Best Practices for Onboarding New Directors


governance-9-12-19.pngJoining a bank board can be a bewildering experience for some new directors. There’s a lot to learn, including new, confusing abbreviations and financial metrics specific to the banking industry. But with the right approach, bank boards and nominating/governance committees can make the experience easier.

Onboarding new directors and more quickly acclimating them to the world of depository institutions is essential to ensuring banks have a functioning board that is prepared to navigate an increasingly changing and complex environment. It can also reduce potential liability for the bank by ensuring its members are educated and knowledgeable, and that no one personality or viewpoint dominates the boardroom.

Banking differs from other industries because of its business model, funding base, regulatory oversights and jargon. Directors without existing knowledge of the industry may need one to two years before becoming fully contributing members who can understand the most important issues facing the bank, as well as the common parlance.

Proactive boards leverage the chairperson to create an onboarding process that is comprehensive without being overwhelming, and tailor it to suit their institution’s particular needs, as well as the skill sets of newly recruited board members. The chair can work with members of the nominating/governance committee and executives like the chief financial officer to create a specific onboarding program and identify what pertinent information will best serve their new colleague.

Bank Director has compiled the following checklist to help strengthen your bank’s onboarding program.

1. Help new directors understand their role on the board.
New directors often come in with a background in business or accounting, skills that are useful in a bank boardroom. But business success in one industry may not readily translate to banking, given the unique aspects of its business model, regulations and even vocabulary associated with financial institutions. New directors can access insights on “The Role of the Board” through Bank Director’s Online Training Series.

Banks are uniquely regulated and insured. Directors should be able to appreciate the role they serve in their oversight of the bank, as well as the role regulators have in keeping the bank safe and sound, and ensuring prudent access to credit.

2. Provide an overview of the banking industry.
Directors often aren’t bankers and will need to be acquainted with the business of banking broadly.

With this overview will come the distinctive terms and acronyms that a new director may hear tossed around a boardroom. Boards should either create or provide a glossary with definitions and acronyms of terms, including the principal regulators and common financial metrics.

Click HERE to access Bank Director’s Banking Terms Glossary.

3. Provide an overview of your bank’s business model and strategy.
Directors will need to understand the bank’s products, including how it funds itself, what sort of loans it makes and to whom, as well as other services the bank provides for a fee. They will also need to learn about the bank’s credit culture, capital regime and its approach to risk management, including loan loss reserving.

4. Create a reading list.
There are a number of internal and external resources that new board members can access as they become acclimated to the ins and outs of bank governance. Internally, they should have access to recent examination reports, call reports, and quarterly and annual filings, if they exist. They should also access external resources, like Bank Director’s Online Training Series, the Federal Reserve Bank of Kansas City’s 2016 publication, “Basics for Bank Directors,” and “The Director’s Book,” published by the Officer of the Comptroller of the Currency.

Additionally, they should keep up-to-date with the industry through bank-specific publications, such as Bank Director’s newsletter and magazine.

5. Schedule one-on-one meetings with the management team.
A new board member will need to understand who they are working with and the important roles those individuals play in running a successful bank. Their onboarding should include meetings with the management team, especially the CFO for a discussion about the financial metrics, risk measurement and health of the bank. It may also be prudent to schedule a meeting with other executives who oversee risk management at the bank.

6. Schedule one-on-one meetings with members of the board and key consultants.
New directors should sit down with the heads of board committees to understand the various oversight functions the board fulfills. The bank may also want to reach out to the firms it works with, including its accounting, law and consulting firms, to chat about their roles and relationship with the company.

7. Emphasize continuing education.
Boards should convey to new members that they expect continued education and growth in the role. One way to achieve this is through conference attendance, which can provide intensive and specialized education, as well as a community of directors from banks in other geographic areas that new members can learn from. Direct new board members to events hosted by your state banking association, if available, or sign them up for annual conferences like Bank Director’s Bank Board Training Forum.

Look for conferences that offer information calibrated to a director’s understanding, starting with basic or introductory instruction suited for new directors. The conferences should also facilitate discussion among directors, so that they can learn from each other. As a director grows in the role, the board can seek out more specialized training.

