An organization needs to grow with good policies for better management and outcomes. Good policies allow board members and staff to understand the processes deeply and provide them the opportunity to ask better questions that can lead the credit union to a better place. In this episode of With Flying Colors, Mark Treichel talks with subject matter expert Todd Miller on the role and elements of good policies. Todd worked at the National Credit Union Administration for 34 years as an Examiner, Problem Case Officer, Regional Capital Market Specialist, and Director of Special Actions. Join in as he discusses the reasons for, general thoughts on, and common elements of good policies. Equipping yourself with this information can help you reach success with NCUA.
The Role and Elements of Good Policies With Expert Todd Miller
In this episode, I am joined by a member of my team, Todd Miller. We are going to discuss the role and elements of good policies. Todd, before we jump into the role and elements of good policies at credit unions, for those of you who may not have read your past episodes or may not know you yet, could you give a little bit of your background?
I was with NCUA from November of 1987 all the way to June of 2021, when I retired. It was a very enjoyable career. I enjoyed it and I learned a lot. In the various roles I have held during my career, I was an examiner (when I started right out of college), I was a problem case officer, I spent ten years as a Regional Capital Market Specialist and for the last ten years of my career, I was the Director of Special Actions in the Western region dealing with troubled credit unions.
That is interesting. We had three of the same jobs, examiner, problem case officer, and director of special actions. Also, I was on the West Coast. It was your region but the regions merged together. It did not dawn on me until you said it. You started a year after me and worked exactly one year more than me. You might have one more month on that. Anyway, I digress. Policies, what are they? What makes them good? What is their role? What are their elements? We are going to talk about policies. You described what your background is. Something in your background and what you saw made you want to discuss this as a topic. What was that?
There are a number of reasons why I wanted to discuss this as a topic. If you go back and look at what we do, we help credit unions pass their exams. A lot of the exam issues are policy-related. Underlying that is, we expect board of directors to have the general direction, control of their credit union, and how boards carry out their duties. They do that through their written policies. Secondarily, they also do it through their business plan and strategic plans.
Those are the two primary ways that boards carry out their duties to have that general direction and control. As a Director of Special Actions, I dealt with troubled credit unions. I also had twenty-some years of dealing with high performing credit unions as well. There are some consistent characteristics in these high-performing credit unions. One, they have strong corporate cultures. Its policies and strategic plans are how they build those corporate cultures and convey that to staff.
I always thought the high-performing credit unions were very interesting. You can go way down to branch manager and teller level, sit in the lunchroom, and talk to loan officers. Every employee in these high-performing credit unions was on the same page. They knew what was in the strategic plan, what they were supposed to be doing, and why they were supposed to be doing it.
They were all very efficient organizations and all had strong policies across the organization. It is a characteristic of high-performing credit unions. Their staff knows what they are supposed to be doing, why they are supposed to be doing it, and how they are supposed to be doing it. That is all conveyed to them through written policies, strategic plans, and business plans.
You reminded me of something one of my employees in Albany used to say that the regional office ran itself because it had good policies, procedures, structure, and corporate culture. You get that when you have that all in place. You can see how you can be a high performer. That is a correlation to a regional office that applies to the credit union world as well.
There is another piece to that. Another way to paraphrase and describe it is its transparency across the organization. Even if you look at my several years at NCUA, there are times when employee morale was better, higher, and lower. It was generally good the entire time, but there were times when it was better.
Those years when it was better than others were always years where NCUA was more transparent. The level of transparency from top to bottom was better. NCUA, over the years, tried to improve that. They have that national supervision policy manual now. They work at being a more transparent organization over time.
Transparency goes to expectations. When you are transparent and people know what your expectations are, people always desire to achieve expectations. If you have the structure in place, it allows everybody to excel. It is a great point. Specific to the policies, what are we going to dig into?
We will break this down into three pieces and talk about why you should have policies. I will give you some general thoughts on policies and how to execute them. The last and the most important piece is that we will talk about common elements to get a policy. I do not care if you are writing a policy related to personnel, lending, an ALM, or a compliance policy. Policies have some common elements. If you make your policy statements consistent throughout the organization, you will end up with a more transparent and effective organization. We will talk about some of those common elements of a good policy statement.
