77 Percent of Bank Boards Approve Loans. Is That a Mistake?


Bank directors face a myriad of expectations from regulators to ensure that their institutions are safe and sound. But there’s one thing directors do that regulators don’t actually ask them to do.

“There’s no requirement or even suggestion, that I’m aware of, from any regulators that says, ‘Hey, we want the board involved at the loan-approval level,’” says Patrick Hanchey, a partner at the law firm Alston & Bird. The one exception is Regulation O, which requires boards to review and approve insider loans.

Instead, the board is tasked with implementing policies and procedures for the bank, and hiring a management team to execute on that strategy, Hanchey explains.

“If all that’s done, then you’re making good loans, and there’s no issue.”

Yet, 77 percent of executives and directors say their board or a board-level loan committee plays a role in approving credits, according to Bank Director’s 2019 Risk Survey.

Boards at smaller banks are more likely to approve loans than their larger peers. This is despite the spate of loan-related lawsuits filed by the Federal Deposit Insurance Corp. against directors in the wake of the recent financial crisis.

The board at Mayfield, Kentucky-based First Kentucky Bank approves five to seven loans a month, says Ann Hale Mills, who serves on the board. These are either large loans or loans extended to businesses or individuals who already have a large line of credit at the bank, which is the $442 million asset subsidiary of Exchange Bancshares.

Yet, the fact that directors often lack formal credit expertise leads some to question whether they should be directly involved in the process.

“Inserting themselves into that decision-making process is putting [directors] in a place that they’re not necessarily trained to be in,” says James Stevens, a partner at the law firm Troutman Sanders.

What’s more, focusing on loan approvals may take directors’ eyes off the big picture, says David Ruffin, a director at the accounting firm Dixon Hughes Goodman LLP.

“It, primarily, deflects them from the more important role of understanding and overseeing the macro performance of the credit portfolio,” he says. “[Regulators would] much rather have directors focused on the macro performance of the credit portfolio, and understanding the risk tolerances and risk appetite.”

Ruffin believes that boards should focus instead on getting the right information about the bank’s loan portfolio, including trend analyses around loan concentrations.

“That’s where a good board member should be highly sensitized and, frankly, treat that as their priority—not individual loan approvals,” says Ruffin.

It all boils down to effective risk management.

“That’s one of [the board’s] main jobs, in my mind. Is the institution taking the right risk, and is the institution taking enough risk, and then how is that risk allocated across capital lines?” says Chris Nichols, the chief strategy officer at Winter Haven, Florida-based CenterState Bank Corp. CenterState has $12.6 billion in assets, which includes a national correspondent banking division. “That’s exactly where the board should be: [Defining] ‘this is the risk we want to take’ and looking at the process to make sure they’re taking the right risk.”

Directors can still contribute their expertise without taking on the liability of approving individual loans, adds Stevens.

“[Directors] have information to contribute to loan decisions, and there’s nothing that says that they can’t attend officer loan committee meetings or share what they know about borrowers or credits that are being considered,” he says.

But Mills disagrees, as do many community bank directors. She believes the board has a vital role to play in approving loans.

First Kentucky Bank’s board examines quantitative metrics—including credit history, repayment terms and the loan-to-value ratio—and qualitative factors, such as the customer’s relationship with the bank and how changes in the local economy could impact repayment.

“We are very well informed with data, local economic insight and competitive dynamics when we approve a loan,” she says.

And community bank directors and executives are looking at the bigger picture for their community, beyond the bank’s credit portfolio.

“We are more likely to accept risk for loans we see in the best interest of the overall community … an external effect that is hard to quantify using only traditional credit metrics,” she says.

Regardless of how a particular bank approaches this process, however, the one thing most people can agree on is that the value of such bespoke expertise diminishes as a bank grows and expands into far-flung markets.

“You could argue that in a very small bank, that the directors are often seasoned business men and women who understand how to run a business, and do have an intuitive credit sense about them, and they do add value,” says Ruffin. “Where it loses its efficacy, in my opinion, is where you start adding markets that they have no understanding of or awareness of the key personalities—that’s where it starts breaking apart.”

12 Questions Directors Should Ask About New Bank Activities


A bank’s board of directors must answer to a variety of constituencies, including shareholders, regulatory agencies, customers and employees. At times those constituencies may have competing interests or priorities. Other times, what may appear to be competing interests are actually variations of aligned interests.

