Why a Solid Risk Management Framework Helps Manage Change

Who owns risk management at your bank?

If your bank limits that function to the teams that report to the chief risk officer, it’s fumbling on two fronts: It’s failing to drive accountability across every corner of the enterprise, and it’s conceding its edge in a marketplace that’s never been more competitive.

Recognizing that every employee owns a piece of this responsibility make risk management an equal offensive and defensive pose for your organization. This empowers your employees to move nimbly, strategically and decisively when the bank encounters change, whether it’s an external regulatory pressure or an internal opportunity to launch a new product or service. In either case, your team navigates through change by building on best operational practices, which, in the end, work to your advantage.

Getting the bank into that position doesn’t happen overnight; the vision starts with the actions of your senior leaders. They set the tone and establish expectations, but everyone plays a hands-on role. When management prioritizes an environment where people can work collaboratively and have transparency into related roles, they foster consistency across your change management process that minimizes risk.

The need for a risk-aware culture aligns precisely with the signals coming out of Washington, D.C., that the stakes are getting higher. The Consumer Financial Protection Bureau hinted early at increased regulatory scrutiny, advising that it would tighten the regulatory standards it had relaxed to allow banks to quickly respond to customers’ financial hardship in 2020.

In response to the competitive and regulatory environment, your bank’s risk management framework should incorporate four key elements:

  • Start with setting the ground rules for how the bank will govern its risk. Define its risk strategy, the role the board and management will play and the committees that compose that governance structure — and don’t forget to detail their decision-making authority, approval and escalation process across those bodies. This upfront work also should introduce robust systems for ongoing monitoring and risk reporting, establish standard parameters on how the bank identifies issues and create a basic roadmap to remediate issues when they come along.
  • Operating Model. Distinguish the roles and responsibilities for every associate, with a key focus on how they manage risk generated by the core activities in that business. By taking the time to ensure all individuals, in every line of defense, understand their expected contributions, your bank will be ahead of the game because your people can act quicker and efficiently when a change needs to happen.
  • Standard Framework, Definitions and Taxonomies. In basic terms, everyone across the enterprise needs to speak the same language and assign risk ratings the same way. Calibrating these elements at the onset builds confidence that your bank gives thoughtful attention to categorize risks into the right buckets. Standardization should include assessment scales and definitions of different risks and risk events, leading to easier risk aggregation and risk reporting that enables a holistic view of risk across the enterprise.
  • Risk Appetite. Nothing is more important than establishing how much risk your organization is willing to take on in its daily business. Missing the mark can impact your customers, bottom line and reputation. Optimally, bank leaders will reestablish this risk appetite annually, but black swan events such as the pandemic should prompt more timely reviews.

Too often, banks reinvent the wheel every time a change or demand comes along. As the industry eyes increasing regulatory pressure in the year ahead, driving and promoting a robust risk management culture is no longer a “nice to have” within your organization; it’s a “need to have.”

When you reset the role and ownership of risk management as a strategic pillar in your bank’s future growth and direction you minimize your bank’s risk and actually propel your company forward.

Banks looking to check out best practices and a strategic framework for creating their enterprise risk framework should check out my latest whitepaper, Turning a Solid Risk Framework Into a Competitive Advantage.

77 Percent of Bank Boards Approve Loans. Is That a Mistake?


loans-5-17-19.pngBank directors face a myriad of expectations from regulators to ensure that their institutions are safe and sound. But there’s one thing directors do that regulators don’t actually ask them to do.

“There’s no requirement or even suggestion, that I’m aware of, from any regulators that says, ‘Hey, we want the board involved at the loan-approval level,’” says Patrick Hanchey, a partner at the law firm Alston & Bird. The one exception is Regulation O, which requires boards to review and approve insider loans.

Instead, the board is tasked with implementing policies and procedures for the bank, and hiring a management team to execute on that strategy, Hanchey explains.

“If all that’s done, then you’re making good loans, and there’s no issue.”

Yet, 77 percent of executives and directors say their board or a board-level loan committee plays a role in approving credits, according to Bank Director’s 2019 Risk Survey.

Boards at smaller banks are more likely to approve loans than their larger peers. This is despite the spate of loan-related lawsuits filed by the Federal Deposit Insurance Corp. against directors in the wake of the recent financial crisis.

