We asked audit committee chairmen (and women) what their committees are grappling with in the year ahead. With the passage of the Dodd-Frank Act in 2010, it’s obvious from their responses that compliance with government regulations has become a huge concern. But so is monitoring the organization’s risks, including IT risks, and figuring out how to make a profit in an environment of low interest rates.
What do you believe are the top issues facing audit committee members in 2012 and into 2013?
We need to focus on developing the appropriate stress tests for our institutions to determine, monitor and support our capital adequacy; focus on liquidity risk as macro-economic conditions improve and many of our institutions face a run-off of deposits to higher earning assets; and institutionalize the lessons learned during this credit cycle.
– Robert F. Coleman, audit committee chairman, PrivateBancorp, Inc., Chicago, IL
I think the top issues are sustaining a risk-based focus with executive leadership, adapting risk oversight at the board level to new Dodd-Frank and Fed requirements and figuring out how to make money in a flat interest rate environment for the next two years.
– Ingrid S. Stafford, audit committee chairman, Wintrust Financial Corporation, Lake Forest, IL
IT & Security Risks
I agree that compliance, particularly trying to understand what is coming with Dodd-Frank, is growing in importance. IT risk is also taking a bigger share of our time. Everything from privacy and security (including cyber-security), to emerging technologies like the cloud, social and mobile are going to be a focus for us.
– David L. Copeland, audit committee chairman, First Financial Bankshares, Abilene, TX
Compliance continues to be one of the top issues. More and more internal resources are being directed to the ever growing compliance requirements. Disclosure is another struggle. I suspect that eventually, the 10-Qs and 10-Ks will become so lengthy that no one will read them with footnotes that now span multiple pages and are seemingly redundant to matters covered in other sections of the submissions. Risk is a concern. Each of us hopes that we do not overlook the obvious.
– Gordon Budke, audit committee chairman, Banner Corporation, Walla Walla, WA
The exponential acceleration of regulations will become an increasing challenge for audit committees of all banks, regardless of size. The compliance area alone, where banks are being required to implement government policy initiatives, is a prime example of this challenge. In addition, regulators are requiring extensive documentation of all actions taken and not taken in a culture where risk is to be reduced to zero. Therefore, the audit committee’s role is changing rapidly and must constantly be reassessed with these increasing responsibilities.
– John E. Seward, Jr., audit committee chairman, Bank of Tennessee, Kingsport, TN and Carter County Bank, Elizabethton, TN
I believe the top issues confronting audit committees this year and next are developing, implementing and monitoring audit plans, including internal audit. These plans are focused on the identification and weighting of risk elements arising out of the transition of the banking industry from the defensive/capital conservation strategies of the past three years to the growth/capital deployment strategies to be implemented over the next several years. The economy and the need for bank financing will expand together with the regulatory risks presented by the Dodd-Frank legislation.
– Timothy B. Matz, audit committee chairman, PacWest Bancorp, San Diego, CA
Enterprise Risk Management (ERM) is a hot news item. Everyone is writing about it—from the Harvard Business Review, to regulatory examiners guidance, to consulting firms, to The New York Times. ERM seems to be the newest panacea created to protect the financial markets from themselves. However, it isn’t a magic pill. Nor is it as simple as implementing a policy or assigning responsibilities to one individual and yielding immediate success and benefits. It is an all-encompassing cultural shift—where an institution’s management and employees embrace the concept that the institution has risks and that the internal identification of those risks, by everyone at every level of the institution, is key to the proactive management of the institution’s risks.
A recent Deloitte study defined a successful ERM program as follows:
[A]n ERM program is meant to set the overall framework and methodology for how a company manages risks. ERM provides an institution with the tools to clarify its risk appetite and risk profile, and to evaluate risks across the organization. By adopting a comprehensive approach to risk identification and assessment, ERM can help identify many dependencies or interrelationships among risks that might otherwise go unnoticed.
When building an ERM program, the focus should be on providing executive management and the board of directors the information they will need to guide their institution towards longer-term strategic goals.
Benefits of an Effective ERM Program
As the familiar saying goes, “knowledge is power.” The board has a responsibility to safely guide and provide the necessary oversight to ensure that the strategic plan of the institution is successfully achieved. A comprehensive ERM program should provide the board and executive management with necessary and timely information on the institution’s risks, in order for them to make decisions and provide proactive supervision.
It should also provide a singular focus on the institution’s risk profile and strategic plan, forging a common direction for the institution’s management team.
