Driving Accountability in Incentive Compensation Governance


I once flunked a math test because I didn’t show my work. Turns out, showing your work is important to both math teachers and bank regulators.

To drive accountability, it is important to document and “show your work” when it comes to governance of incentive compensation plans and processes. The largest banks, due to increased regulatory oversight, have made significant strides in complying with regulators’ guidance and creating robust accountability. Here are some resulting “better practices” that provide food for thought for banks of all sizes.

While the 2010 interagency guidance on sound incentive compensation policies is almost a decade old, it remains the foundation for regulatory oversight on the matter. The guidance outlined three lasting principles for the banking industry:

  • Provide employees incentives that appropriately balance risk and reward.
  • Create policies that are compatible with effective controls and risk management.
  • Support policies through strong corporate governance, including active and effective oversight by the organization’s board of directors.

Most organizations used the release of the 2010 guidance to take a fresh look at their incentive plans. It proposed a non-exhaustive list of risk-balancing methods, such as risk adjustment of awards and deferral of payment. Many banks changed their plan structures and provisions to increase sensitivity to, and better account for, risk. The changes made sense pragmatically but largely addressed only the first principle.

After the financial crisis, boards were expected to engage in the oversight and review of all incentive arrangements to ensure that they were not rewarding imprudent risk taking. However, most institutions quickly realized it was not practical for directors to be in the weeds of all their broad-based incentive plans and thus delegated that task to management.

Compensation committees outlined expectations for senior management regarding incentive plan creation, administration and monitoring in a formal document. Their expectations would include, for example, the process for reviewing incentive plan risk.

Comp, Risk Committees Cooperate
Banks also developed stronger communication or information sharing between the compensation and risk committees of the board. This was sometimes accomplished through cross-pollinating members between the committees or conducting joint meetings on the topic. It also became standard for the chief risk officer to participate in compensation committee meetings and present on incentive compensation risk, as well as the overall risk profile of the organization.

Incentive compensation review committees, made up of the most-senior control function heads such as the chief financial officer, chief human resource officer, general counsel and chief risk officer, are often delegated primary oversight responsibilities. To create accountability, this management committee operates under a formal charter, oversees the entire governance process, provides for credible challenges throughout and annually approves all non-executive plans. A summary of their activities and findings is presented to the compensation committee annually, at minimum.

Working groups representing various business lines and broad control functions support the management committee in actively monitoring incentive compensation plans. Every activity in the governance process—from plan creation or modification to risk reviews and back-testing—has a documented process map with roles and responsibilities.

These large-bank practices might be overkill for smaller organizations. However, some level of documentation and process formalization is healthy for a bank of any size. My advice: Don’t get fixated on the red tape, as proper governance and controls can be scaled to the size and complexity of each individual bank.

Formalize the Process
The second and third principles of the 2010 guidance are aimed at driving greater accountability and efficient oversight, including enhanced information sharing. Formalizing the process simply helps to crystallize expectations for those involved and safeguards against the dodging of responsibilities.

Plus, regulators—just like that math teacher—want to see the work. It’s not enough to simply have the right answer. You must be able to document the process you went through to get there.

Why Your Board’s Risk Committee Structure Matters


Community bank boards have a lot of regulatory leeway when it comes to how they oversee the critical risks facing their organizations, including cybersecurity. Because of this latitude, many boards are working to find the best way to properly address these risks, congruent with the size and complexity of their institution.

“We’re evolving, and I think banks our size are evolving, because we are in that grey area around formal risk management,” says Robert Bradley, the chief risk officer at $1.4 billion asset Bank of Tennessee, based in Kingsport, Tennessee. “There’s no one way to approach risk management and governance.”

As a result, some banks govern risk within a separate risk committee, while others opt for the audit committee or address their institution’s risks as a full board.

Governance of cybersecurity is even less settled. Most oversee cybersecurity within the risk committee (27 percent) or technology committee (25 percent), according to Bank Director’s 2019 Risk Survey. A few—just 8 percent—have established a board-level cybersecurity committee.

“Those that have formed a cyber committee, whether they’re small or big, I think it’s an indication of how significant they believe it is to the institution,” says Craig Sanders, a partner at survey sponsor Moss Adams.

