Driving Accountability in Incentive Compensation Governance


I once flunked a math test because I didn’t show my work. Turns out, showing your work is important to both math teachers and bank regulators.

To drive accountability, it is important to document and “show your work” when it comes to governance of incentive compensation plans and processes. The largest banks, due to increased regulatory oversight, have made significant strides in complying with regulators’ guidance and creating robust accountability. Here are some resulting “better practices” that provide food for thought for banks of all sizes.

While the 2010 interagency guidance on sound incentive compensation policies is almost a decade old, it remains the foundation for regulatory oversight on the matter. The guidance outlined three lasting principles for the banking industry:

  • Provide employees incentives that appropriately balance risk and reward.
  • Create policies that are compatible with effective controls and risk management.
  • Support policies through strong corporate governance, including active and effective oversight by the organization’s board of directors.

Most organizations used the release of the 2010 guidance to take a fresh look at their incentive plans. It proposed a non-exhaustive list of risk-balancing methods, such as risk adjustment of awards and deferral of payment. Many banks changed their plan structures and provisions to increase sensitivity to, and better account for, risk. The changes made sense pragmatically but largely addressed only the first principle.

After the financial crisis, boards were expected to engage in the oversight and review of all incentive arrangements to ensure that they were not rewarding imprudent risk taking. However, most institutions quickly realized it was not practical for directors to be in the weeds of all their broad-based incentive plans and thus delegated that task to management.

Compensation committees outlined expectations for senior management regarding incentive plan creation, administration and monitoring in a formal document. Their expectations would include, for example, the process for reviewing incentive plan risk.

Comp, Risk Committees Cooperate
Banks also developed stronger communication or information sharing between the compensation and risk committees of the board. This was sometimes accomplished through cross-pollinating members between the committees or conducting joint meetings on the topic. It also became standard for the chief risk officer to participate in compensation committee meetings and present on incentive compensation risk, as well as the overall risk profile of the organization.

Incentive compensation review committees, made up of the most-senior control function heads such as the chief financial officer, chief human resource officer, general counsel and chief risk officer, are often delegated primary oversight responsibilities. To create accountability, this management committee operates under a formal charter, oversees the entire governance process, provides for credible challenges throughout and annually approves all non-executive plans. A summary of their activities and findings is presented to the compensation committee annually, at minimum.

Working groups representing various business lines and broad control functions support the management committee in actively monitoring incentive compensation plans. Every activity in the governance process—from plan creation or modification to risk reviews and back-testing—has a documented process map with roles and responsibilities.

These large bank practices might be overkill for smaller organizations. However, some level of documentation and process formalization is healthy for an organization of any size. My advice: Don’t get fixated on the red tape, as proper governance and controls can be scaled to the size and complexity of each individual bank.

Formalize the Process
The second and third principles of the 2010 guidance are aimed at driving greater accountability and efficient oversight, including enhanced information sharing. Formalizing the process simply helps to crystalize expectations for those involved and safeguards against the dodging of responsibilities.

Plus, regulators—just like that math teacher—want to see the work. It’s not enough to simply have the right answer. You must be able to document the process you went through to get there.

The Need for Secure Communications in the Boardroom


Boards need to keep director communications secure, timely and accurate.

Communication can be a major challenge for busy board directors who need to touch base with their peers regularly, and it can introduce major security risks for the institution.

Boards tend to use different applications or multiple email accounts; the number of electronic platforms means that directors need to remember multiple user IDs and passwords. Directors sometimes resort to using their personal email accounts out of frustration with other systems or for personal convenience.

Many boards send sensitive internal governance communications through insecure communication channels. The use of personal email for internal board communications is widespread. A report Diligent Corporation conducted with Forrester Consulting discovered that 56 percent of directors use personal email for their board communications. Governance professionals and C-level executives also sometimes use their personal email for governance communications.

This is not a good practice. Cybercrime continues to evolve; attacks are increasingly sophisticated, and they are occurring with increasing frequency. Attacks are also becoming more complex, and recovering from digital breaches may become increasingly difficult.

Hackers specifically target directors, C-level executives and the people who support them in a tactic known as “whaling.” Hackers are keenly aware that boards regularly deal with information that is highly sensitive and confidential. Cyber criminals are likely to target high-profile individuals, threatening them with the release of private information unless they pay a ransom. When directors and other notable individuals use personal email accounts for corporate business, they are prone to falling victim to phishing and malicious cyberattacks that could harm the corporation.

