The Big Debate: Should Bank Boards Approve Loans?

A majority of banks approve individual loans at the board level, but should they?  

Bank Director’s 2023 Governance Best Practices Survey indicates that while the practice remains common, fewer boards approve individual loans compared to just a few years ago. Sixty-four percent of responding directors and CEOs say their board approves individual loans, either as a whole or via a board-level committee, while 36% say the board approves loan policies or limits. Four years ago, 77% of respondents to Bank Director’s 2019 Risk Survey said their board approved individual loans.

In an environment that’s characterized by economic uncertainty and sluggish loan demand, does this additional layer of review create more risk? Or does it provide a level of assurance that the credit will hold up, should the economy tip into a recession? 

”There’s no firm rule that says a board should be or should not be involved in this decision,” says Brandon Koeser, a senior analyst at the consulting firm RSM US LLP. 

Boards at banks below $10 billion in assets are more likely to be directly involved in approving individual loans. Those loans may be less complex, and board members may be more likely to know the borrower’s character. While it’s valuable to have former lenders in the boardroom who can review loan packages, it can also help to include perspectives from directors with other types of business experience.  

“A lender is going to approach a loan differently than someone who may have been in the actual borrower’s shoes or may still be in a borrower’s shoes,” says Koeser. “They might even give management additional questions to think through when they’re going through that decision.”

Some bankers say the additional board oversight benefits their organization in other ways, by giving directors a clearer window into the risks and opportunities the bank faces. And while it may be more work for lenders, it also allows those bankers to look at the deal several times before it’s finalized. 

At Decatur County Bank, the $270 million subsidiary of Decatur Bancshares in Decaturville, Tennessee, the board approves individual loans over a certain size, says CEO Jay England. Many of the bank’s board members have at least a decade of experience in approving loans, and the board recently added a former banking regulator to its membership. Those directors’ collective experience provides valuable oversight for larger deals, he says.  

Lending has historically been one of the riskiest activities banks engage in and approving loans as a director carries some degree of risk itself. In the aftermath of the 2008 financial crisis, a number of bank directors and officers at failed banks were sued by the Federal Deposit Insurance Corp. for loans they had approved that later went bad. 

If directors could be held liable for bad loans, England says, they “should be getting a look at the decisions we’re making.” 

But that doesn’t mean there isn’t room for some improvement. The bank revamped its lending and approval process several years ago, he says. As part of that, it adopted a board portal. Bankers upload loan packages into that portal so board members can review them on their own time in between meetings. 

The $1.5 billion Cooperative Bank of Cape Cod moved away from loan approvals by the board as part of an overall shift toward an enterprise risk management structure, says Lisa Oliver, CEO and chair of the Hyannis, Massachusetts-based bank. It created an internal loan committee staffed by bank officers — including the chief credit officer, chief risk officer, chief financial officer and chief strategy officer, along with Oliver as CEO — to approve credits and undertake a deeper analysis of the bank’s credit portfolios, trends, policies and risk tolerances.  

At the board level, the bank folded its loan, finance and IT committee functions into one enterprise risk management committee. That committee’s responsibilities around credit include monitoring portfolios for concentration risk, and reviewing each of the bank’s lending areas for trends in delinquencies, nonaccrual rates and net charge-offs. 

Loans up to $2.5 million are approved by the bank’s chief credit officer. Loan relationships over $2.5 million are sent to the bank’s internal loan committee for approval, and relationships over 15% of the bank’s total capital move to the board for ratification, says Oliver. In this context, the committee isn’t digging into the merits of a deal to approve a specific credit. Rather, the board sees an executive summary of the loan to evaluate its impact on concentration risk limits, risk rating levels and construction loan limits. 

Reading one single loan package can take 45 minutes to an hour for a seasoned credit professional, and Oliver says that moving to this structure has freed up board members’ time and resources to focus on the larger picture of risk management and strategy. 

“Everyone’s time is valuable. I don’t want my board to have to spend time reading these deals,” Oliver says. “What I need to do is elevate them out of management, which is really approving loans, and get them into their seat as risk oversight: approving policies, understanding trends, looking at concentrations and developing risk appetites.” 

Governance issues like these will be covered during Bank Director’s Bank Board Training Forum in Nashville Sept. 11-12, 2023.

Article updated on Sept. 15, 2023, to clarify approvals at Cooperative Bank of Cape Cod.

The Biggest Risk in Banking

Risk governance is undoubtedly one of the most challenging responsibilities of a bank board of directors. The issues are complex and often highly technical. Most bank directors come from outside the industry and have little experience managing financial assets, which are highly sensitive to changes in the economy. 