Successful onboarding should help new directors acclimate to the world of banking and become a productive member of the board. Boards should expect their directors to become comfortable enough that they go beyond thoughtful listening and ask intelligent questions that reinforce the bank’s strategy and its risk management.

Outsourcing the Service, Not the Oversight


oversight-7-2-19.pngEvery bank director has heard it: You can outsource a service, but you cannot outsource the responsibility.

That sounds clear enough, but how does a board know what its role should be when an opportunity to partner with a financial technology firm, or fintech, arises? The board’s role is oversight and guidance, not day-to-day management. But oversight is not passive. So what does board oversight look like in the evolving world of bank and fintech relationships?

Consider a bank that is reviewing a proposal from a fintech. Management believes that this is a great opportunity for the institution, and presents it to the board for approval. What is the board’s role here? The board’s involvement must be flexible enough that it can react to these situations, but it should also consider some essential inquiries, such as:

Does the proposal match up with the bank’s strategic plan? The board is responsible for the strategic direction of the bank. Directors should consider if the proposal is an appropriate project for the size, resources and initiatives of the bank. They must also think about whether the proposal aligns with the bank’s strategic plan. If the proposal does not match up with the strategic plan, they may also want to consider if it is material enough that the strategic plan should be amended.

What are the risks? The board is responsible for ensuring that an effective risk management program is in place at the bank, which includes the ability to fully assess risks and establish controls and oversight to mitigate those risks. It should assess the fintech proposal through its risk management process

Management should provide the board with a comprehensive risk assessment of the proposed relationship that thoroughly outlines how each identified risk will be mitigated. The board should look at that assessment critically. Was it prepared by competent and experienced personnel? Does it appear to be thorough? Does it focus on IT risks or other narrow issues, or take into account all of the compliance issues? Does it include state laws, which is especially important if the bank is state-chartered? How does the assessment address concerns about privacy and cybersecurity? What does it say about reputation risk?

Is there a negotiated contract that addresses all of the risks? The board is responsible for ensuring that all third-party relationships are documented in negotiated contracts that protect the interests of the bank. The board needs to ensure that appropriate legal counsel is engaged to negotiate the arrangement, depending on the riskiness of a proposed fintech relationship. Counsel should have a thorough understanding of the legal issues involved in the proposed program and the applicable regulatory guidelines for third-party contracts.

The actual contract negotiation should be done by management. However, the board could consider requiring a summary of the important contract provisions or a presentation by management or legal counsel about the terms, depending on the level of risk involved and materiality to the bank.

How will the board know if the program is performing? The board should receive ongoing reports relating to monitoring of the program and the fintech. These reports should be sufficient for the board to establish that the program is compliant with law, operates in accordance with the contract and meets the strategic objectives of the bank. If the program is not performing, the board should know whether appropriate action is underway to either facilitate performance or terminate the program.

A bank’s board cannot outsource its responsibility for outsourced services, even if a fintech partner seems to have a fantastic product. The board must ask enough questions to be certain that management has engaged in appropriate due diligence, identified the risks and determined how to mitigate those risks through the contract and oversight. The implementation of all of those steps is up to management. But one role in particular rests with the board: ensuring that the relationship with the fintech partner furthers the strategic goals of the bank.

Weighing the Value of a Bank Holding Company


governance-6-24-19.pngIn May, Northeast Bank became the fourth banking organization in two years to eliminate its holding company. Northeast joins Zions Bancorporation, N.A., BancorpSouth Bank and Bank OZK in forgoing their holding companies.

All of the restructurings were motivated in part by improved efficiencies that eliminated redundant corporate infrastructure and activities. The moves also removed a second level of supervision by the Federal Reserve Board. Bank specific reasons may also drive the decision to eliminate a holding company.

Zions successfully petitioned to be de-designated as a systemically important financial institution in connection with its holding company elimination. In its announcement, Northeast replaced commitments it made to the Fed with policies and procedures relating to its capital levels and loan composition that should allow for more loan growth in the long run.

