06/03/2011

Talking Tech to Directors


Now more than ever, directors are responsible for making sure their banks don’t step on a technology land mine.

The problem might arise from a security breach that compromises customer information. It might come from a system that lacks the capability to handle growth or support new products, resulting in customer complaints. Or a major investment initiative might turn out to be out of step with the bank’s strategy. Any of these situations spells trouble for the board.

One factor that has increased banks’ risk is the recent advances in computer technology. No one worried much about customer information when it was safely tucked away in mainframe computers. Now it is apt to escape through portable laptops and PCs connected to the Internet if adequate measures aren’t in place.

In the midst of sweeping technological change, two recent federal laws have also forced bank boards to focus more on technology issues. The Sarbanes-Oxley Act puts greater onus on boards to make sure their institutions have a system of strong internal controls, while the Gramm-Leach-Bliley Act requires them to ensure the proper handling of customer data.

How CIOs work with the board

But while the responsibilities have increased, directors cannot be expected to shoulder the burden of technology oversight alone. They should be able to rely on a chief information officer to provide insight into both the risks and opportunities of technology, as well as developments on the broader technology landscape. “The board has a responsibility to be informed,” says Dawn Dillon, senior vice president of technology and operations at Salem Five Cents Savings Bank, a $1 billion mutual savings bank in Salem, Massachusetts. “And I’m one of the informing components.”

Just how much interaction a CIO has with the board appears to reflect an institution’s culture. At $5.2 billion Dollar Bank in Pittsburgh, Abraham Nader, who doubles as the bank’s chief operating officer and chief information officer, says he has no direct contact with the board. In a process that is fairly typical of larger banks, Nader says, various committees screen the information that goes before Dollar’s board. At the CEO’s request, Nader has, on occasion, made presentations at the committee level.

But a different picture of how bigger banks operate emerges at Boston-based Eastern Bank Corp., which has $6.3 billion in assets. There, Lloyd L. Hamm Jr., an executive vice president and chief information officer, says he attends monthly board meetings as well as quarterly audit committee meetings and annual board retreats. “Our board is interested in technology and wants to understand it,” Hamm says. “Plus, the regulators want them to be aware.”

At Calnet Business Bank, a Sacramento-based institution with $160 million in assets, CIO Robert A. Wood has plenty of interaction with the board, both formally and informally, thanks to the bank’s heavy emphasis on technology. Formed in late 2001 with a specific mandate to leverage technology, one of Calnet’s more notable creations has been the development of software to help political campaigns manage the collection of contributions made over the Internet, an application first developed for Arnold Schwarzenegger’s bid to become California’s governor.

Besides monthly board meetings, Wood serves on various committees, including a technology advisory group, which goes a step beyond the standard technology steering committee found at most banks. While Calnet’s steering committee focuses on the nuts and bolts of prioritizing technology budgets and making budgets, the advisory group hammers out the bank’s three- to five-year technology strategy. For example, work done through the advisory committee helped lead Calnet to adopt certain technical standards, Wood says, which enabled it to take advantage of an opportunity to develop Gov. Schwarzenegger’s campaign contribution system. Now, contribution management is a strong niche for Calnet.

Wood also spends one-on-one time with Calnet directors. For example, he recently had lunch with one board member who wanted to know more about a particular product to better explain it to peers and acquaintances, and he regularly gets calls from directors wanting to better understand the profitability or security of particular services. “We rely heavily on our directors being actively involved,” Wood says.

Besides giving updates on technological activity, CIOs also often act as educators and even visionaries for the board. Given the whiz-bang nature of some technology, a CIO’s presentation can be the high point of an otherwise dry board meeting. On the other hand, there are days when the value of a proxy server (a computer server that mediates traffic between a protected network and the Internet) must be explained. “That was not fun,” says Dillon of Salem Five.

Calnet’s Wood shares an outline of the February 2005 presentation he made to his board. An executive overview covered the state of technology and the progress of various initiatives; an infrastructure section discussed possible changes and made specific recommendations; and a product section reviewed modifications to existing products along with new ones in the pipeline. Because Wood also runs the bank’s transaction processing unit as a profit center, he included a discussion on new processing clients; sales and marketing of technology services; revenue and expenses related to technology; and where revenue and sales activity were headed.

Hamm’s presentation to Eastern’s board last February included an update on the progress of the bank’s integration with Plymouth Bancorp, which became effective on Jan. 1, as well as potential back-office changes that would let the bank further take advantage of imaging technology. In general, Hamm sticks to describing technology in terms of business opportunities. “I rarely talk about underlying core systems.”

Improving communications

The nature of a CIO’s presentations may change over the course of the year. In January, Dillon’s presentation to the Salem Five Cents board included a recap of how the bank performed against its 2004 plan. In February, the discussion revolved around plans for 2005, and for its upcoming meeting in March, Dillon plans to talk about emerging technology trends. The first month after every quarter includes a dual update on the initiatives of the past quarter and planned activities for the next, she explains.

Dillon also makes an effort to remember she is speaking to people who may not know everything about the technology she is discussing. When “spyware” (programs that surreptitiously monitor computer users’ activities) became a hot topic, Dillon did not try to write a technical paper about it. Instead, she explained how board members’ own PCs could be affected, and then asked them to imagine that impact multiplied many times.

When Dillon presents on emerging trends, she prepares by reading, in one sitting, all the trade publications and other literature she received over the previous month to get a better sense of what technologies are gathering steam. A few months ago she talked to the board about radio frequency identification, even though her bank has no plans to use it. “It was an interesting, new thing,” she explains. Later, a board member told her he came across an article about RFID in the Wall Street Journal and read it. He thanked her for her presentation. “Now they’re familiar with it,” she says.

