2021 Governance Best Practices Survey Results: Who’s Driving Bank Strategy?

The best banks balance short-term thinking with long-term strategy.

“Long-term performance is always our paramount objective,” Bank OZK Chair and CEO George Gleason told Bank Director at its recent Inspired by Acquire or Be Acquired virtual event. The $27 billion bank topped Bank Director’s 2021 RankingBanking study. “If short-term results suffer because of our focus on long-term objectives, then that’s just part of it.”

Strategic discipline starts with a bank’s leadership team — and the board should play an important role in developing the strategy and monitoring its execution. But that’s not always the case, according to the results of the 2021 Governance Best Practices Survey, sponsored by Bryan Cave Leighton Paisner LLP.

The survey explores the board’s approach to strategic planning, as well as governance practices, board composition and the relationship between executives and the board. The results find that most boards don’t drive strategic planning at their institutions: Just 20% say the board drives this process and collaborates with management to develop the strategic plan. Most — 56% — say their board establishes the risk appetite but relies on management to develop the strategy.

The vast majority believe their strategic planning process is effective. But of the 11% who believe their process to be ineffective, some express regret over the lack of input from their board. One respondent believes their bank’s strategic plan to be “too in the weeds,” while another holds the opposite concern. “It flies at 30,000 feet for [the] most part,” says one independent chair. “[We] need to get a little closer to the ground with metrics and clear paths for management to build.”

Most — 84% — reviewed their strategic plan during the pandemic, but few shortened the time horizon of their strategy. This may seem surprising, given previous indicators that Covid-19 accelerated bank strategy in some areas, particularly around the implementation of digital technology. Perhaps this indicates that, for most bank leadership teams, balancing short-term results and long-term strategy remains top of mind.

Key Findings

Strategic Review
Three-quarters of respondents say their board reviews the strategic plan annually. Roughly two-thirds bring in an outside advisor or consultant to assist in developing the strategic plan — but not generally every year.

Board Responsibilities
When asked to identify the board’s most important functions, the majority of respondents point to holding management accountable for achieving goals in a safe and sound manner (61%) and meeting its fiduciary responsibilities to shareholders (60%). Just 34% say that setting strategy is a key board responsibility.

Competitive Pressures
Respondents say that pressure on net interest margins (52%), the ability to grow organically in their markets (44%) and meeting customer demands for digital options (37%) threaten the long-term viability of their bank.

Interacting With Management
The vast majority of independent directors, chairs and lead directors believe they’re getting the right level of information from bank executives. Almost all interact at least quarterly with the bank’s CEO (98%), CFO (94%) and chief risk officer (85%).

Credible Challenge
Three-quarters say their board has several directors willing to ask tough questions when warranted; 92% find their management team receptive to feedback.

Needle Moving on Board Diversity
Almost 60% believe that fostering diversity in the boardroom improves corporate performance. Thirty-nine percent have three or more board members who bring diverse characteristics to the board, based on gender, race or ethnicity.

Assessing Performance
Less than half conduct an annual evaluation of their board’s performance, which most use to assess the effectiveness of the board as a whole (84%), improve governance processes (60%), identify training needs for the board (59%) or assess committee performance (58%).


Federal Agencies Heighten Expectations and Penalties for Bank Directors

There have been two changes in bank regulatory enforcement that should be of interest to all directors. Recently, the Office of the Comptroller of the Currency released a new examination handbook applicable to institutions of all asset sizes and revised the corresponding handbook for directors, guiding examiners in assessing an institution's risk strategy and control environment and heightening the responsibilities of bank board directors. The guidance requires directors to be in a position to pose "credible challenges to management" and states that a director's prime duty is to "ensure the bank operates in a safe and sound manner," replacing the director's previously stated duty of "protecting the bank."

Also, recent rulemaking has intensified the sting of civil money penalties (CMPs). Effective August 1, 2016, the list of violations has been expanded and fines have materially increased. CMPs have increased for directors, institution-affiliated parties (IAPs), banks, thrifts and other financial institutions. Under the CMP statutes that carry three-tiered penalties geared to levels of severity and intent, the maximum penalties have generally risen 80 to 90 percent, to $9,468, $47,340 and $1,893,610 for the three tiers. Note that regulators forbid banks from making indemnification payments to a director or IAP assessed a CMP.

The changes in the handbooks, coupled with the enhanced CMPs, signal “regulatory creep,” suggesting strongly that less complex institutions will be held to standards expected of complex institutions. This supervisory approach should be noted by a bank and its board. If a federal banking agency decides to proceed with an enforcement action, the target (either the institution or the IAP) will be notified in writing and provided 15 days to explain why a CMP is unwarranted. Additionally, an IAP target will be required to update personal financial statements.

The bank's response to the agency requires a deep dive into the record of supervisory communication between the bank and the agency. A thorough legal analysis of the evidence, counsel's opinion regarding the likelihood of a violation being upheld on appeal, and advice regarding the potential penalty range are critical. The penalty could range from an informal (supervisory) penalty to a public monetary penalty and an industry ban. This is the time for the target, along with experienced counsel, to meet with the relevant agency officials and seek to resolve the principal supervisory concerns so that the exposure is contained. It is also wise to address the possibility of agency referrals for criminal charges. The process of personal interaction with agency officials, and the submission of the legal analysis together with focused strategic dialogue, is paramount.

