The Most Effective Bank Directors Share These Two Qualities

Banks have a slim margin for error.

They typically borrow $10 for every $1 of equity, which can amplify any missteps or oversight. Robust oversight by a board of directors, and in particular the audit and risk committees, is key to the success of any institution.

“At the Federal Reserve Bank of Kansas City, we have consistently found a strong correlation between overall bank health and the level of director engagement,” wrote Kansas City Fed President Esther George in the agency’s governance manual, “Basics for Bank Directors.” “Generally, we have seen that the institutions that are well run and have fewer problems are under the oversight of an engaged and well-informed board of directors.”

This may sound trite, but the strongest bank boards embrace a collective sense of curiosity and cognitive diversity, according to executives and directors at Bank Director’s 2019 Bank Audit & Risk Committees Conference in Chicago.

Balancing revenue generation against risk management requires a bank’s audit and risk committees to invite skepticism, foster intelligent discussion and create a space for constructive disagreements. Institutions also need to remain abreast of emerging risks and changes that impact operations and strategy.

This is why curiosity, in particular, is so important.

“It’s critical for audit committee members to have curiosity and a critical mind,” says Sal Inserra, a partner at Crowe LLP. “You need to ask the tough questions. The worst thing is a silent audit committee meeting. It’s important to be inquisitive and have a sense of curiosity.”

Board members who are intellectually curious can provide credible challenges to management, agrees John Erickson, a director at Bank of Hawaii Corp.

Focusing on intellectual curiosity, as opposed to a set of concrete skills, can also broaden the pool of individuals that are qualified to sit on a bank’s audit and risk committees. These committees have traditionally been the domain of certified public accountants, but a significant portion of audit committee members in attendance at the conference were not CPAs.

Robert Glaser, the audit committee chair at Five Star Bank, sees that diversity of experience as an advantage for banks. He and several others say a diversity of experiences, or cognitive diversity, invites and cultivates diversity of thought. These members should be unafraid to bring their questions and perspectives to meetings.

Having non-CPAs on the audit committee of Pacific Premier Bancorp has helped the firm manage the variety of risks it faces, says Derrick Hong, chief audit executive at Pacific Premier. The audit committee chair is a CPA, but the bank has found it “very helpful” to have non-CPAs on the committee as well, he says.

Audit and risk committee members with diverse experiences can also balance the traditional perspective of the CPA-types.

“It’s important [for audit committee members] to have balance. Bean counters don’t know everything,” says Paul Ward, chief risk officer at Community Bank System, who self-identifies as a “bean counter.”

“Some of the best questions I’ve seen [from audit committee members] have come from non-CPAs,” Ward says.

However, banks interested in cultivating intellectual curiosity and cognitive diversity in their audit and risk committees still need to identify board members with an appreciation for financial statements, and the work that goes into crafting them. After all, the audit committee helps protect the financial integrity of a bank through internal controls and reporting, not just reviewing financial statements before they are released.

Executives and board chairs also say that audit and risk committee members need to be dynamic and focus on how changes inside and outside the bank can alter its risk profile. Intellectual curiosity can help banks remain focused on these changes and resist the urge to become complacent.

I’ll be the first to admit that qualities like curiosity and cognitive diversity sound cliché. But just because something sounds cliché, doesn’t mean it isn’t also true.

Two-Thirds of Bank Directors Are Worried About the Same Thing

At around a quarter to seven o’clock on the evening of Saturday, May 11, firefighters showed up at Enloe State Bank in Cooper, Texas, to find a stack of papers on fire on the conference room table.

“We believe it is suspicious,” said the sheriff, “but we don’t have any more information at this point.” Three weeks later, regulators seized the bank “due to insider abuse and fraud by former officers,” according to Texas Banking Commissioner Charles Cooper.

It’s fair to say that Enloe State Bank is an outlier. It was the first bank to fail in a year and a half, in fact. And one can’t help but wonder what would lead someone to set papers ablaze on a conference room table.

Yet, incidents like this are important for bank executives and directors to register, because they underscore the importance of proactive oversight by a bank’s board—especially the audit and risk committees.