Banks are weighing the role their holding companies play in daily operations. Some maintain the structure in order to engage in activities that are not permissible at the bank level. Others may not have considered the issue. Now may be a good time to ask: Is the holding company worth it?

Defined Corporate Governance
Holding companies are typically organized as business corporations under state corporate law, which often provides more clarity than banking law for matters such as indemnification, anti-takeover protections and shareholder rights.

Transaction Flexibility
Holding companies provide flexibility in structuring strategic transactions because they can operate acquired banks as separate subsidiaries. This setup might be desirable for potential partners because it keeps the target’s legal and corporate identity, board and management structure. But even without a holding company, banks can still preserve the identity of a strategic partner by operating it as a division of the surviving bank.

Additional Governance Requirements
A holding company’s status as a separate legal entity subjects it to additional corporate governance and recordkeeping requirements. A holding company must hold separate board of directors and committee meetings with separate minutes, enter into expense-sharing and tax-sharing agreements with its bank subsidiary and observe other corporate formalities to maintain separate corporate identities. In addition, the relationship between the holding company and its subsidiary bank is subject to Section 23A and Section 23B of the Federal Reserve Act, an additional regulatory compliance burden.

Additional Regulatory Oversight
Holding companies are also subject to the Fed’s supervision, examination and reporting requirements, which carry additional compliance costs and consume significant management attention. The Fed also expects bank holding companies to serve as a source of financial strength to their subsidiary banks, an expectation that was formalized in the Dodd-Frank Act.

Diminished Capital Advantages
Historically, holding companies could issue Tier 1 capital instruments that were not feasible or permissible for their bank subsidiaries, such as trust preferred securities and cumulative perpetual preferred stock. They also enjoyed additional flexibility to redeem capital, an advantage that has largely been eliminated by the Basel III rulemaking and Fed supervisory requirements. A holding company with existing grandfathered trust preferred securities or with registered DRIPs may find them useful capital management tools. Holding companies with less than $3 billion in consolidated assets that qualify under the Small Bank Holding Company and Savings and Loan Holding Company Policy Statement are not subject to the Fed’s risk-based capital rules. These companies are permitted to have higher levels of debt than other holding companies and banks.

Broader Activities, Investments
Bank holding companies, especially those that elect to be financial holding companies, can engage in non-banking activities and activities that are financial in nature through non-bank subsidiaries that are bank affiliates. In some cases, these activities may not be bank permissible, such as insurance underwriting and merchant banking. The Fed also has authority to approve additional activities that are financial in nature or incidental or complementary to a financial activity on a case-by-case basis.

Bank holding companies can also make passive, non-controlling minority investments that do not exceed 5 percent of any class of voting securities in any company, regardless of that company’s activities. By comparison, banks are limited to making investments in companies that are engaged solely in bank-permissible activities or must rely on authorities such as community development or public welfare authority to make investments. Banks may also have limited leeway authority to invest in specific securities or types of securities designated under the applicable state banking law or by the applicable state banking regulator.

Banks that are not interested in activities or investment opportunities available to holding companies may be less concerned about eliminating the structure. But an organization that engages in activities at the holding company level that are not permissible for banks or that desires to maintain its grandfathered rights as a unitary savings and loan holding company may not wish to eliminate its holding company.

Operating without a holding company would result in more streamlined regulatory oversight, corporate governance and recordkeeping processes. But a holding company provides the flexibility to engage in activities, to make investments and to create structures that a bank may not. Bank boards should weigh these costs and benefits carefully against their strategic and capital management plans.

The Most Effective Bank Directors Share These Two Qualities


director-6-14-19.pngBanks have a slim margin for error.

They typically borrow $10 for every $1 of equity, which can amplify any missteps or oversight. Robust oversight by a board of directors, and in particular the audit and risk committees, is key to the success of any institution.

“At the Federal Reserve Bank of Kansas City, we have consistently found a strong correlation between overall bank health and the level of director engagement,” wrote Kansas City Fed President Esther George in the agency’s governance manual, “Basics for Bank Directors.” “Generally, we have seen that the institutions that are well run and have fewer problems are under the oversight of an engaged and well-informed board of directors.”