While it is typically useful that bank management and directors present a unified front, because the federal banking agencies apply different standards and penalties to directors than bank management, a bank must appreciate the potential for conflicts of interest between directors and bank management. It may be necessary to engage independent legal counsel for the board. To the extent there is a uniformity of interests between management and directors, a joint defense agreement can be fashioned. Most bank board protection plans will cover legal fees and costs associated with independent counsel, although, again, the payment of an assessed CMP cannot be indemnified by the bank.

If alleged violations cannot be resolved by settlement, the CMP assessment or other sanctions will be made public. The sanctioned person may request a hearing before an administrative law judge. After the hearing occurs and submissions from counsel are received, the administrative law judge issues an opinion and recommendation to the agency. The administrative law judge’s opinion can be appealed to the agency head. A similar process then occurs before the agency head, and final agency action is rendered. Final agency action may be appealed to the relevant federal court of appeals. The Federal Reserve Board, the Federal Deposit Insurance Corp. and to a certain extent, the Consumer Financial Protection Bureau, use similar procedures.

Now more than ever, it is imperative that a bank director appreciate heightened supervisory expectations, actively provide oversight of management and, importantly, document for the record the curiosity and skepticism the director has exercised. A director's best defense is to be alert to warning signs that a finding of a legal violation is being considered. With management, the board should be proactive in addressing supervisory concerns, and should document curative actions taken before the violation is outlined in a written supervisory communication.

Four Best Practices to Help Bank Boards Manage New Cybersecurity Guidance

Updates to the FFIEC Management Booklet portion of the IT Examination Handbook in late 2015 have placed your board of directors under more pressure than ever to ensure the health and stability of your institution's overall IT and cybersecurity environment.

While the board has always held ultimate responsibility for institutional governance, the revised handbook places extra demands on directors' level of knowledge and involvement, particularly in the areas of cybersecurity, examination procedures and IT management.

It’s perhaps the IT management portion and its two major changes that will prove most taxing to board members. First, the description of the IT management structure is more granular, with the addition of two new parties: executive management and a chief information security officer. Specifically, executive management is expected “to understand at a high level the IT risks faced by the institution and ensure those risks are included in the institution’s risk assessments. In the event that executive management is unable to implement an objective or agree on a course of action, executive management should escalate that matter to the board for more guidance.” The chief information security officer’s duties are spelled out in depth, and the guidance requires that person to report directly to the board, a committee of the board, or senior management—but not to someone in IT. The board is responsible for implementing this new governance structure.

Secondly—and of more concern—the updated guidance requires board members to provide “credible challenges” to bank management before approving IT or security decisions. This means they must maintain enough understanding of IT and cybersecurity matters to ascertain how these decisions might pose risks to the institution and whether they align with its overall strategy. And if they don’t understand something, they must be able to ask thoughtful, intelligent questions until they do.

Now, as most of us know, it isn’t uncommon for board members to “rubber stamp” IT management decisions, sending approvals through with a modest amount of consideration. So, given their accountability for understanding these matters before signing off on them, how can you help your board succeed?

It helps to view this challenge as a two-way street: the board provides oversight and governance, and the bank’s management and subject matter experts (SMEs) share their knowledge and information with board members to help them carry it out. There are four best practices to accomplish this task:

  1. Request that bank management, as well as the IT and security departments, begin passing relevant information to the board. Specifically, this includes monthly or quarterly summaries of incident reports that can apprise the board of any major incidents involving downtime, deployment of business continuity plans or anything else that could affect business decisions.
  2. Have your bank’s IT and security SMEs—or possibly an outside firm—provide the board with continuous updates on regulators’ expectations surrounding cyber risk management and oversight, as well as which high-level risks are circulating in the current environment. The experts also can consult with board members about why this knowledge is important, and how they can incorporate it into their strategic decisions.
  3. Encourage the board members to actively educate themselves by doing their own reading and research. To that end, ask one or two members to sit in on IT or security steering committees, then take the information they learn back to the rest of the board. This gives them access at the ground level.
  4. Invite the board to get involved with the Financial Services Information Sharing and Analysis Center (FS-ISAC), which shares the latest threat intelligence and attack methods, and encourages its financial industry members to do the same. If your institution has a membership—and it should—board members can access those resources and take part in the center’s bi-weekly conference calls.

Again, board members don’t have to become overnight SMEs. But they need to be involved, engaged and ready to ask some tough questions to ensure IT and security strategies are aligned with board expectations and the risk appetite they’ve set. If not, they shouldn’t be voting to approve IT plans.

After all, when it comes to IT, you can have all the best technology in the world, but if it’s unreliable or exposes your bank to too much risk, what good is it? It’s within the best interest of your institution and its board of directors to carefully apply the updated FFIEC guidance to all IT and security decisions.