How Banks Can Speed Up Month-End Close

In accounting, time is of the essence.

Faster financial reporting means executives have more immediate insight into their business, allowing them to act more quickly. Unfortunately for many businesses, an understaffed or overburdened back-office accounting team means the month-end close can drag on for days or weeks. Here are four effective strategies that help banks save time on month-end activities.

1. Staying Organized is the First Step to Making Sure Your Close Stays on Track
Think of your files as a library does. While you don’t necessarily need to have a Dewey Decimal System in place, try to keep some semblance of order. Group documentation and reconciliations in a way that makes sense for your team. It’s important every person who touches the close knows where to find any information they might need and puts it back in its place when they’re done.

Having a system of organization is also helpful for auditors. Digitizing your files can help enormously with staying organized: It’s much easier to search a cloud than physical documents, with the added benefit of needing less storage space.

2. Standardization is a Surefire Way to Close Faster
Some accounting teams don’t follow a close checklist every month, which makes it more likely that a step is accidentally missed. It’s much easier for finance and accounting teams to complete a close when they have a checklist with clearly defined steps, duties and the order in which they must be done.

Balance sheet reconciliations and any additional analysis also benefit from standardization. Allowing each member of the team to compile these files using their own specific processes can yield too much variety, leading to potential confusion down the line and the need to redo work. Implementing standard forms eliminates any guesswork in how your team should approach reconciliations and places accountability where it should be.

3. Keep Communication Clear and Timely
Timely and clear communication is essential when it comes to the smooth running of any process; the month-end close is no exception. With the back-and-forth nature between the reviewer and preparer, it’s paramount that teams can keep track of the status of each task. Notes can get lost if you’re still using binders and spreadsheets. Digitizing can alleviate some of this. It’s crucial that teams understand management’s expectations, and management needs to be aware of the team’s bandwidth. Open communication about any holdups allows the team to accomplish a more seamless month-end close.

4. Automate Areas That Can be Automated
The No. 1 way banks can save time during month-end is by automating the areas that can be automated. Repetitive tasks should be done by a computer so high-value work, like analysis, can be done by employees. While the cost of such automation can be an initial barrier, research shows automation software pays for itself in a matter of months. Businesses that invest in technology to increase the efficiency of the month-end close create the conditions for a happier team that enjoys more challenging and fulfilling work.

Though a month-end close with a lack of resources can be a daunting process, there are ways banks can improve the efficiency of these activities and keep everything on a shorter timeline. Think of this list of tips as a jumping-off point for streamlining your institution’s close. Each business has unique needs; the best way to improve your close is by evaluating any weaknesses and creating a road map to fix them. Next time the close comes around, take note of any speed bumps. There are many different solutions out there: all it takes is a bit of research and a willingness to try something new.

Growth Milestone Comes With Crucial FDICIA Requirements

Mergers or strong internal growth can quickly send a small financial institution’s assets soaring past the $1 billion mark. But that milestone comes with additional requirements from the Federal Deposit Insurance Corp. that, if not tackled early, can become arduous and time-consuming.

When a bank reaches that benchmark, as measured at the start of its fiscal year, the FDIC requires an annual report that must include:

  • Audited comparative annual financial statements.
  • The independent public accountant’s report on the audited financial statements.
  • A management report that contains:
    • A statement of certain management responsibilities.
    • An assessment of the institution’s compliance with laws pertaining to insider loans and dividend restrictions during the year.
    • An assessment on the effectiveness of the institution’s internal control structure over financial reporting, as of the end of the fiscal year.
    • The independent public accountant’s attestation report concerning the effectiveness of the institution’s internal control structure over financial reporting.

Management Assessment of Internal Controls
Complying with Internal Controls over Financial Reporting (ICFR) requirements can be exhausting, but a few early steps can help:

  • Identify key business processes around financial reporting/systems in scope.
  • Conduct business process walk-throughs of the key business processes.
  • For each in-scope business process/system, identify related IT general control (ITGC) elements.
  • Create a risk control matrix (RCM) with the key controls and identify gaps in controls.

