidence of compliance, etc. are stored. The Add/Edit Document workflow within the CU CMS allows you to upload your documents, assign document owners and map the document to various GRC integrations in the system (such as laws/regulations, business units, products/services, etc.)

• Law/Reg Library – The Law/Reg Library is a collection of state & federal laws and regulations. These laws and regulations are linked to applicable ‘Change’ records.

The following diagram displays the system data elements described and their relationship to each other:

Figure 1. Data Structure


3 Dashboard

Dashboards are the “homepages” of all Quantivate modules; they provide quick and easy access to the organization’s data. The Credit Union Compliance Management System Module provides two dashboards: Admin and User. To navigate to a dashboard, use the menu system on the left side of the screen and click Credit Union Compliance Management System > Dashboards, then select the desired dashboard. You can also return to your default dashboard at any time by clicking the Home icon in the upper left corner of the menu.

Figure 2: Dashboard Navigation

3.1 Compliance Management Dashboard Features

Quick Access Widgets

At the top of each dashboard are dashboard widgets (or dropdowns). These are unique to each dashboard, and provide quick access to common tasks, reports, and/or other resources.

Figure 3. Dashboard Widgets (Admin Dashboard)


Charts

Charts are included on most dashboards and are designed to give you a quick look at the status of your compliance management program. Most charts allow you to click each element (such as pie chart slices) and drill down for further details. The red arrow on the top right of each chart will expand the chart to full size. Lastly, there is a drop-down menu (displayed as 3 horizontal lines) next to each chart that will allow you to print it or export it as a PNG, JPEG, PDF, or SVG.

Figure 4. Dashboard Charts (Admin Dashboard)


Tables

Dashboards commonly feature tables which are designed to give you quick access to in-process items. The red arrow on the top right of each table will expand the table to full size on the page for further analysis. The table can be searched using the search field, filtered, or exported to your clipboard (copy), CSV, Excel, PDF, or printed. Also, clicking on the RYG dot near the desired record will allow you to drill down into it, and will either open into a record editing page or workflow depending on the type of record.

Figure 5. Open Changes Table (Admin Dashboard)


4 Initial Setup

To begin the compliance management implementation process, first the program must be configured to fit your organization’s specific needs. This includes setting up your organization’s groups, group users, and accounts, and configuring your basic program settings within the Credit Union Compliance Management System Setup workflow.

4.1 Groups and Group Users

4.1.1 Groups

The compliance management program begins with a broad understanding of an organization’s departments or business units. In the software these are referred to as ‘Groups’ that are tracked in hierarchical relationships. In the Credit Union Compliance Management System (CU CMS), groups are used for automating notifications and allowing access to documents, assigning tasks, etc. (Please Note: This can be set up or adjusted at another time.)

To create groups, use the menu system on the left-hand side of the screen to navigate through Administration > Add/Edit Groups. Use this tab to create and edit groups.

Figure 6: Add/Edit Groups

To create new groups:

1. Type in group name in the Create New Group text box.
2. Click Create.

To modify an existing group:

1. Click on the group name.
2. Change group name in Group text box.
3. Click Save.


To delete an existing group:

Caution! Once you delete a group, it CANNOT be retrieved from the Trash Bin and will be permanently deleted.

1. Click on the ‘X’ next to the group to delete.
2. Click OK in the pop-up to permanently delete the group from the software.

To add an existing user to an existing group:

1. Click on group name.
2. Click on the desired User within the unassigned box and click green >> button to add to the group.
3. Click Save.

Figure 7: Assign User to Group


4.1.2 Add/Edit Group Users

To add or edit a group user (Fulltime Employee) within the software, use the menu on the left and click on Administration > Add/Edit Group Users. You can use the Add/Edit Group Users page to create or edit a user and associate them to appropriate groups. (Please Note: If you create a new user in Add/Edit Group Users, you will also have to create an account and associate the user within Administration > Accounts. See section 4.2 Accounts for how to accomplish this.)

To create a new user:

1. Fill in the fields as necessary with the user’s information, then click the Create and View button.
2. To assign a group to the user, scroll to the bottom of the page and select the group from the Unassigned box and click the >> button to assign them to the user. To unassign groups, select the group from the Assigned box and click the << button.
3. Click Save.

Figure 8: Add/Edit Group Users

To edit an existing user:

1. Scroll to the bottom of the Add/Edit Group User page and click on the User you wish to edit.
2. Update the fields as necessary and click Save.


4.2 Accounts

Once you have set up your groups and group users, the next step is to create user accounts. Accounts allow users to log into the software and access the data based on the security groups (Admin or User) assigned to their account, as well as their group. To access the Accounts page, use the menu to navigate through Administration > Accounts.

Figure 9: Accounts

4.2.1 Create Account

To create a new account:

1. Click the Add Account button in the upper right-hand corner of the screen.
2. Next, under the Employee Link dropdown, select the fulltime employee (group user) associated with the account. (Please Note: if you added the User on the Add/Edit Group Users page, you can find them in this dropdown.)
   • Add Employee – If the fulltime employee does not exist (if you did not add the user on the Add/Edit Group Users page) you can create the fulltime employee record here by clicking Add Employee and filling in the information requested.
   • Delete Employee – This button will delete the selected employee (User). You will be asked to confirm that you want to delete the employee. (Please Note: Deleting an employee may have negative consequences within the software. Any items assigned to the employee will revert to being unassigned after the employee is deleted.)
   • Set Selected Employee Group Permissions – This link will allow you to define the groups for the currently selected user.
3. Next, use the Security Group dropdown to select whether the account will have CU CMS User or Admin access.
4. Ensure that the Full Name, Email Address, and Username fields are populated with the user’s information.
5. If you want the user to be notified via email of their login information, make sure the Notify User checkbox is clicked. This will send the user two emails, one containing the username and link to login and a second email containing their automatically generated password. (Please Note: The user will be prompted to change their password upon logging in for the first time.)
6. Click the Create button when all information has been entered/verified.


Figure 10: Create Account

4.2.2 Searching, Filtering, and Exporting Accounts

The search function within the Accounts page will allow you to search on the information within any column that is displayed on the page (Name, Username, Email, etc.).

The Filter button allows you to filter the accounts displayed by options within the columns. Active filters will display below the Filter button.

The Export button allows you to copy the list to your clipboard, export the list to a CSV, Excel, or PDF file, or print the list.

4.2.3 Modify Accounts

Individual Account:

To modify an individual account, click on the Username, which will be highlighted in blue, and then modify the information as necessary.

1. Update the username, employee link, full name, and/or email address as necessary.
2. To change the password for a user, enter the new password in both fields for authentication.
3. The Enabled field displays the current status of the account.
   • Enabled – Actively enabled account, user can log in to the CU CMS.
   • Disabled by Admin – Account was disabled by an administrator. User cannot log in to the CU CMS.
   • Locked – User exceeded the number of unsuccessful log in attempts and has been locked out of the software. The User cannot log in to the CU CMS.
4. Use the Primary Security Group dropdown to update the default security group for the user.
5. In the Additional Security Groups field, check all the additional security groups the user needs. If a user has more than one group selected, they will be able to sign in and use those rights in addition to the primary security group.
6. Click Save.


Multiple Accounts:

Modify multiple accounts at one time by checking the checkbox next to all the accounts you want to change. Then click on the desired action above the table to complete. The options available include:

• Delete – This option will remove the account permanently from the system.
• Enable – Selecting this option will enable/unlock all the selected accounts.
• Disable – Selecting this option will disable all the selected accounts.
• Reset Passwords – This option will reset the passwords, enable the account and notify the user of the updated login information.

4.2.4 View Log

The Log button opens a pop-up showing the activity log of changes made to security, including a date/timestamp, the user performing the change, and the changes made.

4.2.5 Delete an Account

To delete a User account:

1. Check the checkbox next to the account(s) you wish to delete.
2. Click the Delete button.
3. When you are prompted, confirm the deletion.


4.3 Credit Union Compliance Management System Setup

The Credit Union Compliance Management System Setup workflow allows you to configure settings that will be used throughout the program. To access this workflow, use the menu system on the left-hand side of the screen and click Setup > Credit Union Compliance Management System Setup.

4.3.1 Introduction

To begin configuring your settings, please fill in the Last Review Date field by typing in today’s date or selecting it by clicking on the field and using the date picker. This will let future users know when these settings were last reviewed. When you are finished, click the Next button to proceed.

4.3.2 Cost Setup

This page allows you to enter the estimated dollar amount of an hour’s worth of staff time. This field is meant to be an average of all staff hours and is used throughout the system to calculate the actual costs of change.

To add a new row to the table, click on the Add button, then select the year and enter the dollar amount. When you are finished, click the Next button.

4.3.3 Management Team Setup

Use this section to configure who will be part of the compliance management team. These are the individuals who will be notified of important updates within CU CMS, such as compliance alerts, regulatory change effective dates, etc.

To add team members, click the Add button and check the box near each person you wish to select. Then, click on the Link Record(s) button. (Please Note: The user and user account must already be set up in the system to link. Reference section 4.2 Accounts for how to accomplish this.)

The Compliance Management Team Email (Optional) field allows you to enter an email to receive compliance updates in addition to the individuals selected above. This is intended to allow you to add an external distribution list to receive updates. (Please Note: This must be a single email address, not a comma-delimited list.)

When you are finished, click the Next button.


4.3.4 Regulatory Authority Setup

This page allows you to select your primary regulatory authority/authorities. These will be used to prioritize Laws/Regulations with multiple regulatory authorities. For example, if the CFPB and Federal Reserve jointly issued a final rule, the authority you selected as primary between those agencies would display in the name.

To add additional authorities, use the Add button above the table, then check the box next to the desired authorities and click the Link Record(s) button in the pop up. To remove an authority, click the Checkbox next to the record and click the Remove button above the table. In the popup, select Unlink.

Figure 11: Link Authorities

If you selected multiple regulating authorities, determine the priority for each by updating the numbers in the Order field. This determines the primary authority that will be used if the previous one is not applicable. For example, if your authorities are prioritized as follows:

1. NCUA
2. FDIC
3. CFPB

A final rule jointly issued by the FDIC and CFPB would use the FDIC in the law/regulation name, because the NCUA was not applicable and the FDIC was next in priority. The system comes with NCUA selected as first priority by default, but this can be customized to fit your organization. If you wish to change the primary authority displayed for a particular law / regulation, you can override this from within the law/regulation. For more information, see 6.1 Review Law / Regulation.


Figure 12: Select Primary Authority

Next, select the applicable states you would like to receive content for. If you wish to select multiple states, hold the CTRL or CMD key while selecting. If you would like content for all states, select All. (Please note: leaving this field “--” will default the system to not provide any state content.)

When you are finished, click the Save and Next buttons, which will take you to the Complete page. You have now finished configuring the settings for your Credit Union Compliance Management System. Click the Dashboard button to return to the dashboard.


5 Compliance Management Process

The compliance management process is outlined in the steps below. (Please Note: Some items visible in the CU CMS and the screenshots below highlight additional functionality available in the Credit Union Compliance Management System PLUS (CU CMS+) version of the system. These items are usually indicated by words like “Upgrade to…” or “Learn about…”. To find out more information, click on one of these buttons. In addition, the “More Solutions” menu link allows you to explore additional software and service solutions offered by Quantivate.)

5.1 Manage Compliance Alerts

The first step in the compliance management process is to identify compliance obligations. This primarily will involve reviewing compliance alerts. You will receive an email notification when new alerts are pushed out with a link to the alert within the system. You can also review within the system by navigating to the Admin Dashboard, clicking on the Alerts dropdown, and selecting Review Compliance Alerts. This will take you to a workflow which will guide you through the process.

5.1.1 Review Compliance Alert

This page allows you to review the original compliance alert in a document viewer, as well as other relevant information such as the change status, exemption safe harbor, and the change name. To review the changes linked to this alert, click the Review Change button at the bottom of the page. You will be taken into the change’s Assess page (5.2.3 Assess Change), or if you have already worked on the related change, it will take you to the last page you left off on. Otherwise, you can exit the workflow.

Figure 13: Compliance Alert


5.2 Manage Changes

A Change is a ‘Record’ in the system where you can track your compliance efforts around a particular compliance change. Change records are created automatically as compliance alerts are sent out. The Change workflow will guide you through the process of assessing, planning, and completing all the required areas for each change.

To begin, navigate to the Admin dashboard, click on the Change dropdown, and select Add/Edit Change. You can also get here via the Review Compliance Alerts workflow. Steps are outlined in section 5.1.1 above.

Figure 14: Change Workflow

5.2.1 Select Change

To begin managing changes, click the Existing Change button. This will take you to a page where you can select the change you wish to edit. If any progress has been made on the change previously, the Resumes to column will display what page the workflow will begin with.

To select the change you wish, use the Click for Next icon next to the name. The Upgrade to Add New Change is a Credit Union Compliance Management System PLUS feature, and clicking this button will allow you to learn more about upgrading.

5.2.2 Compliance Alert

This page displays the information for the compliance alert associated with the change. Review this information as necessary, then click the Next button to proceed in the workflow.

5.2.3 Assess Change

This page allows you to review, update, and add details to the change information, as well as conduct an impact analysis to indicate how the change affects your organization.

1. Change Record – This field displays the calculated name for the change.
2. Change Type – This field displays the change type (Federal or State).
3. State – If the change type is state or state regulations are linked, this field displays the relevant state.
4. Change – This field contains the name of the change based on the compliance alert. You can edit this name as necessary within the text box.
5. Description – This field contains the description of the change based on the compliance alert. You can edit this description and/or add your own notes as necessary within the text area.
6. Person Responsible – Assign an individual responsible for the change by using the ‘Person Responsible’ dropdown box. This is the primary person who will be notified as items are completed and the change moves through the process.
7. Effective/Due Date – This field displays the date when the change becomes effective/due and is automatically populated by the alert.


8. Law / Regulation Link – This field displays the law/regulation associated with this change. The following fields are automatically populated by the alert as applicable:
   • Law / Regulation Status – The status of the change (Proposed, Interim Final, and Final).
   • Issue Date – The date that the change was issued.
   • Comments Due By – The date that comments are due to regulators.
   • Comments Provided to Regulators – The comments that were provided to regulators.
   • Comments Provided Date – The date that comments were provided to regulators.
   • Links 1-4 – Displays links to any relevant information.
9. Impact Analysis – Conduct an impact analysis to indicate how the change affects your institution. This involves selecting the areas impacted by the change:
   • Business Unit(s) Impacted – Check all business units (groups) impacted by this change.
   • Documents Impacted – Link in Documents impacted by clicking on the ‘Add’ button. Search for the desired documents, then check the box in front of the documents you would like to link and hit the Link Record(s) button. (Please Note: If you link in any documents, an automated notification will be sent to each of the document owners once you click the “Next” button.) If the document is a marketing advertisement, an action item will automatically be created on the plan page and you will be prompted later in the workflow to perform an advertisement review.
   • Products / Services Impacted – Link in Product / Services impacted by clicking on the ‘Add’ button. Search for the desired products/services, then check the box in front of the products/services you would like to link and hit the Link Record(s) button.
   • Digital File Cabinet – Upload any relevant files here.
10. Change Status – If this change is not applicable to your organization, there is an exception, or you accept the risk, please fill in the following:
   • Change Status – Select the status of the change:
      • In Progress – The change is currently being worked on.
      • Pending Response – A change has been populated and no response/action has been taken yet.
      • Pending Approval – The change plan is pending approval (Please Note: For CU CMS, the approval process is done outside the software. Approvals within the software are a CU CMS+ feature.)
      • Approved – The change plan has been approved and is ready for implementation. (Please Note: For CU CMS, the approval process is done outside the software. Approvals within the software are a CU CMS+ feature.)
      • Complete – The change has been implemented and is complete.
      • Exception/Accept Risk – There is an exception, or your organization has chosen to accept the risk of not complying with this change.
      • Not Applicable – The change is not applicable to your institution.
   • CU Exemption Comments – If the credit union is exempt from this change, please explain why here.
   • Comments – Enter any other comments as to why the change is not applicable here.

Please Note: If you marked the change as Not Applicable but do not provide any comments, you will be taken to a page which will prevent you from proceeding until the comments have been filled in.

11. Click the Save button. If the change is not applicable, click the Change is Not Applicable button. Otherwise, click the Next button to proceed.

5.2.4 Risk Assessment

The risk assessment portion of this workflow will help you assess potential compliance risks. This involves selecting the impact, likelihood, and control reduction (%) override.

1. To begin, select the appropriate impact and likelihood values for this risk assessment. The inherent risk is calculated by multiplying the impact by the likelihood. For more information, see section 8.1 Total Inherent Risk.
   • Impact – Compliance Impact on financial transaction, legal reputational risk
      • 1 – Low (minor impact, quickly fixed <$5k)
      • 2 – Low – Medium (solution objective not met, need to reassess, >$5k)
      • 3 – Medium (disruptive to specific operations, significant cost >$50k)
      • 4 – Medium – High (interrupts key operations, high cost >$500k)
      • 5 – High (critical systems failure, severe >$1 million)


   • Likelihood – Possibility of risk occurrence - based on existing/planned internal controls to reduce risk of occurrence.
      • 1 – Low (rarely, may occur in exceptional circumstances)
      • 2 – Low – Medium (unlikely, could occur but doubtful)
      • 3 – Medium (possible, might occur at some point)
      • 4 – Medium – High (likely, will probably occur at some point)
      • 5 – High (almost certain, expected to occur)
   • Control Reduction (%) Override – This percentage indicates how well you are controlling your risk environment for this change. The more controls in place to reduce the inherent risk, the lower your residual risk will be. When selecting the percentage, consider the strength and effectiveness of the controls you have in place. The stronger and more effective the controls you have in place, the higher the Control Reduction (%) Override you select should be.
   • Risk Assessment Date – Select the date you performed the risk assessment.
2. When you are finished, click the Next button to view your risk assessment results.

Figure 15: Change - Risk Assessment

5.2.5 Risk Assessment Results

This page provides a summary of the risk assessment’s results. To view a summary of the risk assessment, click the Risk Assessment Report button. When you have finished reviewing the risk assessment information, click the Next button to begin creating a plan to address the change.

For more information on the calculations displayed on this page, please see 8 Calculations and Modifiers.


5.2.6 Plan

On this page you will develop the plan to comply with the change. Once the risk assessments and impacts are documented, the next step is to review the plan to address the changes required. This page displays the action items which have automatically been created based on the information you provided so far. This includes action items automatically added with the compliance alert and any documents requiring advertisement reviews.

1. Review the list of action items for the change plan and fill in the Action Assigned to, Deadline, and Action Status fields as necessary. Users will update the Status and Actual Time (Hours) as items are worked on during the change implementation.

2. To notify users that an action item has been assigned to them, click the Notify Assigned Users button. This will send a notification containing a workflow to review and complete the action items. Additional notifications will be sent to assigned users as the action deadline approaches. (For more information, please see 5.3 Review Action Items and/or 7 Notifications).

3. If necessary, update the Change Status.
4. When you are finished updating the change plan information, click the Save button and then the Next button.

Figure 16: Change Plan Action Items

Please Note: The Approval and Training pages are CU CMS+ features. The workflow will automatically skip over these pages, but you can access them by clicking on the page name in the table of contents bar. To find out more, follow the instructions at the beginning of the 5 Compliance Management Process section.

5.2.7 Advertisement Review

If any of the documents impacted by this change were marketing advertisements, you will be asked if you would like to perform an advertisement compliance review. From here, follow the instructions outlined in the Advertisement Review portion of this manual, starting at 5.5.2 Marketing Advertisement Overview.

Once the advertisement review is complete, the action item that was automatically created for the advertisement in the change plan will also be marked as complete.

5.2.8 Implement Change

Once you have developed your change plan, you can begin implementing the change by completing action items and updating any applicable documentation.

1. As you or your employees work on Action Items, ensure the Action Status field is set to In Process. As the deadline approaches, users assigned to complete action items will be notified regularly. These notifications will contain a link to a workflow which will guide them through the process (For more information, please see 5.3 Review Action Items and/or 7 Notifications). When each task is complete the following will automatically be populated. You can also complete your action items from this page:
   • Action Status: Update the status to Complete when action item is complete.
   • Completed Date: Select the date of completion.
   • Action Item Comments: Provide any additional comments or information as necessary for the action item.
   • Actual Time (Hours): Enter the total number of hours the task took to complete. The system uses this field and the cost of labor entered during setup to calculate the actual cost of the change.


   • Actual Implementation Time (Hours): This field will automatically calculate the combined total of all action item Actual Time (hours) fields.
   • Click the Calculate Results & Save button once complete.
2. To complete any tasks involving a document update, please follow the instructions in section 5.4 Add/Edit Document.
3. When all items within the change plan are complete, click the Mark Implementation Complete button and proceed to the final page of the workflow. This will send a notification informing all the appropriate people that the change is complete. (Please Note: In order to mark the implementation complete, all action items must be completed. If there are any incomplete action items, you will be taken to the Open Action Items page.)

Figure 17: Implement Action Items

5.2.9 Open Action Items

This page allows you to view the incomplete action items associated with the change.

1. Review the list of incomplete action items.
2. If you would like to continue and mark the change implementation complete without completing the action items, click on the Mark Implementation Complete button. (Please Note: This is NOT recommended and risks noncompliance.)
3. If you would like to update the action items:

• Edit the action information as necessary, including assigning the action item to a different user if you wish to do so.

• If you would like to remove an action item from the list, check the box near its name and click the Remove button.

• Once you have finished updating the action items, click the Notify Assigned Users button to send a notification containing a workflow to review and complete the action items.

5.2.10 Change Complete

You have now completed this change. Please review the completion information and the actual implementation time and cost of the change.

If you wish to complete an additional change, click the Select Additional Change button. To reopen this change and return to the Assess Change page, click the Re-Open Change button (the information you entered will still be within the workflow to add to or edit).

To view a report summarizing the change information, click the Change Summary Report button. You can download and/or print the report once generated. Otherwise, you may exit the workflow.


5.2.11 Accessing a Change Summary Report for a Completed Change

If you would like to view, print, or download the Change Summary Report after you’ve left the workflow, navigate to the Admin dashboard, click on the Change dropdown, and select Completed Changes. Next, click the Edit Record icon near the desired change, then click the Change Summary Report button. You can now view, print or download the report.

Figure 18: Completed Changes Report

5.3 Review Action Items

This workflow will guide you through the process of reviewing and completing action items assigned to you. A link to this workflow will be sent to you via email notification as items are assigned, deadlines approach, risk alerts are added, etc. You can also access this workflow by navigating to the Admin dashboard, clicking on the Change dropdown, and selecting Review Action Items.

5.3.1 Action Items

This page displays a list of action items assigned to you. Select the action item you wish by using the Click for Next icon next to the name.

5.3.2 Edit Action Item

This page allows you to review and edit the action item details.

1. Please review and update the action item information as needed. (Please Note: It is important to enter the time it took to complete the action item in the Actual Time (Hours) field, as this will be used in calculations later.)
2. When you are finished, if you wish to review/edit the change associated with this action item, click on the Review / Edit Changes button. This will take you to the Change workflow. Otherwise, click on the Complete and Notify button to mark the action item and the date completed and inform the person responsible for the associated change.

5.3.3 Complete

You have now completed the action item and can exit the workflow. To return to the default dashboard, click the Return to Dashboard button.


5.4 Add/Edit Document

This workflow enables you to create or edit documentation within your Credit Union Compliance Management System. To access this workflow, navigate to the Admin dashboard, click on the General dropdown, and select Add/Edit Document.

5.4.1 Create New / Select Existing

To begin, choose whether you would like to create a new document, or edit an existing document.

1. To begin adding a new document, click on the Create New Document button. To begin editing an existing document, click on the Edit Existing Document button.
2. If you chose to create a new document, you will be taken to the Name New Document page. Enter the document’s name and the type of document you are creating, then click the Create & View button at the bottom of the page.

3. If you chose to edit an existing document, you will be taken to the Select Document page. To select the document you wish to edit, use the Click for Next icon near its name.

5.4.2 General Document Information

This page allows you to update the document’s basic details.

1. Please update the document’s basic details, including the Document Type, Description/Purpose, Status, Document Owner, and Applies to (departments/groups).

2. Next, link in any Laws/Regulations, Upcoming/Past Regulatory Changes, and Products/Services associated with the document.

• To do this, click on the Add button. A pop up will appear where you can make your selection by clicking the checkbox and clicking the Link Record(s) button.

• To remove a linked item, check the box near the name in the table and click the Remove button.

3. When you are finished, click the Save button, and then the Next button.

5.4.3 Upload Document

This page allows you to upload the document into the software.

Figure 19: Upload Document

1. To upload a document, first, click on the Choose File button.
2. Next, click on the Refresh Document Viewer button. Once the viewer is refreshed, you can review the document you uploaded in the digital file cabinet.
3. When you are finished, click the Save button, and then the Next button.


5.4.4 Perform Ad Review?

If the document you are working on is a marketing advertisement, you will be asked if you would like to perform an ad review.

1. If you would like to perform a review, click the Yes button. This will notify the appropriate people that a document was added to the system and direct you to the Advertisement Review workflow. From there, follow the instructions outlined in the Advertisement Review portion of this manual, starting at 5.5.2 Marketing Advertisement Overview.

2. If you would like to edit any of the document information before leaving this workflow and performing the review, click the Back button.

3. If you do not wish to perform an advertisement review, click No. This will allow you to proceed in this workflow and finalize the document.

5.4.5 Finalize Document

This page displays all the information associated with the document. Please review and edit the information as necessary. When you are finished, click on the Complete and Notify button, which will send out a notification informing the appropriate people that a new document has been added to the software and will direct you to the Complete page.

5.4.6 Complete

You have now finished adding/editing this document. If you would like to add or edit an additional document, click the Add/Edit Additional Document button. Otherwise, you can exit the workflow and return to the default dashboard by clicking on the Dashboard button.

5.5 Advertisement Review

Marketing advertisements should be reviewed to ensure that they are meeting the applicable compliance obligations. If a change impacts a marketing advertisement, a review should be performed then as well. Advertisement reviews can be performed within the Change Management workflow as part of the change management process, within the document creation/editing process, or they can be performed independently within the Advertisement Review workflow.

To access this workflow, navigate to the Admin dashboard, click on the Advertisement Review dropdown, and select Perform Advertisement Review.

5.5.1 Advertisement Review

Advertisement reviews are performed on marketing ad documents. The first page of this workflow allows you to select whether you would like to create a new marketing advertisement document, or select an “Existing” marketing advertisement document.

1. If you would like to create a new document record to perform the advertisement review on, click the New button. This will create the record and direct you to the Marketing Advertisement Overview page.

2. If you would like to review an existing marketing advertisement, click the Existing button. This will direct you to a page where you can select the advertisement you wish to review using the Click for Next icon next to its name.

5.5.2 Marketing Advertisement Overview

On this page, update the advertisement information as necessary.

1. Update the Document Name and the Document Owner fields.
2. To view the advertisement file, you can either download the file from the Digital File Cabinet field or view it in the Digital File Cabinet document viewer. Click on the Refresh Document Viewer button if the file is not displaying in the viewer.
3. Check the box for each applicable advertisement medium.
4. Next, link up to five products and services related to this advertisement. (Please Note: If more than five products/services are linked in, you will not be able to proceed in the workflow.)
5. Click the Next button to proceed to the next page of the workflow.


5.5.3 Current Advertisement Reviews

This page allows you to proceed with an existing advertisement review, or to create an additional advertisement review. If you have already started or completed an ad review, you can edit it by selecting an existing review.

If you want to begin a new advertisement review from scratch for your advertisement, select the Create Additional Ad Review button.

1. To edit an existing advertisement review, click the Proceed with this Record icon next to the review you would like to edit.

2. To delete an existing review, check the box next to it, and click Remove and then the Remove button.
3. To create a new review, click the Create Additional Ad Review button.

5.5.4 Advertisement Compliance Checklist

This page displays an advertisement review checklist generated based on your Product/Services selections.

Figure 20: Advertisement Review Form

1. Fill in the Review Date and select the person reviewing the checklist (Reviewed by field).
2. Next, answer the questions included in this review – Yes, No, or N/A. If any questions answered are not in line with compliance or best practice, please provide a compliance response in the Comments detailing the reason compliance/best practice is not being maintained.
3. To view a list of terms used throughout, click the Glossary button.
4. Once you have completed the checklist questions, depending on your answers, you will be taken to one of the following pages:
   • If any of your answers were not in compliance, or in line with best practice, you will be taken to the Review Compliance Response page. Please ensure that you’ve provided a compliance response. (Please Note: you will not be able to advance in the workflow until comments have been provided.)
   • If any questions were not answered, you will be taken to an Incomplete Checklist Items page displaying the unanswered questions. (Please Note: You will not be able to proceed in the workflow until all questions have been completed.)

5.5.5 Advertisement Review Results

Once you have finished answering all questions and providing comments as needed, this page will display a report containing the basic advertisement review information, checklist results, and document file to download. To view a print preview or to download the report, use the buttons at the bottom of the page. When you are finished, click the Next button.


5.5.6 Complete

You have now completed the advertisement review. To edit this review, click on the Back button. To begin a new review, please click the Return to Start button. If there are no additional advertisement reviews to be completed, click the Return to Dashboard button.

5.5.7 How to View/Download/Print Completed Advertisement Reviews

If you want to view, download or print a completed advertisement review, you can do so from the dashboard by clicking on the Advertisement Review dropdown on the top of the dashboard and selecting the Advertisement Reviews (by name) report.

Figure 21: Advertisement Review Report Widget

A new tab will open in your browser with the Advertisement Reviews (by name) report and you will need to enter the name of the advertisement review and surround it with “%” symbols. This allows the system to find the records that are like that name.

Figure 22: Advertisement Review Report Widget


6 Law/Regulation Library

The Credit Union Compliance Management System comes pre-populated with a library of various laws and regulations from the CFPB, Federal Reserve, FFIEC, FTC, NCUA, etc. This library can be edited to include only the laws and regulations that are applicable to your organization.

To access the Law/Regulation Library, navigate to the Admin dashboard, then click on the Laws / Regulations dropdown and select Law / Regulation Library. This will open a report listing all the laws and regulations within the system. To assist in your search of the list, you may also press Ctrl+F on your keyboard to bring up a search box.

Once you have found the desired law/regulation, click on the Edit Record icon in the column next to it. This will open a page which will allow you to view and update the law/regulation information.

6.1 Review Law / Regulation

Law / Regulation records contain all the relevant information for each Law / Regulation. Fields include the following:

1. Law / Regulation – The “Law / Regulation” field calculates the name which will be displayed in the software. It includes the originating authority, the eCFR part number of the Law/Regulation, and the name of the Law/Regulation (Authority – Number – Law/Regulation). (Please Note: If multiple authorities are applicable, the name will display the authority selected as primary within the Credit Union Compliance Management System Setup workflow.)
2. Heading – Displays the name of the law / regulation without the associated authority and number.
3. Authority – Displays the linked originating authority for this law / regulation.
   • Authority – Displays the name of the authority.
   • Link – Displays a link to the ecfr.gov website, which provides additional information about the law/regulation, such as the purpose, definitions, institutions that are exempt, etc. The number the link displays as is the eCFR part number used in the “Law / Regulation” name calculation.
   • Default Authority Override – Check this box if you would like this authority to display for the law / regulation name.
4. Law / Regulation Type – Displays whether the law / regulation is state or federal.
5. State – If the law / regulation is a state law / regulation, this displays the appropriate state.
6. Law / Regulation Implementation Status – Select the appropriate Law / Reg. Implementation Status so that as you go through the process of reviewing each Law/Regulation you can update this field to reflect the current status. Options include:
   • Compliant – Select this option if your organization is compliant with this law / regulation.
   • Exception/Not Applicable – Select this option if your organization has an exception or the law/regulation is not applicable to you.
   • Change Pending – Select this option if there is a change associated with this law / regulation pending completion.
7. Exemption Safe Harbor – Displays any exemption safe harbor items.
8. Applicability – The ‘Applicability’ field displays how the particular law or regulation applies.
9. Penalties – The ‘Penalties’ field displays what penalties can be incurred if the organization fails to comply with the law or regulation.
10. Digital File Cabinet – Displays any files associated with this law/regulation. This is where the in-depth analysis documents will be stored.
11. CUNA Mutual Group Associated Risk Resource – This field contains risk alerts and mitigation considerations from the CUNA Mutual Group that are associated with this law / regulation. These alerts are action items that can be reviewed and updated within the Review Action Items workflow.
   • Alert Link – This field displays the link to the CUNA Mutual Group Risk Alert information.
   • Action Assigned to – This field displays the person assigned to review the CUNA Mutual Group Risk Alert. For more information, please see section 5.3 Review Action Items.
   • Deadline – This field displays the date the action item is due, which is 14 days after the alert was created.
   • Action Status – Select the action status for this alert.


Figure 23: CUNA Mutual Group Associated Risk Response

12. Additional Resources – The ‘Additional Resources’ field displays links to external websites associated with this law/regulation, such as additional authorities.

13. Summary – The ‘Summary’ field includes a summary of what the law or regulation entails.
14. Credit Union Notes – In the ‘Credit Union Notes’ field, enter any notes relating to the law/regulation for your credit union.
15. Credit Union Specific Requirements – If there are any requirements specific to your credit union, please enter them here.
16. Main Requirements – This table lists all of the ‘Main Requirements’ that are part of the law/regulation.

Figure 24: Main Requirements

17. Policy and Procedure Requirements – The ‘Policy and Procedure Requirements’ field displays the policies and procedures that will need to be in place to stay compliant with the law or regulation.
18. Reporting Requirements – The ‘Reporting Requirements’ field displays any reporting requirements.
19. Record Retention Requirements – The ‘Record Retention Requirements’ field displays how long and where the records related to this law or regulation must be stored.
20. Training Requirements – The ‘Training Requirements’ field displays any requirements for training.
21. CUNA Compliance Training – Displays specific training related to the topic provided by CUNA.
22. Board Approved Policy Requirements – The ‘Board Approved Policy Requirements’ field displays whether there are any board approved policy requirements.
23. Notice Requirements – The ‘Notice Requirements’ field displays any notice requirements.
24. Risk Assessment Requirements – The ‘Risk Assessment Requirements’ field displays any requirements for risk assessments.
25. Changes/Risk Mitigation – Under the ‘Changes/Risk Mitigation’ section, any changes that have been entered and are associated with the law/regulation will be displayed.
   • To link in changes, click on the Add button, then search for the desired changes. Check the box in front of the changes you would like to link in and hit the Link Record(s) button.
26. Associated Policies – Using this section you can link the law or regulation to a specific policy that exists in the ‘Policies’ section.
   • To link in policies, click on the Add button, then search for the desired policies. Check the box in front of the policy you would like to link in and hit the Link Record(s) button.
27. Associated Products and Services – This section allows you to link the law or regulation to associated products and services.
   • To link in products and services, click on the Add button, then search for the desired product/service. Check the box in front of the product/service you would like to link in and hit the Link Record(s) button.


6.2 Law / Regulation Reports

The CU CMS program also provides a number of reports to assist in reviewing laws and regulations, located on the Admin dashboard in the Laws / Regulations dropdown. These reports include:

• Gap Analysis – Report displaying the laws / regulations that are interim final or final and the changes to become compliant with them that are in process.

• Laws / Regulations with Policy Requirements – Report displaying the laws / regulations that have policy requirements and their associated policies.

• Laws / Regulations with Board Approved Policy Requirements – Report displaying the laws / regulations that have policy requirements approved by the board and their associated policies.

• Laws / Regulations with Notice Requirements – Report displaying the laws / regulations that have notice requirements.

• Laws / Regulations with Risk Assessment Requirements – Report displaying the laws / regulations that have risk assessment requirements.

• Laws / Regulations with Credit Union Specific Requirements – Report displaying the laws / regulations that have credit union specific requirements.

• Laws / Regulations with Training Requirements – Report displaying the laws / regulations that have training requirements.

• Laws / Regulations Executive Summary – See a summary of your Credit Union Compliance Management System data including all requirement types.

7 Notifications

The system comes with a set of pre-defined broadcasts which will go out on a recurring basis. These notifications include:

| Notification Name | Purpose | Recommended Recipients | Source of Notification | UI |
| --- | --- | --- | --- | --- |
| Action Item Completed | Informs recipients that an action item has been completed. | Associated Change: Person Responsible | Workflow (Review Action Items) | Alert |
| Action Item Deadline Approaching | Informs recipients that the deadline for an action item is approaching. | Action Assigned to, Associated Change: Person Responsible | Date (Deadline, Action Items Collection) | Alert |
| Action Item Past Due | Informs recipients that the deadline has passed for an action item. | Action Assigned to, Associated Change: Person Responsible, Manager’s Email | Date (Deadline, Action Items Collection) | Alert |
| Change Entered that Impacts Document | Informs recipients that a new change has been created. | Person Responsible for Change, Document Owner, Management Team Emails, Compliance Management Team (Optional) | Workflow (Change) | Alert |
| Change Implementation Complete | Informs recipients that a change has been implemented and is complete. | Person Responsible for Change, Action Assigned to, Documents Impacted: Document Owners, Manager’s Email, Management Team Emails, Compliance Management Team Email (Optional) | Workflow (Change) | Alert |
| Compliance Alert | Informs recipients that a new Compliance Alert has been added and requires review. | Management Team Emails, Compliance Management Team Email (Optional) | Date (Notification Date, Compliance Alerts Collection) | Task |
| CUNA Mutual Group Risk Alert | Informs recipients that new RISK alert details and mitigation considerations from CUNA Mutual Group have been created. | Management Team Emails | Date (Created Date, Action Item Collection) | Alert |
| Documentation Added | Informs recipients that a new document was added to the system. | Document Owner, Person Responsible for Change | Workflow (Add/Edit Document) | Alert |
| Notice of Action Item Assigned to Individual | Informs recipients that an action item has been assigned to them. | Action Assigned to | Workflow (Change) | Task |
| Regulatory Change Comments Due By Reminder | Informs recipients that comments are due for a regulation change. | Person Responsible for Change, Management Team Emails, Compliance Management Team Email (Optional) | Date (Comments Due By, Change Collection) | Alert |
| Regulatory Change Effective Date Reminder | Informs recipients that the effective date for a regulatory change is approaching. | Person Responsible for Change, Management Team Emails, Compliance Management Team Email (Optional) | Date (Effective/Due Date, Change Collection) | Alert |


8 Calculations and Modifiers

The calculations described below are from the Risk Assessment Results page of the Change workflow. The following explanations are meant to help you gain a better understanding of how these values are generated and the risk for each change within your compliance program. (Please Note: All calculations for Credit Union Compliance Management System are based on qualitative values.)

8.1 Total Inherent Risk

The Total Inherent Risk calculation displays the sum of all the change’s inherent risk. Inherent Risk is an automatically calculated score of the risk associated with a change prior to applying the Control Reduction (%) Override. Inherent risk is calculated by multiplying the impact and likelihood values. Each option for impact and likelihood (Low-High) corresponds to a numeric scale, 1-5. (For more information about these options and values, please see 5.2.4 Risk Assessment.) The equation is as follows:

(Impact × Likelihood)=Inherent Risk

For example, if you selected Low-Medium for your impact option (which corresponds to 2 on the scale), and Medium-High for your likelihood (which corresponds to 4 on the scale), the Inherent Risk would then be 2 x 4 = 8.

8.2 Total Control Reduction

The total percentage of inherent risk reduction provided by controls. This is calculated by multiplying the Total Inherent Risk by the Control Reduction (%) Override.

(Total Inherent Risk × Control Reduction (%) Override)=Total Control Reduction

For example, if the Total Inherent Risk = 8, and the Control Reduction (%) Override = 40%, the Total Control Reduction would be 8 x 0.4 = 3.2.

8.3 Total Residual Risk

The Total Residual Risk is an automatically calculated score of the risk remaining after considering the existing control environment.

(Total Inherent Risk – Total Control Reduction)=Total Residual Risk

For example, if the Total Inherent Risk = 8, and the Total Control Reduction = 3.2, the Total Residual Risk would be 8 – 3.2 = 4.8.

8.4 Residual Risk (%)

The Residual Risk Percentage displays the percentage of risk the change is still exposed to by looking at the amount of residual risk.

(Total Residual Risk / Total Inherent Risk) × 100 = Residual Risk (%)

For example, if the Total Residual Risk = 4.8, and the Total Inherent Risk = 8, the Residual Risk (%) would be: (4.8 / 8) x 100 = 60.00


8.5 Residual Risk Rating

The Residual Risk Rating is based on the Residual Risk (%) and the corresponding rating in the scale shown below. The numbers in the Max Percent for Rating column indicate the maximum percentage value for each rating. For example, if the Residual Risk (%) = 60.00, the Residual Risk Rating will be Medium.

| Risk Rating | Max Percent for Rating |
| --- | --- |
| None | 0 |
| Low | 20 |
| Low - Medium | 40 |
| Medium | 60 |
| Medium - High | 80 |
| High | 100 |
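The calculations in sections 8.1 through 8.5 can be chained to reproduce the manual's worked figures. The Python sketch below is an added example, not CU CMS code. Its function names, the three scale labels the manual does not spell out, the two-decimal rounding and the handling of a zero Total Inherent Risk are assumptions.

```python
from bisect import bisect_left

# Assumed label-to-score mapping. The manual confirms Low-Medium = 2 and
# Medium-High = 4 on the 1-5 scale; the other three labels are assumed.
SCALE = {"Low": 1, "Low-Medium": 2, "Medium": 3, "Medium-High": 4, "High": 5}

# Rating table from section 8.5: (max percent for rating, rating).
RATINGS = [(0, "None"), (20, "Low"), (40, "Low - Medium"),
           (60, "Medium"), (80, "Medium - High"), (100, "High")]


def inherent_risk(impact, likelihood):
    """8.1: Impact x Likelihood, each taken from the 1-5 scale."""
    return SCALE[impact] * SCALE[likelihood]


def residual_rating(percent):
    """8.5: first rating whose max percent is >= the Residual Risk (%)."""
    if not 0 <= percent <= 100:
        raise ValueError("Residual Risk (%) must be between 0 and 100")
    maxima = [limit for limit, _ in RATINGS]
    return RATINGS[bisect_left(maxima, percent)][1]


def assess_change(risks, control_reduction_pct):
    """Run 8.1-8.5 for one change.

    risks: list of (impact, likelihood) label pairs for the change.
    control_reduction_pct: the Control Reduction (%) Override, 0-100.
    """
    if not 0 <= control_reduction_pct <= 100:
        raise ValueError("Control Reduction (%) Override must be 0-100")
    total_inherent = sum(inherent_risk(i, l) for i, l in risks)
    total_reduction = total_inherent * control_reduction_pct / 100
    total_residual = total_inherent - total_reduction
    # Assumption: a change with no scored risks has 0% residual risk; the
    # manual does not say how CU CMS handles a zero Total Inherent Risk.
    percent = 0.0
    if total_inherent:
        # Rounded to two decimals, as the manual displays (60.00).
        percent = round(total_residual / total_inherent * 100, 2)
    return {"total_inherent_risk": total_inherent,
            "total_control_reduction": total_reduction,
            "total_residual_risk": total_residual,
            "residual_risk_pct": percent,
            "residual_risk_rating": residual_rating(percent)}
```

For any change with a non-zero Total Inherent Risk, these formulas reduce to Residual Risk (%) = 100 minus the Control Reduction (%) Override, so the rating follows from the override alone.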

9 Customer Support

If you experience any problems or have any questions, please feel free to call CUNA’s support line at (800) 356-9655 or send an email to: [email protected]