Best practices for corporate governance require directors to communicate in ways that are secure, timely and accurate, and that reflect good governance principles. Encapsulated within the principles of good corporate governance is the need to use the right technology to support these efforts. Specific technology that protects the board’s internal communications can also streamline various processes. However, boards should look for specific tools with features such as remote wiping, given that nearly 30% of directors report losing or misplacing a phone, tablet or computer at some point.

The only way to keep sensitive and confidential information private is to use a secure digital messaging application. Look for applications that can work with existing digital infrastructure but are also secure. Some solutions help augment governance and accountability functions, which can address liability issues that email and other types of communications can sometimes create for board administrators and general counsels.

Probably the most difficult element of using secure communications in the boardroom is actually getting directors to use the technology. Getting board directors to change their habits can be a daunting task and something that can take time. However, with the right support and training, directors will be more willing to make the change.

Directors need to understand the importance of using the right technologies and why their current communication methods open the board up to risk. Assessing the security threat demonstrates to the board that the discussion topics and documents are highly sensitive and cannot risk being leaked. The right communication application should provide control to the administrator, with security being a top feature to ensure directors are protected.

Additionally, getting director buy-in from the start is crucial. It is important that boards realize what could happen if their emails are hacked and why they need to adopt secure communications avenues.

Providing your board of directors with the right reasons for needing secure communications is half the battle. Make sure your bank properly evaluates the various technologies to ensure that directors will have the right training to properly leverage the tools.

Compensation Governance in Today’s Economy



Despite recent shifts in the economic and regulatory environment, bank boards still need to keep a close eye on many of the same issues—including risks related to your bank’s compensation practices, as McLagan Partner Gayle Appelbaum explains in this video. She also spells out how talent pressures, and the expectations of regulators and investors, will continue to keep banks on their toes.

  • Key Practices for Boards and Compensation Committees
  • Why You Can’t Relax in Today’s Strong Economy
  • The Need for Heightened Corporate Governance

Six Tech Trends for 2017


For capital markets participants worldwide, Nasdaq operates as a pioneer in maintaining market resiliency and mobilizing the latest practical technologies to strengthen and optimize the business performance of our partners and, most importantly, our clients. Amidst a rapidly changing economic and political environment, the technological advances used in financial services during 2016 reached staggering new heights by year-end.

As a financial technology company, we are especially excited about what is in store for 2017. We believe the following technology trends will have a significant impact on the capital markets this year.

Machine Learning and Artificial Intelligence
Machine learning and artificial intelligence will cross-cut almost everything that we do, and it will be applicable across the board—from helping customers to trade to market surveillance. We are bringing in nontraditional data sets including email and text messaging, sentiment and macroeconomics data, and we are mining log files from different systems for insights. The technology will be used to calculate and generate indices and exchange-traded funds. It will also be integrated into exchange matching engines (the system that matches buy and sell orders) so that it can make certain trade decisions.

Collaboration Tools
Secure collaboration software and online portals will play an important part in how corporate directors and leadership teams work as compliance, board management and the need for a central document repository have become increasingly vital business propositions. These web and mobile app-based tools are typically designed with multiple security and functionality features to provide greater governance, engagement and transparency throughout an organization. As more companies begin to integrate collaboration software into their business workflows, the secure sharing of critical information will become simpler.

Cloud Computing
Cloud providers are taking security seriously, and we anticipate that the financial cloud will soon be more secure than most traditional on-ground data centers. That would potentially allow us to make sensitive information more broadly available than on traditional, centralized databases. Exchanges need to comply with rules and regulations on fair and equal access for clients, so moving front-office applications to the cloud necessitates some technology changes. Running middle-office and back-office applications in the cloud is more straightforward, but in 2017 we will continue work to address the remaining security concerns regarding data separation and customer access to data.

Data Analytics
The ability to mine data, normalize it, update analytics in real time and present it in a consolidated view is a source of competitive advantage. We are now seeing a seismic shift across the industry with machine learning and artificial intelligence enabling users to eliminate bias in the analysis and discover new patterns in the data.

There will be a diverse set of use cases for data analytics within financial services, including its application in the investor relations function, where analytics can assist the IR team by aggregating specific investor data points, filtering institutional investors by the positions they hold in your company’s stock and identifying specific investment characteristics.

Mobile Technology
Advancements in mobile technology have changed the way business professionals collaborate and access information. A new generation of cloud-based applications has simplified information sharing across device types. For example, we have combined mobile technology with other technologies—particularly cloud and blockchain—to enable remote proxy voting. To some extent, financial firms have been laggards in adopting mobile technology because of the security concerns, but addressing those will drive increased penetration.