Tying ERM to the Institution’s Strategic Direction
To quote a less familiar saying, “[P]ast performance is not indicative of future performance.” Just because examiners have not found a problem does not mean one does not exist, or that the environment is not right for something to go wrong in the future. Indeed, Nassim Taleb, Daniel Goldstein and Mark Spitznagel, authors of the Harvard Business Review article “The six mistakes executives make in risk management,” identify the reliance on past performance as one of those six mistakes. In our ERM programs, we need to focus on the future likelihood and impact of a risk.
We know intuitively that just because a person crosses a road blindfolded 10 times without being hit by a car, does not mean this success will continue. Many factors besides past performance will play into future performance. Just for a moment, think about what would happen to this person if he or she continued to cross that road blindfolded because there had been no issues in the past? How complicit would you be in the ultimate result if you failed to point out that in the past this person was crossing the road at midnight, and he or she was now getting ready to cross at rush hour? The blindfolded person did not have the necessary information to make an informed decision. Effective ERM can provide that information from which informed decisions can be made about future risks and strategic impact.
There are many situations like crossing a road blindfolded that we instinctively know are risky. However, there are many circumstances where the impact of risks is not immediately apparent, making them harder to tease out. As a board member, you must be provided with the necessary information and data to holistically understand the interconnectivity of risks and the impact of individual risks on the overall risk picture. Sponsoring an ERM program that is built around a singular framework tied to the strategic plan and risk appetite, as opposed to reviewing risk reports individually by risk discipline, will provide you with the information in a way that can be easily and systematically included in the strategic planning process. It may be a data challenge at first, but one that will reap huge rewards when you have consistent information to serve as a foundation for decision-making.
The success of an ERM program is driven in large part by board support. When board members expect ERM efforts to focus on longer-term strategic plans and the success of the institution, they foster a coalition of support for building an effective ERM program. Employees and management participate more readily in efforts to collect complete, reliable, current data that will ultimately allow the board to provide the necessary guidance and oversight for the institution.
If you take this strategic approach to ERM, risk management can provide that long-term check on potential short-term operational decisions and shift the culture so that meeting long-term strategic objectives while staying within the risk appetite is intuitive. This approach will make ERM an integral part of the success of the business, and more importantly, may provide that “panacea” that people are looking for.
What ERM Is Not
It is equally important to understand what an ERM program is NOT. If the following are in place at your institution, you should NOT mistake them for a comprehensive, proactive, ERM program similar to the one identified by the Deloitte definition:
Risk-based audit plan
Compliance testing program
Disaster planning program
ALCO (asset-liability) committee
SOX (Sarbanes-Oxley) compliance program
Checks and procedures in place solely to meet regulatory requirements with no connection to strategic planning
Individual risk assessments for requirements such as BSA (Bank Secrecy Act), fair lending, security, etc.
Individually, none of these represent an ERM program. However, when aggregated in a common framework across all risk disciplines with a singular goal, they become the basis for a solid ERM program.
It is not enough to just identify your risks. You also need a way to understand the impact of these risks on the organization, consistently across risk disciplines and across business lines. To understand impact, you need to be able to measure, compare and prioritize individual risks regardless of whether they are an IT risk or a liquidity risk.
If every risk discipline had its own processes, definitions and best practices it would be almost impossible to understand the true risk of an activity/decision/product. Different reporting structures, definitions and even color indicators can make it difficult for the board to compare a highlighted risk from the ALCO committee to another raised by the audit committee, for example.
It will likely be difficult to create a framework that is consistent yet flexible enough to apply to multiple unique risk disciplines. However, support from the board and a tie-in to the strategic plan and risk appetite will help push this forward.
While it may be difficult to create a consistent framework for uniformly tracking risks across disciplines, what have been consistent are regulators’ expectations that such a framework be in place. Regulators are now regularly asking questions to determine whether an ERM program is a “true” ERM program. They want to know whether an ERM program spans all risk disciplines and accounts for the interconnectivity between the different risk disciplines and individual risks. Creating this type of program does not happen overnight. There are many issues that need to be dealt with to be able to operate within a singular framework. The board should require risk discipline owners to develop and report through a singular framework. This framework needs:
Consistent definitions and language
Unvarying scoring/rating definitions (i.e., a $10,000 impact and a $1,000,000 impact should probably not have the same coding in reports just because one comes from finance and the other from compliance)
Common formats for assessing risk to make it easier for the business owners
Ability to know if an information technology risk is also a compliance, strategic and operational risk, to better understand the true impact to the institution.
The Deloitte study found that the biggest impediments to thoroughly implementing an ERM program are gathering and managing data across the institution through the use of a consistent framework and embedding the processes, data and framework into the everyday workings of an organization.