The risk environment presents a mixed picture. “Where exactly is the economy heading?” says Brandon Koeser, a senior analyst at the consulting firm RSM US LLP, in this edition of The Slant Podcast.

On the one hand, the U.S. economy grew 2.4% in the second quarter of 2023 and inflation has steadily subsided. A year ago, many economists were forecasting a recession by the end of 2023, although Federal Reserve Chair Jerome Powell said recently he does not anticipate an economic downturn by the end of the year.

“Maybe if we do have that downturn, it will be a little further out,” says Koeser. 

On the other hand, the Fed has raised the fed funds rate 11 times since March 2022 – most recently in July to a range between 5.25% and 5.5%. That dramatic shift in the Fed’s monetary policy has had a tremendous impact on bank balance sheets throughout the industry, and was a principal factor in the failure earlier this year of Silicon Valley Bank, First Republic Bank and Signature Bank.

Cyber risk, regulation and talent are additional challenges for all banks. But Koeser says the macro-economic environment is still the biggest risk that banks are currently facing. And he suggests that bank boards should take a hard look at how their institutions’ balance sheets will be impacted by sustained higher rates if the Federal Reserve maintains its monetary policy stance for the foreseeable future, and to consider how they should adjust their strategies accordingly.

“I think it’s really an opportunity for the board to engage – re-engage – with management about strategy,” he says.

Risk issues like these will be covered during Bank Director’s Bank Board Training Forum in Nashville Sept. 11-12, 2023. This episode, and all past episodes of The Slant Podcast, are available on, Spotify and Apple Music.

7 Essential Elements to Integrate Financial Metrics and Risk Strategy

Banks depend on their financial reporting and performance metrics — but often this data is scattered among multiple systems and spreadsheets at typical community and regional banks, and it is very rarely viewed in conjunction with risk data. As a result, bank executives do not have the visibility they need, while strategic opportunities slip by.

Bank’s risk data is often uncoordinated and confusing, stemming from disjointed risk management processes and poor communication flow. Employees may not have a view of their risk profile or have an established appetite for risk. They view risk as something to react to —not a strategic discipline operating across the entire enterprise.

Banks can no longer simply rely on financial metrics alone, any more than they should view risk as simply a credit issue. Financial data being viewed through a risk lens is necessary if any bank is to have the most accurate profile to make the most effective strategic and forward-looking operational decisions possible.

The largest banks have comprehensive tools, reporting systems and dashboards. Their approach allows several key leaders to pilot the enterprise in a coordinated effort. For the small- to -mid-sized bank seeking to be agile and innovative, the technology to make this possible has been either too expensive or difficult to implement.

This unification of finance and risk on a platform is now possible for banks of all sizes. Banks now can project a heads-up display of financial data onto a crystal clear windshield of risk visibility. Here’s what it’s going to take to see what you bank needs to see:

1. Strategic and Financial Management
Generate detailed, driver-based rolling forecasts to project financial performance over the short and long term. Streamline the budgeting and reporting process to incorporate branch, board and external reporting, complete with allocations and consolidating entries, to bring forecasting and strategic planning together.

2. Risk Appetite Definition
Specifically, the risk appetite framework objectives define and manage the levels and types of risk the board and management are willing to take in order to achieve the bank’s strategic objectives. Executives will want to represent the aggregate view of risk across all risk categories and lines of business and create a dynamic structure that allows for internal and external changes in risk profiles. Because every organization’s risk appetite is different, they should be sure to incorporate the bank’s core values, mission and objectives.

3. Top Risk and Key Risk Indicators
This is where risk appetite merges with financial analytics. Key risk indicators (KRIs) measure and indicate changes in the impact or likelihood of a risk against a risk tolerance range or threshold. Develop an enhanced key risk indicator inventory (KRI) aligned to the risk process structure of the corporation. KRIs not only define your bank’s risk capacity, they also provide early indication of changes to your risk profile. They measure performance targets and goals, and provide visibility to the key risk profiles of the corporation.

4. Expected Loss Credit Risk Measurement
Making loans is at the heart of what banks do. Visibility here is key. Banks need to accurately assess credit risk with scorecards that rate both the borrower and collateral, and quantify expected loss for risk rating, pricing and portfolio risk management. This lets executives see the potential impact on charge-offs and the provision for loan losses while identifying higher risk profile segments of the loan portfolio. Good credit portfolio analytics allow the bank to see the trends before they’re impacted by them, so the bank can act instead of react.

5. Stress Testing
This entails a consolidated risk tool set that includes credit and non-credit stress testing, based on prospective economic scenarios. Banks can simulate prospective economic scenarios and see the potential impact on capital and financial performance, while gaining visibility to the organization’s risk profile. They can also obtain visibility to the potential impact on charge-offs rates and the provision for loan losses, while identifying higher risk profile segments of the loan portfolio. If the bank grows too quickly, will it run out of liquidity and capital? What if earnings aren’t what’s expected? What if the economy slows and interest rates increase? What ultimately happens to credit risk exposure?