Why does a credit union need to have a set of comprehensive policies or another individual policy that covers a particular specific topic? What is the purpose of policies?
Reasons For Policies
There are many reasons for this. I am going to list them. It is not going to be all-inclusive. We could probably spend an hour going through why you should have a good policy. There are always NCUA’s Guidelines. Number one, they are required by regulation. If you go through the regulations, you would have to have a specific policy. They need a lending policy, an interest rate risk policy, and a liquidity policy.
If they are in the member business loans, they need a member business loan policy. If they are buying participation loans, the regulation requires a participation policy. First off, they are required by regulation. A corollary to them being required by regulation is good policies ensure compliance with the law. There is a plethora of regulations out there that you have to follow, from hiring all the way to non-discrimination in your lending, everything in between.
Another purpose of the policy is to ensure your staff knows what those legal requirements are and you comply with the law. Policies are a good training tool. When you hire a new employee, how do you get them familiar with the organization, what they are supposed to do, and what the organization’s expectations are? One of them is policies are there to set expectations. You communicate that corporate culture, values, and mission. That corporate culture is important.
There are a lot of benefits to a strong corporate culture. Organizations with strong corporate cultures tend to be more efficient. They have lower employee turnover, and your employees tend to be happier. They know what expectations are and meet them, making a more pleasant work environment for all your employees. There are fewer compliance failures. Service quality to your members tends to be much higher when you have good written policies.
The second piece of that is they set standards for behavior and conduct and performance for both the employees and management. This is important. People know how they should behave, and they should have standards. This is an important one for management. If you expect your employees to follow policies, you need to make sure as management and executives that you are following them yourselves. From a board perspective, good policies keep management accountable.
From a human resource perspective, it helps you defend against lawsuits. It lets employees know where to get help if they have any questions about employment or any aspect of their job. Policies let them know where they need to go to get answers. Those are some general reasons and the purposes for having a policy and good policy statements.
There is a lot there to unpack on those statements. As you were going through it, I am going to highlight one of the topics you mentioned, which is it is good to have policies because they are required by regulations. Where the rubber meets the road, you and I were recently chatting with a credit union. We were having a discussion. The credit union had a draft examination report. They thought that perhaps some things did not need to be in a document resolution, and they could be in an examiner finding.
As they brought that up, you pointed out to them that the items in the Document of Resolution (DOR) were there because they were violations of regulations, so you thought that is where they should be (DOR) because they were a violation of the regulation. I am assuming you agree with that. Is there anything you want to add to that thought?
I am not going to add to it. I agree with that being in the DOR. Policies are so important. Credit unions should not get themselves into where you have multiple violations of regulations. If you have good policy statements and get training programs to educate your staff on those policy statements, you are not going to end up with a violation of regulations.
You have touched on some of the reasons or purposes for good policy statements. You also mentioned that we are going to discuss common elements of a good policy. Before we dive into that, are there any other general thoughts before we get into specific policy elements that you would like to chat about?
I have a couple of things before we get into the common elements of the good policy. These are some things that I have learned over my years of experience with NCUA. I did not read these in a book. They are my observations. These are my views. Implementation needs to happen from the top down.
The board needs to be clear in setting expectations. A lot of times, they do that with that strategic plan and business plan. They do that in their policy statements as well. If you want to have a high-performing organization, your executives need to set a good example. They need to abide by policies if they expect staff to do so.
Lead from the front. Sound policies are implemented from the top down. Policies need to be readily accessible by staff. It is hard to expect your staff to comply with policies if they do not know what they are. Within your organization, have them in your library and make them easily accessible to staff. If you are a loan officer, your lending policies should be in writing on your desk. Have staff meetings go over them periodically, but they should be easy to find for staff. Make them accessible, spend some time training on them, and communicate with them throughout the organization.
Policies need to be kept current. We find this a lot with our clients, exam work, and growing organizations. Their policies get outdated. They do not grow with the organization. If you are going to have a good policy program, you should have review dates put in there. Let’s look at these periodically and make sure we keep them current. If a new regulation comes out, read the regulation. Is that consistent with current policies?
