Tips to Navigate Top Risk Factors for Banks in 2021

Risk is always a prominent factor for banks. Their ability to strategically navigate change proved to be crucial in a year of unprecedented challenges caused by the Covid-19 pandemic.

Moss Adams partnered with Bank Director to conduct the 2021 Risk Survey that explored key risks facing the industry — and forecast how banks will emerge from the pandemic. Below is a summary of top insights from the survey, as well as considerations that bank leadership should keep front of mind as they go into the second half of the year.

Rising Credit Risk Concerns

Unsurprisingly, concerns around credit risk increased in 2020.

Two-thirds of bank respondents worry about concentrations in their loan portfolio, particularly around industries significantly strained during the pandemic, including commercial real estate and hospitality. Almost all respondents modified loans in the second and third quarters of 2020 to aid their customers during the initial wave; some of these modifications extended into the fourth quarter.

Evaluation Metrics and Portfolio Concerns

Two separate metrics are now in play for regulators’ evaluations. As a result, it’s important to remember that just because your bank’s loan portfolio doesn’t receive a favorable rating doesn’t mean your bank or management won’t be evaluated favorably.

Regulators might downgrade a portfolio rating as some credits went into deferrals due to business shutdowns and borrowers being unable to make payments. However, bank management could receive a strong rating because of actions they took to keep the bank running and support customers.

While modifications reflect current realities, they don’t diminish the fact that portfolios are degrading from a stability standpoint. Forty-three percent of respondents tightened underwriting standards during the pandemic, while roughly half are unsure if they’ll adjust standards in 2021 and 2022.

Banks that have good governance will loosen their underwriting standards and will be strategic about to whom they lend money. In addition, they will assess which loans they’ll permit to be in delinquent status without taking action, and which they’ll defer.

Increases in Stress Testing

While annual stress tests are common for banks, 60% of respondents expanded the quantity or depth of economic scenarios in response to the pandemic. This is despite regulators’ previous increase of the asset cap threshold for required testing.

Most institutions focus not just on interest rate stress testing — they test the whole portfolio. This is driving more stress testing on the viability of collateral for loans and liquidity. Institutions know they’ll face increased allowance provisions and write-offs, so they’re stress testing the capital resiliency of their organization to see how they would shoulder that burden.

Looking forward, banks may want to focus on concentrated risks within the portfolio. They may also want to apply different, more specific stress testing criteria to various segments such as multifamily real estate, hospitality and mortgages, knowing certain areas may pose greater risk.

Improved Plans for Continuity and Disaster Recovery

The pandemic placed a renewed focus on continuity and disaster recovery. While most organizations had a pandemic provision in their plans following guidance from the Federal Financial Institutions Examination Council (FFIEC), they had been considered only hypothetical exercises. When an actual pandemic hit, many organizations had to react quickly, focus and learn how to adapt during the experience. Most banks will enhance their business continuity plans as a result of the pandemic: 84% of respondents say they’ve made or plan to make changes to their plans.

Key improvement areas include plans to:

  • Formalize remote work procedures.
  • Educate and train employees.
  • Provide the right tools to staff.
  • Ensure the bank’s IT infrastructure can adapt in a crisis.

Cybersecurity and Remote Work Setups

Three-quarters of respondents plan for at least some employees to work remotely after the pandemic abates. This makes cybersecurity a significant concern: boards need to explore it further and implement additional precautions around it.

Previously, with employees working in one space, there was only one entry point of attack for cybercriminals. Suddenly, with employees working from potentially hundreds of different locations, hundreds of entry points could exist.

Employees’ mental states are also a crucial vulnerability to factor in. It’s easier for cybercriminals to take advantage of or deceive employees who are navigating the difficulties of working from home and the general stresses of the pandemic. Increased staff training, as well as technology improvements, can help better detect and deter cyberthreats and intrusions.

Looking Forward

Though many respondents noted the resilience of the industry, it’s important to not get complacent. Banks certainly weathered the hard times, but the biggest impacts of the past year likely won’t be fully visible until the pandemic subsides.