6. Monitoring and Visibility
Compare the bank’s risk appetite to its risk profiles across the enterprise, both real time and periodically, with your organization’s strategic plan and movements. This includes loan and deposits performance reporting, analytics and branch reporting. Capture instrument-level loan and deposit data to analyze profitability and activity by customer, product, loan officer and more. This will reveal the bank’s growth potential.

7. Real-Time Prospective Reporting
Where it all comes together: The ability to monitor and manage the business day-to-day using a highly graphical and intuitive interface for operating, performance and risk metrics. This is about making risk-adjusted decisions to optimize your organization’s strategic plan.

Embracing automation that unifies real-time financial optimization and risk quantification allows banks of all sizes to see much further, because the risk outlook and forecasting are driven by a shared and goal-oriented risk language and key risk indicators. Banks can finally look through a windshield that is crystal clear because their finance and risk metrics are comprehensive and true.

This all adds up to freedom, freedom to spend less time guessing, gathering and reacting, and more time executing strategy, optimizing risk and achieving goals.

Practical Tips on Artificial Intelligence Risk Management

The world is abuzz with artificial intelligence (AI) and advanced AI chatbots. Unfortunately, regulation rarely keeps up with the breakneck pace of change in the technology world. This leaves many financial institutions wondering how to take advantage of the seemingly endless possibilities of AI without ending up in regulatory hot water.

Even if your financial institution is not ready to dive headfirst into this enticing world, your employees may be curious about what the hype is all about and exploring it on their own. In addition, some of your third parties may be exploring these possibilities as well. Here are three things every financial institution should be doing today to address the future impact of AI:

1. Updating the financial institution’s acceptable use policy to address AI.
Given the rising popularity and curiosity associated with AI, it is critical to provide employees with guidance about your financial institution’s stance on the use of AI. Some areas your financial institution should address in your Acceptable Use Policy and IT program include:

  • Restricting the use of customer data within AI programs without the prior knowledge and approval of Information Security Department.
  • If public AI sites such as Chat GPT are accessible by employees, defining what activity is permissible on these sites. Some examples may include drafting communications or policies, brainstorming ideas, or analyzing publicly available information.
  • Requiring that all AI outputs are reviewed to verify that the information is accurate and correct.

2. Understanding how AI intersects with current regulation.
Although financial regulatory agencies have yet to publish any regulation related to AI, the United States government has been pushing for guidance. The first installment of it came from the National Institute of Standards and Technology (NIST) in the form of an Artificial Intelligence Risk Management Framework, published in January 2023.  In less than 35 pages, it offers a resource to help manage AI risks for organizations designing, developing, deploying, or using AI systems. The framework provides the readers with a method for evaluating and assessing risks associated with AI through common risk management principles that include: govern, map, measure and manage. In addition, the appendix provides a useful summary of how AI risks differ from those of traditional IT systems.

Another resource that mentions AI is the Office of the Comptroller of the Currency’s Model Risk Management Handbook. On Page 4 of the handbook, it describes how users should evaluate systems using AI/machine learning and that these systems may be considered a model. It goes on to state that “even if your financial institution determines that a system using AI is not a model, risk management should be commensurate with the level of risk of the function that the AI supports.”

3. Gaining an understanding of how third parties use and manage AI risks.
Given the dramatic potential for change presented by AI, many technology providers are carefully deliberating how to incorporate and utilize AI within their pre-existing systems or to launch new products. It is important that bank boards and management teams gain an understanding of what third parties are doing and how they are developing appropriate risk management programs.

Long standing financial institution model providers, in areas such as the Bank Secrecy Act or asset and liability management, have a deep understanding of model risk management guidance requirements and often provide certification reports that provide your financial institution with comfort over their model’s inner workings. However, the majority of technology vendors incorporating AI into their products may not be as versed in financial institution regulation and may not hold the view that their products are models — leaving them with nothing to show you. This is why it is critical to talk to third parties early and understand their future plans, to start the discussion about risk management and assurance early.

Like so many other things going on in this rapidly changing world, AI presents new and unique risks — but there is no reason that financial institutions can not setup effective risk management programs to properly identify and monitor these emerging risks. The key is keeping an eye on the horizon and taking the proper incremental steps to continue evolving and maturing your financial institution’s risk management program.

Is Relationship Banking Too Risky?

Before they failed, Silicon Valley Bank, Signature Bank and First Republic Bank were highly profitable and well known for using a relationship banking approach to attract and retain customers. But their failures demonstrate that this approach can create serious risks for an institution in an environment where technology makes it easier for customers to move money.