Loans-chart.png

The board at Mayfield, Kentucky-based First Kentucky Bank approves five to seven loans a month, says Ann Hale Mills, who serves on the board. These are either large loans or loans extended to businesses or individuals who already have a large line of credit at the bank, which is the $442 million asset subsidiary of Exchange Bancshares.

Yet, the fact that directors often lack formal credit expertise leads some to question whether they should be directly involved in the process.

“Inserting themselves into that decision-making process is putting [directors] in a place that they’re not necessarily trained to be in,” says James Stevens, a partner at the law firm Troutman Sanders.

What’s more, focusing on loan approvals may take directors’ eyes off the big picture, says David Ruffin, a director at the accounting firm Dixon Hughes Goodman LLP.

“It, primarily, deflects them from the more important role of understanding and overseeing the macro performance of the credit portfolio,” he says. “[Regulators would] much rather have directors focused on the macro performance of the credit portfolio, and understanding the risk tolerances and risk appetite.”

Ruffin believes that boards should focus instead on getting the right information about the bank’s loan portfolio, including trend analyses around loan concentrations.

“That’s where a good board member should be highly sensitized and, frankly, treat that as their priority—not individual loan approvals,” says Ruffin.

It all boils down to effective risk management.

“That’s one of [the board’s] main jobs, in my mind. Is the institution taking the right risk, and is the institution taking enough risk, and then how is that risk allocated across capital lines?” says Chris Nichols, the chief strategy officer at Winter Haven, Florida-based CenterState Bank Corp. CenterState has $12.6 billion in assets, which includes a national correspondent banking division. “That’s exactly where the board should be: [Defining] ‘this is the risk we want to take’ and looking at the process to make sure they’re taking the right risk.”

Directors can still contribute their expertise without taking on the liability of approving individual loans, adds Stevens.

“[Directors] have information to contribute to loan decisions, and there’s nothing that says that they can’t attend officer loan committee meetings or share what they know about borrowers or credits that are being considered,” he says.

But Mills disagrees, as do many community bank directors. She believes the board has a vital role to play in approving loans.

First Kentucky Bank’s board examines quantitative metrics—including credit history, repayment terms and the loan-to-value ratio—and qualitative factors, such as the customer’s relationship with the bank and how changes in the local economy could impact repayment.

“We are very well informed with data, local economic insight and competitive dynamics when we approve a loan,” she says.

And community bank directors and executives are looking at the bigger picture for their community, beyond the bank’s credit portfolio.

“We are more likely to accept risk for loans we see in the best interest of the overall community … an external effect that is hard to quantify using only traditional credit metrics,” she says.

Regardless of how a particular bank approaches this process, however, the one thing most people can agree on is that the value of such bespoke expertise diminishes as a bank grows and expands into far-flung markets.

“You could argue that in a very small bank, that the directors are often seasoned business men and women who understand how to run a business, and do have an intuitive credit sense about them, and they do add value,” says Ruffin. “Where it loses its efficacy, in my opinion, is where you start adding markets that they have no understanding of or awareness of the key personalities—that’s where it starts breaking apart.”

12 Questions Directors Should Ask About New Bank Activities

A bank’s board of directors must answer to a variety of constituencies, including shareholders, regulatory agencies, customers and employees. At times those constituencies may have competing interests or priorities. Other times, what may appear to be competing interests are actually variations of aligned interests.

One area where this is particularly true is the board’s responsibility to strike the right balance between driving revenues and ensuring the bank adheres to its risk appetite established as part of its enterprise risk management framework.

The failure to strike this proper balance can be devastating to the institution, and if widespread, could result in consequences across the entire industry, such as the 2008 financial crisis. As technology and innovation accelerate the pace of change in the banking industry, that balance will become more critical and difficult to manage. And as banks explore ways to increase profits and remain competitive, especially with respect to noninterest income, bank directors will need to remain diligent in their oversight of new bank activities.

Regulators have offered guidance to bank boards on the subject. For example, the Office of the Comptroller of the Currency (OCC) issued a bulletin in 2017 that defines “new activities” to include new, modified, and/or expanded products and services and provide guidance related to risk management systems for new activities. While it is management’s role to execute strategy and operate within the established risk appetite on a day-to-day basis, the board’s role is to oversee and evaluate management’s actions, and the board should understand the impact and risks associated with any new activities of the bank.