To assess internal controls and procedures for financial reporting, start with control criteria as a baseline. The Committee of Sponsoring Organizations (COSO) of the Treadway Commission provides criteria with a fairly broad outline of internal control components that banks should evaluate at the entity level and activity or process level.

Implementation Phases, Schedule and Events
An FDICIA implementation approach generally includes a four-phase program designed with the understanding that a bank’s external auditors will be required to attest to and report on management’s internal control assessment.

Phase One: Business Risk Assessment and COSO Evaluation
Perform a high-level business risk assessment and COSO evaluation of the bank. This evaluation is a top-down approach that allows the bank to effectively identify and address the five major components of COSO. The review includes describing the policies and procedures in place, as well as identifying areas of weakness and the actions needed to ensure that the bank’s policies and procedures are operating with effective controls.

Phase One action steps are:

  • Educate senior management and audit committee/board of directors on reporting requirements.
  • Establish a task force internally, evaluate resources and communicate.
  • Identify and delegate action steps, including timeline.
  • Identify criteria to be used (COSO).
  • Determine which processes and controls are significant.
  • Determine which locations or business units should be included.
  • Coordinate with external auditor when applicable.
  • Consider adoption of a technology tool to provide data collection, analysis and graphical reporting.

Phase Two: Documenting the Bank’s Control Environment
Once management approves the COSO evaluation and has identified the high-risk business lines and support functions of the bank, it should document the internal control environment and perform a detailed process review of high-risk areas. The primary goals of this phase are to identify and document which controls are significant, evaluate their design effectiveness and determine what enhancements, if any, must be made.

Phase Three: Testing and Reporting of the Control Environment
The bank’s internal auditor validates the key internal controls by performing an assessment of their operating effectiveness to determine if they are functioning as designed, intended and expected. The internal auditor should help management determine which control deficiencies, if any, constitute a significant deficiency or material weakness. Management and the internal auditor should consult with the external auditor to determine if it has performed any of the tests and if that testing can be leveraged for FDICIA reporting purposes.

Phase Four: Ongoing Monitoring
A primary component of an effective system of internal control is an ongoing monitoring process. The ongoing evaluation process of the system of internal controls will occasionally require modification as the business adjusts. Certain systems may require control enhancements to respond to new products or emerging risks. In other areas, the evaluation may point out redundant controls or other procedures that are no longer necessary. It’s useful to discuss the evaluation process and ongoing monitoring when making such improvement determinations.

What New Climate Disclosure Means for Banks

Climate risk assessment is still in its infancy, but recent pronouncements by federal regulators should have bank directors and executives considering its implications for their own organizations.   

Under a new rule proposed by the Securities and Exchange Commission, publicly traded companies would be required to report on certain climate-related risks in regular public filings. 

Though the SEC’s proposal only applies to publicly traded companies, some industry observers say it’s only a matter of time before more financial institutions are expected to grapple with climate-related risks. Not long after the SEC issued its proposal, the Federal Deposit Insurance Corp. issued its own draft principles for managing climate risk. While the principles focus on banks with over $100 billion of assets, Acting Chair Martin Gruenberg commented further that “all financial institutions, regardless of size, complexity, or business model, are subject to climate-related financial risks.” 

The practice of assessing climate risk has gained momentum in recent years, but many boards aren’t regularly talking about these issues. Just 16% of the directors and officers responding to Bank Director’s 2022 Risk Survey say their board discusses climate change annually.

To understand what this means for their own organizations, boards need to develop the baseline knowledge so directors can ask management smarter questions. They should also establish organizational ownership of the issue and think about the incremental steps they might take in response to those risk assessments. 

“Climate risk is like every other risk,” says Ivan Frishberg, chief sustainability officer at $7 billion Amalgamated Financial Corp. in New York. “It needs the same systems for managing it inside a bank that any other kind of risk does. It’s going to require data, it’s going to require risk assessments, it’s going to require strategy. All of those things are very traditional frameworks.” 