“The essence of the audit committee’s responsibilities is protecting the bank,” said Derrick Hong, the chief audit executive at Pacific Premier Bank, at Bank Director’s 2019 Bank Audit & Risk Committees Conference taking place in Chicago this week. “There are so many pitfalls and risks that could potentially take down a bank, so focusing on those things is the key responsibility of the audit committee.”

Admittedly, it seems like an odd time to worry about risk.

Bank capital levels have never been stronger or of higher quality, noted Steven Hovde, chairman and CEO of Hovde Group. Net charge-offs are lower across the industry than they’ve been in decades. And tax reform has catalyzed profitability. Despite narrow lending margins and subpar efficiency, the banking industry is once again earning more than 1 percent on its assets, exceeding the benchmark threshold last year for the first time since the financial crisis.

But it’s in the good times like these that banking’s troubles are sowed.

“You have to be proactive rather than reactive,” said Mike Dempsey, senior manager at Dixon Hughes Goodman LLP. This approach stems from culture, said Dempsey’s co-presenter LeAnne Staalenburg, senior vice president in charge of corporate security and risk at Capital City Bank Group.

“Culture is key,” said Staalenburg. “Having that culture spread throughout the organization is critical to having a successful risk management program.”

To be clear, the biggest threat to banks currently isn’t bad loans. Credit policy isn’t something to ignore, of course, because loan losses will climb when the cycle takes a turn for the worse. But banks have plenty of capital to absorb those losses, and memories of the last crisis are still fresh in many risk managers’ minds.

The biggest threat isn’t related to funding, either. Even though bankers are concerned about large institutions taking deposit market share as interest rates climb, 74 percent of attendees at Bank Director’s Audit & Risk Committees Conference said their institutions either maintained their existing share or gained share as rates inched higher.

Instead, according to conference attendees, the biggest threat is related to technology. When asked which categories of risk they were most concerned about, 69 percent identified cybersecurity as the No. 1 threat.

Vendor relationships only aggravate this concern. As Staalenburg and Dempsey noted in response to an attendee’s question, vendors offer another way for malicious actors to infiltrate a bank.

Even though we are in a golden age of banking, Hovde emphasized, now is not the time for a bank’s board, and particularly its audit and risk committees, to be complacent.

“Generally, we have seen that the institutions that are well run and have fewer problems are under the oversight of an engaged and well-informed board of directors,” wrote Kansas City Federal Reserve President Esther George in the Fed’s governance manual, Basics for Bank Directors. “Conversely, in cases where banks have more severe problems and recurring issues, it is not uncommon to find a disengaged board that may be struggling to understand its role and fulfill its fiduciary responsibilities.”

An Easy Way to Lose Sight of Critical Risks

Let me ask you a question…

How does the executive team at your biggest competitor think about their future? Are they fixated on asset growth or loan quality? Gathering low-cost deposits? Improving their technology to accelerate the digital delivery of new products? Finding and training new talent?

The answers don’t need to be immediate or precise. But we tend to fixate on the issues in front of us and ignore what’s happening right outside our door, even if the latter issues are just as important.

Yet, any leader worth their weight in stock certificates will say that taking the time to dig into and learn about other businesses, even those in unrelated industries, is time well spent.

Regular readers of Bank Director know that executives and experienced outside directors prize efficiency, prudence and smart capital allocation in their bank’s dealings.

But here’s the thing: Your biggest—and most formidable—competitors strive for the same objectives.

So when we talk about trending topics at this year’s Bank Audit and Risk Committees Conference, hosted by Bank Director in Chicago from June 10-12, we do so with an eye not just to the internal challenges faced by your institution but to the external pressures as well.

As we prepare to host 317 women and men from banks across the country, let me state the obvious: Risk is no stranger to a bank’s officers or directors. Indeed, the core business of banking revolves around risk management—interest rate risk, credit risk, operational risk.

Given this, few would dispute the importance of the audit committee to appraise a bank’s business practices, or of the risk committee to identify potential hazards that could imperil an institution.