To exercise this responsibility, directors should challenge plans for new activities by posing the following questions to help them determine if the proper risk approach has been taken. Questions may include:

  • Does the activity align with the bank’s strategic objectives?
  • Was a thorough review of the activity conducted? If so what were the results of that review and, specifically, what new or increased risks are associated with the activity, the controls, and the residual risk the bank will be assuming?
  • Is the associated residual risk acceptable given the bank’s established risk appetite?
  • Is the bank’s infrastructure sufficient to support the new activity?
  • Are the right people in place for the activity to be successful (both the number of people required and any specific expertise)?
  • Are there any new or special incentives being offered for employees? If so, are they encouraging the correct behavior and, just as importantly, discouraging the wrong behavior?
  • What are the specific controls in place to address any risks created?
  • How will success be measured? What reporting mechanism is in place to track success?
  • Will there be any impact on current customers? Or in the case of consumers, will there be any disparate impact or unfair or deceptive acts or practices (UDAAP) implications?
  • What third parties are required for successful implementation?
  • What limits on the amount of new business (concentration limits) should be established?
  • Are the applicable regulators aware of the bank’s plans, and what is their position/guidance?

These threshold questions will assist directors in becoming fully informed about the proposed new activities, and the answers should encourage follow up questions and discussions. For example, if third parties are necessary, then the focus would shift to the bank’s vendor management policies and procedures. Discussions around these questions should be properly documented in the meeting minutes to evidence the debate and decision-making that should be necessary steps in approving any new bank activity.

If these questions had been posed by every bank board contemplating the subprime lending business as a new activity, it may have averted the challenges faced by individual banks during the financial crisis and lessened the impact on the entire industry.

In the future, if boards seek the answers to these questions, the following discussions will help ensure directors will give thoughtful consideration to new activities while properly balancing the interests of all of their constituencies.

 

A Multifaceted Approach to Managing CRE Concentration Risk


Concentration risk is drawing scrutiny from financial regulators, who are focusing on lenders’ commercial real estate (CRE) concentrations. Financial services organizations are responding to this by looking for ways to improve their CRE risk management and credit portfolio management capabilities.

Lending institutions with high CRE credit concentrations and weak risk management practices are exposed to a greater risk of loss. If regulators determine a bank lacks adequate policies, credit portfolio management, or risk management practices, they may require it to develop more robust practices to measure, monitor, and manage CRE concentration risk.

For several years, federal regulatory agencies have issued updated guidance to help banks understand the risks. In 2006, the Federal Reserve, the Federal Deposit Insurance Corp. and the Office of the Comptroller of the Currency issued a guidance related to CRE concentrations followed by a statement in 2015 titled “Statement on Prudent Risk Management for Commercial Real Estate Lending.” Noting that CRE asset and lending markets are experiencing substantial growth, the 2015 guidance pointed out that “increased competitive pressures are contributing significantly to historically low capitalization rates and rising property values” and said “many institutions’ CRE concentration levels have been rising.”

Since the 2006 guidance, additional regulatory publications related to CRE concentrations have been released. The Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank) in 2010 began a shift, as banks with less than $10 billion in assets were exempt from more stringent requirements, according to a Crowe timeline analysis.

CRE-concentrations-small.png

Looking forward, the 2020 transition to the current expected credit loss (CECL) model for estimating credit losses will likely affect loan portfolio concentrations as well.

At the community bank level, CRE concentrations have been increasing. In 2016, CRE concentrations in smaller organizations had reached levels similar to mid-2007, according to Crowe’s analysis.

Comparison-small.png

These trends led regulators to sharpen their focus on CRE concentrations.

In one Crowe webinar earlier this year, 76 percent of the participants said their banks had some concern over how to better mitigate the risks associated with growing CRE concentrations.

In addition, 77 percent reported they received feedback within the past two years from regulators or auditors about CRE concentrations. The number of banks concerned about CRE concentration growth will likely continue to rise.