One area where this is particularly true is the board’s responsibility to strike the right balance between driving revenues and ensuring the bank adheres to its risk appetite established as part of its enterprise risk management framework.

The failure to strike this proper balance can be devastating to the institution, and if widespread, could result in consequences across the entire industry, such as the 2008 financial crisis. As technology and innovation accelerate the pace of change in the banking industry, that balance will become more critical and difficult to manage. And as banks explore ways to increase profits and remain competitive, especially with respect to noninterest income, bank directors will need to remain diligent in their oversight of new bank activities.

Regulators have offered guidance to bank boards on the subject. For example, the Office of the Comptroller of the Currency (OCC) issued a bulletin in 2017 that defines “new activities” to include new, modified, and/or expanded products and services and provides guidance related to risk management systems for new activities. While it is management’s role to execute strategy and operate within the established risk appetite on a day-to-day basis, the board’s role is to oversee and evaluate management’s actions, and the board should understand the impact and risks associated with any new activities of the bank.

To exercise this responsibility, directors should challenge plans for new activities by posing the following questions to help them determine if the proper risk approach has been taken. Questions may include:

  • Does the activity align with the bank’s strategic objectives?
  • Was a thorough review of the activity conducted? If so, what were the results of that review and, specifically, what new or increased risks are associated with the activity, the controls, and the residual risk the bank will be assuming?
  • Is the associated residual risk acceptable given the bank’s established risk appetite?
  • Is the bank’s infrastructure sufficient to support the new activity?
  • Are the right people in place for the activity to be successful (both the number of people required and any specific expertise)?
  • Are there any new or special incentives being offered for employees? If so, are they encouraging the correct behavior and, just as importantly, discouraging the wrong behavior?
  • What are the specific controls in place to address any risks created?
  • How will success be measured? What reporting mechanism is in place to track success?
  • Will there be any impact on current customers? Or in the case of consumers, will there be any disparate impact or unfair or deceptive acts or practices (UDAAP) implications?
  • What third parties are required for successful implementation?
  • What limits on the amount of new business (concentration limits) should be established?
  • Are the applicable regulators aware of the bank’s plans, and what is their position/guidance?

These threshold questions will assist directors in becoming fully informed about the proposed new activities, and the answers should encourage follow up questions and discussions. For example, if third parties are necessary, then the focus would shift to the bank’s vendor management policies and procedures. Discussions around these questions should be properly documented in the meeting minutes to evidence the debate and decision-making that should be necessary steps in approving any new bank activity.

If these questions had been posed by every bank board contemplating the subprime lending business as a new activity, doing so may have averted the challenges faced by individual banks during the financial crisis and lessened the impact on the entire industry.

In the future, if boards seek the answers to these questions, the discussions that follow will help ensure directors give thoughtful consideration to new activities while properly balancing the interests of all of their constituencies.

A Multifaceted Approach to Managing CRE Concentration Risk


Concentration risk is drawing scrutiny from financial regulators, who are focusing on lenders’ commercial real estate (CRE) concentrations. Financial services organizations are responding to this by looking for ways to improve their CRE risk management and credit portfolio management capabilities.

Lending institutions with high CRE credit concentrations and weak risk management practices are exposed to a greater risk of loss. If regulators determine a bank lacks adequate policies, credit portfolio management, or risk management practices, they may require it to develop more robust practices to measure, monitor, and manage CRE concentration risk.

For several years, federal regulatory agencies have issued updated guidance to help banks understand the risks. In 2006, the Federal Reserve, the Federal Deposit Insurance Corp. and the Office of the Comptroller of the Currency issued guidance related to CRE concentrations, followed by a statement in 2015 titled “Statement on Prudent Risk Management for Commercial Real Estate Lending.” Noting that CRE asset and lending markets are experiencing substantial growth, the 2015 guidance pointed out that “increased competitive pressures are contributing significantly to historically low capitalization rates and rising property values” and said “many institutions’ CRE concentration levels have been rising.”

Since the 2006 guidance, additional regulatory publications related to CRE concentrations have been released. The Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank) in 2010 began a shift, as banks with less than $10 billion in assets were exempt from more stringent requirements, according to a Crowe timeline analysis.