This may sound trite, but the strongest bank boards embrace a collective sense of curiosity and cognitive diversity, according to executives and directors at Bank Director’s 2019 Bank Audit & Risk Committees Conference in Chicago.

Balancing revenue generation against risk management requires a bank’s audit and risk committees to invite skepticism, foster intelligent discussion and create a space for constructive disagreements. Institutions also need to remain abreast of emerging risks and changes that impact operations and strategy.

This is why curiosity, in particular, is so important.

“It’s critical for audit committee members to have curiosity and a critical mind,” says Sal Inserra, a partner at Crowe LLP. “You need to ask the tough questions. The worst thing is a silent audit committee meeting. It’s important to be inquisitive and have a sense of curiosity.”

Board members who are intellectually curious can provide credible challenges to management, agrees John Erickson, a director at Bank of Hawaii Corp.

Focusing on intellectual curiosity, as opposed to a set of concrete skills, can also broaden the pool of individuals that are qualified to sit on a bank’s audit and risk committees. These committees have traditionally been the domain of certified public accountants, but a significant portion of audit committee members in attendance at the conference were not CPAs.

Robert Glaser, the audit committee chair at Five Star Bank, sees that diversity of experience as an advantage for banks. He and several others say a diversity of experiences, or cognitive diversity, invites and cultivates diversity of thought. These members should be unafraid to bring their questions and perspectives to meetings.

Having non-CPAs on the audit committee of Pacific Premier Bancorp has helped the firm manage the variety of risks it faces, says Derrick Hong, chief audit executive at Pacific Premier. The audit committee chair is a CPA, but the bank has found it “very helpful” to have non-CPAs on the committee as well, he says.

Audit and risk committee members with diverse experiences can also balance the traditional perspective of the CPA-types.

It’s important [for audit committee members] to have balance. Bean counters don’t know everything,” says Paul Ward, chief risk officer at Community Bank System, who self-identifies as a “bean counter.”

“Some of the best questions I’ve seen [from audit committee members] have come from non-CPAs,” Ward says.

However, banks interested in cultivating intellectual curiosity and cognitive diversity in their audit and risk committees still need to identify board members with an appreciation for financial statements, and the work that goes into crafting them. After all, the audit committee helps protect the financial integrity of a bank through internal controls and reporting, not just reviewing financial statements before they are released.

Executives and board chairs also say that audit and risk committee members need to be dynamic and focus on how changes inside and outside the bank can alter its risk profile. Intellectual curiosity can help banks remain focused on these changes and resist the urge to become complicit.

I’ll be the first to admit that qualities like curiosity and cognitive diversity sound cliché. But just because something sounds cliché, doesn’t mean it isn’t also true.

Two-Thirds of Bank Directors Are Worried About the Same Thing


risk-6-12-19.pngAt around a quarter to seven o’clock on the evening of Saturday, May 11, firefighters showed up at Enloe State Bank in Cooper, Texas, to find a stack of papers on fire on the conference room table.

“We believe it is suspicious,” said the sheriff, “but we don’t have any more information at this point.” Three weeks later, regulators seized the bank “due to insider abuse and fraud by former officers,” according to Texas Banking Commissioner Charles Cooper.

It’s fair to say that Enloe State Bank is an outlier. It was the first bank to fail in a year and a half, in fact. And one can’t help but wonder what would lead someone to set papers ablaze on a conference room table.

Yet, incidents like this are important for bank executives and directors to register, because they underscore the importance of proactive oversight by a bank’s board—especially the audit and risk committees.

“The essence of the audit committee’s responsibilities is protecting the bank,” said Derrick Hong, the chief audit executive at Pacific Premier Bank, at Bank Director’s 2019 Bank Audit & Risk Committees Conference taking place in Chicago this week. “There are so many pitfalls and risks that could potentially take down a bank, so focusing on those things is the key responsibility of the audit committee.”

Admittedly, it seems like an odd time to worry about risk.

Bank capital levels have never been stronger or of higher quality, noted Steven Hovde, chairman and CEO of Hovde Group. Net charge-offs are lower across the industry than they’ve been in decades. And tax reform has catalyzed profitability. Despite narrow lending margins and subpar efficiency, the banking industry is once again earning more than 1 percent on its assets, exceeding the benchmark threshold last year for the first time since the financial crisis.