The SEC’s proposed rule intends to address a major challenge with sizing up climate risk: the lack of uniform disclosures of companies’ greenhouse gas emissions and environmental efforts. The agency also wants to know how banks and other firms are incorporating climate risks into their risk management and overall business strategies. That includes both physical risk, or the risk of financial losses from serious weather events, and transition risk, arising from the shift to a low-carbon economy.  

Bank Director’s Risk Survey finds that many boards need to start by getting up to speed on the issue. Though 60% of survey respondents say that their board and senior leadership have a good understanding of physical risks, just 43% say the same about transition risk. Directors should also get a basic grasp of what’s meant by Scope 1, Scope 2 and Scope 3 emissions to better gauge the impact on their own institutions.  

Understanding Carbon Emissions

Scope 1: Emissions from sources directly owned or controlled by the bank, such as company vehicles.

Scope 2: Indirect emissions associated with the energy a bank buys, such as electricity for its facilities. 

Scope 3: Indirect emissions resulting from purchased goods and services (business travel, for example) and other business activities, such as lending and investments.


The SEC’s proposal would not require scenario analysis. However, directors and executives should understand how their loan portfolios could be affected under a variety of scenarios. 

Talking with other banks engaged in similar efforts could help institutions benchmark their progress, says Steven Rothstein, managing director of the Ceres Accelerator for Sustainable Capital Markets, a nonprofit that works with financial institutions on corporate sustainability. Boards could also look to trade associations and recent comments by federal regulators. In a November 2021 speech, Acting Comptroller of the Currency Michael Hsu outlined five basic questions that bank boards should ask about climate risk. The Risk Management Association recently established a climate risk consortium for regional banks. 

Assessing climate risk involves pulling together large amounts of data from across the entire organization. Banks that undertake an assessment of their climate-related risks should appoint somebody to coordinate that project and keep the board apprised.  

Banks might also benefit from conducting a peer review, looking at competing institutions as well as banks with similar investor profiles, says Lorene Boudreau, co-leader of the environment, social and governance  working group at Ballard Spahr. “What are the other components of your investors’ profile? And what are they doing? Use that information to figure out where there’s a [gap], perhaps, between what they’re doing and what your company is doing,” she says.

Finally, boards should think about the shorter term, incremental goals their bank could set as a result of a climate risk assessment. That could look like smaller, sector-specific goals for reducing financed emissions or finding opportunities to finance projects that address climate-related challenges, such as storm hardening or energy efficiency upgrades. 

A number of big banks have made splashy pledges to reduce their greenhouse gas emissions to net zero by 2050, but fewer have gotten specific about their goals for 2030 or 2040, Boudreau says. “It doesn’t have a lot of credibility without those interim steps.” 

While many smaller financial institutions will likely escape regulatory requirements for the near term, they can still benefit from adopting some basic best practices so they aren’t caught off guard in a worst-case scenario. 

“Climate risk is financial risk,” says Rothstein. “If you’re a bank director thinking about the safety and soundness of a bank, part of your job has to be to look at climate risk. Just as if someone said, ‘Is the bank looking at cyber risk? Or pandemic risk or crypto risk?’ All of those are risks that directors, through their management team, have to be aware of.” 

3 Steps to Planning for Climate Risk

Last year, President Joe Biden’s Executive Order on Climate-Related Financial Risk and the resulting report from the Financial Stability Oversight Council identified climate change as an emerging and increasing threat to U.S. financial stability.

A number of financial regulatory and agency heads have also spoken about climate risk and bank vulnerability.

Now the question is: What should banks be doing about it now? Here are three steps you can take to get started:

1. Conduct a Risk Assessment
Assessing a financial institution’s exposure to climate risk poses an interesting set of challenges. There is the short-term assessment for both internal operations and business exposures: what is happening today, next month or next year. Then there are long-term projections, for which modeling is still being developed.

