Four-plus years after the global financial crisis rocked the U.S. banking system, directors and risk officers at large institutions feel they’ve gained control over a broad array of financial, regulatory and operational exposures. More than 90 percent of directors, and 89 percent of risk officers, who participated in an inaugural survey of risk management practices and attitudes at banks and thrifts with assets exceeding $5 billion said they were either confident or highly confident of their institution’s ability to manage risk across all lines of business.
The 2013 Risk Practices Survey was conducted in January by Bank Director and Wolters Kluwer Financial Services, a consulting firm focused on risk management and regulatory compliance. The survey was completed by directors and risk officers at some of the nation’s largest banks.
In an industry that’s seen little in the way of positive vibes over the past few years, why all the confidence? “I think it’s fair to say that there’s been a dramatic and almost revolutionary change in risk management,” says Charles Rossotti, a director and chairman of the audit committee at Bank of America Corp., “where the level of attention paid at all levels has increased a great deal, and the level of scrutiny and skepticism that is applied at all levels really has increased.”
Banks have always taken risk management seriously, but attention at the board level has increased dramatically since the financial crisis. Seventy-two percent of risk officers and 63 percent of directors reported that during the last three years, time devoted to the discussion of risk management has doubled or tripled. No one reported that the time has decreased. T.J. Frickle, chief risk officer of Glacier Bancorp Inc., a $7.7-billion asset bank holding company headquartered in Kalispell, Montana, admits that his board has significantly increased the amount of time devoted to risk over the last several years. “Every [board] meeting starts with audit committee, compliance committee and risk committee,” he says, where before “the board didn’t spend as many hours with us risk folks.”
The risk officers who responded to the survey seem to agree that the additional time and focus has been well spent, with 83 percent rating their board’s ability to understand and interpret risk data as excellent or good. Directors are “asking questions that they weren’t asking several years ago,” says Timothy Burniston, vice president and senior director of the risk and compliance consulting practice at Wolters Kluwer.
Fifty-six percent of directors reported that their boards handle risk governance in a board-level risk committee, as the Dodd-Frank Act requires of banks with greater than $10 billion in assets. Thirty-four percent of directors reported that their board handles risk governance in the audit committee or a combined audit and risk committee, while 6 percent govern risk management as an entire board, and 3 percent through the governance committee.
Though Glacier Bancorp’s size does not require it to have a risk committee under the Dodd-Frank Act, Frickle says that the board wanted to be as proactive as possible when it comes to new regulations. So when a new director (Annie Goodwin, an attorney who served as Montana’s commissioner of banking and financial institutions until 2010) with the right skill set to chair the bank’s risk oversight committee came on board in June of 2012, Glacier formed a dedicated risk committee.
For banks without a risk committee, risk management is often delegated to the audit committee as its members are accustomed to working with complicated financial issues. But while the risk control and audit functions draw on similar skill sets, the mindset differs. “Audit and risk have different focuses,” says Christina Speh, director of new markets and compliance strategy in the risk and consulting practice at Wolters Kluwer. Patricia Langiotti, a director and chair of the enterprise risk management committee at National Penn Bancshares Inc., an $8.5-billion bank holding company in Boyertown, Pennsylvania, says it is difficult for the same group of people to focus on risk and audit issues simultaneously. “There’s a difference between auditing history and preparing for [the] future,” she says.
Still, the risk committee does not stand alone. At $87-billion KeyCorp, based in Cleveland, Ohio, certain risk categories, like operational and compliance risk, are presented to the audit committee, says Bill Hartmann, chief risk officer. Similarly, John Fleshood, executive vice president, risk management at Wintrust Financial Corp., a $17.5-billion financial services holding company in Rosemont, Illinois, says that due to differing expertise, the audit committee governs operational risks, while the risk committee deals with more dynamic risks like liquidity, credit and capital risk.
At First Interstate BancSystem Inc., a $7-billion financial holding company headquartered in Billings, Montana, the full board is responsible for risk management, delegating certain risk issues to relevant committees. Phil Gaglia, the bank’s chief risk officer, does not favor a risk committee. “Once you have a risk committee, the full board kind of throws that responsibility off to the risk committee, and it really needs to be a full board responsibility,” he says.