Looking forward, the 2020 transition to the current expected credit loss (CECL) model for estimating credit losses will likely affect loan portfolio concentrations as well.

At the community bank level, CRE concentrations have been increasing. In 2016, CRE concentrations in smaller organizations had reached levels similar to mid-2007, according to Crowe’s analysis.

These trends led regulators to sharpen their focus on CRE concentrations.

In one Crowe webinar earlier this year, 76 percent of the participants said their banks had some concern over how to better mitigate the risks associated with growing CRE concentrations.

In addition, 77 percent reported they received feedback within the past two years from regulators or auditors about CRE concentrations. The number of banks concerned about CRE concentration growth will likely continue to rise.

Approach to CRE Concentration Risk
The most effective methods for addressing concentration risk involve an integrated, holistic approach, which encompasses four steps:

  1. Validate CRE data. Banks must examine loan portfolio databases and verify the information is classified correctly. Coding errors and other inaccuracies often present a distorted picture of CRE concentrations.
  2. Analyze concentration risk. Banks can perform a risk analysis to expose both portfolio and loan sensitivity. Well-planned and carefully executed loan stratification can help management have a deeper understanding of their concentrations. Banks, even those not required to perform stress testing, should incorporate stress testing at the loan and portfolio levels.
  3. Mitigate CRE risk. Banks should establish policies and processes to monitor CRE loan performance and to adjust the mix of the portfolio as their risk appetite changes. Oversight of credit portfolio management is critical, as is an effective management information system.
  4. Report to management and the board. Reporting on a regular basis should include an update on mitigation efforts for any identified concentrations. Banks with higher levels of CRE loan activity might invest in dashboard reporting systems. The loan review and internal audit departments also should present additional reporting.

Loan Review and Stress Testing
Benefits can be gained by implementing a more dynamic loan review function that takes advantage of technology to identify portfolio themes and trends. The loan review function should identify if management reporting lacks granularity or other forms of risk associated with appraisal quality and underwriting practices.

Stress-testing practices can offer additional understanding of the effects economic variables might have on the portfolio. Tweaking several inputs can reveal how sensitive the bank’s models are to various scenarios. Stress testing can help facilitate discussions to better understand the loan portfolio and to identify better-performing borrowers and segments.

Other Best Practices
Other effective practices include establishing a CRE committee, creating a CRE dashboard, and adapting reporting functions to incorporate the loan pipeline. This approach can help management envision what concentrations will look like in the future if potential opportunities are funded. As CRE concentrations continue to attract regulatory scrutiny, risk management practices will become even more important to banking organizations.

What CEOs and Directors Should Know About Cybersecurity


According to Javelin’s 2018 Identity Fraud Report, identity theft reached an all-time high in 2017 with more than 16 million consumers being affected. On top of this, 24 percent of network breaches target financial institutions, according to Verizon’s 2017 Data Breach Investigations Report. This 1-2 punch combination is affecting banks of all sizes. The days of cybersecurity attacks only affecting the largest financial institutions are gone.

Criminal tactics are evolving and becoming more sophisticated. Increasingly, smartphones are targeted through spam text messages and a myriad of social media scams. These tactics could compromise the phone of a customer that may be accessing a mobile banking application or a bank employee accessing internal bank systems, such as email. The Internet of Things, or IoT, is the network of physical devices, vehicles, home appliances, and other items that can connect and exchange data. Criminals are compromising IoT to launch sophisticated cyberattacks against financial institutions and their customers.

As a bank executive or board member, there are steps you can take to fight back. It starts by recognizing your bank and your customers are targets and can become victims. As leaders, it is important to understand your responsibility to oversee the bank’s cybersecurity program and educate yourself on the current threats and trends. The following recommendations are the first steps to take as you oversee your bank’s cybersecurity program.

What the CEO should be doing

  1. The Financial Services Sector Coordinating Council has an Excel-based Automated Cyber Assessment Tool (ACAT) available for download at https://www.fsscc.org/. Ensure it is completed by management and updated at least annually.
  2. Management should develop a cybersecurity risk appetite and understand where the bank is exposed to the greatest risk.
  3. Oversee and monitor the bank’s cybersecurity program. Ensure a strategic and tested incident response program is in place.
  4. Challenge preparedness results by reviewing the ACAT and not accepting “baseline” control maturity levels as the desired control level. 
  5. Budget appropriately for cybersecurity preparedness. Compare the funding for cybersecurity controls to physical security controls. Assuming cybersecurity threats are greater than physical security threats, then funding of cybersecurity controls should be in parity with physical security investments.

