The Post-Pandemic Priorities for Audit and Risk Committees

Even as the Covid-19 pandemic continues to reshape the banking and financial services industries, forward-looking organizations are focusing on how they can adapt to a post-pandemic world. With many business processes and controls forever changed, boards of directors — including their audit and risk committees — acknowledge that their views on fundamental risk issues must change as well.

New Workplaces, New Risks
One of the pandemic’s most disruptive effects was the upheaval of the centralized workforce. For decades, employees gathered together in a central location to work. Businesses took great pride in these workplaces, even putting their names atop the buildings in which they were located.

However, the pandemic shattered that model — possibly permanently — along with the concept of regular office hours and the expectations that personal devices should not be used for company business. During the pandemic, employees worked from their kitchens and dining rooms, improvising as they adapted to new ways of operating that would have been impossible 20 years ago. Beyond the obvious physical, security and technical risks associated with this dispersal, board members should understand some of the less visible risks.

For example, corporate culture often is shaped from the ground up through casual workplace interactions, which can be lacking in a remote work arrangement. Similarly, if people cannot gather together physically to brainstorm ideas, innovation and creativity can suffer. Many executives also lament their inability to read body language, tone of voice and other nuances in employees’ behavior to spot potential problems.

These types of risks are inherently difficult to quantify. Nevertheless, risk committees should be aware of them and ascertain whether management is addressing them.

Of even more pressing concern, however, are the effects that a decentralized workforce has on a bank’s business processes and control environment. While the immediate responsibility for overseeing management’s response to these risks might be assigned to the audit and risk committees, ultimately all board members have oversight responsibility and should make a committed effort to understand these risks.

Audit and risk committee priorities
Previously, when audit committees addressed risks associated with business processes and controls, they had the advantage of operating in something like a laboratory. The bank controlled most of the variables such as access controls, approvals and validations. In the post-pandemic world, however, risk monitoring and mitigation efforts must address new variables outside the bank’s control.

One specific audit committee priority is the need to evaluate how a dispersed workforce affects the control environment. Controlling access to systems is an area of major risk; remote reconciliations, remote approvals and digital signatures also are important concerns.

While a virtual private network generally would be the preferred method of providing remote employee access, that capability often was unavailable during the pandemic. Other options became necessary. In addition, many controls had to be redesigned quickly, with little time for testing the adequacy of their design or the effectiveness of the implementation.

Now is the time for many audit committees to take a step back and look holistically at their banks’ control environments. In addition to system access, this overview should include controls governing the retention of sensitive data, timely execution of controls, coordination to resolve deficiencies and validation of secondary reviews.

In assessing such controls, committee members might be constrained by their limited understanding of the technology. Given the novel nature of today’s situation, audit committees should consider getting qualified technical assistance, independent of management, to evaluate the steps taken to accommodate the new work environment.

Strategic issues and board concerns
Both the risk committee and the full board should consider broader questions as well. At a strategic level, boards should explore whether management’s response to the pandemic is sustainable. In other words, should the new practices the bank established — including remote work arrangements — become permanent?

Bank management teams have issued many press releases recounting how successfully they responded to the crisis. As banks move into the post-pandemic world, board members should review these responses and ask whether the new practices will allow for growth and innovation so that their banks can thrive in the future while still maintaining a well-controlled work environment.

As they revisit documented policies, controls and procedures — and remeasure the associated risks — boards and management teams ultimately must decide whether the new control environment is consistent with the strategy of the bank and capable of sustaining its desired organizational culture.

Why a Solid Risk Management Framework Helps Manage Change

Who owns risk management at your bank?

If your bank limits that function to the teams that report to the chief risk officer, it’s fumbling on two fronts: It’s failing to drive accountability across every corner of the enterprise, and it’s conceding its edge in a marketplace that’s never been more competitive.

Recognizing that every employee owns a piece of this responsibility makes risk management an equally offensive and defensive posture for your organization. This empowers your employees to move nimbly, strategically and decisively when the bank encounters change, whether it’s an external regulatory pressure or an internal opportunity to launch a new product or service. In either case, your team navigates through change by building on best operational practices, which, in the end, work to your advantage.

Getting the bank into that position doesn’t happen overnight; the vision starts with the actions of your senior leaders. They set the tone and establish expectations, but everyone plays a hands-on role. When management prioritizes an environment where people can work collaboratively and have transparency into related roles, they foster consistency across your change management process that minimizes risk.