Banks must stay vigilant, even as they struggle to respond to the demands of the digital revolution and heightened customer expectations. I can’t overstate the importance of audit and risk committees keeping pace with the disruptive technological transformation of the industry.

That transformation is creating an emergent banking model, according to Frank Rotman, a founding partner of venture capital firm QED Investors. This new model focuses banks on increasing engagement, collecting data and offering precisely targeted solutions to their customers.

If that’s the case—given the current state of innovation, digital transformation and the re-imagination of business processes—is it any wonder that boards are struggling to focus on risk management and the bank’s internal control environment?

When was the last time the audit committee at your bank revisited the list of items that appeared on the meeting agenda or evaluated how the committee spends its time? From my vantage point, now might be an ideal time for audit committees to sharpen the focus of their institutions on the cultures they prize, the ethics they value and the processes they need to ensure compliance.

And for risk committee members, national economic uncertainty—given the political rhetoric from Washington and trade tensions with U.S. global economic partners, especially China—has to be on your radar. Many economists expect an economic recession by June 2020. Is your bank prepared for that?

Bank leadership teams must monitor technological advances, cybersecurity concerns and an ever-evolving set of customer and investor expectations. But other issues can’t be ignored either.

At our upcoming event in Chicago, the Bank Audit and Risk Committees Conference, I encourage everyone to remember that minds are like parachutes. In the immortal words of musician Frank Zappa: “It doesn’t work if it is not open.”

The Good and the Bad Facing Audit and Risk Committees Today

In today’s news cycle, it seems barely a week goes by before another headline flitters across a social news feed about a data breach at some major U.S. or foreign company. Hackers and scams seem to abound across the marketplace, regardless of industry or any defining factor.

Cybersecurity itself has become an increasingly important issue for bank boards—84 percent of directors and executives responding to Bank Director’s 2018 Risk Survey earlier this year cited cybersecurity as one of the top categories of risk they worry about most. Facing the industry’s cyber threats has become a principal focus for many audit and risk committees as well, along with their oversight of other external and internal threats.

Technology’s influence in banking has forced institutions to come to terms not just with the inevitability of integrating technology somewhere within the bank’s operation, but also with the risk that’s involved with that enhancement. Add to that the percolating influence of blockchain and cryptocurrency and the impending implementation of the new current expected credit loss (CECL) standards issued by the Financial Accounting Standards Board, and bank boards—especially the audit and risk committees within those boards—have been thrust into uncharted waters in many ways and have few points of reference to guide them, other than what might be general provisions in their charters.

And lest we forget, audit and risk committees still face conventional yet equally important duties related to identifying and hiring the independent auditor, oversight of the internal and external audit function, and managing interest rate risk and credit risk for the bank—all still top priorities for individual banks and their regulators.

The industry is also in a welcome period of transition as the economy has regained its health, which has influenced interest rates and driven competition to new heights, and the current administration is bent on rolling back regulations imposed in the wake of the 2008 crisis that have affected institutions of all sizes.

These topics and more will be addressed at Bank Director’s 2018 Audit & Risk Committees Conference, held June 12-13 at Swissôtel in Chicago, covering everything from politics and the economy to stress testing, CECL and fintech partnerships.

Among the headlining moments of the conference will be a moderated discussion with Thomas Curry, a former director of the Federal Deposit Insurance Corp. who later became the 30th Comptroller of the Currency, serving a 5-year term under President Barack Obama and, briefly, President Donald Trump.

Curry was at the helm of the OCC during a key time in the post-crisis recovery. Among the topics to come up in the discussion with Bank Director Editor in Chief Jack Milligan are Curry’s views on the risks facing the banking system and his advice for CEOs, boards and committees, and his thoughts about more contemporary influences, including the recently passed regulatory reform package and the shifting regulatory landscape.