What the board should be doing

  1. Consult with cybersecurity professionals to provide education on an annual basis.
  2. Ask the CEO and senior management to present the bank’s vision, risk appetite, and overall strategic direction for the bank’s cybersecurity program. 
  3. Review the results of ongoing monitoring of the bank’s exposure to and preparedness for cyber threats. Challenge the status quo and do not become complacent. Expect control proficiency levels to increase from baseline levels to evolving levels and higher. Criminals are not standing still and neither should you.
  4. Ensure proper budgeting of cybersecurity controls and review the bank’s cyber liability insurance annually.
  5. Ensure the bank’s systems are tested against cybersecurity threats at least annually and utilize the same techniques criminals use to break in.

What bank CEOs should know

  1. Where is our bank most at risk?
  2. Are our cybersecurity controls improving beyond baseline?
  3. Are we comfortable with residual risk levels?
  4. Are we reviewing the ACAT at least quarterly?
  5. Are our cybersecurity controls improving fast enough to outpace the evolving cybersecurity threats?

What the bank should be doing

  • Your bank should be a member of information sharing organizations such as Financial Services – Information Sharing and Analysis Center (FS-ISAC) and share information in bank peer group meetings. 
  • Work with cybersecurity experts to develop regular board reporting on cybersecurity threats and risk management.
  • Improve cybersecurity control proficiency beyond baseline. Remember that improvement does not have to be overly expensive.
    • Maximize the use of all currently available controls.
    • Do not wait on examiners or IT auditors to make you improve. It could be too late.

Many executives and boards feel unprepared to address cybersecurity threats and risks. The good news is there are many well-trained and qualified cybersecurity professionals who can help you. Enact change where needed and provide ongoing oversight of the cybersecurity program at your bank. Doing so will go a long way towards ensuring your bank does not become another victim of a cybersecurity attack.

Fintech Intelligence Report: Marketplace Lending


As noted throughout our 2017 Acquire or Be Acquired Conference, partnerships between a bank and a tech company can take on many forms — largely based on an institution’s available capital, risk appetite and lending goals. With fintech solutions gaining momentum, many advisors at this year’s event encouraged banks to look at viable alternatives to meet consumer demands, maintain and expand their lending revenue and give formidable competition to those looking to take that market share.

Fintech lending has grown from $12 billion in 2014 to $23.2 billion in 2015 and is expected to reach $36.7 billion in 2016, a year-over-year growth of 93 percent and 58 percent in 2015 and 2016. This market, according to Morgan Stanley Research, is expected to grow further and reach $122 billion by 2020.

With this in mind, we invite you to take a look at our new Fintech Intelligence Report on Marketplace Lending. The research paper, developed by FinXTech, a division of Bank Director, and MEDICI, a subscription-based offering from LetsTalkPayments.com, explores current market dynamics along with technology and partnership models. As noted in this report, the gains of new fintech companies were widely thought to be at the expense of banks; however, many banks recognize the potential value from collaboration and have built relationships with fintechs.

Tell us what you think! As we work to provide you the latest information and research as it pertains to the financial services industry, we would appreciate your feedback on the Fintech Intelligence Report. Please email us your comments and/or suggestions at news@finxtech.com.

Four Steps for Building an Effective Risk Appetite Framework


Risk appetite is a key component of a bank’s risk management framework. Effective risk management is fundamental in ensuring there is an appropriate balance between risk and reward.

Good risk management does not involve avoiding risk at all costs. Instead, it allows taking on more risk as long as the bank is making informed choices and has measures in place to mitigate risks. Having a strong risk appetite statement and well established policies and procedures is important, but equally important is the effective implementation of this framework.

Based on discussions with a number of credit risk executives at small and large banks, we have identified four steps for implementing an effective credit risk framework.

1. Ensure data quality and integrity.
Clean, standardized data is essential to making fair, timely and accurate credit decisions. The bank also needs to see its complete exposure to ensure it’s not over-exposed at the time of origination.