Once that occurs, some businesses will reopen but may need more capital. Others may still close permanently, leaving banks to determine which loans won’t get repaid, engage bankruptcy courts, take cents on the dollar for the loan and charge write-offs.

So while this past year has been a major learning experience, the lesson likely won’t be concluded until early 2022.

 


When Disaster Strikes, You Better Have a Plan



Hurricanes Harvey and Irma, which struck different locations on the U.S. coastline in August and September, were a tragic reminder that we live in an uncertain world, and natural disasters can cause widespread devastation. The individuals who have been directly affected will always be the first concern, but it’s equally important that businesses and government agencies be able to rebound quickly after a widespread disaster because their ability to function effectively is vital to the recovery of the communities they serve.

Every bank needs a business continuity management plan that the senior executive team and board of directors can activate in the event of a disaster like Harvey or Irma. The plan should be reviewed and tested annually, and updated as needed, suggests Christopher Wilkinson, a principal in Crowe Horwath’s Technology Risk Consulting Group who oversees business continuity planning and penetration assessments for the firm’s cybersecurity team. A common mistake that many organizations make is to see business continuity planning as purely an IT issue, when in fact it is much broader than that. “It’s important to make sure that you focus, first and foremost, on business continuity as a business issue and not just as an IT issue,” he says. In an interview with Bank Director Editor in Chief Jack Milligan, Wilkinson talks about the basic elements of a sound business continuity management program.

BD: What are the primary elements of a good plan?
Wilkinson: When you take a look at business continuity management (BCM) programs, there are four key components. The first component starts with a business impact analysis (BIA). Organizations used to look at business continuity as an IT problem when in fact it really is a business issue. IT is a big component of restoring business operations, but business continuity as a whole is not just an IT problem. A lot of organizations have made the shift to say, “When an event happens, I don’t necessarily want to restore [just] my payroll application. I want to make sure that the process of paying my individuals is restored in full.” And the BIA builds the requirements for each one of the organization’s critical business processes.

One of the biggest components, or variables, that is set during the business impact analysis is the recovery time objective, or RTO. This tells an organization how long a specific business process like HR or payroll can be placed on the back burner before it significantly impacts the organization.

You can look at the impact from a variety of different perspectives. The obvious one would be the financial impact to the organization, but there are others, like the ability to attract new customers or the impact on servicing existing customers. There are a variety of factors that you want to measure the impact of for each business process to determine the overall impact on the organization.

The second important variable in BCM is the recovery point objective, or RPO. This one is a little bit more difficult, but what this variable tells us is, if I had to go to a snapshot of data in the past for some of the systems associated with a business process, how far back could I go? Depending on how dynamic the data is, are we talking minutes, hours or days?

Disaster recovery is an IT issue, and basically what it tells the organization is, “How do I strategically prepare my critical applications to meet the RTO and RPO expectations from the process owners?”

For example, when you talk about RTO, do I have a system designed in such a way with data backups and system redundancy, and the ability to recover that system within the required recovery time objective that the business has given me? So in essence, it’s giving you a service-level agreement, or an SLA, for each and every one of your applications. It tells the IT department, “Here’s how long I can go without this system. Now it’s your job to make sure that system is positioned strategically to meet expectations.”

The third component of a BCM program is the business continuity plan. This is, once again, a business issue. When we document business continuity plans for organizations, one of the things that we’re doing is making sure that certain processes can still be performed in the event of a disaster. If it’s payroll, for example, what can I prepare beforehand to ensure that I can pay employees given the absence of either the systems, the people, or the resources and facilities that are available?

The fourth component of BCM is testing. Are we doing our tabletop testing? Are we getting the right people in a room and walking through disaster scenarios on an annual basis? Are we testing the business side and the business continuity plan? Are we testing the disaster recovery plan, and the ability for IT to recover both the systems and the data that support the business function?