The essence of the culture shift is this: embedding risk-reduction processes into day-to-day business activities as opposed to thinking about potential risks. Enhanced reporting on risk-related data supports this goal and is imperative for decision making and supporting strategic planning. To get to this data, and for it to make any sense, it is important that all risk disciplines are utilizing the same risk management framework. If different frameworks are used, several things can happen. First, individuals can spend days or their whole job just transforming data and creating reports. Second, decisions could be made based on data that appear to be comparable, but due to definitional and scoring issues are not. Neither is effective or efficient.
What to Do Next
Currently the “accepted” theory on risk management is that it needs to be a “top-down” approach. The board and executive management must discuss and agree on a business strategy and a risk appetite. Then this information is “pushed down” into the organization through “control groups” like ERM, compliance, EM, etc. While ERM needs to start at the top, it cannot be “pushed down” until there is a cultural shift within the organization that alters the mindset of the entire organization regarding the role of risk management.
This is most successful when implemented as a circular process, where each individual is important and responsible for understanding and managing risks. The board and executive management need to say that risk management is important, define the risk appetite, provide investment where necessary to reduce risks, and make it apparent that they view ERM as everyone’s job, not just the job of the chief risk officer. The risk discipline leaders need to translate this risk appetite, create a process to identify and assess risks and work directly with the various operating divisions to evaluate how their businesses and decisions compare to that risk strategy. Decisions are made continually based on this information. The risk staff report back to the board and executive management on the program and overall institutional risk, which rounds out the process.
Step 1: Review, update, and approve strategic plan.
Step 2: Work with executive management and risk leaders to ensure strategic plan is translated into risk appetite statement that the board approves.
Step 3: Ensure the risk discipline leaders, not just executive management, understand both the strategic plan and the risk appetite.
Step 4: Ask the risk discipline leaders and ERM (if you have a designated individual) to demonstrate that the ERM and individual risk programs have incorporated your strategic plan and risk appetite into their programs.
Step 5: Risk discipline leaders should present a singular framework for future ERM reporting to the board.
Step 6: Conduct a brainstorming session that identifies emerging or major risks that could keep the institution from meeting strategic objectives. ERM incorporates this into risk assessment program.
Step 7: Reporting is updated and augmented to ensure that the board understands the highest profile risks, how they interconnect between the different risk types, their potential impact to the institution, and mitigation plans and responsibilities, etc.
“New Language” and Your Questions to Ask
Key Risk Indicators (KRIs): Ratios or data points that alert you to potential problems/risks that should be investigated.
Key Performance Indicators (KPIs): Ratios or data points that help you measure the success of the institution’s ERM program and/or strategic plan implementation.
Inherent Risk: The base risk that exists by being in business, without your institution’s programs or controls in place. It is beneficial for the board to understand which risks have very high inherent risk so that they can ensure the proper resources are allocated to control those risks.
Residual Risk: The controlled risk that exists after taking into account your ERM and other management programs. In most cases this is the most important “score” for the board to review and understand.
Risk Disciplines: A generic term for IT, audit, compliance, operational, PR, finance/treasury and other operational areas that actively manage the institution’s risk profile.
Risk Assessment: The process to identify and score the impact of a risk happening and the likelihood that it will.
Risk-Based Audit: An overall understanding of the risks of an institution so that an audit calendar can be created that focuses audit resources on the highest areas of risk for the institution.
Compliance Risk Assessments (BSA, Fair Lending, etc.): Detailed risk assessments that are required by regulation and/or law on a specific topic defined by a regulation.
We have a risk management program in place. How does the board know if the program is providing timely, valuable information upon which informed decisions can be made?
Are your bank’s strategic plan and risk appetite statements driving your ERM program, or does it seem to be an exercise in regulatory paperwork?
Are your auditors auditing your ERM program or performing your risk management function? If they are performing it, who is auditing it?
Have you correlated any of the risks, and do you understand the overall impact of a singular risk to your institution regardless of whether it is IT, compliance, finance, etc.?
Risk Scoring/Reporting reports
What does “red,” “4,” “high risk” really mean?
How does your program remove “high risks” from the reports?
Are people/divisions penalized for noting a “high risk”?
Do we have any key risk indicators that tell us we may need to become more concerned with these risks?
How do these ratings translate into “impact” to the institution (i.e., not achieving our strategic plan or going outside of our risk appetite)?
Who manages the medium or low risks to ensure they don’t become high risks?
How often do you update your risk scoring? (Annually is typically good for community banks.)