Regulators are increasingly demanding that a solid risk governance framework include policies and processes to provide risk data aggregation and reporting capabilities. In order to accomplish this, banks should have the IT infrastructure to store data and support risk aggregation and reporting in order to capture material risks, concentrations and emerging risks in a timely manner.

Technology can significantly improve data quality and aggregation. Current systems offer a single source of truth and gather all the risk data in one system that is easy to view and access. So there’s no need for checking multiple systems, tracking exposure in spreadsheets, or adding up numbers. These systems can also aggregate exposures across products, industries, regions, and so forth.

2. Set appropriate limits.
At most banks, the limit-setting process falls to the risk management team. But setting limits is as much an art as a science in many institutions.

One way to ensure appropriate limits is to align compensation with risk culture and take an approach to limit setting that is well articulated, tied to business objectives, and clearly sets out the consequences of breaching limits. In addition, banks can leverage the funding and resources that have already been allocated to conduct regulatory stress testing to help set risk appetite limits.

We have worked with clients to define their risk appetite limits through a well defined analytical and quantitative approach. Ultimately, this approach can help risk management set appropriate limits, adjust limits as the market environment changes, obtain business buy-in, and improve the bank’s overall risk culture.

3. Implement and enforce limits.
Effective risk appetite can be thwarted by integration challenges between risk, business and other functional areas at banks. Lack of cultural alignment and faulty processes often prevent the risk appetite framework from being adopted by the business units at the point of origination, rendering it ineffective.

At many banks, the process is still manual–checking reports and spreadsheets to ensure compliance where automation could save time and increase accuracy. Solutions now exist that let bank officers see at the point of origination where a potential deal is going to breach risk appetite limits. At that point, before moving forward, the red flag is raised and originators can decide to continue the approval process and seek an exception, escalate it to management, or even decline the deal.

4. Monitor limits and manage breaches.
Identifying limit breaches and near-breaches in a timely manner is critical to a dynamic risk appetite monitoring process. Limits should be reviewed and updated frequently, as changes in market conditions, risk tolerance, strategy, or other factors arise. Having ready access to customer and portfolio data, and where various exposures stand against limits, is essential to make timely decisions.

Breaches must be identified as they occur, automatic alerts sent to the right decision-making individuals at the bank, and the breach and resolution must be well documented so it can be audited in the future. Manual calculation and spreadsheets cannot guarantee this; only a strong IT infrastructure with limits and management capabilities can achieve this desired state.

Conclusion: The Way Forward
Technology can deliver significant value to the overall risk appetite process. Automated systems provide efficiency gains, better data quality and enhanced analytics. And these factors, in turn, drive the ability to measure, monitor and adjust risk taken against established risk appetite.

For more on this topic, see our white paper.

Five Key Steps to Integration Success


When it comes to the completion of a merger or acquisition, whether you view the glass as half full or half empty will likely depend on your planned approach to integration. After all, there’s no shortage of statistics on the failure rate of mergers and acquisitions due to post-deal integration issues. And it’s easy to see why. The challenge of integrating the people, processes and technology of two organizations into one is a daunting exercise whose success depends on a variety of factors, many of which can be subtle, yet complex.

Still, such challenges are not deterring bankers from the pursuit. Through November of 2015, there were 306 M&A banking deals. With the December numbers not yet available, we would expect the total for 2015 to be about the same as the total for 2014. And, according to a recent KPMG community banking survey, nearly two-thirds of the 100 bank executives surveyed anticipate being involved in a merger or acquisition as either buyer or seller during the next year. Moreover, one out of three of those community bank executives foresee integrating information technology systems as the most difficult integration challenge, followed closely by talent management.

While such challenges are undeniable, directors must play a key role in helping management achieve positive results. These five key steps can help directors guide management in driving a successful integration.

Step 1: Set the Tone at the Top
Prior to signing the deal, establish a set of goals that cascade a vision of the deal into high-level, practical operating objectives for the combined organization. Directors should review and provide input in these operating objectives to ensure they align with the bank’s overall strategy, risk appetite and the strategic rationale for the deal. With a strong set of operating objectives in place, executives can develop guiding principles which clearly define the key fundamentals that stakeholders should follow as they begin the planning phase of the integration.