Peter Serene, a managing director at bank data firm Curinos, says the risks that stem from relationship banking are layered.

“Relationship banking was not the problem. The problem was the concentration,” he says. “[T]he banks that failed were very concentrated. Relationship banking is still good but you can’t be single threaded on a particular segment.”

Broadly defined, relationship banking is an approach where bankers establish long-duration affiliations with their customers, often paired with high customer service. The hope is that this closeness means customers will bring their lending, payments and deposit accounts to the bank and may be less sensitive to price.

“From the bank’s perspective, you have a pretty stable deposit base and stable, repeat customers who come back to you. It’s an opportunity to cross sell and upsell new products and offerings as the customer’s needs change throughout their life cycle,” says Elena Shtern, customer advisory lead for financial regulatory territory at SAS.

Shtern points out that relationship banking was a “big differentiator” for the three banks that failed this spring. Silicon Valley Bank served the innovation economy and First Republic Bank catered to the wealthy. Signature Bank focused on New York real estate firms; its approach paid off until 2023, given its no. 10 tie in Bank Director’s RankingBanking based on 2022 results for institutions with more than $50 billion in assets.

But relationship banking at Signature led to large deposit accounts, according to the Federal Deposit Insurance Corp.’s postmortem report. Uninsured deposit accounts totaled 90% of total deposits: around 60 clients had balances above $250 million and another 290 clients had balances above $50 million. The FDIC wrote that examiners flagged the potential volatility of an uninsured deposit concentration. Management responded that they “believed the deposit base was considerably stable” but the FDIC said those assumptions weren’t well documented or substantiated.

Relationship banking also couldn’t assuage customer concerns about bank solvency — and digital banking technology has made it easier for funds to move. Serene says the large accounts, which were often non-operational corporate funds, “moved faster than models predicted” they would in a stressed liquidity environment. He points out that under the liquidity coverage ratio rules, these types of accounts have an assumed runoff of 40% over 30 days.

“In the case of the banks that failed, the numbers were more like 40% of [those] deposits left in 30 hours. There’s some real rethinking about behaviors,” he says. “Evolution in technology has made a difference.”

But technology doesn’t have to undermine a relationship banking approach. Sioux Center, Iowa-based American State Bank is building and strengthening relationships with customers and their children through its partnership with The Postage, a fintech that helps families organize their finances far ahead of transitions such as a move into care facilities or death, create wills and leave memories and messages for each other.

Tamra Van Kalsbeek, the bank’s digital banking officer, sees The Postage as a way the bank cares for its customers, while gathering deposits and connecting with different family members. It also allows the bank to attract business without competing on price. She says the bank’s “spirit club” of customers aged 55 and older were “really receptive” to the product. It has been a way for the customer or the bank to start a conversation with an executor of an estate or will.

Going forward, institutions that use a relationship banking approach may want to closely examine naturally occurring concentrations and diversify their customers and the types of accounts they have, Shtern says. Diversification among clients can increase bank stability, since it offsets the negative impact one group of customers might have. Martin Zorn, managing director, risk research and quantitative solutions at SAS Institute, adds that directors should ensure that executives are addressing concentration risks through close monitoring, hedges and increased liquidity. Boards should also press management on the inputs and assumptions that populate risk management models, ensure that they understand the answers and hold management accountable to addressing these risks.

“How do you manage your models? What is that governance around the model management? How do you stress test, back test or validate your models?” Zorn says. “Depending on your strategy, you may not be able to avoid concentration. There’s nothing wrong with taking more risk if you have the appropriate mitigants in place.”

Governance issues like these will be covered during Bank Director’s Bank Board Training Forum in Nashville Sept. 11-12, 2023.

Compensation Lessons in a Banking Crisis

Between March 10 and May 1, three regional U.S. banks failed. How were these bank failures similar, or different, than the bank failures of the Great Recession? We already know that there will be more regulatory pressure on banks, but what lessons can these failures teach directors about compensation? First, it is important to compare the Great Recession to the 2023 banking crisis.

Credit Versus Liquidity
The Great Recession was defined by a general deterioration in loan credit quality, incentive compensation that overly focused on loan production and a lack of a risk review process that incorporated the role incentives and compensation governance played.

Contrast that to 2023: Banks have upgraded credit processes and their risk review processes to evaluate the role of incentive compensation under the 2010 regulatory guidance of sound incentive compensation policies. Unfortunately, the banks that failed did not have enough liquidity to cover depositors who desired to move their money.