The need for a risk-aware culture aligns precisely with the signals coming out of Washington, D.C., that the stakes are getting higher. The Consumer Financial Protection Bureau hinted early at increased regulatory scrutiny, advising that it would tighten the regulatory standards it had relaxed to allow banks to quickly respond to customers’ financial hardship in 2020.

In response to the competitive and regulatory environment, your bank’s risk management framework should incorporate four key elements:

  • Governance. Start with setting the ground rules for how the bank will govern its risk. Define its risk strategy, the role the board and management will play and the committees that compose that governance structure — and don’t forget to detail their decision-making authority, approval and escalation process across those bodies. This upfront work also should introduce robust systems for ongoing monitoring and risk reporting, establish standard parameters on how the bank identifies issues and create a basic roadmap to remediate issues when they come along.
  • Operating Model. Distinguish the roles and responsibilities for every associate, with a key focus on how they manage risk generated by the core activities in that business. By taking the time to ensure all individuals, in every line of defense, understand their expected contributions, your bank will be ahead of the game because your people can act quicker and efficiently when a change needs to happen.
  • Standard Framework, Definitions and Taxonomies. In basic terms, everyone across the enterprise needs to speak the same language and assign risk ratings the same way. Calibrating these elements at the onset builds confidence that your bank gives thoughtful attention to categorizing risks into the right buckets. Standardization should include assessment scales and definitions of different risks and risk events, leading to easier risk aggregation and risk reporting that enables a holistic view of risk across the enterprise.
  • Risk Appetite. Nothing is more important than establishing how much risk your organization is willing to take on in its daily business. Missing the mark can impact your customers, bottom line and reputation. Optimally, bank leaders will reestablish this risk appetite annually, but black swan events such as the pandemic should prompt more timely reviews.

Too often, banks reinvent the wheel every time a change or demand comes along. As the industry eyes increasing regulatory pressure in the year ahead, driving and promoting a robust risk management culture is no longer a “nice to have” within your organization; it’s a “need to have.”

When you reset the role and ownership of risk management as a strategic pillar in your bank’s future growth and direction, you minimize your bank’s risk and actually propel your company forward.

Banks looking for best practices and a strategic framework for creating their enterprise risk framework should check out my latest whitepaper, Turning a Solid Risk Framework Into a Competitive Advantage.

Driving Accountability in Incentive Compensation Governance


I once flunked a math test because I didn’t show my work. Turns out, showing your work is important to both math teachers and bank regulators.

To drive accountability, it is important to document and “show your work” when it comes to governance of incentive compensation plans and processes. The largest banks, due to increased regulatory oversight, have made significant strides in complying with regulators’ guidance and creating robust accountability. Here are some resulting “better practices” that provide food for thought for banks of all sizes.

While the 2010 interagency guidance on sound incentive compensation policies is almost a decade old, it remains the foundation for regulatory oversight on the matter. The guidance outlined three lasting principles for the banking industry:

  • Provide employees incentives that appropriately balance risk and reward.
  • Create policies that are compatible with effective controls and risk management.
  • Support policies through strong corporate governance, including active and effective oversight by the organization’s board of directors.

Most organizations used the release of the 2010 guidance to take a fresh look at their incentive plans. It proposed a non-exhaustive list of risk-balancing methods, such as risk adjustment of awards and deferral of payment. Many banks changed their plan structures and provisions to increase sensitivity to, and better account for, risk. The changes made sense pragmatically but largely addressed only the first principle.

After the financial crisis, boards were expected to engage in the oversight and review of all incentive arrangements to ensure that they were not rewarding imprudent risk taking. However, most institutions quickly realized it was not practical for directors to be in the weeds of all their broad-based incentive plans and thus delegated that task to management.

Compensation committees outlined expectations for senior management regarding incentive plan creation, administration and monitoring in a formal document. Their expectations would include, for example, the process for reviewing incentive plan risk.

Comp, Risk Committees Cooperate
Banks also developed stronger communication or information sharing between the compensation and risk committees of the board. This was sometimes accomplished through cross-pollinating members between the committees or conducting joint meetings on the topic. It also became standard for the chief risk officer to participate in compensation committee meetings and present on incentive compensation risk, as well as the overall risk profile of the organization.