Does a bank’s governance structure make a difference in how boards approach oversight? It might. Our analysis finds a correlation between committee structure and executive responsibilities, communications with key executives and board discussions on risk.

The majority of respondents say their bank employs a chief information security officer, though many say that executive also focuses on other areas of the bank. Whether a bank employs a dedicated CISO tends to be a function of the size and complexity of the bank’s cyber program, says Sanders.

Banks that govern cybersecurity within a risk committee or a cybersecurity committee are more likely to employ a CISO.

[Chart: CISO.png]

The reporting structure for the CISO varies; taken together, a majority of CISOs report to the CEO (32 percent) and/or the chief risk officer (31 percent). However, the reporting structure differs by committee.

Banks with a cybersecurity committee seem to prefer that their CISO reports to the CEO (36 percent). However, 27 percent say the CISO reports to the CRO, and a combined 27 percent say the CISO reports to the chief information officer or chief technology officer. Similarly, if cybersecurity is overseen in the technology committee, the CISO often reports to the CEO (33 percent) and/or the CIO or CTO (a combined 29 percent).

However, the CISO is more likely to report to the CRO (49 percent) if cybersecurity is governed within the risk committee.

Interestingly, the audit committee is most likely to insert itself into the CISO’s reporting structure when it governs cybersecurity. Of these, 32 percent say the CISO reports to the audit committee, 37 percent to the CEO and 32 percent to the CRO.

Sanders believes more CISOs should report to the relevant committee or the full board. “I view that position almost like internal audit. They shouldn’t be reporting up through management,” he says.

Establishing a dedicated committee is a visible sign that a board is taking a matter seriously. Committees can also provide an opportunity for directors to focus and educate themselves on an issue. So, it’s perhaps no surprise that the few bank boards that have established cybersecurity committees are dedicating more board time to the subject, as evidenced in this chart.

[Chart: cybersecurity.png]

Risk and audit committees are tasked with a laundry list of issues facing their institutions, and it’s hard to fit cybersecurity into their crowded agendas. That raises the question of whether cybersecurity is addressed frequently enough by these boards.

Governance structure also seems to impact how frequently cybersecurity is discussed by the full board. With a cybersecurity committee, 46 percent say cybersecurity is part of the agenda at every board meeting, and 27 percent discuss the issue quarterly. Boards that address cybersecurity in the risk or audit committee are more likely to schedule a quarterly discussion as a board.

[Chart: review.png]

When boards take responsibility for cybersecurity at the board level—rather than assigning it to a committee—almost half say cybersecurity is on the agenda twice a year or annually. With this structure, 31 percent discuss it at every board meeting.

How frequently should boards be talking about cybersecurity?

“More is better, right?” says Sanders. “The requirement, from a regulatory standpoint, is that you only report to the board annually. So, anybody that’s doing it more than annually is exceeding the regulator’s expectation,” which is a good approach, he adds.

Few banks have cybersecurity committees, and it’s worth noting that boards with a cybersecurity committee are more likely to have a cybersecurity expert as a member. That expertise likely makes them feel better equipped to establish a committee.

Community bank boards have long grappled with how to govern risk in general. For several years following the enactment of the Dodd-Frank Act in 2010, risk committees were only required at banks above $10 billion in assets. Now, following passage of the Economic Growth, Regulatory Relief and Consumer Protection Act in 2018, that threshold is even higher, at $50 billion in assets.

But if it ain’t broke, don’t fix it: The 2019 Risk Survey confirms that boards aren’t suddenly dissolving their risk committees. Forty-one percent of banks—primarily, but not exclusively, above $1 billion in assets—have a separate board-level risk committee.

The survey indicates there’s good reason for this.

Ninety-six percent of respondents whose bank governs risk within a board-level risk committee say the CRO or equivalent meets quarterly or more with the full board. Audit committees are almost on par, at 89 percent. Interestingly, that drops to 79 percent at banks that oversee risk as a full board.

Bank of Tennessee’s audit and risk committee meets quarterly, and Bradley says that getting a handle on the bank’s overall risk governance is a priority for 2019. That includes getting more comprehensive information to the board.