General Versus Unique
The three failed banks had unique patterns that responded dramatically to the increase in interest rates by the Federal Reserve and complicated each firm’s ability to fulfill depositor withdrawals. Silicon Valley Bank’s bond portfolio was long duration, and First Republic had a material portion of its portfolio tied to long-term residential mortgages. In contrast to the Great Recession, this banking crisis has more to do with business model and treasury management than actions of mortgage or commercial lenders.

Poor Risk Review
This is one area of commonality between the Great Recession and 2023. The Federal Reserve’s postmortem report on Silicon Valley Bank noted that the institution’s risk review processes were lacking. Specifically, the bank’s incentive plans lacked risk measures, and their incentive compensation risk review process was below expectations of a $200 billion bank.

“The incentive compensation arrangements and practices at [Silicon Valley Bank] encouraged excessive risk taking to maximize short-term financial metrics,” wrote the Fed in its postmortem report. This is a responsibility of the board of directors: Examiners review the board’s incentive risk review process as a part of their effectiveness evaluation, as well as a foundational principle of sound incentive compensation policies.

Going Forward
Lessons for the compensation committee must include considerations for what should be in place now versus what committees should be thinking about going forward. The compensation committee should have a robust process in place that examines all incentive compensation programs of the bank in accordance with regulatory guidance.

This process should evaluate each incentive compensation plan according to risk and reward, and monitor how each plan is balanced through risk mitigating measures. In addition, the incentive review process should be governed by a sound overall incentive compensation governance structure.

This structure is anchored by the compensation committee and works with a management incentive compensation oversight committee. It should dictate how plans are approved, how exceptions to plans are made and when the compensation committee is brought in for review and approval. As an example, if a major change is made to a commercial lender incentive compensation plan midyear, what is the process to review and ultimately approve the midyear change? Regulators expect those processes to exist today.

But all crises present new learnings to apply to the future. While there are a number of lessons related to a bank’s business model and treasury management, there are also takeaways for the compensation committee.

Going forward, banks need to move their mindset from credit risk mitigators to overall risk mitigators in incentive compensation. Credit risk metrics are often found within executive incentive plans as a result of the Great Recession. Banks should think how they can incorporate overall risk mitigators, beyond credit risk, and how those mitigators could affect executive incentive plans.

A risk modifier could cover risk issues such as credit, legal, capital, operational, reputational and liquidity risk factors. If all these risks rated “green,” the risk modifier would be at 100%; however, if credit or liquidity turned “yellow” or “red,” this modifier could apply a decrement to the annual incentive plan payout. In this way, a compensation committee can review all pertinent risks going forward and help ensure incentive compensation balances risk and reward.

Liquidity Risk Looms in 2023

Liquidity and interest rate risk dominated bankers’ minds following a series of rapid interest rate hikes by the Federal Reserve, and deposit pricing has proven to be a particular challenge. In 2023, bank leaders will likely focus much of their time on various strategies aimed at growing low-cost deposits while also increasing lending, says Craig Sanders, a partner with Moss Adams. At the same time, bank executives and directors are also confronting growing concerns around cybersecurity risk and regulatory scrutiny of certain fees, such as overdraft charges. 

Topics include: 

  • Liquidity Management  
  • Cybersecurity Expertise 
  • Third-Party Risk Oversight 
  • Responding to More Scrutiny on Fees 

Bank Director’s 2023 Risk Survey, sponsored by Moss Adams, explores several key risk areas, including interest rate risk, credit risk, cybersecurity and emerging issues. The survey results are further explored in the second quarter issue of Bank Director magazine.

Rising Rates, Bank Failures Highlight EVE’s Strengths, Limits

Are rising rates good for banks, or bad for them?

One way banks can answer that question— and position themselves to benefit from rising rates — is by measuring and managing their interest rate risk, or IRR. One way banks can calculate their long-term interest rate risk is using an economic value of equity, or EVE, model, which can show how interest rate movements will change the fair, or market, value of its assets, liabilities and equity. But rising deposit costs and changing depositor behavior is complicating those calculations. 

“Economic value of equity (EVE) measurements allow for longer-term earnings and capital analysis. The analysis may be useful for long-term planning and may also indicate a need for short-term actions to mitigate IRR exposure,” the Federal Deposit Insurance Corp. wrote in its  examination manual

EVE is the difference between a bank’s asset cash flows and the liability cash flows, which includes deposits, says Matthew Tevis, a managing partner at Chatham Financial. This figure differs from a bank’s total equity because EVE includes the franchise value of deposits; bank deposits become more valuable as rates rise because they’re usually stable and less sensitive to price. But how a bank should model deposit costs and runoff — especially as rates rise — are the biggest unknowns in EVE calculations, Tevis says. In contrast, it’s easier for banks to calculate the market value of assets. 

“The real challenge [with EVE] is on the liability side, because you have to assume that a certain amount of your deposit is going to be there for a period of time,” he says. 