So where to begin?
Analyzing the potential impacts of physical risk and transition risk begins with the basic question, “What if?” What if extreme weather events continue; how does that impact or alter your operational and investment risks? What if carbon-neutral climate regulations take hold and emissions rapidly fall? Widen your scope from credit risk to include market, liquidity and reputational risk, which is taking on new meaning. Bank executives may make reasonable decisions to stabilize their balance sheet, but those decisions could backfire when banks are seen as not supporting their customers in their transition.

Regional and smaller financial institutions will need more granular data to assess the risk in their portfolios, and they may need to assemble local experts who are more familiar with climate change’s impact on local companies.

2. Level Up the Board of Directors
Climate change has long been treated as part of corporate social responsibility rather than a financial risk, but creating a climate risk plan without executive support or effective oversight is a fool’s errand. It’s time to bring it into the boardroom.

Banks should conduct a board-effectiveness review to identify any knowledge gaps that need to be filled. How those gaps are filled depends on each organization, but climate change expertise is needed at some level — whether that be a board member, a member of the C-suite or an external advisor.

The next step is incorporating climate change into the board’s agenda. This may already be in place at larger institutions or ones located in traditionally vulnerable areas. However, recent events have made it clear that climate risk touches everything the financial sector does. Integrating climate risk into board discussions may look different for each financial institution, but it needs to start happening soon.

3. Develop a Climate-Aware Strategy
Once banks approach climate risk as a financial risk instead of simply social responsibility, it’s time to position themselves for the future. Financial institutions are in a unique position when formulating a climate risk management strategy. Not only are they managing their own exposure — they hold a leadership role in the response to carbon neutral policies and regulation.

It can be challenging, but necessary, to develop a data strategy with a holistic view across an organization and portfolio to reveal where the biggest risks and opportunities lie.

Keeping capital flowing toward clients in emission-intensive industries or vulnerable areas may seem like a high risk. But disinvestment may be more detrimental for those companies truly engaged in decarbonization activities or transition practices in sectors such as power generation, real estate, manufacturing, automotive and agriculture. These exposures may be offset by financing green initiatives, which have the potential to mitigate transition risk across a portfolio, increase profit and, better yet, stabilize balance sheets as the economy evolves into a carbon-neutral world.

An Audit Expert Explains What’s Changed

An audit committee seat can be one of the biggest challenges — and one of the greatest responsibilities — for a bank director, even without a global pandemic and economic recession. The audit committee sets the tone at the top for the bank. How does its role change in a pandemic? It’s an increasingly important responsibility, says Jon Tomberlin, managing partner in Dixon Hughes Goodman LLP’s financial services practice, participating in a panel discussion focusing on audit matters at Bank Director’s BankBEYOND 2020 experience. “There’s a lot of risk and difficulty in being on the audit committee,” he says. “They are one of the most important elements of the bank.” The audit committee creates and maintains the conditions and expectations that support the integrity of the bank’s financial controls — an environment that may have altered or become strained under the pandemic’s forceful impact or the severe economic fallout. Tomberlin says he sees many roles for the audit committee in this turbulent environment, including overseeing and challenging the appropriateness of internal controls and management’s risk assessment. Joining Tomberlin in this conversation with Bank Director’s Editor-At-Large Jack Milligan were Michael Ososki, a partner at BKD LLP, and Mandi Simpson, a partner at Crowe LLP.

Balance Sheet Opportunities Create Path to Outperformance

How important is net interest margin (NIM) to your institution?

In 2019, banks nationally were 87% dependent on net interest income. With the lion’s share of earnings coming from NIM, implementing a disciplined approach to margin management will mean the difference between underperforming institutions and outperforming ones.

Anticipating the next steps a bank should take to protect or improve its profitability will become increasingly difficult as banks manage balance sheet risks and margin pressure. Cash positions are growing with record deposit inflows, pricing on meager loan demand is ultra-competitive and many institutions are experiencing accelerated cash flows from investment portfolios.