Approach to CRE Concentration Risk
The most effective methods for addressing concentration risk involve an integrated, holistic approach, which encompasses four steps:

  1. Validate CRE data. Banks must examine loan portfolio databases and verify the information is classified correctly. Coding errors and other inaccuracies often present a distorted picture of CRE concentrations.
  2. Analyze concentration risk. Banks can perform a risk analysis to expose both portfolio and loan sensitivity. Well-planned and carefully executed loan stratification can help management have a deeper understanding of their concentrations. Banks, even those not required to perform stress testing, should incorporate stress testing at the loan and portfolio levels.
  3. Mitigate CRE risk. Banks should establish policies and processes to monitor CRE loan performance and to adjust the mix of the portfolio as their risk appetite changes. Oversight of credit portfolio management is critical, as is an effective management information system.
  4. Report to management and the board. Reporting on a regular basis should include an update on mitigation efforts for any identified concentrations. Banks with higher levels of CRE loan activity might invest in dashboard reporting systems. The loan review and internal audit departments also should present additional reporting.

Loan Review and Stress Testing
Benefits can be gained by implementing a more dynamic loan review function that takes advantage of technology to identify portfolio themes and trends. The loan review function should identify if management reporting lacks granularity or other forms of risk associated with appraisal quality and underwriting practices.

Stress-testing practices can offer additional understanding of the effects economic variables might have on the portfolio. Tweaking several inputs can reveal how sensitive the bank’s models are to various scenarios. Stress testing can help facilitate discussions to better understand the loan portfolio and to identify better-performing borrowers and segments.

Other Best Practices
Other effective practices include establishing a CRE committee, creating a CRE dashboard, and adapting reporting functions to incorporate the loan pipeline. This approach can help management envision what concentrations will look like in the future if potential opportunities are funded. As CRE concentrations continue to attract regulatory scrutiny, risk management practices will become even more important to banking organizations.

What CEOs and Directors Should Know About Cybersecurity


cybersecurity-8-6-18 (1).pngAccording to Javelin’s 2018 Identity Fraud Report, identity theft reached an all-time high in 2017 with more than 16 million consumers being affected. On top of this, 24 percent of network breaches target financial institutions, according to Verizon’s 2017 Data Breach Investigations Report. This 1-2 punch combination is affecting banks of all sizes. The days of cybersecurity attacks only affecting the largest financial institutions are gone.

Criminal tactics are evolving and becoming more sophisticated. Increasingly, smartphones are targeted through spam text messages and a myriad of social media scams. These tactics could compromise the phone of a customer that may be accessing a mobile banking application or a bank employee accessing internal bank systems, such as email. The Internet of Things, or IoT, is the network of physical devices, vehicles, home appliances, and other items that can connect and exchange data. Criminals are compromising IoT to launch sophisticated cyberattacks against financial institutions and their customers.

As a bank executive or board member, there are steps you can take to fight back. It starts by recognizing your bank and your customers are targets and can become victims. As leaders, it is important to understand your responsibility to oversee the bank’s cybersecurity program and educate yourself on the current threats and trends. The following recommendations are the first steps to take as you oversee your bank’s cybersecurity program.

What the CEO should be doing

  1. The Financial Services Sector Coordinating Council has an Excel-based Automated Cyber Assessment Tool (ACAT) available for download at https://www.fsscc.org/. Ensure it is completed by management and updated at least annually.
  2. Management should develop a cybersecurity risk appetite and understand where the bank is exposed to the greatest risk.
  3. Oversee and monitor the bank’s cybersecurity program. Ensure a strategic and tested incident response program is in place.
  4. Challenge preparedness results by reviewing the ACAT and not accepting “baseline” control maturity levels as the desired control level. 
  5. Budget appropriately for cybersecurity preparedness. Compare the funding for cybersecurity controls to physical security controls. Assuming cybersecurity threats are greater than physical security threats, then funding of cybersecurity controls should be in parity with physical security investments.

What the board should be doing

  1. Consult with cybersecurity professionals to provide education on an annual basis.
  2. Ask the CEO and senior management to present the bank’s vision, risk appetite, and overall strategic direction for the bank’s cybersecurity program. 
  3. Review the results of ongoing monitoring of the bank’s exposure to and preparedness for cyber threats. Challenge the status quo and do not become complacent. Expect control proficiency levels to increase from baseline levels to evolving levels and higher. Criminals are not standing still and neither should you.
  4. Ensure proper budgeting of cybersecurity controls and review the bank’s cyber liability insurance annually.
  5. Ensure the bank’s systems are tested against cybersecurity threats at least annually and utilize the same techniques criminals use to break in.