Tevis helps banks perform rate modeling exercises so they can see how their EVE changes with different interest rate movements — for example, rates rising by 200 basis points or falling 100 basis points. These exercises can show where the bank is carrying risk that could exceed its predetermined IRR policy limits. 

Poor interest rate risk management played a large role in the March failure of Santa Clara, California-based Silicon Valley Bank, according to the Federal Reserve’s postmortem report. The April report found that the bank’s management “ignored potential longer-term negative impacts to earnings highlighted by the EVE metric.” 

Silicon Valley reported in its 2021 annual report that its EVE was $20.7 billion, which was $4.1 billion above its total equity, but that EVE would fall sharply if rates jumped, The Wall Street Journal reported in May. The bank did not include EVE in its 2022 annual report, which was filed weeks before its March failure. 

The Fed found that Silicon Valley’s risk appetite statement, set by the board, only included net interest income metrics and not EVE. But the bank did calculate EVE, and breached it multiple times before failure. Instead of addressing the underlying risks generating these breaches, management changed assumptions, like the duration of its deposits. 

“No risk had been taken off the balance sheet,” the Fed wrote. “The assumptions were unsubstantiated given recent deposit growth, lack of historical data, rapid increases in rates that shorten deposit duration, and the uniqueness of [the bank’s] client base.”

The report goes onto say that the full board should understand and regularly review IRR reports that detail the level and trend of a bank’s exposure. 

The board of Citizens Bank of Edmond discusses EVE during the monthly asset/liability committee meetings, says CEO Jill Castilla, who shared the privately held bank’s modeling on her Twitter feed recently. The spring banking crisis was an opportunity for the $388.5 million bank, based in Edmond, Oklahoma, to revisit and potentially update its EVE assumptions. The bank commissions deposit studies periodically to analyze how funding behaved in different rate environments and economic cycles, to bolster the credibility of its liability assumptions. Castilla adds that the committee invites input from two separate third-party experts and back-tests its ALCO model to see how closely bank performance mirrored what they modeled.

“It’s important for boards to be asking for deposit studies,” she says. “These are conducted by a third party and they’re able to feed into the assumptions in the model and the disclosure of any changes within the model … We’re questioning if our assumptions are still valid and correct and we’re making some adjustments based upon what we think, but it’s important as a management team to have studies to validate those observations.”

There are two common ways banks can address interest rate risk: changing the actual assets and liabilities, or laying hedges on top of the balance sheet inputs that counteract the impact of interest rates. 

Banks are concerned that rates are going to continue rising, Tevis says: 75% of Chatham’s hedging work for banks right now is directed toward mitigating the risk from rising rates. 

Ultimately, EVE isn’t a perfect mirror of bank interest rate risk: It’s an internal calculation done by the bank that is full of assumptions. Its outputs are only as accurate as its inputs. And while bank EVE may be stressed in the high interest rate environment, the Federal Open Market Committee’s pausing rate increases, or even potentially lowering rates, could shift the calculations and assumptions that go into the model or the result itself.

“When you’re doing an EVE analysis, you’re modeling both increases and decreases and you’re protecting yourself in either environment,” Castilla says. “As managers of banks, we’re also supposed to be expert risk managers and that includes interest rate risk. We have to protect ourselves on the upside and the downside.”

Risk issues like these will be covered during Bank Director’s Bank Audit & Risk Conference in Chicago June 12-14, 2023.

Banking’s March Madness Postgame

After every significant banking crisis, it becomes clear what transpired and how it could have been avoided.

There are two key takeaways from the March bank failures that directors and their senior management team should capitalize on. They should put on a new set of lens and take a fresh look at:

  1. Enterprise risk management practices.
  2. Liquidity risk measurement and management.

What happened in March resulted mainly from a breakdown in management and governance. It is a reminder that risk management is highly interconnected among liquidity, interest rate, credit, capital and reputation risks. Risk management must be a mindset that permeates the entire institution, is owned by the c-suite and is understood by the board.

Here are a few things for directors to ponder while revisiting enterprise risk management governance:

  • Be realistic about potential risks. Listen to, and address, data-driven model outcomes. Refrain from influencing results to reflect a preferred narrative.
  • Understand key assumptions and their sensitivities. Assumptions matter.
  • Bring data to the surface and breathe life into it; value data analytics.
  • Accept that the days of “set it and forget it” policy limits and assumptions are over.
  • Revisit attitudes regarding validating risk management processes and models: Are they a check the box “exercise” or a strategically important activity?
  • Ask what could go wrong and what should we monitor? How thorough and realistic are preemptive and contingency strategies?
  • Acknowledge that stress testing is not for bad times — by then, it’s too late.
  • Cultivate an environment of productive, effective challenge.