Incentive compensation review committees, made up of the most-senior control function heads such as the chief financial officer, chief human resource officer, general counsel and chief risk officer, are often delegated primary oversight responsibilities. To create accountability, this management committee operates under a formal charter, oversees the entire governance process, provides for credible challenges throughout and annually approves all non-executive plans. A summary of their activities and findings is presented to the compensation committee annually, at minimum.

Working groups representing various business lines and broad control functions support the management committee in actively monitoring incentive compensation plans. Every activity in the governance process—from plan creation or modification to risk reviews and back-testing—has a documented process map with roles and responsibilities.

These large bank practices might be overkill for smaller organizations. However, some level of documentation and process formalization is a healthy process for any size. My advice: Don’t get fixated on the red tape, as proper governance and controls can be scaled to the size and complexity of each individual bank.

Formalize the Process
The second and third principles of the 2010 guidance are aimed at driving greater accountability and efficient oversight, including enhanced information sharing. Formalizing the process simply helps to crystalize expectations for those involved and safeguards against the dodging of responsibilities.

Plus, regulators—just like that math teacher—want to see the work. It’s not enough to simply have the right answer. You must be able to document the process you went through to get there.

Why Your Board’s Risk Committee Structure Matters


Community bank boards have a lot of regulatory leeway when it comes to how they oversee the critical risks facing their organizations, including cybersecurity. Because of this latitude, many boards are working to find the best way to properly address these risks, congruent with the size and complexity of their institution.

“We’re evolving, and I think banks our size are evolving, because we are in that grey area around formal risk management,” says Robert Bradley, the chief risk officer at $1.4 billion asset Bank of Tennessee, based in Kingsport, Tennessee. “There’s no one way to approach risk management and governance.”

As a result, some banks govern risk within a separate risk committee, while others opt for the audit committee or address their institution’s risks as a full board.

And governance of cybersecurity is even more unresolved. Most oversee cybersecurity within the risk committee (27 percent) or technology committee (25 percent), according to Bank Director’s 2019 Risk Survey. A few—just 8 percent—have established a board-level cybersecurity committee.

“Those that have formed a cyber committee, whether they’re small or big, I think it’s an indication of how significant they believe it is to the institution,” says Craig Sanders, a partner at survey sponsor Moss Adams.

Does a bank’s governance structure make a difference in how boards approach oversight? It might. Our analysis finds a correlation between committee structure and executive responsibilities, communications with key executives and board discussions on risk.

The majority of respondents say their bank employs a chief information security officer, though many say that executive also focuses on other areas of the bank. Whether a bank employs a dedicated CISO tends to be a function of the size and complexity of the bank’s cyber program, says Sanders.

Banks that govern cybersecurity within a risk committee or a cybersecurity committee are more likely to employ a CISO.

[Chart: CISO employment by committee structure]

The reporting structure for the CISO varies, with a majority of CISOs reporting to the CEO (32 percent) and/or the chief risk officer (31 percent). However, the reporting structure differs by committee.

Banks with a cybersecurity committee seem to prefer that their CISO reports to the CEO (36 percent). However, 27 percent say the CISO reports to the CRO, and a combined 27 percent say the CISO reports to the chief information officer or chief technology officer. Similarly, if cybersecurity is overseen in the technology committee, the CISO often reports to the CEO (33 percent) and/or the CIO or CTO (a combined 29 percent).

However, the CISO is more likely to report to the CRO (49 percent) if cybersecurity is governed within the risk committee.

Interestingly, the audit committee is most likely to insert itself into the CISO’s reporting structure when it governs cybersecurity. Of these, 32 percent say the CISO reports to the audit committee, 37 percent to the CEO and 32 percent to the CRO.

Sanders believes more CISOs should report to the relevant committee or the full board. “I view that position almost like internal audit. They shouldn’t be reporting up through management,” he says.

Establishing a dedicated committee is a visible sign that a board is taking a matter seriously. Committees can also provide an opportunity for directors to focus and educate themselves on an issue. So, it’s perhaps no surprise that the few bank boards that have established cybersecurity committees are dedicating more board time to the subject, as evidenced in this chart.

[Chart: board time dedicated to cybersecurity by committee structure]

Risk and audit committees are tasked with a laundry list of issues facing their institutions. It’s hard to fit cybersecurity into the crowded agendas of these committees. However, it does make one question whether cybersecurity is addressed frequently enough by these boards.