“The board has all the right governance and oversight committees for ALCO, for credit, for all of those kinds of things, but we haven’t had a one-stop-shop rollup for [the overall risk] position of the bank, and that’s one of the things I’m focused on for 2019,” Bradley says. “Going forward, what I would like to do is [meet] with the risk committee at least quarterly, and with the full board, probably twice a year.”

Bank Director’s 2019 Risk Survey, sponsored by Moss Adams, reveals the views of 180 bank leaders, representing banks ranging from $250 million to $50 billion in assets, about today’s risk landscape, including risk governance, the impact of regulatory relief on risk practices, the potential effect of rising interest rates and the use of technology to enhance compliance. The survey was conducted in January 2019.

For additional information on the responsibilities of a bank’s risk committee, please see Bank Director’s Board Structure Guideline titled “Risk Committee Structure.”

2019 Risk Survey: Cybersecurity Oversight


Bank leaders are more worried than ever about cybersecurity: Eighty-three percent of the chief risk officers, chief executives, independent directors and other senior executives of U.S. banks responding to Bank Director’s 2019 Risk Survey say their concerns about cybersecurity have increased over the past year. Executives and directors have listed cybersecurity as their top risk concern in five prior versions of this survey, so finding that they’re more—rather than less—worried could be indicative of the industry’s struggle to get a handle on the issue.

The survey, sponsored by Moss Adams, was conducted in January 2019. It reveals the views of 180 bank leaders, representing banks ranging from $250 million to $50 billion in assets, about today’s risk landscape, including risk governance, the impact of regulatory relief on risk practices, the potential effect of rising interest rates and the use of technology to enhance compliance.

The survey also examines how banks oversee cybersecurity risk.

More banks are hiring chief information security officers: The percentage indicating their bank employs a CISO ticked up by seven points from last year’s survey and by 17 points from 2017. This year, Bank Director delved deeper to uncover whether the CISO holds additional responsibilities at the bank (49 percent) or focuses exclusively on cybersecurity (30 percent)—a practice more common at banks above $10 billion in assets.

How bank boards adapt their governance structures to effectively oversee cybersecurity remains a mixed bag. Cybersecurity may be addressed within the risk committee (27 percent), the technology committee (25 percent) or the audit committee (19 percent). Eight percent of respondents report their board has a board-level cybersecurity committee. Twenty percent address cybersecurity as a full board rather than delegating it to a committee.

A little more than one-third indicate one director is a cybersecurity expert, suggesting a skill gap some boards may seek to address.

Additional Findings

  • Three-quarters of respondents reveal enhanced concerns around interest rate risk.
  • Fifty-eight percent expect to lose deposits if the Federal Reserve raises interest rates by more than one hundred basis points (1 percentage point) over the next 18 months. Thirty-one percent lost deposit share in 2018 as a result of rate competition.
  • The regulatory relief package, passed in 2018, freed banks between $10 billion and $50 billion in assets from stress test requirements. Yet, 60 percent of respondents in this asset class reveal they are keeping their Dodd-Frank Act stress test (DFAST) practices in place.
  • For smaller banks, more than three-quarters of those surveyed say they conduct an annual stress test.
  • When asked how their bank’s capital position would be affected in a severe economic downturn, more than half foresee a moderate impact on capital, with the bank’s capital ratio dropping to a range of 7 to 9.9 percent. Thirty-four percent believe their capital position would remain strong.
  • Following a statement issued by federal regulators late last year, 71 percent indicate they have implemented or plan to implement more innovative technology in 2019 to better comply with Bank Secrecy Act/anti-money laundering (BSA/AML) rules. Another 10 percent will work toward implementation in 2020.
  • Despite buzz around artificial intelligence, 63 percent indicate their bank hasn’t explored using AI technology to better comply with the myriad rules and regulations banks face.

To view the full results of the survey, click here.

The Good and the Bad Facing Audit and Risk Committees Today


In today’s news cycle, it seems barely a week goes by before another headline flits across a social news feed about a data breach at some major U.S. or foreign company. Hackers and scams seem to abound across the marketplace, regardless of industry or any other defining factor.

Cybersecurity itself has become an increasingly important issue for bank boards—84 percent of directors and executives responding to Bank Director’s 2018 Risk Survey earlier this year cited cybersecurity as one of the top categories of risk they worry about most. Facing the industry’s cyber threats has become a principal focus for many audit and risk committees as well, along with their oversight of other external and internal threats.