What bank CEOs should know

  1. Where is our bank most at risk?
  2. Are our cybersecurity controls improving beyond baseline?
  3. Are we comfortable with residual risk levels?
  4. Are we reviewing the ACAT at least quarterly?
  5. Are our cybersecurity controls improving fast enough to outpace the evolving cybersecurity threats?

What the bank should be doing

  • Your bank should be a member of information sharing organizations such as Financial Services – Information Sharing and Analysis Center (FS-ISAC) and share information in bank peer group meetings. 
  • Work with cybersecurity experts to develop regular board reporting on cybersecurity threats and risk management.
  • Improve cybersecurity control proficiency beyond baseline. Remember that improvement does not have to be overly expensive.
    • Maximize the use of all currently available controls.
    • Do not wait on examiners or IT auditors to make you improve. It could be too late.

Many executives and boards feel unprepared to address cybersecurity threats and risks. The good news is there are many well trained and qualified cybersecurity professionals that can help you. Enact change where needed and provide ongoing oversight of the cybersecurity program at your bank. Doing so will go a long way towards ensuring your bank does not become another victim of cybersecurity attack.

Fintech Intelligence Report: Marketplace Lending


	intelligence-report-cover.PNGAs noted throughout our 2017 Acquire or Be Acquired Conference, partnerships between a bank and a tech company can take on many forms — largely based on an institution’s available capital, risk appetite and lending goals. With fintech solutions gaining momentum, many advisors at this year’s event encouraged banks to look at viable alternatives to meet consumer demands, maintain and expand their lending revenue and give formidable competition to those looking to take that market share.

Fintech lending has grown from $12 billion in 2014 to $23.2 billion in 2015 and is expected to reach $36.7 billion in 2016, a year-over-year growth of 93 percent and 58 percent in 2015 and 2016. This market, according to Morgan Stanley Research, is expected to grow further and reach $122 billion by 2020.

With this in mind, we invite you to take a look at our new Fintech Intelligence Report on Marketplace Lending. The research paper, developed by FinXTech, a division of Bank Director, and MEDICI, a subscription-based offering from LetsTalkPayments.com, explores current market dynamics along with technology and partnership models. As noted in this report, the gains of new fintech companies were widely thought to be at the expense of banks; however, many banks recognize the potential value from collaboration and have built relationships with fintechs.

Tell us what you think! As we work to provide you the latest information and research as it pertains to the financial services industry, we would appreciate your feedback on the Fintech Intelligence Report. Please email us your comments and/or suggestions at news@finxtech.com.

Four Steps for Building an Effective Risk Appetite Framework


risk-appetite-12-7-16.pngRisk appetite is a key component of a bank’s risk management framework. Effective risk management is fundamental in ensuring there is an appropriate balance between risk and reward.

Good risk management does not involve avoiding risk at all costs. Instead, it allows taking on more risk as long as the bank is making informed choices and has measures in place to mitigate risks. Having a strong risk appetite statement and well established policies and procedures is important, but equally important is the effective implementation of this framework.

Based on discussions with a number of credit risk executives at small and large banks, we have identified four steps for implementing an effective credit risk framework.

1. Ensure data quality and integrity.
Clean, standardized data is essential to making fair, timely and accurate credit decisions. The bank also needs to see its complete exposure to ensure it’s not over-exposed at the time of origination.

Regulators are increasingly demanding that a solid risk governance framework include policies and processes to provide risk data aggregation and reporting capabilities. In order to accomplish this, banks should have the IT infrastructure to store data and support risk aggregation and reporting in order to capture material risks, concentrations and emerging risks in a timely manner.

Technology can significantly improve data quality and aggregation. Current systems offer a single source of truth and gather all the risk data in one system that is easy to view and access. So there’s no need for checking multiple systems, tracking exposure in spreadsheets, or adding up numbers. These systems can also aggregate exposures across products, industries, regions, and so forth.

2. Set appropriate limits.
At most banks, the limit-setting process falls to the risk management team. But setting limits is as much an art as a science in many institutions.