Blockchain
Blockchain technology could create important efficiencies in position-keeping and reconciliation. For cash-settled securities, it could accelerate the clearing and settlement time frame from three days to same-day, significantly reducing risk in the system. Collateral could be moved around quickly and easily. On the settlement side, blockchain could complement several services, including managing payments and cash, transferring securities, facilitating collateral and tri-party arrangements, and securities lending.

It is clear that financial services in 2017 will evolve rapidly as new technology is integrated into the marketplace. These technologies will change how financial institutions manage their infrastructure, interact with one another, and ultimately, how industry leaders scale and grow their businesses. We are excited to see how the year unfolds.

Good Corporate Governance Starts With the Articles and Bylaws


Just as a good diet and regular exercise contribute to a healthy lifestyle, good corporate governance and board oversight often serve as the foundation for the health and stability of any corporate organization. Corporate governance is often a difficult concept to nail down. In the highly regulated banking industry, the importance of good corporate governance practices is significantly amplified due to the additional layer of regulatory risk that may not affect businesses in other industries.

Although good corporate governance is often associated with maintaining certain policies and procedures, such as guidelines, codes of conduct, committee charters, shareholder agreements and intercompany and tax sharing agreements, we routinely encounter financial institutions that ignore or overlook one of the most fundamental aspects of corporate governance: the articles of incorporation and bylaws. In fact, we experience many situations in which financial institutions have articles and bylaws that are significantly outdated and have not been revised to comply with current laws, regulations and other corporate best practices. Failure to keep these governing documents current not only raises legal and regulatory concerns, but oftentimes compromises the ability of the management team to protect and preserve the interests of its shareholders.

A comprehensive review of the articles and bylaws is recommended, particularly if you have not conducted such a review in the past. Set forth below is a summary of certain terms and provisions that may be of particular interest to your management and board of directors.

Compliance With State Corporate Laws
State corporate laws provide the basic foundation for the conduct of business of most banks and bank holding companies. Over time, these state corporate laws are revised or replaced with more modern corporate statutes. Although the corporate laws may evolve over time, many financial institutions fail to adapt their articles and bylaws to conform to these changes. In many cases, we encounter articles and bylaws that reference outdated and repealed laws and statutes that could lead to questionable legal interpretations and uncertainty in many critical situations.

Limitation of Personal Liability and Indemnification of Directors and Officers
Most state corporate laws have provisions that permit a corporation to limit the personal liability of, and/or provide indemnification to, directors and officers pursuant to provisions in its articles or bylaws. Typically, the ability to limit liability and provide indemnification to directors and officers is eliminated in certain situations such as a breach of fiduciary duty or intentional misconduct. However, we routinely experience situations in which the limitation of liability and indemnification are either not addressed by the articles or bylaws or contain provisions that may not fully protect the interests of the management team.

Electronic Communications
As technology continues to evolve, many state corporate statutes have been revised to permit certain shareholder and director communications, such as notices of shareholder and director meetings, to be delivered in electronic format. Despite these statutory revisions, if your institution’s articles and bylaws require physical delivery of these notices, you might not be able to take advantage of these newer and less costly forms of communication.

Uncertificated Shares
As financial institutions continue to consolidate and increase their shareholder base, the use of third-party transfer agents is becoming more prevalent for the management of stock transfer records. Most transfer agents have implemented uncertificated book-entry systems as a means of recording stock ownership, which eliminates the need for physical stock certificates. However, it is not uncommon for the articles and bylaws to specifically require the issuance of physical stock certificates to their shareholders. Obviously, these provisions must be revised before implementing an uncertificated stock program.

In addition to the specific matters addressed above, some other important areas to consider when reviewing your articles and bylaws include the shareholders’ ability to call special meetings, the process for including shareholder proposals at annual or special meetings, the implementation of a classified board of directors, the process for the removal of directors, mandatory retirement age for directors, shareholder vote by written consent and a supermajority vote standard for certain article and bylaw amendments, such as limitation of liability and indemnification.

A review of your institution’s articles and bylaws is only one component of the broader corporate governance umbrella, but it is one of the more important and fundamental aspects of your board’s corporate governance responsibilities. Routine maintenance of these fundamental corporate documents will be a good start towards enhancing your institution’s overall corporate governance structure.

Do You Understand the New Incentive Compensation Proposed Rules?