Technology’s influence in banking has forced institutions to come to terms not just with the inevitability of integrating technology somewhere within the bank’s operations, but with the risk that comes with that enhancement. Add to that the percolating influence of blockchain and cryptocurrency and the impending implementation of the new current expected credit loss (CECL) standard issued by the Financial Accounting Standards Board, and bank boards—especially their audit and risk committees—have been thrust into uncharted waters in many ways, with few points of reference to guide them other than what might be general provisions in their charters.

And lest we forget, audit and risk committees still face conventional yet equally important duties related to identifying and hiring the independent auditor, oversight of the internal and external audit function, and managing interest rate risk and credit risk for the bank—all still top priorities for individual banks and their regulators.

The industry is also in a welcome period of transition as the economy has regained its health, which has influenced interest rates and driven competition to new heights, and the current administration is bent on rolling back regulations imposed in the wake of the 2008 crisis that have affected institutions of all sizes.

These topics and more will be addressed at Bank Director’s 2018 Audit & Risk Committees Conference, held June 12-13 at Swissôtel in Chicago, covering everything from politics and the economy to stress testing, CECL and fintech partnerships.

Among the headlining moments of the conference will be a moderated discussion with Thomas Curry, a former director of the Federal Deposit Insurance Corp. who later became the 30th Comptroller of the Currency, serving a 5-year term under President Barack Obama and, briefly, President Donald Trump.

Curry was at the helm of the OCC during a key time in the post-crisis recovery. Among the topics to come up in the discussion with Bank Director Editor in Chief Jack Milligan are Curry’s views on the risks facing the banking system and his advice for CEOs, boards and committees, and his thoughts about more contemporary influences, including the recently passed regulatory reform package and the shifting regulatory landscape.

2016 Risk Practices Survey: Banks Beef Up on Cybersecurity


For 77 percent of the bank executives and board members responding to Bank Director’s 2016 Risk Practices Survey, sponsored by FIS, cybersecurity remains their top concern, for the second year in a row. More than half indicate that preparing for cyberattacks is one of their organization’s biggest risk management challenges. While these concerns aren’t new, respondents this year indicate a shift in how their boards and executives are addressing the threat. Unfortunately, the fact remains that many banks still aren’t doing enough to protect themselves—and their customers.

Just 18 percent indicate their bank has experienced a data breach, but it’s important to note that these breaches were almost as likely to occur at a smaller, $500 million asset institution as at a larger institution above $10 billion. Cybersecurity can no longer be dismissed as merely a “big bank” concern.

In addition to identifying cybersecurity practices within the industry, the online survey asked 161 independent directors and chairmen, chief risk officers, chief executive officers and other senior executives of U.S. banks above $500 million in assets to weigh in on their bank’s risk governance, culture and infrastructure. The survey was conducted in January.

Compared to last year’s survey results, more respondents indicate their board reviews cybersecurity at every board meeting, at 34 percent compared to 18 percent last year. While this shift represents a significant increase in board-level attention to cyberthreats compared to last year, these institutions remain the exception rather than the rule.

Many banks have yet to fully utilize the Cybersecurity Assessment Tool, developed by the Federal Financial Institutions Examination Council and made available to banks in 2015 “to help institutions identify their risks and determine their cybersecurity maturity.” Sixty-two percent of survey respondents indicate their bank has used the tool and completed an assessment. However, just 39 percent have validated the results, and only 18 percent have established board-approved triggers for updating the assessment and reporting on it. All three prudential regulators—the Federal Reserve, the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corp.—now use the tool in exams, regardless of the bank’s size. Several states have mandated its use as well.

Other key findings:

  • Seventy-eight percent indicate that their bank employs a full-time chief information security officer, up from 64 percent in last year’s survey.
  • Almost half report that the bank has a chief risk officer exclusively focused on risk, while 37 percent have a risk officer that is also focused on other areas of the bank.
  • Fifty-four percent of respondents who indicate that the bank has a CRO also say the board never meets with that individual.
  • Responses indicate a low level of board engagement with the chief risk officer: Just 21 percent indicate the CRO’s performance is reviewed by, and compensation determined by, the board or a board committee.
  • Forty-eight percent of respondents govern risk within a separate, board-level risk committee, and 65 percent have at least one director who is considered to be a risk expert.
  • Forty-five percent indicate that risk performance is not incorporated into their bank’s compensation programs.
  • Just 55 percent indicate their bank has a risk appetite statement, which defines the acceptable amount of risk for an organization.