But it’s in the good times like these that banking’s troubles are sowed.

“You have to be proactive rather than reactive,” said Mike Dempsey, senior manager at Dixon Hughes Goodman LLP. This approach stems from culture, said Dempsey’s co-presenter LeAnne Staalenburg, senior vice president in charge of corporate security and risk at Capital City Bank Group.

“Culture is key,” said Stallenburg. “Having that culture spread throughout the organization is critical to having a successful risk management program.”

To be clear, the biggest threat to banks currently isn’t bad loans. Credit policy isn’t something to ignore, of course, because loan losses will climb when the cycle takes a turn for the worse. But banks have plenty of capital to absorb those losses, and memories of the last crisis are still fresh in many risk managers’ minds.

The biggest threat isn’t related to funding, either. Even though bankers are concerned about large institutions taking deposit market share as interest rates climb, 74 percent of attendees at Bank Director’s Audit & Risk Committees Conference said their institutions either maintained their existing share or gained share as rates inched higher.

Instead, according to conference attendees, the biggest threat is related to technology. When asked which categories of risk they were most concerned about, 69 percent identified cybersecurity as the No. 1 threat.

Vendor relationships only aggravate this concern. As Staalenburg and Dempsey noted in response to an attendee’s question, vendors offer another way for malicious actors to infiltrate a bank.

Even though we are in a golden age of banking, Hovde emphasized, now is not the time for a bank’s board, and particularly its audit and risk committees, to be complacent.

“Generally, we have seen that the institutions that are well run and have fewer problems are under the oversight of an engaged and well-informed board of directors,” wrote Kansas City Federal Reserve President Esther George in the Fed’s governance manual, Basics for Bank Directors. “Conversely, in cases where banks have more severe problems and recurring issues, it is not uncommon to find a disengaged board that may be struggling to understand its role and fulfill its fiduciary responsibilities.”

Here’s What Bankers Are Asking About Risk Committees


committee-6-13-18.pngOne of the central topics of conversation at this week’s Bank Audit & Risk Committees Conference hosted by Bank Director in Chicago is whether a bank’s board of directors should have a risk committee separate from its audit committee. And for banks that have already established a risk committee, the question is what responsibilities should be delegated to it.

In one respect, the question of whether a bank should establish a risk committee seems easy to answer because it’s clearly delineated in the regulations. Under the original Dodd-Frank Act of 2010, banks with more than $10 billion in assets are required by law to have one, though that threshold was raised to $50 billion in legislation enacted last month designed to ease the burden of the post-financial crisis regulatory regime on smaller banks.

There is a general consensus among attendees at this year’s conference that a bank shouldn’t base its decision to establish a risk committee solely on a size threshold. “Now that we have a risk committee, I don’t know how we did it without one,” said Tom Richovsky, chairman of the audit committee at United Community Banks, a $12.3-billion bank based in Blairsville, Georgia.

Rob Azarow, a partner at Arnold & Porter, says the decision should be informed by two factors in addition to size. The first is the complexity of a bank, with the presumption being that a bank with a more complex business model should establish a risk committee sooner than a bank with a less complex model. The second factor is dollars and cents—namely, whether a bank has the internal resources at its disposal to essentially split its existing audit committee into two.

It’s worth noting as well, as Azarow points out, that even under the new legislation, the Federal Reserve retains the authority to require a bank to implement a risk committee, irrespective of size. Another point to keep in mind is that even for banks not required as a result of their size to establish a risk committee, once established, it is subject to regulatory oversight.

Approximately half the banks at this year’s Bank Audit & Risk Committees Conference have both types of committees—audit and risk—with many of the others still weighing the pros and cons of establishing both.

Deciding whether to have a risk committee is only half the battle; the other half involves deciding exactly what that committee should do. Should it be vested with all risk-related questions, thereby usurping the authority over those questions from other committees? Or should the other committees retain their authority of relevant risks, while the risk committee then plays the role of overseeing an aggregated view of those risks?