It is also important to remember that stress testing the balance sheet is no longer an academic exercise. Beyond risk management, stressing the durability of capital and the resiliency of liquidity can give your institution the confidence necessary to execute on strategies to improve performance and stay ahead of peers. It is of heightened importance to maintain focus on the four major balance sheet positions discussed below.

Capital Assessment, Position
Capital serves as the cornerstone for all balance sheets, supporting growth, absorbing losses and providing resources to seize opportunities. Most importantly, capital serves as a last line of defense, protecting against risk of the known and the unknown.

The rapid changes occurring within the economy are not wholly cyclical in nature; rather, structural shifts will develop as consumer behavior evolves and business operations adjust to the ‘next normal.’ Knowing the breaking points for your capital base — in terms of growth, credit deterioration and a combination of these factors — will serve your institution well.

Liquidity Assessment, Position
Asset quality deterioration leads to capital erosion, which leads to liquidity evaporation. With institutions reporting record deposit growth and swelling cash balances, understanding how access to a variety of funding sources can change, given asset quality deterioration or capital pressure, is critical to evaluating the adequacy of your comprehensive liquidity position.

Interest Rate Risk Assessment, Position
In today’s ultra-low rate environment, pressure on earning asset yields is compounded by funding costs already nearing historically low levels. Excess cash is expensive; significant asset sensitivity represents an opportunity cost as the central bank forecasts a low-rate environment for the foreseeable future. Focus on adjusting your asset mix — not only to improve your earnings today, but to sustain it with higher, stable-earning asset yields over time.

Additionally, revisit critical model assumptions to ensure that they reflect actual pricing behaviors, including new-volume rate floors and deposit betas, as they may be too high for certain categories.

Investment Assessment, Position
Strategies for investment portfolios including cash can make a meaningful contribution to your institution’s overall interest income. Some key considerations to help guide the investment process in today’s challenging environment include:

  • Cost of carrying excess cash has increased: Most institutions are now earning 0.1% or less on their overnight funds, but there are alternatives to increasing income on short-term liquidity.
  • Consider pre-investing: Many institutions have been very busy with Paycheck Protection Program loans, and we anticipate this will have a short-term impact on liquidity and resources. Currently, spreads are still attractive in select sectors of the market.

Taylor Advisors’ Take:
Moving into 2021, liquidity and capital are taking center stage in most community banks’ asset-liability committee discussions. Moving away from regulatory appeasement and towards proactive planning and decision-making is of paramount importance. This can start with upgrading your bank’s tools and policies, improving your ability to interpret and communicate the results and implementing actionable strategies.

Truly understanding your balance sheet positions is critical before implementing balance sheet management strategies. You must know where you are to know where you want to go. Start by studying your latest quarterly data. Dissect your NIM and understand why your earning asset yields are above or below peer. Balance sheet management is about driving unique strategies and tailored risk management practices to outperform; anything less will lead to sub-optimal results.

Steering a De Novo Through a Crisis and Beyond

New York-based Piermont Bank opened its doors in July 2019. Just eight months later — on March 1 — a New York woman returning home from Iran became the city’s first Covid-19 case. By March 20, with cases in the state rapidly climbing, Gov. Andrew Cuomo mandated that non-essential businesses close. One hundred days after reporting its first case, New York began reopening — but as of Nov. 19, restrictions remained in place, and New York City public schools recently returned to virtual learning to combat a resurgence of Covid-19 cases.

What a time to run a bank — especially a new one.

It sounds counterintuitive at first blush, but Wendy Cai-Lee, the bank’s founder and chief executive, believes Piermont is well positioned to serve customers. The $117 million bank focuses heavily on commercial real estate loans; it also makes commercial and industrial (C&I) loans.

She points out that as a de novo, the bank’s balance sheet is clean; her team didn’t have to devote attention to working with troubled borrowers. Piermont also has a lot of capital on hand, with a leverage ratio of 32.82% as of June 30.