Taking on the Toughest Challenges

As bank leaders explore different avenues for growth, they must also weigh the risks that could threaten their institution. In this panel discussion from Bank Director’s 2016 Bank Audit & Risk Committees Conference, led by President & CEO Al Dominick, Dale Gibbons of Western Alliance Bancorp., Lynn McKenzie of KPMG and Bill Fay of Barack Ferrazzano Kirschbaum & Nagelberg focus on the key issues that bank boards and executive teams need to address, from third-party vendor risk to strategic growth.

Highlights from this video:

  • Top Issues for Audit & Risk Committees
  • Aligning Growth Strategy & Risk
  • Evaluating Partnership Opportunities
  • Addressing Technology & Cybersecurity as a Board

The Job of the Audit Committee

As regulatory scrutiny intensifies and liability concerns mount, it’s more important than ever that financial institution audit committees are highly engaged. With the recession and the banking crisis fading in the rearview mirror, regulators are shifting their focus from asset quality to corporate governance—including the effectiveness of audit committees. Effective audit committees are likely to have the following critical attributes.

Proactive Involvement With Internal Audit
Greater audit committee participation in the internal audit process should be the new norm. In the past, audit committees typically took a more passive role—receiving reports from the internal audit department, entering them in the minutes, and rarely asking questions. But today, regulator criticism increasingly cites lack of detail in audit committee oversight of internal audit.

Regulators expect audit committees to have a better understanding of how the department operates on a daily basis and to be more involved with developing the risk assessment and the internal audit plan, including determining the scope of work. Rather than simply functioning as a rubber stamp, the audit committee should push back and challenge management when appropriate and ensure that internal audit has sufficient resources.

The challenge for some audit committees is achieving the necessary composition of members to provide effective internal audit oversight. The membership of audit committees, after all, is drawn from boards of directors, which may lack the requisite diversity in backgrounds and expertise. Financial institutions should address any such inadequacies.

Extensive Communication With External Auditors
The auditing standards under which external auditors work are undergoing significant changes that require expanded communication with the audit committee. The current auditing environment calls for more detailed communications and discussions between external auditors and the audit committee.

Yet, the communication the standards require is sometimes more complex than the information the audit committee wants to hear or has the ability to process. An effective audit committee needs to include at least one financial expert (preferably two) and to allow an appropriate amount of time for the sharing and understanding of vital information.

Comprehensive Understanding of Risk
Since the economy and financial services industry have begun to recover, regulators have placed greater emphasis on how financial institutions are managing risks currently and how risks will be managed in the future—what steps financial institutions are taking to identify risk earlier and respond appropriately. The audit committee therefore must satisfy a higher standard regarding its understanding of the entire organization when it comes to risk.

Regulators rightly assume that a financial institution’s overall strategy strongly influences the level of risk it is willing to assume, along with the level of controls required to monitor and mitigate that risk. In turn, the board and the audit committee are subject to substantially higher expectations related to their understanding of the institution’s risk profile, risk appetite, and mitigation and management of risk factors.

If the financial institution has a formal board risk committee, the audit committee should coordinate with it; if not, the audit committee often is delegated the responsibility for addressing risk management issues. In either case, the committee should stay on top of the bank’s chief risks (including understanding their probability and potential magnitude), the measures management is taking to combat those risks, and the amount of financial or reputation risk that management and the board have agreed is tolerable.

The Consequences of an Ineffective Audit Committee
A financial institution with an ineffective audit committee is vulnerable to regulatory consequences. The institution could find itself subject to criticism related to the audit committee’s failure to fulfill its responsibilities as laid out in the audit committee charter. In rare but potentially disastrous instances, the external auditors could conclude that the audit committee is ineffective, resulting in a finding of material weakness in the bank’s overall internal controls. To avoid such consequences, financial institutions must take action to see that their audit committees have the essential attributes.

Do Audit Committees Really Need a Lawyer for Every Meeting?

The chairman of the board of a Securities and Exchange Commission (SEC) issuer recently told me that his company pays an annual $150,000 retainer to outside legal counsel to attend its audit committee meetings. He explained that this outside legal counsel attends every meeting as a matter of course, not because the committee is dealing with any specific legal issue. The chairman wondered if this expense was really necessary or required. Good question.