To view the full results to the survey, click here.

Cybersecurity: Five Best Practices To Protect Your Bank


Heightened Standards for Directors: What You Need to Know


On September 2, 2014, the OCC issued guidelines establishing heightened standards for certain institutions with $50 billion or more in total assets and for “highly complex” institutions, noting that it does not intend to apply the guidelines to community banks. However, the guidelines distill the OCC’s characterization of directors’ responsibilities, which apply regardless of asset size. In this regard, the guidelines should be required reading for directors of every bank.

With regard to the role of directors, the OCC did not adopt a higher standard of director liability than the law generally provides (depending upon state of incorporation or chartering). This approach is very different from that espoused by the Federal Reserve Board’s Governor Tarullo in his controversial speech last year. Governor Daniel Tarullo exhorted legislatures to change the standards governing director conduct to impose a duty to meet regulatory and supervisory objectives (not just a duty to their institution and shareholders). The OCC notably bypassed the opportunity to try to extend director obligations beyond statute. Thus, the guidelines need to be read in conjunction with the existing legal framework.

The OCC reformulated what are in many cases age-old principles of director conduct. The guidelines are beneficial to directors in a variety of ways. Notably, the OCC sought to reclarify the divide between director and managerial responsibilities. To understand the significance of such line drawing, directors need to be aware of regulators’ tendency since the downturn to conflate the roles of directors and management. Specifically, administrative actions, matters requiring attention and supervisory correspondence have discussed the directors’ obligations to become further involved in their institutions’ activities in a quasi-managerial tone.

The OCC’s guidelines, however, note that they do not impose managerial responsibilities on boards or suggest the boards must guarantee any particular result. Instead, the OCC notes that the board’s duty is the traditional one of strategy and oversight.

However, there are increasing expectations for directors, particularly in terms of oversight of risk management. First, the OCC expects institutions to establish strategic plans that set forth a risk appetite. The board then must hold management accountable for adhering to the framework established. The guidelines clarify that the board provides active oversight by relying on risk assessments prepared by the departments of risk management and internal audit. Thus, although the board’s active oversight is in reliance on risk assessments, the board still must evaluate whether the risk appetite is being exceeded.

This expectation for oversight of risk tolerance has been seeping down the landscape and has become common practice for banking organizations of over $1 billion. I have seen institutions of $600 million and $700 million in total assets adding chief risk officers and risk committees. Risk assessments have proliferated like kudzu. Whether the guidelines are formally expectations only for systemically important financial institutions (SIFIs) or not, these principles are becoming mainstream ideas for community banks as well. For SIFIs, the scope and pervasiveness of the risk management and mitigation framework are yet to be fleshed out.

The OCC expects boards to provide a credible challenge to management. Specifically, boards, in reliance on information from independent risk management and internal audit, should question, challenge and, when necessary, oppose decisions to expand the bank’s risk profile beyond its risk appetite.

The guidelines note that boards are not prohibited from engaging third-party experts to assist them. Thus, the OCC keeps open the well-worn ability of directors to rely on others for guidance (although the fiduciary decision-making remains exclusively the province of the board).

Otherwise, the OCC trots out existing basic minimum standards for corporate governance. Specifically, the guidelines provide that boards should conduct annual self-assessments. The guidelines also note that the OCC will review director training to see if it touches on all appropriate areas. Moreover, the guidelines note that directors must dedicate time and energy to reviewing and understanding the key issues affecting their bank. Those expectations are hardly new.

In short, the guidelines represent a mixed bag for bank directors. The OCC’s adherence to the separation between board and managerial responsibilities and directors’ ability to rely on third-party experts is reassuring. The OCC’s discussion of risk management and engaged directors challenging managerial direction are not threatening in themselves. Director concerns lie in the notion that examiners will expect an increasingly elaborate edifice of risk tolerance and assessment. For community banks, the question is how much of this edifice will they need. Thus, it is not the principles that are controversial, but the way in which such principles will be measured that causes concern for director liability.