This distinction is clearest in the context of the credit committee, for example. One of the fundamental purposes of a credit committee is to gauge credit risk. It isn’t uncommon, for instance, for a bank to require its credit committee to approve especially large loans. Would the risk committee now handle this?

Generally, the answer is no. The role of the risk committee when it comes to credit risk is broader, focused on concentration risk as opposed to the risk associated with individual credits.

Another place this comes up is in the context of technology and information security. While the audit committee would retain the authority to ensure that current laws, regulations and best practices are being abided by, the risk committee would be more focused on looming threats.

Deciding which responsibilities fall under the risk committee as opposed to, say, the audit and credit committees seems to boil down to the question of whether the issue is backward-looking or forward-looking, tactical or strategic. Issues that are forward-looking and strategic should go to the risk committee, with the rest remaining under the jurisdiction of their home committees.

To be clear, conclusions on when and how to charter a risk committee are far from settled. There are rough best practices, but no overarching consensus in terms of bright lines. Even banks that have established separate risk committees with clearly delineated duties are still in a process of adjustment. They’re happy with their decision to do so, but they recognize that this is more of an evolution than a revolution.

Regtech: Reaping the Rewards


regtech-4-24-18.pngAs it evolves, regtech is uniquely poised to save banks time and money in their compliance efforts, and has become a common topic for many in the banking industry. If you’re ready to realize the promise of regtech at your institution, here are a few key steps to take before you start parsing through providers or sending out requests for proposals.

Consider changes to your organizational structure that would place oversight of both legal and compliance transformations under one department. In Burnmark’s RegTech 2.0 report, Chee Kin Lam, the group head of legal, compliance and secretariat for DBS Bank, pointed to his authority over both legal and compliance functions and budgets as a key to the Singapore-based bank’s ability to work with regtech companies.

At first blush, a change to your bank’s internal structure seems like an extreme measure for a precursor to a technology pilot, but that perception misses the big-picture implications of implementing a new regtech solution. If a bank intends to engage meaningfully with regtech, Lam pointed out, there’s a need for an overarching framework for onboarding new technologies to make sure they “speak to each other at a legal/compliance level instead of at an individual function level—e.g. control room, trade surveillance, AML surveillance and so on.”

What’s more, legal and compliance functions are already tied closely together, and any regtech solution would likely impact both areas of the bank. Central management of these two functions can help ensure efficient regtech implementation.

Create a solid, detailed problem statement before you ever look for a solution. Lam suggests identifying the top legal and compliance risks your bank is facing, and working from there to identify pain points for your employees and customers when they interact with that risk area. One way to go about this process is to utilize design thinking, which looks at products and experiences from the point of view of the customers and employees who utilize them.

By seeking out pain points and working through the design-thinking process to find their root cause, bank leadership can identify specific, actionable areas for improvement. As tempting as it can be for an institution to attempt a total overhaul of its regulatory processes, banks should pursue modular regtech solutions to solve specific, defined problem statements instead. As Peter Lancos, CEO and co-founder of Exate Technology, points out in RegTech 2.0, “[f]ragmentation makes a regulatory strategy impossible—especially due to geographic spread and banks having separate teams set up to deal with individual regulations.”

Leverage outside expertise. The risks of implementing regtech can be daunting, so bank leaders need to use every tool in their arsenal to get deployment right. Banks should involve regulators in the conversation early on in the process of working with a regtech company. According to Jonathan Frieder of Accenture in The Growing Need for RegTech, “[r]egulators globally have continued to accept and, ultimately, to embrace regtech” making 2018 “a pivotal year.”

In addition to getting regulators on board, banks should consider enlisting outside assistance from consultants or other regulatory experts. Such experts provide assistance with assessing problem statements or potential regtech vendors. Lancos states that he feels “it is essential for banks to have regulatory expertise support to actually write the rules that go into the rules engine of regtech solutions.”

Regtech implementation is a lot more involved than an average plug-and-play fintech product. However, when a bank considers the cost efficiencies, improved compliance record and decreased customer and employee frustration, the upside of regtech can be well worth the planning it requires.