On the other side of the coin, while employees should be educated on policy, they should also know that there are consequences for not following policies. Expectations and training are important. There need to be consequences if policies are not followed. You will have a breakdown in the organization if there are consequences for not following policy.
Policy exceptions should be documented and reported. A lot of people write policies, and you can never write a policy that is going to cover every situation that will come up with a member. There are going to be times where there are exceptions to serve a member, help out an employee, or whatever it may be. If you get into a situation where you have more exceptions or a lot of exceptions to the policy, it is time for the board and management to sit down and say, “Is that policy appropriate? We have to go through and create a lot of exceptions to policies to serve our members. Maybe policy needs a little bit of revision.”
That last comment reminds me of a line from a song which is: "it is a one-time thing ... It happens a lot."
If it happens too much, maybe it is time to reevaluate the policy. When the exception becomes the norm, let’s tweak that. The other thing I want to say is that when you talked about it coming from the top down, it reminded me of the NCUA building security system in the central office. This is an abstract reference, but I would occasionally forget my badge. I would walk into work because I live close to the office.
I remember the first time after I had been executive director and forgot my badge. The guard let me in, and I saw the look in his eyes. It was like, “Mark needs to have me escort him up the elevator.” But he hesitated, I said, “I know you need to come with me.” I wanted to let him know that I was going to follow the rule. When we got on the elevator and there were other folks in the building, they saw that I had to follow the rules as executive director. Tone from the top. You can set the tone at the top by every action you take in the credit union, whether policy or procedures.
Common Elements Of Good Policies
With that background, let’s get into the key elements that are common to all policies. You mentioned interest rate risk, liquidity, and commercial lending. There are key elements that are going to be in every policy. Let’s walk through that.
This is the corporate culture thing too. When you sit down and write your policies, you put all these elements in there. It should be consistent with how you write your policies across the organization. You see that in high-performing credit unions. There is a format to these, but I will go through what I see as some of the common policy elements that should be in any policy. The way I would summarize it is your policy should describe your risk management process in the organization, common policy elements, purpose, and objectives of the policy.
Let’s tell the organization and our staff why we have this policy and what we are trying to accomplish with this policy. The second common element that you will find in good policy statements is they establish accountability. Who is responsible for identifying major monitor control risks to that area? There will be some internal controls laid out within the policy. This is part of the accountability. You separate risk-taking from reporting and it is good accountability. You separate the person who is making decisions from those who are reporting on the outcomes. It is good internal control.
Another common element of good policies is the board will communicate its risk appetite within those policies. I will call it a Risk Appetite Statement. Some examples of things that fall under that whole category of Risk Appetite Statements are organizational-wide balance sheet limits. X percent of net worth will go into commercial loans and indirect loans. X percent of net worth will be to grade D borrowers, C and D subprime loans. You will have interest rate risk limits and liquidity limits. Whatever the policy is dealing with, you will have some balance sheet wide limits. There should be limits on individual authority within a policy.
Individuals at this level are authorized to do X. Individuals at this level are authorized to do Y. If we get to this point, it will take a committee or multiple people to approve that. There should be limits on individual authority and how that authority is delegated downstream. You can authorize a CFO to purchase investments up to $2 million blocks. You should specify what he/she can let subordinates do. That should be laid out. How much can an individual with policy authority delegate downstream? Limits need to be real, not only guidelines.
Over my years, lots of credit unions have liked to put guidelines in policies. You get into higher-performing organizations and there are no guidelines in policies. There are hard limits in policies. Guidelines might lead you up to a limit, but it needs to be real. You need to be wary of guidelines. It creates a wishy-washy corporate culture.
Limits get fuzzy. You can have guidelines, but they need to be backed up with real hard limits on the backend. Limits need to be triggered before risk profiles change significantly. You will see a lot of credit unions and organizations have the green, yellow, and red thresholds as a way to point out policies. It is like, “When we get to that yellow, let’s slow down.”
I see this as a weakness. It happens in many credit unions. There will be a limit, and they will make that their policy limit. I will give you an example. We have a regulatory limit that you can have low-income credit. Credit unions can have 20% of their deposits from non-members. You will see people write that in their limit, but they are at zero. There needs to be something triggered when they go from 0 for 10 years to 5% or 10%. It is not an effective policy limit if it doesn’t create some warnings as you change your risk profile.