Bank Board Risk Committee: What Every Board Should Do


Only a fraction of the nation’s banks are required to have a board-level risk committee. Under the Federal Reserve’s enhanced prudential standards coming out of the Dodd-Frank Act, publicly traded bank holding companies with assets of $10 billion or greater and all other bank holding companies with assets of $50 billion or greater must have a risk committee.

But banks of all sizes are going ahead and adding risk committees anyway. The Bank Director 2014 Risk Practices Survey, sponsored by FIS, found that 76 percent of banks with assets between $5 billion and $10 billion and 54 percent of banks with less than $5 billion in assets had proactively implemented a board-level risk committee even though they were not required to by law.

A key finding from the survey was that banks with a separate board-level risk committee performed better financially, reporting a higher median return on assets (ROA) of 1.00 percent and median return on equity (ROE) of 9.50 percent, compared to banks that govern risk with a combined audit/risk committee or within the audit committee. The survey shows a correlation rather than proving cause, but the reasoning behind it is sound: a board-level committee focused on how risks can be mitigated to enable attainment of financial and strategic plan objectives supports a higher level of performance.

The other key benefit that a separate board-level risk committee can provide is proactive oversight of risk management. Effective risk management is identifying and mitigating risks before they become a material problem. It is forward-looking, not reviewing after the fact. So trying to oversee risks with a combined audit/risk committee or within an audit committee is extremely challenging and conflicting, since the focus of the audit committee is looking in the rear view mirror and after the fact. A risk committee can stay focused on overseeing risk limits and tolerances, and look for systemic risks and emerging risk trends. This way, material problems and surprises can be avoided before they arise and negatively impact earnings, capital or reputation.

So how can one go about implementing a highly effective board-level risk committee? The key to success is to get it right from the beginning. Start with the committee charter. The charter sets the tone and is the foundation for a highly effective risk committee.

The following PDF is a risk committee self-assessment checklist based on the Federal Reserve requirements for bank holding companies and industry best practices. A Yes answer will confirm either compliance with a regulatory requirement or a best practice. A No answer will identify a weakness. So if you have a risk committee, use the checklist to identify gaps and areas for improvement. If you do not yet have one, use the checklist below to jump start devising the risk committee charter.

Download the checklist in PDF format.

The Cheesecake Factory and Banking: What a Successful Restaurant Knows About Risk Management


When eating out at a chain restaurant, food consistency is important. Restaurant patrons know what their favorite meal tastes like and expect a consistent product.

But have you ever taken a moment to think about all of the processes and procedures a chain restaurant must have in place to deliver the exact same meal to the table no matter the geographical location? In an August 13, 2012 article in The New Yorker, Dr. Atul Gawande, a professor of public health at Harvard, examined how the Cheesecake Factory consistently and efficiently rolled out an updated menu twice per year in all of its restaurants across the country without sacrificing quality or disrupting service.

Impressed with the Cheesecake Factory’s ability to quickly and effectively distribute information to its geographically dispersed restaurants, enabling each location to follow exactly the same protocols and deliver the same quality product, Dr. Gawande wondered whether a similar business model might successfully be applied to the health care industry. Using the Cheesecake Factory’s model for information distribution and quality control, could the medical industry operate more efficiently and provide better service while simultaneously offering higher-quality care?

For the financial services industry, things are growing more complex every day. However, like the Cheesecake Factory, the financial institutions that are successful are those that have implemented consistent processes and standards across the entire organization and then effectively communicated that information throughout all levels.

Key Steps in the Enterprise Risk Management Process: A Recipe for Success

To address unknown risks, financial institutions must adopt a systematic approach to emerging risk identification, assessment, monitoring and reporting. Following a consistent approach to managing risk can prevent unexpected and detrimental events from occurring and enable financial institutions to pinpoint areas of opportunity.

Step 1: Risk Identification

Financial institutions can better protect themselves and even further their business strategies and objectives by approaching risk management in a much more disciplined way. At every Cheesecake Factory restaurant, the kitchen manager inspects every dish before it leaves the kitchen to identify whether the dish meets the restaurant’s standards or needs to be redone. Much like the kitchen manager, a financial institution’s risk manager should identify potential risks not only for each business line, but also at a very high level throughout the organization as a whole.