In 1999, the influential Blue Ribbon Committee on Improving the Effectiveness of Corporate Audit Committees issued a report and recommendations. The committee—11 members drawn from the business, financial and accounting communities—was established in September 1998 by the New York Stock Exchange (NYSE) and the National Association of Securities Dealers (NASD) to make recommendations on strengthening the role of audit committees in overseeing the corporate financial reporting process.

One recommendation advised that when circumstances dictate, “management should help the audit committee retain independent legal counsel.” It also included several sample audit committee charters. These included references to retaining independent counsel to help with investigations into matters within the audit committee’s scope of responsibilities.

Following release of the report, the stock exchanges and the SEC adopted several reforms focused on the role and independence of audit committees. Among other things, registered companies were required to adopt audit committee charters, and many nonregistered companies did the same simply as a matter of smart governance policy. Today’s charters often call for independent legal counsel for the audit committee.

With the emphasis on audit committee independence, it’s no surprise that an audit committee may, at times, need to turn to outside legal counsel rather than relying on corporate counsel. But this need usually arises in extreme situations, such as when dealing with management fraud, shareholder accusations of impropriety or regulatory complaints related to the board. Is it necessary to keep independent counsel on retainer and involve them in routine meetings? I find it hard to see the value of having independent counsel on retainer to attend regularly scheduled meetings. Absent specific ongoing issues, it would be difficult to justify the high costs of doing so. I’d like your feedback on this.

  • Has your audit committee ever engaged independent counsel?
  • Do you keep counsel on retainer?
  • What is the counsel’s level of participation in audit committee governance?

I look forward to reading your responses in the comments below.

Audit Committee: Important Questions to Ask Regarding Your Strategic Plan

It is obvious that the banking industry has undergone some dramatic changes over the past five years. The national and global economic crisis and the ongoing recovery have changed the playing field, making it more difficult for community banks to successfully operate with the same business plan as just a few years ago.

This new reality has made it increasingly important that audit committee members understand their institution’s strategic plan for the next three to five years so they can appropriately conduct their oversight role. This was a focus of my presentation at the Bank Director Audit Committee Conference in Chicago last month. After talking with audit committee members during a peer group exchange and throughout the general sessions, it was clear that some boards and management teams have gone to great lengths to make sure that they have developed a clear vision of the strategic plan and how their organization will adapt to the new environment, while other organizations have not yet turned their focus to the future.

With that in mind, there are a number of questions that audit committee members should be asking themselves, their board colleagues and their management teams:

What is our strategic plan? It is increasingly important that boards of directors and management teams have a clear direction as to the strategic focus and goals of their institution. Directors should determine with management the role that directors play in establishing the plan, measuring the institution’s progress with the plan and modifying the plan, as necessary.

How does our strategic plan affect our risk monitoring?  Different strategic goals may give rise to different risks and different risk management tools may be necessary. For instance, an institution that is focused on growth through acquisitions may have different risk thresholds and considerations than a company that is focused on steady, organic growth. These differences should be taken into account by the audit committee when approving the company’s internal audit plan and reviewing the internal audit reports.  

How is our relationship with the regulators?  It is crucial in today’s environment that your organization has a solid, respectful relationship with its regulators. As a director, you should be comfortable that your management team is responsive to the regulators’ questions and suggestions. Additionally, it is important that the directors can show the regulators that they are engaged in their oversight role and are exercising independent judgment. Directors should consider reviewing the lawsuits recently filed by the Federal Deposit Insurance Corporation against directors to understand some of the practices at other institutions that have led to potential director liability.

What is our current capital structure?  Regulators and investors place a heavy emphasis on capital levels and this will continue into the future. Basel III, the Dodd-Frank Act and the unspecified “regulatory expectation” will shape what future capital requirements will be for all institutions, regardless of size. Not only are there going to be higher capital requirements, but the components of capital will also change, with a clear bias toward more permanent common equity. Capital plays a key role in an institution’s strategic plan, and all directors should have a clear understanding of the following to help ensure that capital issues do not interfere with the company’s plan:

  • their institution’s current overall capital levels;
  • the different capital components and how their institution’s capital is comprised (levels of common capital vs. trust preferred, TARP preferred, subordinated debt, etc.);
  • how much capital will be needed in the future; and
  • how their institution can raise additional capital.