Since the board plays a key role in strategic planning for the institution, it’s perhaps surprising that 36 percent of directors do not link the risk appetite statement to their institution’s strategic plan. “I just don’t know how [the risk appetite and strategic plan] can be disconnected successfully and be an effective, efficient program,” says Speh. As the board sets its goals through the strategic plan, those goals should be set within risk perimeters set by the board. At KeyCorp, the board sets the risk appetite level, and the strategic plan is built around it to ensure that the bank operates within those boundaries. Langiotti says that boards must recognize that risk exists throughout the organization. As the board of National Penn develops the strategic plan, it determines the risk appetite around each goal, she says, “and then [we] carefully connect the development of the risk appetite statement, which is a very important document to our bank board, with what we look at, what we manage and what we have concerns about going forward.”
The board’s relationship with the chief risk officer seems to have deepened since the financial crisis, as the heightened focus on risk management requires the risk officer to be the harbinger of emerging concerns for the board. Rossotti says that while the stature of the risk management team used to be modest, chief risk officers have more clout as their technical expertise has grown and their importance has increased. Now “you have really senior people,” he says, “reporting directly to the CEO and interacting very significantly with the board.”
One of the foremost duties of the chief risk officer is to communicate and report to the board. “The board has to be educated on what the risks are,” says Burniston, and management should expect the board to follow up with questions about how those risks are being addressed and managed. Frickle meets monthly with the board at Glacier Bancorp. “It’s my mission to ensure that the board has confidence in the management team,” he says. “We share articles, and we conduct training with the board on different topics to make sure that they’re aware of new and emerging risks.” Frickle tries to focus on what is most important to Glacier’s board, which includes updates on new projects and services, recent fraud and operational loss events and vendor due diligence, as well as discussion on new regulations and guidance, insurance claims and litigation. Additionally, “I update them on our risk profile in general,” he says.
Sixty-nine percent of directors cited the discussion and distribution of regular risk management reports as one of the many ways the board can best set the tone from the top, and 82 percent expressed confidence in how the reports and materials they receive inform the board’s decisions. Yet the top challenge in supporting an enterprise risk management program, cited by 61 percent of risk officers surveyed, is collecting, analyzing and reporting risk data in a timely fashion. The same number also said that maintaining the technology and data infrastructure to support risk decision-making is a top risk management challenge for their banks. Executives interviewed for this story said it is a challenge to provide information that is concise and yet fully informs the board. Ed Garding, president and chief executive officer at First Interstate, believes that less is more when it comes to reporting. “We have to make it concise and almost somewhat simple so that we just don’t literally overwhelm our board and our staff with risk metrics,” he says. Fleshood agrees. “We work hard to make sure we give [the board] relevant information, not just data. It’s very easy to start dumping data on people,” he says. “I think we give them concise, relevant information that informs and helps them [to] have productive discussions, and that’s very much my goal.”
Speh confirms that it is time consuming and difficult to get information that is concise, focuses on key areas of risk and provides a base level of information for the board to properly oversee risk. “The industry is still figuring out what works the best,” she says, “and will continue to change and evolve as technology, and our ability to pull the information and access the information, changes.”
Before the financial crisis, different risk categories were separately examined in silos, but now “we operate in a much more complex world,” says Speh, and decisions made in one risk category interact with other types of risk. During the crisis, regulators found examples of where bank executives and boards concentrated on risk in different areas, but not how they affect one another, adds Burniston. Since different risk categories interconnect, “tying it all together really does give not only management but the board of the organization that picture to understand how that institution is actually performing.”
Ninety percent of risk officers and 75 percent of directors reported that their banks either have or are in the process of creating an enterprise risk management program that measures risk across the organization. Gaglia describes enterprise risk management at First Interstate as a work in progress, but as the bank grew—and as regulators began to pressure the company—the management and board recognized the need to manage risk across the organization instead of within silos as the company had in the past.
Fleshood sees enterprise risk management as an important direction for the industry, and something that expanding organizations like Wintrust, which he says is growing quickly due to new business lines, FDIC-assisted deals and acquisitions of healthy banks, must learn to do well. “It’s important that we be able to assess all this and distill it down to an understanding, both as management and the board, as to where the risk’s coming from, which are the greater risks, and to be able to redirect our risk management resources” as needed, he says. “[Enterprise risk management] gives a much better platform from which to assess, communicate, describe and report all these risk elements.”