Step 2: Assess the Integration Plan and Roadmap
An integration plan and roadmap needs to be established early in the deal lifecycle. Anchor the plan with a well-understood methodology and a clear, high-level and continuously monitored timeline that identifies key activities and milestones throughout the course of the integration. Develop an integration playbook that details the governance structure, scope of the work streams and activities in addition to well defined roles and responsibilities. Directors must fully understand the integration plan so they can provide valuable feedback, effectively challenge timelines, and have the requisite knowledge to determine if there is a prudent methodology for each phase of the integration. Key disclosures about the transaction should be reviewed to ensure communications to regulators and shareholders set realistic expectations for closing the deal, converting customers, and capturing synergies.

Step 3: Effectively Challenge and Monitor Synergy Targets
Operating cost and revenue efficiencies are identified as part of the deal model, factored into the valuation, and play a critical role in determining the potential success of a merger. Executive management should establish synergy targets at the line-of-business level to promote accountability. Directors should foster effective challenge of expected synergies and provide oversight of the process for establishing the baseline and tracking performance against targets over the course of the integration.

Step 4: Promote Senior Leadership Involvement and Strong Governance Oversight
The program structure and governance oversight is established during the initial planning phase to control the integration program and drive effective decision making. Executive management should identify an “integration leadership team” with sufficient decision-making authority and a combination of merger and operating experience to effectively identify risks, resolve issues and integrate the business. Directors should examine the team’s experience, track progress against goals, and closely monitor key risks to assess management’s ability to execute the integration activities.

Step 5: Evaluate Customer and Employee Impacts and Communication Plans
The objective of customer and employee experience programs is to take a proactive approach to help ensure that significant impacts are identified, analyzed and managed with the goal of minimizing attrition. Integrated and effective communication plans are established to address concerns of customer and employee groups to reduce uncertainty, rumors and resistance to change. Directors should scrutinize customer and employee impacts in an attempt to ensure management has an effective mitigation plan for negative impacts through communication, training and target operating model design. Planning for employee retention should include the identification of critical talent to mitigate risks to the integration while ensuring business continuity.

By taking these five steps, directors can provide management with the guidance and support needed for a successful integration.

Should Directors Approve Loans?


One of the most controversial topics we’ve ever addressed at a Bank Director conference is whether directors should be approving loans. I once moderated a panel that included two bank audit committee chairs and the debate back and forth between them—one bank had a board level loan committee and the other did not—was fascinating. Audit committee issues are usually pretty cut and dry, but they were actually very impassioned in their defense of their respective practices.

Every bank has a loan approval process at the operating subsidiary level, and the bigger the loan the greater the scrutiny it receives. Every bank also has a loan or credit committee at the operating level. And while every loan or credit committee functions a little bit differently, they all take basically the same approach. The committee checks to see whether the loan has been underwritten to the bank’s stated credit standards and complies with all of its loan policies. Sometimes there will be heated debate over exceptions to the policies involving an individual loan to a good customer—a loosening of the terms and conditions, perhaps, or maybe a little higher loan-to-value ratio if it’s a commercial real estate loan. All banks also have a legal lending limit, which is the maximum amount the bank can lend to a single borrower or group of borrowers. And since the regulators don’t want their banks making too many loans at their legal limit, there is effectively a “house lending limit” which is set well below the legal limit.

The point is, every bank has a group of experienced professionals with lending and credit skills, and these people are paid to evaluate loans and make the tough calls. It’s hard for me to see how directors who have never been bankers, or have never been trained how to evaluate a loan from a credit perspective, bring much to the process. I think it’s fair to say that board level loan committees are generally found at small banks, and one could argue that directors at such an institution might have a good sense of who to lend to—and not lend to—in the community. But any benefit that most directors would bring to the loan approval process is offset by the increased liability they assume when they insert themselves into the loan approval process. During the financial crisis, the Federal Deposit Insurance Corp. specifically targeted directors at failed banks who had been involved in approving loans that later went bad and helped sink their bank.

The board is required by law to approve loans to the bank’s executives, directors or principal shareholders under Regulation O. Beyond that, I think the most appropriate role for directors in the lending activities of their bank is to make sure that sound lending policies are in place, and then monitor management’s performance to make sure the guidelines are met. The board, most likely through its audit or risk committee, should also keep a close watch on the bank’s loan quality trends to verify that management is staying within the risk appetite parameters it has laid out. In other words, the bank’s directors should govern, which is the proper role of the board, rather than execute, which is the role of management. If you can’t trust the pros in your organization to make good credit decisions—backed up by appropriate board oversight—then you need a new team.