But Cai-Lee recognizes the broader, longer-term impact the pandemic could have on the New York market. “We have seen appraisal values essentially drop anywhere between 10% to 35%,” she says. Her team has a risk assessment meeting every Monday; when we spoke in October, they were evaluating the potential fallout from the end of unemployment benefits through the CARES Act, set to expire at the end of the year. “That’s going to impact people’s ability to pay their rent, and I do think that’s going to bring some impact to multi-family that we haven’t seen so far,” she says.

The pandemic had some banks scrambling to adopt new technology to serve customers; in contrast, Piermont was already positioning itself as a “tech-enabled” bank. “When it comes to innovation, I’m a big believer that it’s not only technology that we need to focus on, but also process,” says Cai-Lee. She aims to create an end-to-end digitized process without sacrificing risk controls.

“I use technology to digitize everything that the client doesn’t see so that I can move all those resources to allow my bankers to spend the time with the client to find specific pain points” and identify the right solution, she explains. “This allows my bankers to engage the client very differently.” Piermont can close commercial loans in three days, she says, rather than a couple of weeks. And innovation isn’t limited to technology; Piermont offers subscription pricing for its services, for example, and recently announced a banking-as-a-service platform it’s offering through a partnership with Treasury Prime.

I spoke with Cai-Lee before that announcement. “We’re actually not going to be that anonymous bank behind these fintechs,” she says. “We’re actually going to market front and center along with the API partner so that we can actually focus on creating the right product for them.”

Piermont Bank also seeks to serve women- and minority-owned businesses, which have been particularly devastated by the pandemic and have historically lacked access to credit and investor capital. A lot of banks say they want to serve women and minority entrepreneurs, yet these groups remain underserved. When I ask how Cai-Lee’s plans differ from other institutions’ efforts, she credits Piermont’s diverse team.

Cai-Lee is Asian American; before founding Piermont, she led the commercial real estate, commercial lending, and consumer and business banking divisions at $50 billion, Pasadena, California-based East West Bancorp, which serves markets in the U.S. and China. Before that, she spent almost a decade at Deloitte, where she was literally the poster child for diversity. “They had a [life-size] cutout of me made and had it in the lobby of every Deloitte domestic office,” she recalls.

When she founded Piermont Bank, she prioritized adding a diverse array of voices and backgrounds when she assembled her team. She believes it’s a strength for the bank. “The reason why [women and minorities are] underserved is — no different from serving any industry or any demographic out there — unless you understand their pain points, it’s hard to come up with the right product and service to serve them,” says Cai-Lee. “If you don’t have enough representation of women, of minorities on your board and senior management [team], how do you foster an environment where [you can] address that demographic?”

How Subchapter S Issues Could Snag a Sale


Nearly 2,000 banks in the U.S. have elected Subchapter S tax treatment as a way of enhancing shareholder value since 1997, the first year they were permitted to make the election. Consequently, many banks have more than 20 years of operating history as an S corporation.

However, this history is presenting increasingly frequent challenges during acquisition due diligence. Acquirers of S corporations are placing greater emphasis on due diligence to ensure that the target made a valid initial Subchapter S election and continuously maintained eligibility since the election. Common issues arising during due diligence typically fall into two categories:

  • Failure to maintain stock transfer and shareholder records with sufficient specificity to demonstrate continuous eligibility as an S corporation.
  • Failure by certain trust shareholders to timely make required Qualified Subchapter S Trust (QSST) or Electing Small Business Trust (ESBT) elections.

A target’s inability to affirmatively demonstrate its initial or continuing eligibility as an S corporation creates a risk for the acquirer. The target’s S election could be disregarded after the deal closes, subjecting the acquirer to corporate-level tax liability with respect to the target for all prior periods that are within the statute of limitations. This risk assessment may affect the purchase price or the buyer’s willingness to proceed with the transaction. In addition, the target itself could become exposed to corporate tax liability, depending on the extent of the compliance issues revealed during due diligence, unless those issues are remediated.