Who participated in the scoring of the risks? (More than the person responsible for the risk should be involved in scoring.)
Day-to-Day Management Questions
Is the business leader held responsible for the risks in their business?
Do your risk discipline leaders work together to identify, assess and manage risk across the institution?
Does all management take the risk assessment and management process seriously and consider it part of their job?
If issues (surrounding key risks) are identified and action plans put in place, do we hit our dates and have involvement by the entire team necessary to act?
Are the proper resources allocated to ensure the institution can manage ERM and provide relevant data to the appropriate individuals for decision making?
Audit committee members who participated in two separate roundtable discussions for public community banks at the Bank Director Peer Group sessions, held as part of the Bank Director Audit Committee Conference in Chicago on June 13, were able to let down their guard and share with their counterparts their experiences, uncertainties and pearls of wisdom. Despite being separated by thousands of miles, participants in both roundtable discussions shared their views on similar issues as if they were next-door neighbors.
It quickly became clear that the institutions represented in both groups are very focused on responding to an increase in regulatory scrutiny of how audit committees oversee the management of certain risks. This increasing level of scrutiny is being experienced now and is expected only to increase further in the foreseeable future.
Historically, audit committee members have focused primarily on their institutions’ higher-level financial measures and performance against budgets. In addition, audit committees have devoted a significant amount of attention to the results of exams such as internal audit, regulatory safety and soundness, and external audit findings.
In response to the expected increase in the level of regulatory oversight, however, additional areas of focus are now becoming part of the regular responsibilities of audit committees over and above their past approach. These include:
Monitoring credit concentrations
Monitoring classified loans
Monitoring the remediation of exceptions noted by regulatory examiners, as well as internal and external audit
Understanding new initiatives and their related risks
Furthermore, to remain current on new issues, audit committee members are using tools such as self-assessment checklists, while also seeking out educational opportunities about new and emerging regulatory and accounting matters. Clearly, expectations are rising regarding engaging in and documenting participation in learning activities.
The members also discussed their interactions with and expectations of management. Because their relationships with management are generally collegial, it can be challenging at times to maintain the fierce independence that is expected of audit committees. Members agreed that reminding each other on a regular basis of their responsibilities helps them meet this challenge.
In addition, roundtable participants considered other approaches to holding their colleagues accountable for being productive committee members including attendance and participation requirements and peer evaluations. They also agreed that maintaining a culture of open and frank communication is vital in maintaining effective audit committee performance.
A few distinctions emerged between the two community bank roundtable groups, which were divided by size of institution. For example, members representing larger institutions (generally with more than $1 billion in total assets) have heard more from their regulators about formally documenting the identification and measurement of risks their institutions face as well as the mitigation of those risks – in other words, enterprisewide risk management. Members from smaller institutions indicated that risk identification, measurement, and mitigation were being documented less formally and generally their regulators have not asked them to do more.
Lots of banks say they have enterprise risk management programs in place, but they really don’t have a full program. Others are just getting started.
“You hear the regulators want it, but that’s not the reason to do it,” said Ed Burke, who is on the board of Beacon Federal Bancorp in East Syracuse, New York, a $1 billion-asset institution that is getting started creating a program. “It will cut down on risk and we’re in the risk business.”
Here are 10 tips for getting started or enhancing enterprise risk programs. Heavy debt for this list is owed to Christina Speh, director of new markets, enterprise risk management, at Wolters Kluwer Financial Services in Washington, D.C., as well as other speakers at Bank Director’s Bank Audit Committee conference in Chicago in June.
Do get started. If you don’t have a complete enterprise risk management program in place, have a plan on how you’ll get there.
Do set an appetite for risk inside your organization. A risk matrix is advisable.
Do ask questions about future or emerging risks. What is not on the agenda that might happen? What hasn’t happened in the past but might in the future?
Don’t let management set the agenda. The board sets the agenda for risk appetite and asks the hard questions about the organization’s potential risks.
Do make sure that managers are getting together in different departments and creating a unified approach to measure risks.
Do make sure the organization’s appetite for risk is ingrained in the strategic planning process.
Do make sure your executive compensation structure takes into account the organization’s appetite for risk.
Don’t let management pile on too much paperwork for the board. Insist on easy-to-understand executive summaries of risk inside an organization periodically. The executive summary should address the organization’s risks, what the potential impacts are and what the underlying assumptions involve.
Don’t let the person who created the risk management framework go back and audit it.
Do ask how the organization’s appetite for risk is being conveyed and monitored throughout the organization.