Rewards of Board Service


2017-Compensation-White-Paper-cover.pngAre bank boards becoming savvier?

In 2007, the life of a bank board member was less stressful. That was before Lehman Brothers Holdings filed for bankruptcy, before the full impact of the financial crisis was felt by the nation’s banks and almost three years before the Dodd-Frank Act was passed. By contrast, Bank Director’s 2012 Compensation Survey found bank boards “Overworked, Underpaid and Unappreciated.”

However, directors may be breathing a little easier or at least have adjusted to their enhanced responsibilities, according to our findings in the 2017 Compensation Survey, sponsored by Compensation Advisors, a member of Meyer-Chatfield Group. This white paper looks at the evolving trends both in composition and compensation that have occurred over the past ten years.

Today, most directors—73 percent—believe that their compensation is competitive enough to attract new board members. Just seven percent of the independent directors and chairmen responding to this year’s survey cite additional income as the greatest reward for board service—meaning that attracting top talent to the board doesn’t boil down to money. “Compensation is not a primary driver in choosing to serve on a board,” says Flynt Gallagher, president of Compensation Advisors. “You’ll never pay them for the actual value of the time spent.”

As the oversight responsibilities of bank boards expand, fueled not just by the regulatory environment but also an evolving marketplace, the composition of bank boards are gradually shifting to meet these new demands. Sixty percent of survey respondents say their board has a plan in place to identify prospective directors, and 51 percent say their board will actively seek to become more diverse in the next two years.

But will today’s banks be able to find and attract the board members needed to take the organization into the future?

For more on these considerations, read the white paper.

To view the full results to the survey, click here.

How a Board Can Credibly Challenge Management on Risk


3-16-15-KPMG.pngIf you were asked, as a community bank director, how well your board challenges your executive team about the effectiveness of its risk management program (an area of increasing regulatory focus), how would you grade your board? Would it be closer to a C than an A? Worse? Better?

It is a situation that begs a few questions: What steps can, and should, a director take to assess management’s risk and compliance management capabilities? How can a board implement processes that enhance its risk oversight capabilities and how will those processes evolve and mature as the bank grows and the strategic and competitive landscape changes? Does the board need a separate risk committee? If the board is not required by regulation to have a risk committee, how well is the board discharging its risk oversight responsibilities (possibly delegated to the audit committee)?

Our experience with community banks indicates that, with the risk environment quickly evolving, directors can benefit from risk management training focused on the board’s role in ensuring the adequacy and effectiveness of the bank’s risk management functions and activities. We say that not as criticism but instead as an indication of the difficulty in keeping up with the pace of industry change.

What may be most important, though, is the recognition at banks that risk management is not just a program, but rather, is an ongoing process that must become embedded in the way management runs the bank and the board conducts its stewardship and oversight responsibilities.

With those observations as a backdrop, community bank board members may want to consider the following to identify potential improvement opportunities in board governance, oversight and risk management capabilities:

  • If the bank has less than $10 billion in assets, and thus is not required by The Dodd-Frank Act to establish a separate risk committee, is risk management afforded the appropriate degree of focus and attention?
  • What is the complexity of the bank’s operating model and the pace of change within the organization, the  markets it serves, the types of credit offered, liquidity risks, interest-rate exposure, and its ability to respond to technological changes and cybersecurity threats?
  • Is the management of risks being overseen by the full board, spread across various committees, or delegated to the audit committee?  Have roles and responsibilities for risk oversight been clearly defined and communicated, including among the various board members and committees?  If the audit committee is responsible, do the members have the capacity, and skills, to provide effective oversight of the variety of risks facing the bank, or should a dedicated risk committee be established?

