Postcard from the Bank Audit Committee Conference

Upon receiving (with great relief!) a gentleman’s C in the one accounting course I took in college oh-so-many years ago, I vowed to steer clear of the topic from then on. It’s almost impossible to spend the better part of your working life as a financial journalist and not pick up a little bit of accounting knowledge along the way—and I have, although I have been home schooled so-to-speak rather than formally educated, and I still find the discipline to be a little mystifying.

It’s because of this arms-length relationship I’ve long maintained with accounting that I’m always a little surprised by how much I enjoy our Bank Audit Committee Conference, which took place June 5-7 at the JW Marriott in Chicago. This was our seventh year for the event and we attracted 330-plus attendees, most of whom were bank audit committee chairs or members. We don’t really talk about accounting issues all that much at this conference. Instead, we dive into some really fascinating non-accounting topics like government-mandated stress tests, cyber risk, regulatory compliance, enterprise risk management, whistle blowers and forensic investigations.

In recent years, the audit committee has become the most important board at most banks because just about everything of any significance that happens inside of a bank ends up passing through the audit committee in some form or fashion. The audit committee’s significance in the world of public companies was greatly elevated 11 years ago by the Sarbanes-Oxley Act, which among its many provisions made the audit committee responsible for overseeing the company’s relationship with its outside auditor.

If that was the first shoe to fall, the second shoe was the 2007-2008 financial crisis, which led to a greatly heightened emphasis by the bank regulatory agencies on risk governance at the board level. While a growing number of bank boards (especially at the larger institutions) have established separate risk committees, most institutions still handle risk governance oversight through their audit committees. I think it’s fair to say that the financial crisis was a wakeup call for most banks that they needed to do a better job of managing risk at the operating level, and that directors had to improve their understanding as well. Certainly the regulators expect bank boards to be taking a leading role in setting the institution’s risk appetite and monitoring its risk profile on a regular basis.

As you might expect, there were a lot of risk topics on the conference agenda, including overviews of enterprise risk management, board level risk committees and risk dashboards. Two sessions in particular stood out for me. One was a panel discussion that I moderated on cyber risk. I think you could describe the contest between banks and criminal hackers as an arms race in which the banks might be falling behind. Because of the creativity and sheer doggedness with which hackers try to penetrate banks, audit and risk audit committees need to make sure their management teams are placing as much emphasis on cyber security as possible. This is not an area of strength for most bank directors—they need to educate themselves about cyber risk so they can ask intelligent questions about their institution’s security practices. Over the next decade, cyber risk might end up replacing credit risk as the greatest threat facing the banking industry.

The other session that I thought was particularly insightful was a keynote presentation by Fifth Third Bancorp CEO Kevin Kabat. The Cincinnati-based bank was one of the top performing institutions in the country before it hit a rough patch prior to the financial crisis. Kabat made a compelling argument that Fifth Third’s resurgence owes a great deal to the cutting-edge risk management practices that began to develop even before the crisis.

Banking is a risky business, and managing that risk has become job one for many bank audit committees.