Governance structure also seems to impact how frequently cybersecurity is discussed by the full board. With a cybersecurity committee, 46 percent say cybersecurity is part of the agenda at every board meeting, and 27 percent discuss the issue quarterly. Boards that address cybersecurity in the risk or audit committee are more likely to schedule a quarterly discussion as a board.

[Chart: frequency of full-board cybersecurity discussions by committee structure]

When boards take responsibility for cybersecurity at the board level—rather than assigning it to a committee—almost half say cybersecurity is on the agenda twice a year or annually. With this structure, 31 percent discuss it at every board meeting.

How frequently should boards be talking about cybersecurity?

“More is better, right?” says Sanders. “The requirement, from a regulatory standpoint, is that you only report to the board annually. So, anybody that’s doing it more than annually is exceeding the regulator’s expectation,” which is a good approach, he adds.

Few banks have cybersecurity committees, and it’s worth noting that boards with a cybersecurity committee are more likely to have a cybersecurity expert as a member. That expertise likely makes them feel better equipped to establish a committee.

Community bank boards have long grappled with how to govern risk in general. For several years following the enactment of the Dodd-Frank Act in 2010, risk committees were only required at banks above $10 billion in assets. Now, following passage of the Economic Growth, Regulatory Relief and Consumer Protection Act in 2018, that threshold is even higher, at $50 billion in assets.

But if it ain’t broke, don’t fix it: The 2019 Risk Survey confirms that boards aren’t suddenly dissolving their risk committees. Forty-one percent of banks—primarily, but not exclusively, above $1 billion in assets—have a separate board-level risk committee.

The survey indicates there’s good reason for this.

Ninety-six percent of respondents whose bank governs risk within a board-level risk committee say the CRO or equivalent meets quarterly or more with the full board. Audit committees are almost on par, at 89 percent. But interestingly, that drops to 79 percent at banks that oversee risk as a full board.

Bank of Tennessee’s audit and risk committee meets quarterly, and Bradley says that getting a handle on the bank’s overall risk governance is a priority for 2019. That includes getting more comprehensive information to the board.

“The board has all the right governance and oversight committees for ALCO, for credit, for all of those kinds of things, but we haven’t had a one-stop-shop rollup for [the overall risk] position of the bank, and that’s one of the things I’m focused on for 2019,” Bradley says. “Going forward, what I would like to do is [meet] with the risk committee at least quarterly, and with the full board, probably twice a year.”

Bank Director’s 2019 Risk Survey, sponsored by Moss Adams, reveals the views of 180 bank leaders, representing banks ranging from $250 million to $50 billion in assets, about today’s risk landscape, including risk governance, the impact of regulatory relief on risk practices, the potential effect of rising interest rates and the use of technology to enhance compliance. The survey was conducted in January 2019.

For additional information on the responsibilities of a bank’s risk committee, please see Bank Director’s Board Structure Guideline titled “Risk Committee Structure.”

2019 Risk Survey: Cybersecurity Oversight


Bank leaders are more worried than ever about cybersecurity: Eighty-three percent of the chief risk officers, chief executives, independent directors and other senior executives of U.S. banks responding to Bank Director’s 2019 Risk Survey say their concerns about cybersecurity have increased over the past year. Executives and directors have listed cybersecurity as their top risk concern in five prior versions of this survey, so finding that they’re more—rather than less—worried could be indicative of the industry’s struggles to get its arms around the issue.

The survey, sponsored by Moss Adams, was conducted in January 2019. It reveals the views of 180 bank leaders, representing banks ranging from $250 million to $50 billion in assets, about today’s risk landscape, including risk governance, the impact of regulatory relief on risk practices, the potential effect of rising interest rates and the use of technology to enhance compliance.

The survey also examines how banks oversee cybersecurity risk.

More banks are hiring chief information security officers: The percentage indicating their bank employs a CISO ticked up by seven points from last year’s survey and by 17 points from 2017. This year, Bank Director delved deeper to uncover whether the CISO holds additional responsibilities at the bank (49 percent) or focuses exclusively on cybersecurity (30 percent)—a practice more common at banks above $10 billion in assets.