BD: What mistakes do companies, including banks, typically make in their business continuity planning?
Wilkinson: That is a great question. I think one of the more common mistakes that I mentioned earlier is looking at business continuity as an IT issue, instead of as a business issue.

If we’re dealing with payroll and HR as an example, I very likely could recover the payroll application. But there may be other dependencies within the payroll process that aren’t up and running that aren’t IT related.

So it’s important to make sure that you focus, first and foremost, on business continuity as a business issue and not just as an IT issue.

Another mistake is that some of the smaller banks under $10 billion in assets haven’t done a business continuity risk assessment, where you’re prioritizing your threat based upon the company profile. That could be geographic location, which is probably one of the largest factors for banks. As you can imagine, if I’m a bank in the Florida Keys, I’ll have much different concerns with regards to the types of events or threats that may impact me than a bank in the Midwest.

So I need to make sure that I take a look at those threats, and then take a look at the controls that are in place from a business continuity perspective. Look at the most effective controls that are required for each one of those types of events, and then put those in place, and make sure that they’re effective.

BD: Do banks have any special issues when it comes to business continuity?
Wilkinson: Banks are probably a little less challenging than other kinds of organizations. If you think about manufacturing and distribution, you have to worry about supply chain management. The Japanese tsunami in 2011 was a great example of that; it disrupted the supply chain for folks in many industries. It became quite a challenge to be able to find some of the parts and raw materials that companies needed, especially if they were coming from Japan.

Probably the most challenging aspect within the banking world is the number of branches they have and their geographic distribution. Banks need to review their facilities and understand where the critical business processes lie within each one of those facilities, and then strategically design a business continuity plan for each one of those facilities, based upon their geographic footprint. That is probably the most challenging thing that bankers face that other industries may not.

BD: Are there other risks that banks need to worry about from a business continuity standpoint that don’t necessarily relate directly to some kind of natural disaster?
Wilkinson: There absolutely are. And that’s why when we talk about more mature organizations and their business continuity management program, what we’re starting to see is the convergence of the business continuity management program and the crisis management plan.

Having a crisis management playbook and a communication strategy for things like an active shooter scenario are starting to converge with business continuity management. The primary area where we see overlap is the management structure that’s going to be leading that organization through one of those events. They are very different situations if you think about a tornado versus an active shooter. But the overall management structure, and who’s leading the organization and making key decisions and putting out public communication—that’s where the primary overlap is for those two different kinds of events. In the past, we’ve looked at them as two different programs. More mature organizations are starting to converge those two into one larger program that speaks to business resiliency.

BD: Any last points you want to make before we close this out?
Wilkinson: Today we are a very mobile workforce. How am I to use that mobility strategically to assist my business continuity program?

One of the ways that organizations can take advantage of this mobility is if they have a laptop refresh program. Let’s assume that a certain number of bank employees carry laptops, and those laptops get refreshed on an annual, biannual or every-three-year basis. If you’re not leasing those laptops and you own them, it’s a good opportunity to take those laptops, put them in a secure location and leverage them in case something does happen. It’s a lot easier to pull out 15- or 20-year-old laptops that already have a lot of the software and systems I need loaded on them than it is for me to create new systems from scratch.

Number two, when we see banks or organizations connecting their business continuity programs, in the unfortunate case where there is an event, communication is key. There are a lot of different systems out there that allow me to communicate with my employees and my customers. Pricing varies between the different products that are available, but the ability to send text messages—especially because typically that’s one of the last things that ultimately will go down from an infrastructure perspective in terms of the amount of data that’s used across networks—is changing the way that we as practitioners implement our plans.

Preparing for the Worst: How Banks Handled Hurricane Sandy and Other Storms


Disaster can strike at any time, so regulators require banks to prepare for disaster recovery and make business continuity plans, ensuring that banks can serve customers throughout a crisis. But how best to prepare? “Mitigate the risk from the beginning,” says Roberta Witty, vice president at Gartner Research and a former IT risk manager with what was then known as Chase Manhattan Bank.