Federal banking and securities regulators published a notice of proposed rulemaking revisiting incentive compensation standards that were originally proposed in 2011. The 2016 proposal provides a more prescriptive approach for larger financial institutions than the previous proposal, and it applies to institutions with $1 billion or more in assets. As with prior guidance applicable to incentive compensation, the overarching principles should be considered by financial institutions of all sizes when designing their compensation programs consistent with the Interagency Guidance on Sound Incentive Compensation Policies issued in June 2010, which applies to all banking organizations regardless of asset size.

The 2016 proposal is similar to the previous proposal in that it prohibits excessive compensation to “covered” persons. However, unlike the 2011 proposal, the 2016 proposal more clearly defines requirements of institutions by creating three levels based on average total consolidated assets, with the lowest scrutiny applying to Level 3 institutions, those that have assets of $1 billion or more but less than $50 billion.

The proposal has implications for any incentive compensation provided to officers, directors, employees and principal shareholders associated with an institution with assets of $1 billion or more. As required under the Dodd-Frank Act, the proposal tries to discourage excessive compensation and compensation that could lead to a material financial loss.

Excessive Compensation
There are two distinct elements for consideration. First is excessive compensation, which involves amounts paid that are unreasonable or disproportionate to the amount, nature, quality and scope of services performed by the covered person. Types of information the regulatory agencies will consider in making this assessment include, among others:

  • The combined value of all compensation, fees or benefits provided to the covered person;
  • The compensation history of the covered person and similarly-situated individuals;
  • The financial condition of the covered institution;
  • Peer group practices; and
  • Any connection between the individual and any fraudulent act or omission, breach of fiduciary duty or insider abuse.

Material Financial Loss
In determining whether incentive-based compensation could lead to a material financial loss, regulators have previously stated that they will balance potential risks with the financial reward and assess whether the institution has effective controls and strong corporate governance. The 2016 proposal specifically provides that an incentive-based compensation arrangement would not be considered to appropriately balance risk and reward unless it:

  • Includes financial and non-financial measures of performance;
  • Is designed to allow non-financial measures of performance to override financial measures of performance, when appropriate; and
  • Is subject to adjustment to reflect actual losses, inappropriate risks taken, compliance deficiencies, or other measures or aspects of financial and non-financial performance.

Additional Elements of the 2016 Proposal
The 2016 proposal re-emphasizes that internal controls and corporate governance are essential in monitoring risks related to incentive compensation. The 2016 proposal also contains a requirement that certain records must be disclosed upon request of the covered institution’s federal banking regulator.

The 2016 proposal will be effective 540 days after publication of the final rule and does not apply to any incentive plans with a performance period that begins before the effective date. Similarly, an institution that increases assets to become a Level 1, 2 or 3 institution must comply with rules applicable to that level within 540 days of the triggering size (determined based on asset size over the four most recent consecutive quarters).

Considerations
We recommend that boards begin taking steps in order to comply with the 2016 proposal and the Guidance.

  1. Consider whether any of the institution’s incentive-based compensation is excessive or encourages risks that could result in a material financial loss by: applying the excessive compensation factors as set forth above; making compensation sensitive to risk through deferrals, longer performance periods and claw-backs; and considering a peer group study.
  2. Document relevant considerations as evidence of compliance with the Guidance at the committee and board levels.
  3. Implement controls and governance to oversee and monitor compensation and determine whether to risk-adjust awards.
  4. Review compensation policies annually.

Three Critical Challenges for Bank Audit Committees


As the effects of the banking crisis continue to recede, regulatory agencies have shifted their focus. As asset quality concerns gradually diminish, regulators are scrutinizing corporate governance and risk management issues more closely.

In this environment, audit committees are being challenged to meet a higher standard regarding their understanding of their organization’s risk profile and often must adapt their approach to reflect changing business priorities. Three areas of concern merit special attention as they present audit committees with significant challenges.

Challenge 1: Cybersecurity Risk
Cybersecurity is a paramount issue in financial institutions today, ranking as the number one concern of bank executives and board members in the annual Bank Director Risk Practices Survey for two years running. In the 2016 survey, 77 percent of the respondents said cybersecurity was their top concern, and more than half said preparing for cyber attacks is one of their biggest risk management challenges.

Those numbers are not surprising because banks are a natural target for hackers. But the challenge of managing cybersecurity risk is complicated by banks’ natural reluctance to publicize breaches due to their legitimate fear of alerting other hackers to their vulnerabilities. Unfortunately, this justifiable secrecy makes it more difficult for other banks to learn from their peers’ experiences and hinders banks’ ability to recognize comparable weaknesses in their own systems and third-party relationships.