How bank boards adapt their governance structures to effectively oversee cybersecurity remains a mixed bag. Cybersecurity may be addressed within the risk committee (27 percent), the technology committee (25 percent) or the audit committee (19 percent). Eight percent of respondents report their board has a board-level cybersecurity committee. Twenty percent address cybersecurity as a full board rather than delegating it to a committee.

A little more than one-third indicate one director is a cybersecurity expert, suggesting a skill gap some boards may seek to address.

Additional Findings

  • Three-quarters of respondents reveal enhanced concerns around interest rate risk.
  • Fifty-eight percent expect to lose deposits if the Federal Reserve raises interest rates by more than one hundred basis points (1 percentage point) over the next 18 months. Thirty-one percent lost deposit share in 2018 as a result of rate competition.
  • The regulatory relief package, passed in 2018, freed banks between $10 billion and $50 billion in assets from stress test requirements. Yet, 60 percent of respondents in this asset class reveal they are keeping the Dodd-Frank Act (DFAST) stress test practices in place.
  • For smaller banks, more than three-quarters of those surveyed say they conduct an annual stress test.
  • When asked how their bank’s capital position would be affected in a severe economic downturn, more than half foresee a moderate impact on capital, with the bank’s capital ratio dropping to a range of 7 to 9.9 percent. Thirty-four percent believe their capital position would remain strong.
  • Following a statement issued by federal regulators late last year, 71 percent indicate they have implemented or plan to implement more innovative technology in 2019 to better comply with Bank Secrecy Act/anti-money laundering (BSA/AML) rules. Another 10 percent will work toward implementation in 2020.
  • Despite buzz around artificial intelligence, 63 percent indicate their bank hasn’t explored using AI technology to better comply with the myriad rules and regulations banks face.

To view the full results of the survey, click here.

The Good and the Bad Facing Audit and Risk Committees Today


In today’s news cycle, it seems barely a week goes by before another headline flits across a social news feed about a data breach at some major U.S. or foreign company. Hackers and scams seem to abound across the marketplace, regardless of industry or any defining factor.

Cybersecurity itself has become an increasingly important issue for bank boards—84 percent of directors and executives responding to Bank Director’s 2018 Risk Survey earlier this year cited cybersecurity as one of the top categories of risk they worry about most. Facing the industry’s cyber threats has become a principal focus for many audit and risk committees as well, along with their oversight of other external and internal threats.

Technology’s influence in banking has forced institutions to come to terms not only with the inevitability of integrating technology somewhere within the bank’s operation, but also with the risk that comes with that enhancement. Add to that the percolating influence of blockchain and cryptocurrency and the impending implementation of the new current expected credit loss (CECL) standards issued by the Financial Accounting Standards Board, and bank boards—especially the audit and risk committees within those boards—have been thrust into uncharted waters in many ways and have few points of reference to guide them, other than what might be general provisions in their charters.

And lest we forget, audit and risk committees still face conventional yet equally important duties related to identifying and hiring the independent auditor, oversight of the internal and external audit function, and managing interest rate risk and credit risk for the bank—all still top priorities for individual banks and their regulators.

The industry is also in a welcome period of transition as the economy has regained its health, which has influenced interest rates and driven competition to new heights, and the current administration is bent on rolling back regulations imposed in the wake of the 2008 crisis that have affected institutions of all sizes.

These topics and more will be addressed at Bank Director’s 2018 Audit & Risk Committees Conference, held June 12-13 at Swissôtel in Chicago, covering everything from politics and the economy to stress testing, CECL and fintech partnerships.

Among the headlining moments of the conference will be a moderated discussion with Thomas Curry, a former director of the Federal Deposit Insurance Corp. who later became the 30th Comptroller of the Currency, serving a 5-year term under President Barack Obama and, briefly, President Donald Trump.

Curry was at the helm of the OCC during a key time in the post-crisis recovery. Among the topics to come up in the discussion with Bank Director Editor in Chief Jack Milligan are Curry’s views on the risks facing the banking system and his advice for CEOs, boards and committees, and his thoughts about more contemporary influences, including the recently passed regulatory reform package and the shifting regulatory landscape.