Another one is investments. When I was a capital market specialist, there were a lot of credit unions that wrote investment policies where their policies authorized everything in the regulation, from repurchase transactions to high-risk private-label mortgages. In a lot of cases, the credit unions have never ever bought and will never buy those instruments. They do not understand half of those instruments. Things like that should not be in your policy. Your policy should be real, reflect the risk appetite, and identify if your risk profile is changing along the way. Those risk limits should be unique to each credit union.
The next one is one of the most important aspects of a sound policy. That is a system of reports based on a risk assessment. I will summarize it this way. It needs to demonstrate management’s compliance with the policy. Let’s turn it around. Management needs to demonstrate compliance with the policy in all aspects of their reporting. If you have a policy limit, there need to be reports on that and you have early warning indicators within your policy.
Reporting does not always mean every single thing goes to the board, but within the organization, there needs to be reporting to some level of responsibility. I will throw something out. A lot of credit unions are involved in indirect lending. For example, most places track dealer delinquencies. You do not necessarily need to tell your board what the delinquency level is of every indirect dealer.
They should know delinquency overall. Maybe delinquency for an indirect lending program but at a dealer level, they do not need to know that. Certainly, your loan committee and your loan officers or chief lending officer should know what that delinquency is at a dealer level. That is a key risk indicator. That reporting does not necessarily need to be at the board level, but there needs to be a system or reports that provide your early warning indicators. A demonstration with are compliant and demonstrate compliance with the credit union’s risk appetite, whatever that might be.
There should be reporting on risk limits. If you have an organization with wide risk limits, there should be reporting on that. All those limits are a percentage of net worth. I would argue those are limits that should be reported all the way to the board level. This is a little sidetracked, but I have seen several high-performing credit unions have a compliance report. It is interesting to see it in the board packet in those high-performing credit unions.
It is not on page 300. It is on page 3, 5, or 7 (upfront). It is somewhere close to the front in those high-performing credit unions because they take it seriously. A lot of times, there are strategic plan elements on that type of compliance report as well. Policy exceptions need to be reported. We talked about it a little bit earlier. If you get too many exceptions, it is time to review your policy.
Another thing with reporting and compliance with policies is it is important for boards, especially that your reporting process shows trends over time. It does not show what your limit was this month. It shows where we are at this month, last month, a quarter ago, a year ago, or whatever the case may be. For boards, they come down to common sense. They might not be experts at anything, but most board members, if they look at a trend and see things changing, will prompt them to ask a question that needs to be asked.
It is good to know what direction you are moving and how fast you are moving. It is not where you are but where you have been and where you are going. You need those headlights down the road. Trend reporting is very important in my mind. For board members, it is more important than even knowing where we are at now. It is, “Where have we been? Where are we at? Directionally, where are we going?” You need all three of those types of reports and monitoring and that should be written down within your policy. You should define this reporting process clearly in each of your policy statements.
Lastly, there should be a systematic review date. Not every policy needs to be reviewed every year. By regulation, there are certain policies that need to be reviewed every year, but there should be some ownership within the organization and a specific review date for all policies, even at NCUA. They go through all regulations every three years. In theory, NCUA would go through them every three years anyway.
A lot of credit unions, when they get findings, you see it quite frequently. They are going too hard, working every day. They're at $500 million in assets and all of a sudden, you turn around, and you are at $1 billion, and policies have not changed, but we have got all these new programs and different things going on. It is important as an organization grows that those policies grow with them. The examiners say they want it appropriate to your complexity. Set up a process to review them periodically so they grow with you.
That is a lot you threw at the audience and me. I am going to highlight a couple of things and have a couple of follow-up questions for you before we wrap up here. First, regarding trends at a point in time. To me, the word that jumps out is context. I need to have context. I like to see things over time. Is it growing? Is it shrinking? Knowing a number now can pretty much be irrelevant if you do not know what the goal is, what is allowed, where we have been, and where we are going.