Another complicating factor is the makeup of the audit committee itself. Committee members very rarely have professional IT backgrounds, so they must rely on qualified third parties to provide insights into risks and mitigation strategies.

Recent regulatory guidance can help overcome this challenge to some extent. Audit committee members should be thoroughly familiar with the Federal Financial Institutions Examination Council’s two-part Cybersecurity Assessment Tool, which was issued in 2015 to help institutions identify their risk exposure and determine if their risk management programs are appropriately aligned. The audit committee should make sure management completes this assessment and integrates its principles into the overall risk management effort.

In addition, the Office of the Comptroller of the Currency (OCC) regularly issues joint statements with other bank regulatory bodies on specific cybersecurity concerns such as new malware developments, extortion attempts, and other current trends. Committee members should stay abreast of the most recent OCC statements on the agency’s website and confirm that management is following the specific preventive steps listed in those statements.

Challenge 2: Reallocating Audit Resources
In the current industry environment of shrinking margins and growing cost pressures, audit committees often must address increasing regulatory compliance demands and growing cybersecurity risk while struggling with resource constraints. Fortunately, there often are unrecognized opportunities to control risk management costs by reallocating resources to reflect changing business models.

For example, as customer habits and access methods change, some financial institutions are reassessing whether it is cost-effective to continue applying the same level of risk mitigation activity at the branch level. Steps such as lengthening the intervals between traditional branch audits and reassigning certain risk control responsibilities to operational managers make it possible to reallocate some internal audit resources to new, more pressing areas of risk. Audit committee members should be alert to such opportunities to reassess and fine-tune the audit approach to reflect today’s business reality.

Challenge 3: Adapting to New Strategies
Shrinking margins also are leading banks to look for opportunities to diversify their revenue strategies. But every new revenue stream requires new operational and support functions and opens up new categories of risk that must be assessed, controlled, and managed. One of the important responsibilities of the audit committee is to actively assess how a new business line will affect the institution’s risk parameters and to determine how those parameters can be addressed effectively and efficiently.

New revenue streams and changing business strategies are nothing new, of course. Historically, bank directors always have been challenged to adapt to shifts in economic and business priorities. In today’s environment, however, with greater regulatory emphasis on the management of risk, the challenges to audit committees are intensified. An effective response to these challenges can have a direct, significant and positive effect on an institution’s long-term success.

Succeeding With Your Succession Plan


One of the areas of corporate governance that is receiving increasing focus by regulators and investors is succession planning. Succession planning is important at the board and management level and is especially challenging for community banks that do not normally have the bench strength to choose from a wide talent pool. Often the principal challenge is to incentivize potential successors to remain in a subordinate position while at the same time transitioning a CEO to retirement.

Integration of the Succession Plan
Corporate governance documents should be reviewed and revised if necessary to identify the appropriate members of the board that will adopt and administer succession guidelines. This is typically the governance committee or the compensation committee. The guidelines should be reviewed by counsel to assure that they do not create unintended expectations or rights that are not consistent with existing plans and contracts. Employment contracts should be revised to clarify the obligation of senior executives to ensure succession development of identified officers.

It is not uncommon that a specific duty to cooperate and implement the succession of a subordinate according to an agreed upon schedule be made part of the contract. Position descriptions should support and facilitate an evaluation of the candidates’ potential for advancement. Further, term provisions should be revised to contemplate expected retirement dates. Short-term bonus plans are a particularly useful method to incentivize cooperation in the development of subordinate executives. A key metric in determining performance of a senior executive should be his or her skills in mentoring and developing subordinates.

Retaining the Next Generation of Bank Leaders
While the mentoring relationship is key, it is often the case that senior executives who are considered the likely successor for the next level, be it CEO, COO or CFO, are lured away by competitors who can offer more immediate advancement. This is sometimes due to the ambition and impatience of the junior executive but also the resistance of the incumbent. There are a number of legal arrangements that can reduce the risk of this occurring. In general, once a designated successor is identified, that person should be granted unvested stock or cash which will vest fully upon their promotion. This is a critical stage as the CEO and board must work closely together to ensure the candidate is prepared to carry the full responsibility of the senior executive. This could take several years and involves familiarizing the candidate with key customers, regulators and the board.