Accordingly, it is important for S corporation banks to ensure that their elections are continuously maintained and that they retain appropriate documentation to demonstrate compliance. An S corporation bank should retain all records associated with the initial election, including all shareholder consents and IRS election forms. S corporation banks should also maintain detailed stock transfer records to enable the substantiation of continuous shareholder eligibility.

Prior to registering a stock transfer to a trust, S corporation banks should request and retain copies of all governing trust instruments, as well as any required IRS elections.

It is also advisable to have the bank’s legal counsel review these trust instruments to confirm eligibility status and any required elections. Banks that are relying on the family aggregation rules to stay below the 100 shareholder limitation should also keep records supporting the family aggregation analysis.

While S corporation banks have realized significant economic benefits through the elimination of double taxation of corporate earnings, maintaining strong recordkeeping practices is a critical element in protecting and maximizing franchise value, especially during an acquisition. Any S corporation bank that is contemplating selling in the foreseeable future should consider conducting a preemptive review of its Subchapter S compliance and take any steps necessary to remediate adverse findings or secure missing documentation prior to exploring a sale.

One Tool To Get a Better Grasp on Cybersecurity Risk Oversight

As new types of risk – and new regulatory requirements – are introduced, bank directors play an instrumental role in making sure the executive team is properly addressing cybersecurity risks.

This can be an especially challenging responsibility as it is rare for board members to have the technical background or expertise to appropriately assess an entity’s cybersecurity risk management program without external resources. In many instances, directors find themselves in the uncomfortable position of relying primarily on management reports or the advice of third-party providers to meet their oversight responsibilities.

Annual scorecards from management and vulnerability assessments from third-party providers have value, but can make it difficult to compare and assess risk management programs with confidence.

To address this challenge, boards can consult new guides that offer ways to explore and dig into potential cyber risk management issues and other technical matters.

The Center for Audit Quality (CAQ) recently released a new publication, “Cybersecurity Risk Management Oversight: A Tool for Board Members.” The tool, like other emerging frameworks, is designed to help board members probe more deeply, challenge management assertions from a position of knowledge and understanding, and make more informed use of independent auditors.

Asking the right questions
In addition to offering board members a high-level overview of cybersecurity risk management issues and board responsibilities, the tool offers a series of probing questions board members can use as they engage in discussions about cybersecurity risks and disclosures with management and with independent financial auditors.

The questions are organized into four groups:

  1. Understanding how the financial statement auditor considers cybersecurity risk. These questions help board members understand the auditor’s approach to cybersecurity-related risks, and how such risks get addressed in the audit process.
  2. Understanding the role of management and responsibilities of the financial statement auditor related to cybersecurity disclosures. These questions help board members explore compliance with current SEC guidance, as well as other regulatory and disclosure requirements.
  3. Understanding management’s approach to cybersecurity risk management. These questions look beyond financial reporting and compliance, and begin to probe broader cybersecurity-related issues, including the governing framework, policies, processes, and controls the bank has in place to manage and mitigate cybersecurity risk.
  4. Understanding how CPA firms can assist boards of directors in their oversight of cybersecurity risk management. These questions help board members learn about additional offerings CPA firms can provide to assist them, and what factors to consider when engaging outside auditors to perform readiness assessments and examinations.

Starting the conversation
The CAQ says the cybersecurity oversight tool is not intended to be a comprehensive, all-inclusive list of questions for board members to ask. It also cautions against treating the questions as a checklist.

Rather, board members should look at the questions as conversation starters: examples of the types of issues they should raise with management and financial statement auditors. The purpose of the questions is to spark a dialogue that clarifies responsibilities and helps board members develop a better understanding of how the company is managing its cybersecurity risks.