You said it well that providing that allows the board members to understand and provides them the opportunity to ask better questions. That can lead to a dialogue that can lead the credit union to a better place. That is my take on trends at a point in time. Jumping back to limits on individual authority, things that jump into mind there is when people violate that limit to authority. There is the potential that you could have bond claims and situations like that under the most intense of those scenarios. Any thoughts relative to that side of things as it relates to limits on individual authority?
I am going to go back to something else that I said. If you have one employee violating limits in his or her own authority, other employees are going to see that. You are going to see that behavior occurs with other people in the organization. It is a morale killer when employees see management saying do this and they do something else. It is not good for morale. A lot of times, examiners find this because those employees that are unhappy and disgruntled about that will tell their examiners this is going on. That happens a lot.
Bond claims are never good. One of the things I mentioned in my general thoughts is there need to be consequences for not following policies. The system tends to break down if there are no consequences for not following policy. Individual limits are a key part of it. In dealing with our troubled credit unions and some of the credit unions that NCUA has had to pay out insurance funds to resolve, it seems too many times there are individuals who started out by violating their individual policy limits. It became a big problem that can cost the insurance fund money.
This is a two-part question before we wrap up. As you were talking about board packages and what is included and excluded, I am pretty sure in your mind that you have a feeling of what an optimal board package is. When you and I talk to different clients or when we are working to assist credit unions, oftentimes, you will say to me, “I would love to see the board package,” because that provides you context to best understand what is happening at the credit union. Along with that, separately, you and I had chatted that there are going to be some future podcasts that come out of this show. Can you comment on either of those two statements I made?
You are going to see future podcasts potentially on individual policies rather than general elements, what should be in an interest rate policy, or what should be in a business loan policy. I can see that coming. Board packages are an interesting thing. A couple of times in my career, I would sit down with groups of my own staff and say, “What should be in a good board package?” Board packages are very interesting because there are things the board wants to know, then there are things they need to know.
You can’t necessarily make them read it every month, but I will go back to it is important that management and the executives give the board all the information they need to know. Maybe they do not read it every month, but they read it every 3 or 4 months or something of that nature. It would be very easy to spend half a day sitting down where the board is and ask, “What is in your board packet?”
Credit union board packets, a lot of times they evolve, the examiner says, “Put this in there,” and they put it in there. Someone else says, “This should be in your board packet. I add another sheet in there.” Pretty soon, this board packet is huge, and they have never gone back at any given point in time as they’ve grown and said, “What needs to be in there?” Certainly, if the board wants to know something, you need to put it in. Management needs to demonstrate compliance with policies and give them progress reports on that strategic plan.
Board packages are a very interesting topic of what should be in there. It reflects the nature of the credit union. I will throw out an example. One of the problem credit unions I had at one point in my career was about $2 or $3 billion. They end up in special actions, they have negative earnings and all sorts of problems. At that time, they had more than 40 branches. In their cost accounting system, 31 of their branches were losing money. My comment to the CEO is, “Don't you think your board members would like to know that?”
Most credit unions do not necessarily report all that branch profitability to the board. There is not a necessity to, but in a strategic plan, occasionally, it is information that you should share with them sometimes. When 3 or 4 of your branches are losing money, your board members might want to know that. It gets situational. If all 42 branches were making money, it was not something they would have needed to share with their board.
When I was an RCMS examiner, that was the first thing I would always do. I want to open a board packet and share it with every examiner on the team. In these high-performing credit unions that I mentioned, you can go through the board packet. You can pretty much figure out what they are trying to do and how they are doing it. From a single board packet, it is very transparent in these high-performing organizations what is going on. You can figure it out only by looking at a board package.
That is a good place to wrap up with the example of the branch offices. As you said, if more than half of them are losing money, that seems to fall into the category of the need to know. You said there is the want to know and the need to know. They need to know that so that they can take some actions to lead the credit union into the future.
This is another great episode, Todd. I appreciate you sharing your wisdom with the folks that will be reading. That’s it. I want to thank everybody who read. I am Mark Treichel. I hope you join us again next time.
About Todd Miller
Todd worked at NCUA for 34 years as an Examiner, Problem Case Officer, Regional Capital Market Specialist, and Director of Special Actions.