What is occurring with M&A in the industry? Are we going to participate?  Over the past 18 months, industry insiders have been indicating that a wave of consolidation is right around the corner. While the level of merger activity has remained somewhat muted, it is likely that there will be more activity in the near future. Directors should understand their institution’s M&A plan and how it fits within the company’s overall strategic plan. Whether or not the company is planning to be an active acquirer or is contemplating selling, it is important to understand the industry trends, what investors are looking for and what your competitors may be planning.  Additionally, it is important that all institutions have an understanding of what different opportunities exist within their market areas. Having such current knowledge will help ensure that the company can act quickly if the company’s circumstances change and participation in a strategic transaction is in its stockholders’ best interests.

What Regulators Want To See From Boards

While there is much in the Dodd-Frank Act that doesn’t apply to banks under $10 billion in assets, directors at smaller banks should still be worried about other things—like how they’re viewed by their regulators, how they approach risk and how they discharge their responsibilities.

That was the message coming out of a regulatory panel at Bank Director’s Bank Audit Committee Conference last month in Chicago.


A supervisor at the Federal Reserve’s Division of Bank Supervision and Regulation, Pamela Martin, told the crowd that Dodd-Frank isn’t geared toward institutions below $10 billion in assets. As an example, she said that the Federal Reserve has no intention of requiring stress tests of community banks.

Dodd-Frank mandates that banks above $10 billion in assets establish a board level risk committee, and banks above $50 billion in assets must have both a risk committee and a chief risk officer.

“I would doubt we would be more stringent than what we’ve already proposed,” Martin said.

However, the newly created Consumer Financial Protection Bureau (CFPB), which was authorized by Dodd-Frank, will take complaints from consumers and businesses about all banks, not just big banks.

Charles Vice, the commissioner of the Kentucky Department of Financial Institutions, who also spoke on the panel, said some rulemaking by the CFPB will impact banks of all sizes, but he didn’t see the agency “having time to go after community banks” specifically.  


During the panel discussion, the regulators talked about the importance of enterprise risk management, and of taking a thorough approach to analyzing the bank’s risks and trying to anticipate future scenarios that could impact the bank.

“It doesn’t have to be these complex diagrams that consultants publish,” Martin said. “You need to understand the risks you’re taking and do something about it.”

Vice said that a small bank doesn’t necessarily need a chief risk officer. “Even if you don’t have a dedicated employee, at least your senior management and board should be looking at your risk and how to mitigate it and manage it,” he said.

Innovation and Risk

One potential area of risk is new business and investments.

Martin said she was concerned that banks had a lot of cash on their balance sheets and might invest in risky ways. She also is concerned whether banks understand new business lines or new geographic areas they might expand into.

“Why are you going into this market, or how are you going to make money and do you have the capital to support this new activity?” she said. “We’re paying attention to the fact that you’re in a low profitability environment. That’s not going to change anytime soon. Understand the risk you’re taking and how you will support the risk you’re taking.”


One of the ways that regulators assess the job that the board is doing is by reading committee minutes. Vice said his department’s pre-exam work includes reading audit committee minutes and reports.  His department will change the focus of the exam depending on the examiners’ comfort level with audit committee work, he said.

Regulators also look at the scope of the external audit. If it doesn’t look like internal or external audit work is robust enough, they’ll take a deeper look at the audit and whether the audit committee discussed results and had a game plan to deal with audit recommendations, Vice said.

Martin concurred that the Federal Reserve likes to see lots of discussion reflected in the audit committee minutes.

She said the bank isn’t downgraded for not having lots of discussion included in the minutes, but a robust discussion is a plus. If there are any issues uncovered in the audit, those ought to be addressed.

“We want the bank to identify the problems,” she said. “You don’t have to solve them immediately. You don’t necessarily have to solve them the next time the exam comes around, but we want to see progress.”