2016 Risk Practices Survey: Banks Beef Up on Cybersecurity


For 77 percent of the bank executives and board members responding to Bank Director’s 2016 Risk Practices Survey, sponsored by FIS, cybersecurity remains their top concern, for the second year in a row. More than half indicate that preparing for cyberattacks is one of their organization’s biggest risk management challenges. While these concerns aren’t new, respondents this year indicate a shift in how their boards and executives are addressing the threat. Unfortunately, the fact remains that many banks still aren’t doing enough to protect themselves—and their customers.

Just 18 percent indicate their bank has experienced a data breach, but it’s important to note that these breaches were almost as likely to occur at a smaller, $500 million asset institution as at a larger institution above $10 billion. Cybersecurity can no longer be dismissed as merely a “big bank” concern.

In addition to identifying cybersecurity practices within the industry, the online survey asked 161 independent directors and chairmen, chief risk officers, chief executive officers and other senior executives of U.S. banks above $500 million in assets to weigh in on their bank’s risk governance, culture and infrastructure. The survey was conducted in January.

Compared to last year’s survey results, more respondents indicate their board reviews cybersecurity at every board meeting, at 34 percent compared to 18 percent last year. While this shift represents a significant increase in board-level attention to cyberthreats compared to last year, these institutions remain the exception rather than the rule.

Many banks have yet to fully utilize the Cybersecurity Assessment Tool, developed by the Federal Financial Institutions Examination Council and made available to banks in 2015 “to help institutions identify their risks and determine their cybersecurity maturity.” Sixty-two percent of survey respondents indicate their bank has used the tool and completed an assessment. However, just 39 percent have validated the results, and only 18 percent have established board-approved triggers for updates and reporting. All three prudential regulators—the Federal Reserve, the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corp.—now use the tool in exams, regardless of the bank’s size. Several states have mandated its use as well.

Other key findings:

  • Seventy-eight percent indicate that their bank employs a full-time chief information security officer, up from 64 percent in last year’s survey.
  • Almost half report that the bank has a chief risk officer exclusively focused on risk, while 37 percent have a risk officer that is also focused on other areas of the bank.
  • Fifty-four percent of respondents who indicate that the bank has a CRO also say the board never meets with that individual.
  • Responses indicate a low level of board engagement with the chief risk officer: Just 21 percent indicate the CRO’s performance is reviewed, and compensation determined by, the board or a board committee.
  • Forty-eight percent of respondents govern risk within a separate, board-level risk committee, and 65 percent have at least one director who is considered to be a risk expert.
  • Forty-five percent indicate that risk performance is not incorporated into their bank’s compensation programs.
  • Just 55 percent indicate their bank has a risk appetite statement, which defines the acceptable amount of risk for an organization.

To view the full results to the survey, click here.

Cybersecurity: Five Best Practices To Protect Your Bank


Heightened Standards for Directors: What You Need to Know


On September 2, 2014, the OCC issued guidelines establishing heightened standards for certain institutions with $50 billion in total assets and for “highly complex” institutions, noting that it does not intend to apply the guidelines to community banks. However, the guidelines distill the OCC’s characterization of directors’ responsibilities that apply regardless of asset size. In this regard, the guidelines should be required reading for directors of every bank.

With regard to the role of directors, the OCC did not adopt a higher standard of director liability than the law generally provides (depending upon the state of incorporation or chartering). This approach is very different from that espoused by Federal Reserve Board Governor Daniel Tarullo in his controversial speech last year, in which he exhorted legislatures to change the standards governing director conduct to impose a duty to meet regulatory and supervisory objectives (not just a duty to their institution and shareholders). The OCC notably bypassed the opportunity to try to extend director obligations beyond statute. Thus, the guidelines need to be read in conjunction with the existing legal framework.

The OCC reformulated what are in many cases age-old principles of director conduct. The guidelines are beneficial to directors in a variety of ways. Notably, the OCC sought to reclarify the divide between director and managerial responsibilities. To understand the significance of such line drawing, directors need to be aware of the regulatory tendency since the downturn to conflate the roles of directors and management. Specifically, administrative actions, matters requiring attention and supervisory correspondence have discussed the directors’ obligations to become further involved in their institutions’ activities in a quasi-managerial tone.

The OCC’s guidelines, however, note that they do not impose managerial responsibilities on boards or suggest the boards must guarantee any particular result. Instead, the OCC notes that the board’s duty is the traditional one of strategy and oversight.