Expanding CPAs’ capabilities
As noted, one group of questions is designed to help board members learn more about other cybersecurity assurance services offered by CPA firms. One example of such services is the new System and Organization Controls (SOC) for Cybersecurity examination developed by the AICPA.

The information within the report provides management, directors or clients a description of the organization’s cybersecurity risk management program and an independent opinion on the effectiveness of the controls in place.

As concerns over cybersecurity risks in banking continue to intensify, directors will find it increasingly necessary to be capable of effectively challenging executive management and financial auditors. This tool is one guide, alongside other evolving frameworks and services, that can help boards fulfill their responsibilities while also adding significant value to the bank and its shareholders.

Four Best Practices to Help Bank Boards Manage New Cybersecurity Guidance

Updates to the FFIEC Management Booklet portion of the IT Examination Handbook in late 2015 have placed your board of directors under more pressure than ever to ensure the health and stability of your institution’s overall IT and cybersecurity environment.

While the board has always held ultimate responsibility for institutional governance, the revised handbook places extra demands on its members’ level of knowledge and involvement, particularly in the areas of cybersecurity, examination procedures and IT management.

It’s perhaps the IT management portion and its two major changes that will prove most taxing to board members. First, the description of the IT management structure is more granular, with the addition of two new parties: executive management and a chief information security officer. Specifically, executive management is expected “to understand at a high level the IT risks faced by the institution and ensure those risks are included in the institution’s risk assessments. In the event that executive management is unable to implement an objective or agree on a course of action, executive management should escalate that matter to the board for more guidance.” The chief information security officer’s duties are spelled out in depth, and the guidance requires that person to report directly to the board, a committee of the board, or senior management—but not to someone in IT. The board is responsible for implementing this new governance structure.

Secondly—and of more concern—the updated guidance requires board members to provide “credible challenges” to bank management before approving IT or security decisions. This means they must maintain enough understanding of IT and cybersecurity matters to ascertain how these decisions might pose risks to the institution and whether they align with its overall strategy. And if they don’t understand something, they must be able to ask thoughtful, intelligent questions until they do.

Now, as most of us know, it isn’t uncommon for board members to “rubber stamp” IT management decisions, sending approvals through with a modest amount of consideration. So, given their accountability for understanding these matters before signing off on them, how can you help your board succeed?

It helps to view this challenge as a two-way street: the board provides oversight and governance, and the bank’s management and subject matter experts (SMEs) share their knowledge and information with board members to help them carry it out. There are four best practices to accomplish this task:

  1. Request that bank management, as well as the IT and security departments, begin passing relevant information to the board. Specifically, this includes monthly or quarterly summaries of incident reports that can apprise the board of any major incidents involving downtime, deployment of business continuity plans or anything else that could affect business decisions.
  2. Have your bank’s IT and security SMEs—or possibly an outside firm—provide the board with continuous updates on regulators’ expectations surrounding cyber risk management and oversight, as well as which high-level risks are circulating in the current environment. The experts also can consult with board members about why this knowledge is important, and how they can incorporate it into their strategic decisions.
  3. Encourage the board members to actively educate themselves by doing their own reading and research. To that end, ask one or two members to sit in on IT or security steering committees, then take the information they learn back to the rest of the board. This gives them access at the ground level.
  4. Invite the board to get involved with the Financial Services Information Sharing and Analysis Center (FS-ISAC), which shares the latest threat intelligence and attack methods, and encourages its financial industry members to do the same. If your institution has a membership—and it should—board members can access those resources and take part in the center’s bi-weekly conference calls.

Again, board members don’t have to become overnight SMEs. But they need to be involved, engaged and ready to ask some tough questions to ensure IT and security strategies are aligned with board expectations and the risk appetite they’ve set. If not, they shouldn’t be voting to approve IT plans.

After all, when it comes to IT, you can have all the best technology in the world, but if it’s unreliable or exposes your bank to too much risk, what good is it? It’s within the best interest of your institution and its board of directors to carefully apply the updated FFIEC guidance to all IT and security decisions.