Directors who are really plugged into their communities can always make suggestions about good prospects, and those suggestions will probably be well received. They just shouldn’t be approving them.

An Appetite for Risk


More financial institutions have established or plan to establish a risk appetite in 2015, but many boards don’t fully understand the exercise: Forty-two percent of the respondents to Bank Director’s 2015 Risk Practices Survey, sponsored by FIS, say their board needs more training in how to oversee the bank’s risk appetite. How are bank boards approaching risk appetite?

Can a Financial Institution Be Too Small for Enterprise Risk Management?


Historically, enterprise risk management (ERM) has been considered an endeavor for large financial institutions because these institutions represent a greater risk to the banking industry. Today, however, financial institutions of various asset sizes are being pressured or required to implement ERM.

Financial institutions that offer complex products and services, process large volumes of transactions, have extensive delivery channels, or have a high concentration of customers in one area warrant stronger ERM practices due to the higher level of risk posed. However, smaller institutions with a less complex business structure also face risks that might affect their ability to meet their strategic objectives.

Each financial institution is unique. An institution’s ERM program should be based on its risk profile, structure, products, risks and needs. An ERM program does not require extensive documentation or systems if the risk profile does not warrant it.

Financial institutions with less risky profiles can implement effective and efficient ERM practices by following four practical guidelines.

  1. Implement a corporate governance structure by establishing an ERM committee and developing a charter and policy. Institutions typically assemble an ERM committee comprising the president, CEO, CFO, chief operating officer, chief lending officer, compliance officer, and internal auditor. Others may be members as needed to provide specialized knowledge. The objectives of the committee are to centralize oversight of risk management activities; review effectiveness of risk management systems, practices, and procedures; and provide recommendations for improvement.

    The committee should meet regularly. In smaller financial institutions, this committee generally provides risk reporting to the board. The committee should develop a charter that addresses committee membership, authority, goals and responsibilities.

    Management should develop an ERM policy that identifies the institution’s risk management philosophy, its risk identification and assessment methods, and how it addresses and incorporates changes such as new or evolving regulations and new products or services. The policy should formalize the institution’s risk appetite and identify significant risk and performance indicators and their respective limits or acceptable ranges.

  2. Clearly define measurable strategic objectives aligned with the institution’s risk appetite. Management should align its strategic, financial, compliance and operations objectives with the institution’s risk appetite. When determining the institution’s risk appetite, management should consider events that have negative effects on the institution, such as underperforming customer service, as well as events that have positive effects, like offering new products or services. Often, there is a disconnect between an institution’s stated strategy and its risk appetite. If management’s strategy and objectives do not fit within the institution’s risk appetite parameters, the objectives should be revisited.
  3. Identify and monitor important risk and profitability indicators. The management team should identify 10 to 12 significant risk indicators to monitor the progress and successful mitigation of significant risk events that affect its ability to meet its objectives. This allows management to focus on the most significant risks. New and evolving risks also should be considered. The indicators should be specific to major risk events and strategic objectives, and they should be forward-looking. At the same time, management should identify 10 to 12 key performance indicators to monitor the successful achievement of the institution’s objectives. The performance indicators often are historic measures and should be monitored, updated and reported frequently.
  4. Foster an ERM culture. An institution’s culture is critical in achieving true risk management across the organization. Executive leadership should foster an enterprise-wide risk management environment whereby the institution’s risk management philosophy is understood and supported, risk method is adhered to, individuals are accountable for managing and addressing risks, and business is transacted within the institution’s risk appetite.

The Early Bird Gets the Worm
ERM is not a turnkey system or a one-size-fits-all program. It is a discipline that elevates risk management to a strategic level, using collective enterprise-wide processes and practices that manage risk and maximize opportunities to achieve objectives. No financial institution is too small to implement a practical ERM program. Those that proactively identify and respond to risks and opportunities will have a competitive advantage over their peers in responding to the ever-changing business environment, and will be more likely to develop a nimble, adaptable and sustainable long-term strategy for success.