When the Federal Deposit Insurance Corp. sued Washington Mutual’s executives in March over the bank’s failure, the government’s lawyers said they “took on enormous risk without proper risk management,” marginalized the chief risk officer, and pursued an aggressive lending policy despite being warned against it.
In part because of the financial meltdown at banks such as Wamu, regulators and bank boards are more interested in how risk is handled throughout an organization.
About 78 percent of financial institutions have adopted some kind of enterprise risk management program, according to the 2011 Deloitte Global Risk Management Survey, up from 36 percent who said so in the 2009 survey.
Regulators are asking more questions about what bankers are doing about risk, and more banks are starting the process of implementing an enterprise-wide program, according to speakers at Bank Director’s Bank Audit Committee conference in Chicago June 13-15.
Enterprise risk management is about more than just insuring against known risks. It’s about what could happen in the future that you don’t even know about, said Pat Langiotti, chairman of National Penn Bancshares’ enterprise-wide risk committee in Boyertown, Pennsylvania.
“What are you not monitoring? What is not on the agenda that could happen and what would the impact be, and what are we doing about that?” she said. “What risk are you taking and is there a reward for taking on that risk that’s adequate to the risk?”
Enterprise risk is about assessing all the risks of the institution, from operational, to information technology to reputational risk on an ongoing basis, establishing an appetite for risk, and making sure conformity to that risk appetite is monitored and pervades the institution.
Some banks, such as National Penn Bancshares, a $9.4 billion-asset publicly traded bank in Boyertown, Pennsylvania, have a separate risk committee of the board to take responsibility for their enterprise risk management program, but some others handle it on the audit committee.
“I don’t think a risk committee is operating to make sure there’s no risk,” said Tony LeVecchio, the audit committee chairman of ViewPoint Financial Group, a $2.8 billion publicly traded bank in Dallas, Texas. “It’s more of an understanding of what risk you’ve agreed to take. What you don’t want is to find out ‘oh my goodness, I didn’t know we had a risk here?’”
The risk appetite has to be factored into the bank’s strategic planning, said Christina Speh, director of new markets, enterprise risk management at Wolters Kluwer Financial Services in Washington, D.C.
“There is nothing more frustrating than having a process and spending energy and time on something that doesn’t do anything,” she said. “If you have no idea how this fits into your strategic plan, it’s possible you’re just doing paperwork for regulatory agencies.”
“At the end of the day, the reason you’re doing this is because you want to ensure your bank is successful and meets your strategic plan,” she said. “You have a plan and you want your bank to reach this in five or 10 years. But how do you get there? And how do you put processes in place to make sure that if risks are realized, you’re able to handle that?”
For American Community Bank & Trust, a $590 million-asset institution located about 70 miles north of Chicago in McHenry County, Illinois, enterprise risk management (ERM) has steadily become a part of the culture and dialogue throughout the organization. Chief Executive Officer Charie Zanck admits that it will still require continual improvement over time, but knew she had to start somewhere.
A common theme throughout this year’s Bank Chairman/CEO Peer Exchange event was the topic of enterprise risk management and what exactly that means to today’s financial institutions. While many bank leaders are finding the term difficult to define, it is clear that the Federal Deposit Insurance Corp. will be focusing heavily on risk management processes and not just for the publicly traded and/or larger banks.
After much research and calls to the regulators, Zanck had come up empty in her quest to define what ERM was and what the industry standard best practices were for her to build upon at her institution. What she discovered was that it wasn’t easy, or simple, and there was no hallmark case or standard process. Now what?
Although it was hard to get started, Zanck knew that the old siloed or isolated approach to managing risk wasn’t going to work anymore. So she began to build out her own processes for assessing the risks in her organization, identifying the bank’s risk appetite in conjunction with the board, putting controls in place and determining how to best measure those risks.
American Community Bank & Trust ended up changing the way it looks at risk and has begun to apply those processes to not only specific areas such as IT or vendors, but also to their strategic and growth decisions. For example, when the management team wants to introduce a new product into the marketplace, it must first get the approval of the ERM committee, which looks at it from all different perspectives and asks the tough questions. That is the essence of enterprise risk management, and no one person can do it all, Zanck said. It requires a team of people from compliance, operations and senior management to fully assess the risk to the entire organization. Zanck then reports the findings to the board and audit committee.
Unfortunately, the regulators weren’t much help to Zanck despite their new mandate to monitor her organization’s risk. She sympathized with her fellow bankers, noting that this was why it was such a difficult process for her and her team. If the banks don’t figure ERM out for themselves, then it will surely get decided for them. The question is by whom?