In the event the candidate is not promoted but an outside candidate is chosen, a succession plan agreement would cause a significant portion of the unvested benefits to vest and the candidate would have a window to determine if he or she would remain with the bank. This should have the effect of causing most candidates to resist any capricious impulses to forego the final laps on the succession track and make it more expensive for competitors to raid key talent. It is also the fair thing to do, as the candidate is not guaranteed that he or she will succeed to the desired position but is being asked to remain loyal and forego outside opportunities at the point in the career path where he or she is most attractive to outside companies. It also should allay any fears concerning the risk that an 11th hour outside candidate will be chosen.

Transitioning Retirement of the Senior Executive
For every CEO who has dragged his or her feet in agreeing to a retirement date, there are boards who refuse to accept the planned retirement date given by the CEO. This is human nature, but good corporate governance demands that specific provisions be put in place that counteract this tendency.

While the succession plan, if properly administered, should groom a successor who at the proper time is ready to replace the incumbent CEO, there need to be specific provisions that ensure that the incumbent is incentivized to facilitate the transition at that time. It is not unusual to execute a transition and retirement agreement with the CEO. The agreement would amend existing agreements and plans to include, among other things, accelerated cash and stock benefits, a lump sum payout of remaining salary, and contract benefits, and would describe a transitional role for the CEO. It could continue health and welfare benefits. This would be in addition to any retirement benefits.

Conclusion
Succession planning is often neglected until it becomes a serious issue because of a sudden departure of an executive. Boards must work harder to ensure that the bank has a dynamic succession plan in place to meet the competitive challenges of the future.

The Audit Committee: Help Them Help You


An effective audit committee is a critical component of a financial institution’s corporate governance, but such a committee is not the result of an accident. It is formed through a deliberate process that includes appointing qualified individuals, providing adequate resources and offering other appropriate support.

The Right People
Every effective team begins with an effective leader to serve as chairperson. To fill that role for the audit committee, the board must select an independent director who, at a minimum, possesses an understanding of U.S. generally accepted accounting principles and the importance of internal controls. The audit chairperson should have a sense of the pressure points where the institution might be particularly vulnerable to fraud. Often, board members are business owners, managers in other organizations, or educators and will need help to acquire the requisite skill sets to lead or participate on the audit committee.

The Right Resources
With accounting standards, regulatory compliance requirements and risk factors continuing to change at a rapid pace, boards need to commit time and money to keep the chairperson and the audit committee up to speed. New accounting rules revisit some long-standing techniques in order to establish a more transparent level of reporting. Also, the introduction of the Consumer Financial Protection Bureau (CFPB) added complexity to regulatory compliance, and a bank that runs afoul of the new rules could suffer substantial harm to its reputation. In addition, technology and customer demands for access to services through nontraditional channels add risks never contemplated 10 years ago.

To help the audit committee stay current, the board should provide it access to outside training on these and other relevant areas. Boards also can obtain valuable guidance by monitoring the activities at other banks. Their publicized experiences (for example, in alerts from the Office of the Comptroller of the Currency) can serve as a road map of areas that require regular attention from the audit committee. Audit committee members must be intimately familiar not just with their own bank—but also with the banking industry as a whole.

The Right Support
Although it is management’s responsibility to establish processes and controls to manage risk, it is the audit committee’s responsibility to confirm that such processes and controls are established and monitored. The internal audit group, already charged with risk assessment and monitoring, can play an important role in satisfying this responsibility.

As with the audit committee, the success of internal audit hinges on the training and experience of the team members and on the provision of necessary resources. The importance of these elements increases significantly when the bank’s management is responsible for reporting on the design and effectiveness of the internal controls over financial reporting, as is required of publicly traded companies, because management must attest that controls are well-designed and operating effectively and is held responsible if its attestation proves false.

Bear in mind that a bank’s growth often is not mirrored in changes in internal audit. As a result, issues can go unidentified. Even if new issues are appropriately identified, the review cycles will be prolonged if internal audit has insufficient personnel. When the board looks strategically at the organization, it must align the expansion of the business with the risk mitigation process—including internal audit resources. Even the most capable audit committee will prove ineffective without a well-armed internal audit team.

The board also should recognize that its attitude and that of management toward internal audit frequently contribute to internal audit’s success (or lack thereof). Leadership should address findings on a timely basis, and the board and audit committee should monitor the responsiveness of corrective action, especially for those issues flagged as higher risk. If management is dismissive of findings, and the audit committee or board is uninterested in follow-up, the value of the internal audit role will erode quickly.

The Right Approach
Board members are elected to oversee the activities of their bank, and the audit committee is an integral part of that oversight. It is in the board’s—and the bank’s—best interest to provide both the audit committee and internal audit with the training and resources necessary to execute their responsibilities.