Directors and risk officers might agree on whether to invest in enterprise risk management, but they do not necessarily agree on why. Directors seek to ensure the success of the bank’s strategic direction, as reported by 50 percent of respondents, and develop a governance system that sets the tone from the top, cited by 41 percent of directors. Risk officers who completed the survey said their banks invest in enterprise risk management to ensure consistent, solid performance (61 percent)—and also because the regulators require it, as cited by 56 percent of risk officers. Regulators are “encouraging and in fact requiring” that some banks invest in an enterprise risk management program, says Burniston. But he adds that despite the regulators, boards need to understand the risks embedded in their organizations. “I would want to make sure that I understand what’s going on in every critical area here that presents risk to my institution, and for management to be in a position to explain the interconnectivity, the relationships between those risks, and how the organization holistically is taking a look at it,” he says.
While an enterprise view of risk is crucial for most banks, certain key categories were top of mind for those surveyed. Operational risk was the top concern for both groups, cited by 56 percent of directors and 83 percent of risk officers.
In the past, operational risk hasn’t received much attention at the board level, but “has caused a lot of issues over the last several years, so to see it on the top of the list meant that all of the work that people have done in order to raise awareness of operational risk has been successful,” says Speh.
Rossotti agrees that operational risk, which he describes as “everything that affects the health and profitability of an institution,” is a key concern for boards. Operational risk covers a broad range of topics, including technology risks like cyber security. “You’ve got serious threats out there, ranging from in-house hackers to various state-sponsored external hackers,” he says.
Sixteen percent of directors wrote in that they are concerned about technology risk, which was not an option in the survey. The potential for cyber crime, coupled with the industry’s increasing reliance upon technology and automation, is a huge issue for the industry, Langiotti says. Fleshood says that the rapid rise of technology-driven products and delivery systems like mobile banking adds further challenges. “It’s evolving very quickly,” he says, making assessment of the technology and reputational risks a challenge.
Seventy-two percent of risk officers, and 53 percent of directors, cited compliance as one of the risk categories they worry about most. “Is [compliance risk] on our radar screen? Yes, absolutely,” Fleshood says, “because of the Dodd-Frank issue, the Consumer Financial Protection Bureau, [and] the pace of the new rules that are coming out of Dodd-Frank.”
Risk officers, at 72 percent, and directors, at 69 percent, said that keeping up with the expectations that regulators have for their policies and practices is their top risk management challenge. Frickle, who previously held a position with the Federal Deposit Insurance Corp., says that he sees benefits in some of the new regulations, but agrees that they can present a heavy burden for banks. “I really feel sorry for those smaller institutions who don’t have the staff or the expertise” to implement the necessary changes brought by new regulation, he says.
The board sets the tone at the top, but that tone must carry throughout the organization. Thirty-four percent of directors said that creating a culture that supports bank-wide communication and assessment is a significant challenge. Glacier views every individual employee as a risk manager, with a responsibility to manage risk within their area, according to Frickle. As a result, Glacier “is more risk aware. We’ve become better long-term decision makers,” he says.
KeyCorp conducts an annual risk culture survey to get a sense of how employees are thinking about the risks they have to manage, as well as online educational sessions and tests, to keep employees well informed about risk issues. “We’ve done a lot to build the risk culture in the firm,” Hartmann says.
“At the end of the day, you need to be able to empower individuals to be able to raise concerns and issues,” says Speh.
About the survey respondents
In January, Bank Director surveyed risk officers and members of the board of directors at banks with $5 billion or more in assets, using two similar but separate surveys. Nineteen respondents were risk officers and 32 were directors. Of the respondents, 14 percent were from banks with $50 billion or more in assets, 37 percent from banks between $10 billion and $50 billion in assets, and 49 percent from banks between $5 billion and $10 billion in assets. Of the board members surveyed, 13 percent were lead directors and 3 percent were chairmen. Seventy-eight percent served on their bank’s audit committee, while 50 percent served on the bank’s risk committee. Six percent did not serve on either committee. Of the officers surveyed, 84 percent identified themselves as chief risk officers.