When Superstorm Sandy hit in late October, banks like North Jersey Community Bank, a $822-million asset institution based in Englewood Cliffs, New Jersey, and Sun National Bank, a $3-billion asset bank headquartered in Vineland, New Jersey, called upon years of preparation. Planning began for North Jersey Community Bank shortly after its founding in 2005, and the plan is updated twice annually, changing based on what is going on in the environment. “We weren’t sitting here on the Saturday before the storm going, ‘Oh my God, what are we going to do?’” says Frank Sorrentino, chief executive officer of North Jersey Community Bank. “We know exactly what we’re going to do, [and] how we’re going to do it.”

When disaster strikes, it helps to have backups. Many banks, including North Jersey Community Bank, relied on generators to provide power so branches could continue to serve customers despite power outages. But generators can fail. The back-up generator for North Jersey Community Bank’s headquarters and operations center in Englewood Cliffs was temporarily out of commission due to problems with natural gas in the area. The bank had planned in advance for this type of situation back in 2006, when the bank, at roughly $200 million, was significantly smaller. Sorrentino planned—and opened—a secondary operations center in Hackensack, New Jersey. “We were a very small bank at that time, so the cost of creating a second operations center was very high,” says Sorrentino. “But I recognized that we needed this disaster recovery capability and backup.” Everything was duplicated in Hackensack, including file servers, phone systems, Internet connections, and data, and was available when Sandy struck.

At Sun National, data redundancies were in place to ensure that mobile and online banking remained available. “We have several backup sites,” says Tom Geisel, chief executive officer of Sun National Bank, and systems were “tested and re-tested.” Banks must also be careful to secure back-up data outside of the area potentially affected by a disaster, says Witty. Sun National never had to use those back-up systems during Sandy, and online banking remained accessible. For customers that lost Internet connectivity, Sun National provided laptops and air cards within the branches so customers could access their accounts and online banking.

Adaptability is key. When Hurricane Ike hit Galveston, Texas, in September 2008, Moody National Bank, an $872-million asset bank based in Galveston, was prepared for a power outage. Unfortunately, the bank did not anticipate the storm surge that brought eight feet of water into its main office. It was two weeks before the National Guard allowed anyone back onto the island. Once employees and residents were allowed to return, they conducted business at card tables while repairs went on around them, says Owen Cheney, chief information officer at Moody National Bank. Fortunately, their data was stored in two different places—Houston and Austin, Texas, which was largely unaffected by Ike. Online banking was available during the disaster, as well as ATM and debit card availability.

Workforce resilience is vital to a solid business continuity plan. In particular, “a community bank has a lot of concentration risk,” says Witty, with facilities and employees all in the same area. While Sandy did provide several days warning in which banks could reposition staff, personal safety did make business a secondary concern. “In any situation like this, our primary concern and focus is the safety and security of our employees, customers and their families,” says Geisel. North Jersey Community Bank, in the interest of public and personnel safety, closed all locations when New Jersey Governor Chris Christie announced that the area was under a state of emergency. The bank re-opened to limited hours the next day, and used its four courier vans to help customers and employees. Sun National prepared for staff unavailability by ensuring that key employees had a “back up” employee to step in when needed.

Communication is crucial for employees and customers. Sun National used as many communication avenues as possible, including the bank’s website, hotlines and social media. Both Sun National and North Jersey Community Bank found social media to be extremely important, with both banks using Facebook and Twitter to communicate to the public during the disaster. Social media was a part of the banks’ disaster recovery plans. “People will communicate via social media when all else fails,” says Sorrentino.

For the CEOs of North Jersey Community Bank and Sun National Bank, Superstorm Sandy proved to be the ultimate test in business continuity—one they feel their banks passed with flying colors. Sorrentino was in Paris, France, when Sandy hit the New Jersey coast. The extensive planning allowed the bank to function without Sorrentino there, he says. Neither CEO would make any significant changes to future planning at this time. “I’m very proud of the planning that our team did corporate-wide,” says Geisel, “and I’m even more proud of how they executed.”