The prolonged low interest rate environment, slowly improving economy, use of more sophisticated technology, and increased reliance on third-party service providers each present inherent risk to individual banks and the industry as a whole. In the upcoming exam cycle, directors and senior managers will be under increased pressure from the bank regulatory agencies to demonstrate that their institutions maintain a robust risk management culture to account for these and other inherent risks.
Among the key risks facing banks today that the regulators expect boards and senior managers to address are:
- strategic risk as banks adapt business models to respond to the current economic and competitive landscapes;
- management succession and retention of key staff;
- loosening loan underwriting standards;
- expansion into new products and services;
- exposure to interest rate risk;
- oversight of third-party service providers;
- increased volume and sophistication of cyber threats;
- BSA/AML risk from higher-risk services and customer relationships; and
- maintaining effective compliance management systems.
Bank boards can go a long way toward proving the robustness of their risk management culture by focusing on the following five governance actions.
The board should expressly charge senior management with the task of identifying those key risks, and any other material risk, to which the bank is exposed. It is management’s role to educate the board on the identified risks and to clearly and completely explain to the directors how each risk affects the bank. Armed with this information, the directors will be able to conduct the necessary detailed discussion of risk at board and committee meetings and to plan the bank’s strategy to effectively manage the identified risks.
Working with management, the board should develop and approve policies to manage the identified risks. Ultimately, it is the board’s responsibility to ensure the bank maintains appropriate and up-to-date policies to manage the bank. Off-the-shelf, generic policies will not pass muster. Policies should be tailored to the size, scope and complexity of the individual bank’s operations and identified risks; a policy appropriate for the bank down the street is not necessarily appropriate for your bank. The board should review and approve the policies on at least an annual basis, making the necessary changes and additions based on the evolution of the risk to the bank.
Each policy should contain procedures for implementation of the policy and training of appropriate personnel. It is imperative that the board and management give thoughtful consideration to which personnel should receive training. For example, the risk of cyber threats to the bank demands that all employees, from entry-level staff to the CEO, understand the bank’s cyber security policies and procedures and how their particular job at the bank is at risk, while the risk of loosening loan underwriting standards applies only to a smaller segment of the employee population. It is the board’s responsibility to monitor the complete and effective implementation of, and training on, the bank’s risk policies.
Even with the best policies and the most effective teams employing them, exceptions to, and violations of, policies will occur. The regulators understand this, and it is unlikely they will criticize the bank for individual exceptions or violations. However, it is highly likely the regulators will criticize the bank if the board and management fail to identify such exceptions or violations and take steps to correct them. The board should receive regular reports identifying material exceptions or violations and management’s proposed corrective action. Corrective action should be specific and detailed and should contain appropriate time frames within which it will be taken.
Well-crafted board meeting minutes can be the bank’s best friend when it comes to showing evidence of its risk management culture. The minutes should reflect the board’s deliberations relating to the key risks affecting the bank and the processes, procedures and steps the bank takes to manage those risks. They should not be a complete transcript of the meeting but should contain sufficient detail to enable the reader to confidently say, “I know what took place at this meeting.” Minutes should be prepared in draft form as near in time as is practical to the meeting, while memories are fresh, and promptly circulated in draft form to the directors for comment. Properly done, board minutes help tell the bank’s risk management story.
Your bank will be best served if your directors buy into the statement, “The bank’s risk management culture must begin at the top.”