Laying the groundwork for possible future use of new technology is a familiar strategy to Anthony Chavez, the CIO of $2.6 billion Mechanics Bank in Richmond, California. A few years ago when his bank was investigating whether to switch its main processing from a mainframe to a client/server-based system, Chavez held several meetings with the board to help them understand the benefits of client/server processing. The informative sessions were never tied to a formal request for funding.

Mechanics never made the switch, but Chavez said the sessions proved worthwhile anyway, especially since the bank began using client/server technology to support all its new applications. “It makes it a lot easier later when you’re explaining the need for server technology, and the reason is because you need to interface with the Internet,” he says. “Boom, they understand. The puzzle fits together a little better.”

Educating the board is a standard procedure at some banks. Over the last three years, Wood of Calnet has held three half-day off-site meetings to inform board members of a specific aspect of technology. Once or twice a year, Hamm at Eastern makes a formal educational presentation to the board, and sometimes he invites outside speakers. Recently, a Harvard University professor spoke about technology and how it affects the financial services industry. This year, Eastern plans to invite executives from Metavante Corp., its core data processor, to provide the board with a global perspective on what they see banks doing with technology.

Vendor relationships can be a key part of what CIOs communicate to their boards, particularly if a bank outsources a lot of its technology. San Jose, California-based Bridge Capital Holdings, a $400 million bank that opened in May 2001, decided early on to outsource its processing so it could support anticipated growth, says Ken Silveira, an executive vice president and the company’s CIO. An outgrowth of that decision has been a formal vendor management process, which includes weekly interaction with vendors through the bank’s technology steering committee. Early on, the bank brought its service providers in to meet the board. In addition, Silveira covers vendor management as part of the quarterly presentation he makes to the board. “Right now, we’re going through a big upgrade of our system,” Silveira says, “so I will report to the board more comprehensively.”

Managing risk; evaluating opportunity

Boards generally do not get involved in formulating technology budgets. The process at most banks more or less resembles what happens at Bridge Bank, in which the technology department submits a budget proposal to the technology steering committee. If a significant investment is involved, the agreed-upon budget may be submitted to the board for concurrence, Silveira says. Once a budget is approved, the board receives regular progress reports. “In most cases, the board does not approve specific decisions because the process is handled more through planning,” he explains.

What many bank boards want most from their CIOs is information that will help them manage risk and maximize opportunities. Silveira says a major concern of his bank’s board is ensuring Bridge’s systems can handle ever-increasing processing volumes, a pertinent issue for a bank that grew by almost 40% in 2004. “We have to anticipate growth, not just be at capacity,” he says. At the same time, Bridge is moving from its early, fast-growth stage to more of a focus on profitability, so it needs to carefully time its investments against its needs.

Bridge’s board is also cognizant of the risk of investing in technology it might outgrow, Silveira says. A year ago, for example, the board supported management’s decision to move to a more sophisticated phone system. The bank had considered installing the technology only in its headquarters, but by rolling it out bankwide Bridge is now able to more quickly open loan offices that are more closely integrated with the rest of the bank through voice mail and interoffice dialing. The move reflected the board’s concern that the bank be correctly positioned for the future. “They want to make sure we’re forward-looking,” Silveira says.

Hamm at Eastern has noticed more questions from the board that revolve around risk: how to identify it, manage it, and mitigate it. The board also wants to know how partnerships are doing, how growth is being handled, and the impact various technology decisions will have on customers, he says.

Ultimately, the board is charged with making sure technology initiatives support the bank’s mission. In the case of Calnet, its goal is to create a culture that supports technological innovation. “The board makes sure we don’t stray too far from that vision,” Wood says.

CIOs have their own goals when it comes to communicating with the board. Dillon at Salem Five notes the raft of new regulations surrounding customer data gives off the perception that regulators are putting more pressure on directors to understand the ins and outs of technology. Until the true expectations of examiners become clear, Dillon says she is trying to provide as much information about technology as the board wants. Hamm considers it his responsibility to keep the board apprised of ways the bank can use technology to expand into new businesses. “I need to communicate new opportunities as they become available,” he says.

Knowing what questions to ask a CIO can help a bank avoid distressing situations (see box). Sometimes the advantages of better communication are obvious. At Bridge Bank, several of the directors have technology backgrounds and can be a rich source of new ideas, says Silveira. And sometimes the benefits are more subtle. Eastern’s board asks good questions and that, says Hamm, “forces me to be introspective.”

10 Questions Bank Directors Should Ask about Technology

Have we reviewed the bank’s risk assessment program for information systems and security and does it identify, evaluate, and address vulnerabilities?

When was the last time the board received a report on the bank’s information system? (If it’s been more than a year, it’s been too long.)

Have we reviewed the bank’s information systems and security and do they address the regulatory requirements for customer information?

Has the bank designated a senior manager to be responsible for information security and does that person have adequate resources, staff, and support?

Does my bank conduct periodic independent tests of the vulnerability of its systems, and has follow-up action been taken on the findings of recent tests?

Does my bank classify the sensitivity of its information (mission-critical, highly sensitive, moderate risk, low risk) so that it can be protected accordingly?

Does my bank use automated and manual methods to detect suspicious activity on its information systems, and is there a formal process for responding to and reporting the activity? Is a report provided to the board?

Does my bank have a process for evaluating and overseeing the security of its outsourcing partners?

Has my bank reviewed its insurance coverage to identify any gaps in information technology or e-commerce activities?

Has my bank documented its information security initiatives to demonstrate it has exercised due care? Has the board’s involvement been documented as well?

Source: MOne Inc., Tempe, Arizona