Banks and their asset/liability management committees are under stronger regulatory microscopes. They will be asked to defend risk management culture, processes, risk assessments, strategies and overall risk governance. Be prepared.

Telling Your Liquidity Management Story
The March bank failures accentuated the critical importance of an effective liquidity management process — not just in theory, but in readiness practice. Your institution’s liquidity story matters.

Start with your liquidity definition. Most define liquidity by stating a few key ratios they monitor – but that’s not expressing one’s liquidity philosophy. Bankers struggle to put their liquidity definition into words, which can lead to an inadvertent focus on ratios that conflict with actual philosophy. This can result in suboptimal outcomes and unintended consequences. One definition banks could adopt is: “Liquidity is my bank’s ability to generate cash quickly, at a reasonable cost, without having to take losses.”

A bank can readily construct a productive framework around a meaningful definition. Given the notoriety around unrealized losses on assets and potentially volatile deposits, be clear that how the bank manages its liquidity does not depend on selling assets.

Construct a liquidity framework that supports this notion with four elements:

  1. Funding diversification.
  2. Concentration and policy limits.
  3. Collateral management.
  4. Stress testing and contingency planning.

Funding diversification should consider Federal Home Loan Bank, Federal Reserve programs, repurchase agreements (repos), brokered and listing service deposits and fed funds lines. The ability to manage larger relationships with insured deposit programs, such as reciprocal and one-way, FHLB letters of credit and customer repos is also an integral part of funding diversification. Make sure your institution tests all sources periodically and understand settlement timelines.

Funding concentrations must be on your radar. The board and executives need to establish policy limits for all wholesale deposit and borrowing sources, by type and in aggregate. There should also be limits that apply to specific customer deposit types such as public, specialty/niche, reciprocal and others. The bank should track and monitor uninsured deposits, especially those that are tied to broader, larger relationships, and reflect that in operating and contingency liquidity plans. Take a deep dive into your bank’s deposit data; there is a significant difference between doing a core deposit study and studying your deposits.

Collateral doesn’t matter unless it is readily available for use. Ensure all available qualifying loan and security collateral are pledged to the FHLB and Fed. Determine funding availability from each reliable source and monitor capacity relative to uninsured deposits, especially the aggregate of “whale” accounts.

Also, understand how each funding source could become restricted. Ensure your contingency liquidity management process captures this with well-defined stress tests that simulate how quickly, and to what degree, a liquidity crisis could materialize. Understand what it would take to break the bank’s liquidity, and ensure that key elements fueling this event are monitored and preemptive strategies are clearly identified.

Step back and look at your institution’s risk management policies, keeping in mind that they can become unnecessarily restrictive, despite good intentions. Avoid using “if, then” statements that force specific actions versus a thoughtful consideration of alternative actions. Your bank needs appropriately flexible policies with guardrails, not straightjackets.

The conversation on risk management and related governance at banks needs to change. Start with a fresh set of lens and a willingness to challenge established collective wisdom. Dividends will accrue to banks with the strongest risk management cultures and frameworks, with an appreciation for the important role of assumption sensitivity and overall stress testing. Ensure that clarity drives strategy — not fear.

Dusting Off Your Asset/Liability Management Policies

Directors reviewing their bank’s asset/liability management policy in the wake of recent bank failures should avoid merely reacting to the latest crisis.

Managing the balance sheet has come under a microscope since a run on deposits brought down Silicon Valley Bank, the banking subsidiary of SVB Financial Group, and Signature Bank, leading regulators to close the two large institutions. While most community banks do not have the same deposit concentrations that caused these banks to fail, bank boards should ask their own questions about their organization’s asset/liability strategies.

A bank’s asset/liability management policy spells out how it will manage a mismatch between its assets and liabilities that could arise from changing interest rates or liquidity requirements. It essentially provides the bank with guidelines for managing interest rate risk and liquidity risk, and it should be reviewed by the board on an annual basis.

“With both Silicon Valley Bank and Signature Bank, you had business models that were totally different from a regular bank, whether it’s a community bank, or a regional or even a super regional, the composition of their asset portfolios, the composition of their funding sources, were really different,” says Frank “Rusty” Conner, a partner at the law firm Covington & Burling. “Anytime you have a semi-crisis or crisis like we’ve had, you’re going to reassess things.”

Conner identifies three key flaws at play today that mirror the savings and loan crisis of the 1980s and 90s: an over-concentration in certain assets, a mismatch between the maturities of assets and liabilities, and waiting too long to recognize losses.

Those are all lessons that directors should consider when they revisit their bank’s asset/liability management policies and programs, he says.“Is there any vulnerability in our policies that relates to concentration or mismatch, or failing to address losses early?”