Step 2: Risk Assessment

At each restaurant, the kitchen manager rates the food on the line using a scale of one-to-ten.

Similarly, while it is common for financial institutions to face a variety of risks, it is important to gather a manageable list of what are collectively seen as the most significant risks. Once the risks are identified, they can be scored or rated, and then prioritized based on their significance.

Step 3: Risk Monitoring

Because each dish is inspected before it reaches the customer, Cheesecake Factory kitchen managers can coach their staff to aim for a score of 10 and provide customers with a consistent product.

Financial institutions should also be coaching their business line managers on how to understand and monitor their risk profiles. Risk monitoring protocols should be scheduled on a regular basis, so that risks can be reviewed, re-prioritized and controls can be tested and tweaked.

Step 4: Risk Reporting

Efficient communication is a key factor in the Cheesecake Factory’s ability to implement new menu items quickly and consistently. ERM programs should likewise have a robust reporting and communication component in place.

With all of the information at hand, knowing the full range of risks the financial institution faces as well as the controls at its disposal, the organization can use the risk data to implement practical business decisions.

Lessons Learned

For financial institutions, the end result is a strong risk management culture that encourages innovation in business lines without exposing the organization to the kinds of risks that contributed to the financial crisis. Giving more thought to how information is actually managed and distributed throughout an organization will lead to more intelligent risk-taking that is more effectively communicated across the financial institution.

Do Small Banks Need a Risk Committee?


Does your board need to set up a separate risk committee to manage all of its bank’s exposures? If your institution is large enough, that question has already been answered for you. The two-year-old Dodd-Frank Act, which was Congress’ answer to the financial crisis of 2008, will soon require that all banks with $10 billion in assets or greater have a board-level risk committee, and also that the committee have at least one director with risk management experience.

The new rules on risk committees have been proposed but are currently in a comment period, so it’s unclear when they will take effect or what the final requirements will look like, although it’s a safe bet that all banks north of $10 billion have already begun the process of organizing a risk committee. The more interesting question is what institutions below the $10 billion cutoff should do. The answer would seem to be, “It depends.”

Christina Speh, the director of consulting services at Wolters Kluwer Financial Services, says it’s the job of the board to set the institution’s risk appetite based on its strategic plan, and then make sure that the executive management team stays within the boundaries that the board has laid out. At their simplest, these boundaries are expressed in the form of various metrics—the level of non-performing assets, or service quality complaints, for example—and also as institutional values, such as honesty or customer responsiveness.

When it comes to the risk governance process, Speh says that it’s particularly important that boards be “forward thinking” in their approach—which is perhaps the best argument in favor of having a separate risk committee. “I would say that [risk management] is not really an audit committee function regardless of the size of the institution,” she says. “Audit committees look backward. The role of the risk committee is strategic and forward looking.”

Bert Otto, a Chicago-based deputy comptroller for the Central District at the Office of the Comptroller of the Currency, agrees with Speh that boards need to have a forward thinking perspective when it comes to risk governance. Otto says he asked his staff to identify those institutions that emerged from the 2008 financial crisis in relatively good shape and identify what they had in common. An important characteristic that many of these banks shared was a board that was keenly focused on emerging risks, which enabled them to spot problems at an earlier stage in the downturn than many of their peers.

“The institutions that weathered the storm better than others had that [forward looking] process, whether they had a risk committee or not,” says Otto. That said, Otto believes the presence of a risk committee makes it more likely that a board will be focused on future risks—although he stops short of advocating that all banks should have a risk committee. For Otto, the important considerations are factors like the institution’s business model and product mix. “Vanilla institutions just serving their communities in a small town in rural America, we’re not saying they have to have a risk committee,” he says. Larger, more complex institutions with a more complicated risk profile—even if they are below the $10 billion threshold—might benefit from having a separate risk committee, Otto adds.

For smaller institutions, more important than whether responsibility falls to the audit committee or a separate risk committee is the perspective that the board brings to the activity of risk governance. “My concern is that if no one is looking at it, [the bank] is going to be late to the dance when something happens,” Otto says.