However, there are increasing expectations for directors, particularly in terms of oversight of risk management. First, the OCC expects institutions to establish strategic plans that set forth a risk appetite. The board then must hold management accountable for adhering to the framework established. The guidelines clarify that the board provides active oversight by relying on risk assessments prepared by the departments of risk management and internal audit. Thus, although the board’s active oversight is in reliance on risk assessments, the board still must evaluate whether the risk appetite is being exceeded.

This expectation for oversight of risk tolerance has been seeping down the landscape and has become common practice for banking organizations of over $1 billion. I have seen institutions of $600 million and $700 million in total assets adding chief risk officers and risk committees. Risk assessments have proliferated like kudzu. Whether or not the guidelines are formally expectations only for systemically important financial institutions (SIFIs), these principles are becoming mainstream ideas for community banks as well. For SIFIs, the scope and pervasiveness of the risk management and mitigation framework are yet to be fleshed out.

The OCC expects boards to provide a credible challenge to management. Specifically, boards, in reliance on information from independent risk management and internal audit, should question, challenge and, when necessary, oppose decisions to expand the bank’s risk profile beyond its risk appetite.

The guidelines note that boards are not prohibited from engaging third-party experts to assist them. Thus, the OCC keeps open the well-worn ability of directors to rely on others for guidance (although the fiduciary decision-making remains exclusively the province of the board).

Otherwise, the OCC trots out existing basic minimum standards for corporate governance. Specifically, the guidelines provide that boards should conduct annual self-assessments. The guidelines also note that the OCC will review director training to see if it touches on all appropriate areas. Moreover, the guidelines note that directors must dedicate time and energy to reviewing and understanding the key issues affecting their bank. Those expectations are hardly new.

In short, the guidelines represent a mixed bag for bank directors. The OCC’s adherence to the separation between board and managerial responsibilities and directors’ ability to rely on third-party experts are reassuring. The OCC’s discussion of risk management and of engaged directors challenging managerial direction is not threatening in itself. Director concerns lie in the notion that examiners will expect an increasingly elaborate edifice of risk tolerance and assessment. For community banks, the question is how much of this edifice they will need. Thus, it is not the principles that are controversial, but the way in which such principles will be measured that causes concern for director liability.

Bank Board Risk Committee: What Every Board Should Do


Only a fraction of the nation’s banks are required to have a board-level risk committee. Under the Federal Reserve’s enhanced prudential standards coming out of the Dodd-Frank Act, publicly traded bank holding companies with assets of $10 billion or greater and all other bank holding companies with assets of $50 billion or greater must have a risk committee.

But banks of all sizes are going ahead and adding risk committees anyway. The Bank Director 2014 Risk Practices Survey, sponsored by FIS, found that 76 percent of banks with assets between $5 billion and $10 billion and 54 percent of banks with less than $5 billion in assets had proactively implemented a board-level risk committee even though they were not required to by law.

A key finding from the survey was that banks that implemented a separate board-level risk committee performed better financially and reported a higher median return on assets (ROA) of 1.00 and median return on equity (ROE) of 9.50, compared to banks that govern risk with a combined audit/risk committee or within the audit committee. Having a board-level committee focused on how risks can be mitigated to enable attainment of financial and strategic plan objectives will result in a higher level of performance.

The other key benefit that a separate board-level risk committee can provide is proactive oversight of risk management. Effective risk management means identifying and mitigating risks before they become a material problem. It is forward-looking, not a review after the fact. So trying to oversee risks with a combined audit/risk committee or within an audit committee is extremely challenging and conflicting, since the focus of the audit committee is looking in the rear-view mirror, after the fact. A risk committee can stay focused on overseeing risk limits and tolerances, and look for systemic risks and emerging risk trends. This way, material problems and surprises can be avoided before they arise and negatively impact earnings, capital or reputation.

So how can one go about implementing a highly effective board-level risk committee? The key to success is to get it right from the beginning. Start with the committee charter. The charter sets the tone and is the foundation for a highly effective risk committee.

The following PDF is a risk committee self-assessment checklist based on the Federal Reserve requirements for bank holding companies and industry best practices. A Yes answer confirms either compliance with a regulatory requirement or adherence to a best practice. A No answer identifies a weakness. So if you have a risk committee, use the checklist to identify gaps and areas for improvement. If you do not yet have one, use the checklist to jump-start drafting the risk committee charter.