One way to ensure appropriate limits is to align compensation with risk culture and take an approach to limit setting that is well articulated, tied to business objectives, and clearly sets out the consequences of breaching limits. In addition, banks can leverage the funding and resources that have already been allocated to conduct regulatory stress testing to help set risk appetite limits.

We have worked with clients to define their risk appetite limits through a well defined analytical and quantitative approach. Ultimately, this approach can help risk management set appropriate limits, adjust limits as the market environment changes, obtain business buy-in, and improve the bank’s overall risk culture.

3. Implement and enforce limits.
Effective risk appetite can be thwarted by integration challenges between risk, business and other functional areas at banks. Lack of cultural alignment and faulty processes often prevent the risk appetite framework from being adopted by the business units at the point of origination, rendering it ineffective.

At many banks, the process is still manual–checking reports and spreadsheets to ensure compliance where automation could save time and increase accuracy. Solutions now exist that let bank officers see at the point of origination where a potential deal is going to breach risk appetite limits. At that point, before moving forward, the red flag is raised and originators can decide to continue the approval process and seek an exception, escalate it to management, or even decline the deal.

4. Monitor limits and manage breaches.
Identifying limit breaches and near-breaches in a timely manner is critical to a dynamic risk appetite monitoring process. Limits should be reviewed and updated frequently, as changes in market conditions, risk tolerance, strategy, or other factors arise. Having ready access to customer and portfolio data, and where various exposures stand against limits, is essential to make timely decisions.

Breaches must be identified as they occur, automatic alerts sent to the right decision-making individuals at the bank, and the breach and resolution must be well documented so it can be audited in the future. Manual calculation and spreadsheets cannot guarantee this; only a strong IT infrastructure with limits and management capabilities can achieve this desired state.

Conclusion: The Way Forward
Technology can deliver significant value to the overall risk appetite process. Automated systems provide efficiency gains, better data quality and enhanced analytics. And these factors, in turn, drive the ability to measure, monitor and adjust risk taken against established risk appetite.

For more on this topic, see our white paper.

Five Key Steps to Integration Success


When it comes to the completion of a merger or acquisition, whether you view the glass as half full or half empty will likely depend on your planned approach to integration. After all, there’s no shortage of statistics on the failure rate of mergers and acquisitions due to post-deal integration issues. And it’s easy to see why. The challenge of integrating the people, processes and technology of two organizations into one is a daunting exercise whose success depends on a variety of factors, many of which can be subtle, yet complex.

Still, such challenges are not deterring bankers from the pursuit. Through November of 2015, there were 306 M&A banking deals. With the December numbers not yet available, we would expect the total for 2015 to be about the same as the total for 2014. And, according to recent KPMG community banking survey, nearly two-thirds of the 100 bank executives surveyed anticipate being involved in a merger or acquisition as either buyer or seller during the next year. Moreover, one out of three of those community bank executives foresee integrating information technology systems as the most difficult integration challenge, followed closely by talent management.

While such challenges are undeniable, directors must play a key role in helping management achieve positive results. These five key steps can help directors guide management in driving a successful integration.

Step 1: Set the Tone at the Top
Prior to signing the deal, establish a set of goals that cascade a vision of the deal into high-level, practical operating objectives for the combined organization. Directors should review and provide input in these operating objectives to ensure they align with the bank’s overall strategy, risk appetite and the strategic rationale for the deal. With a strong set of operating objectives in place, executives can develop guiding principles which clearly define the key fundamentals that stakeholders should follow as they begin the planning phase of the integration.

Step 2: Assess the Integration Plan and Roadmap
An integration plan and roadmap needs to be established early in the deal lifecycle. Anchor the plan with a well-understood methodology and a clear, high-level and continuously monitored timeline that identifies key activities and milestones throughout the course of the integration. Develop an integration playbook that details the governance structure, scope of the work streams and activities in addition to well defined roles and responsibilities. Directors must fully understand the integration plan so they can provide valuable feedback, effectively challenge timelines, and have the requisite knowledge to determine if there is a prudent methodology for each phase of the integration. Key disclosures about the transaction should be reviewed to ensure communications to regulators and shareholders set realistic expectations for closing the deal, converting customers, and capturing synergies.