Regardless of whether or not a separate risk committee exists, the full board is ultimately responsible for understanding the bank’s key risks and credibly challenging management’s assessment and response to those risks.  Here are several considerations for boards as they evaluate their risk oversight. Keep in mind the issue of scalability. As the bank grows, the processes and reporting associated with each risk oversight activity will become more robust and formalized:

  1. Do our board members (particularly directors on audit or risk committees) know our bank’s top enterprise risks—those that threaten our bank’s strategy, business model, or existence? 
  2. Does our bank have a formal risk management process? Do directors know how management identifies and manages risks, both existing and emerging, and if there is a process of accountability? Does the board have comfort that management has the proper talent to manage today’s risks?
  3. Does the bank have a formal risk appetite statement? If not, how does the board oversee that management is not taking risks outside of the bank’s stated risk tolerance? Is there a protocol to escalate a risk issue directly to the board? Is there evidence that management recognizes the critical need to timely communicate risk issues to board members? Is there a process for the board to evaluate the impact of compensation on management’s risk-taking?
  4. As the bank takes on new initiatives or offers new products and services, does the board understand the process to evaluate the risks prior to decisions being made? Is there a clear threshold for when items need to be brought to the board before finalizing a decision?
  5. In examining management’s reporting process, are directors concerned whether they are getting relevant data? Are they getting so much detail that it cannot be absorbed? Are they getting data at such a high level that it’s impossible to evaluate risk?
  6. Does the board recognize that risk management done well adds competitive advantage and value by addressing gaps in operations? Viewing risk management solely as a compliance function increases the chances of wasting time and money.
  7. Is the board ensuring that, in dealing with the regulators, the bank is “getting credit’’ for the risk management activities it is doing well by being able to describe the programs that have been instituted—or actions taken—that will enable the bank to “harvest value” from its enterprise risk management process?
  8. Finally, given the importance of “tone at the top,’’ are directors satisfied that the proper culture of “doing the right thing’’ exists across the organization?

Audit Committee 101: Back to Basics


Duty of care, loyalty and good faith are the basic foundations for every board member as they strive to increase revenue and shareholder value for their institutions. As the regulatory requirements continue to expand, the role of the audit committee is quickly following suit, leaving many bank audit committee members concerned about their effectiveness.

At Bank Director’s Bank Audit Committee conference in Chicago on June 14-15th, Robert Fleetwood, partner for Chicago-based law firm Barack Ferrazzanno’s financial institutions group and Todd Sprang, partner at the certified public accounting firm Clifton Gunderson, took a crowded room of audit committee members back to basics during their Audit Committee 101 session.

audit-fleetwood-sprang.jpg

Cautioning that these are not one-size-fits-all requirements, Fleetwood and Sprang outlined a list of fundamentals and best practices for today’s audit committee members.

1.       Understand your duties. Sprang suggested if you are unsure of your role or responsibilities, seek a tutorial from outside counsel to ensure that every member is comfortable with their duties.

2.      Recognize the reputational risk to the organization and you as an individual. At the end of the day, you want to do the right thing by all parties. It’s never a good situation when a director has to admit that he/she didn’t read the materials or didn’t know what was going on at their institution.

3.      Oversight. The primary role of the audit committee is to evaluate the audit process, oversee financial reporting, and assess the risk and control environment. To do this effectively, committee members should be asking lots of questions, requesting feedback and regularly discussing concerns.

4.      Committee composition. Most boards typically look to local CPAs to fill their audit committee seats, yet having members with a wide range of expertise provides additional perspective and beneficial feedback.

5.      Yes, you need a committee charter. Not only should the charter be reviewed on a regular basis to ensure that the board is complying, but it happens to be a great tool for setting agendas.            

6.      To rotate or not to rotate? Fleetwood recommended that if you do implement a rotation requirement, that it take place after an extended period of time. The audit committee has a steep learning curve and rotating frequently creates the risk of losing members before they had a chance to peak.

7.     Build a relationship with the external auditors. Communication is the key.  Review your reports and materials ahead of time, and use the review session to ask them questions, get their perspectives on market trends, and request recommendations.

8.   Internal audit reviews. Whether your institution uses in-house resources or outsources this process, a major red flag is a report with no findings. Ask why. You should always be finding ways to improve, rather than just going through the motions.                

9.      Setting the agenda. The agenda should follow the committee charter as well as include an annual checklist to work through regularly. Delegate the legwork to your experts and include them on the agenda periodically.

10. Attend the meetings. Distribute materials ahead of time, whether in print or through board portals, and include only what is necessary to review. Read the materials beforehand and attend in person at least quarterly.