In order to do that, directors need to understand their bank’s policies well enough to ask intelligent and challenging questions of the bank’s management. The board may or may not have that particular subject matter expertise on its risk, audit or asset/liability committee, or in general, says Brian Nappi, a managing director with Crowe LLP.

“I don’t think there’s a deficiency in policies per se,” he adds. “It’s the execution.”

Nappi recommends that boards seek to “connect the dots” between their company’s business strategy and how that could fare in a changing interest rate environment.

Conner raises a similar point, questioning why some banks had so much money invested in government securities when the Federal Reserve was telegraphing its intent to eventually raise interest rates.

“That whole issue just looks so clear in hindsight now, and maybe that’s unfair,” he says. “But why is it that we didn’t anticipate that, and are we in a better position today to anticipate similar types of developments in the future?”

Boards could consider bringing in an outside expert to review the asset/liability management policy, says Brandon Koeser, a senior analyst with RSM US. A fresh set of eyes, such as an accounting firm, consultant or even a law firm, can help the board understand if its framework is generally in line with other institutions of its size and whether it’s keeping pace with changes in the broader economy.

“You also want to think about the [asset/liability management] program itself, separate from the policy, and how often you’re actually going through and reviewing to make sure that it’s keeping pace with change,” Koeser adds.

Steps to Take: Revisiting the Asset/Liability Management Policy

  • Establish and understand risk limits.
  • Consider how to handle policy exceptions.
  • Define executive authority for interest rate risk management.
  • Outline reports the board needs to monitor interest rate risk.
  • Establish the frequency for receiving those reports.
  • Evaluate liquidity risk exposure to adverse scenarios.
  • Understand key assumptions in liquidity stress testing models.
  • Review guidelines around the composition of assets and liabilities.
  • Monitor investment activities and performance of securities.
  • Review contingency funding plans.

Directors should also ask management about any liquidity stress testing the bank may be engaging in. Do directors fully understand the key assumptions in the bank’s stress testing models, and do they grasp how those key assumptions could change potential outcomes?

And if executives tell the board that the bank’s balance sheet can withstand a 30% run off of deposits in a short period of time, directors shouldn’t be satisfied with that answer, says Matt Pieniazek, CEO of Darling Consulting Group, a firm that specializes in asset/liability management. The board should press management to understand exactly how bad losses would need to be to break the bank.

“Directors don’t know enough to ask the question sometimes. They’re afraid to show their stress testing breaking the bank,” he says. “They need to have the opposite mindset. You need to understand exactly what it would take to break the bank. What would it take to create a liquidity crisis? How bad would it have to get?”

Sometimes policies tend to be too rigid or not descriptive enough, adds Pieniazek.

“The purpose of policies is not to put straighBtjackets around people,” he says. “If you have to look to policies for guidance, you want to make sure that they have an appropriate amount of flexibility and not too much unnecessary restrictiveness.”

Many banks’ policy limits concerning the use of wholesale funding — such as Federal Home Loan Bank advances and brokered deposits — are too strict and unnecessarily constrained, Pieniazek says. “A lot of them will have limits, but they’re inadequate or the limits are not sufficient, both individually and in the aggregate.”

An example of this might be a policy that stipulates the bank can tap FHLB funding for up to 25% of its assets and the Federal Reserve discount window for up to 15% but restricts the bank from going above 35% in the aggregate.

Along those lines, directors should make sure management can identify all qualifying collateral the bank might use to borrow from the Federal Reserve or FHLB, taking into account collateral that may have been pledged elsewhere. And directors should revisit any overly rigid policies that could tie executives’ arms in a liquidity crunch. A policy stipulating that a bank will sell securities first may prove too inflexible if it means having to sell those securities at a loss, for instance.

A board will also want to understand whether its asset/liability management plan considers the life cycle of a possible bank run. In that kind of scenario, how much would the bank depend upon selling assets in order to meet those liquidity needs? And what’s the plan if some of its securities are underwater when that happens?

While the most recent banking crisis doesn’t necessarily mean bank boards need to overhaul their asset/liability management policies, they should at least review those policies with some key questions and lessons in mind.

“If your regulator comes in, and they see dust on the cover of the ALM policy,” says Koeser, “and they see that the liquidity stress test or scenario analysis aren’t appropriately incorporating shocks or stressors, it could be a difficult conversation to have with your regulator on why there weren’t changes.”

Additional Resources
Bank Director’s Board Structure Guidelines include a resource focused on ALCO Committee Structure. The Online Training Series includes units on managing interest rate risk and model validation. For more about stress testing to incorporate liquidity, read “Bank Failures Reveal Stress Testing Gaps.”