Step 3: Effectively Challenge and Monitor Synergy Targets
Operating cost and revenue efficiencies are identified as part of the deal model, factored into the valuation, and play a critical role in determining the potential success of a merger. Executive management should establish synergy targets at the line-of-business level to promote accountability. Directors should foster effective challenge of expected synergies and provide oversight of the process for establishing the baseline and tracking performance against targets over the course of the integration.

Step 4: Promote Senior Leadership Involvement and Strong Governance Oversight
The program structure and governance oversight is established during the initial planning phase to control the integration program and drive effective decision making. Executive management should identify an “integration leadership team’’ with sufficient decision-making authority and a combination of merger and operating experience to effectively identify risks, resolve issues and integrate the business. Directors should examine the team’s experience, track progress against goals, and closely monitor key risks to assess management’s ability to execute the integration activities.

Step 5: Evaluate Customer and Employee Impacts and Communication Plans
The objective of customer and employee experience programs is to take a proactive approach to help ensure that significant impacts are identified, analyzed and managed with the goal of minimizing attrition. Integrated and effective communication plans are established to address concerns of customer and employee groups to reduce uncertainty, rumors and resistance to change. Directors should scrutinize customer and employee impacts in an attempt to ensure management has an effective mitigation plan for negative impacts through communication, training and target operating model design. Planning for employee retention should include the identification of critical talent to mitigate risks to the integration while ensuring business continuity.

By taking these five steps, directors can provide management with the guidance and support needed for a successful integration.

Should Directors Approve Loans?


bank-board-loan-committee-06-29-15.pngOne of the most controversial topics we’ve ever addressed at a Bank Director conference is whether directors should be approving loans. I once moderated a panel that included two bank audit committee chairs and the debate back and forth between them—one bank had a board level loan committee and the other did not—was fascinating. Audit committee issues are usually pretty cut and dry, but they were actually very impassioned in their defense of their respective practices. 

Every bank has a loan approval process at the operating subsidiary level, and the bigger the loan the greater the scrutiny it receives. Every bank also has a loan or credit committee at the operating level. And while every loan or credit committee functions a little bit differently, they all take basically the same approach. The committee checks to see whether the loan has been underwritten to the bank’s stated credit standards and complies with all of its loan policies. Sometimes there will be heated debate over exceptions to the policies involving an individual loan to a good customer—a loosening of the terms and conditions, perhaps, or maybe a little higher loan-to-value ratio if it’s a commercial real estate loan. All banks also have a legal lending limit, which is the maximum amount the bank can lend to a single borrower or group of borrowers. And since the regulators don’t want their banks making too many loans at their legal limit, there is effectively a “house lending limit” which is set well below the legal limit.

The point is, every bank has a group of experienced professionals with lending and credit skills, and these people are paid to evaluate loans and make the tough calls. It’s hard for me to see how directors who have never been bankers, or have never been trained how to evaluate a loan from a credit perspective, bring much to the process. I think it’s fair to say that board level loan committees are generally found at small banks, and one could argue that directors at such an institution might have a good sense of who to lend to—and not lend to—in the community. But any benefit that most directors would bring to the loan approval process is offset by the increased liability they assume when they insert themselves into the loan approval process. During the financial crisis, the Federal Deposit Insurance Corp. specifically targeted directors at failed banks who had been involved in approving loans that later went bad and helped sink their bank

The board is required by law to approve loans to the bank’s executives, directors or principal shareholders under Regulation O. Beyond that, I think the most appropriate role for directors in the lending activities of their bank is to make sure that sound lending policies are in place, and then monitor management’s performance to make sure the guidelines are met.  The board, most likely through its audit or risk committee, should also keep a close watch on the bank’s loan quality trends to verify that management is staying within the risk appetite parameters it has laid out. In other words, the bank’s directors should govern, which is the proper role of the board, rather than execute, which is the role of management. If you can’t trust the pros in your organization to make good credit decisions—backed up by appropriate board oversight—then you need a new team.

Directors who are really plugged into their communities can always make suggestions about good prospects, and those suggestions will probably be well received. They just shouldn’t be approving them.

An Appetite for Risk


More financial institutions have established or plan to establish a risk appetite in 2015, but many boards don’t fully understand the exercise: Forty-two percent of the respondents to Bank Director’s 2015 Risk Practices Survey, sponsored by FIS, say their board needs more training in how to oversee the bank’s risk appetite. How are bank boards approaching risk appetite?